mjgraham
Site to Site VPN setup

Hi, I have taken over support for an office and they have a Cisco ASA 5505. They are trying to set up a site to site VPN with another company, all they sent us was their outside IP , their internal IP structure, the pre share key, the encryption and hash and the DH group info. I ran the wizard and put in this information and all seemed to look good. When I try to ping the remote internal IP I see it start to bring up the tunnel however after just a few seconds I get a message saying:

Received an un-encrypted INVALID_COOKIE notify message, dropping
Information Exchange processing failed

I have contacted the remote company and they say all the information is OK oh their end, however I get the same info even if I put the wrong pre share key in so I am not sure where the problem is. The wizard makes it looks easy but sometimes there are hidden things. I have also copied some examples on this site but no luck there either.
Thanks,
Jarrid Graham
mkielar
1) Verify that your key is correct
2) try adding the "sysopt connection-permit ipsec" command

ASKER CERTIFIED SOLUTION
mkielar
mjgraham (ASKER)
I tried both. The first reply had a dash in the wrong place; for the second one I put in all of the information and saw what I thought was the original problem, but after removing some old config stuff it still did not work. I am going to put a chunk of the logs for this here so you can see. I may just wipe the device and start over; one bad thing about taking over where someone else worked for a while is all the strange stuff that you are not sure should be there. Of course these are in reverse order, with the first at the bottom.

IP = <Remote IP>, Error: Unable to remove PeerTblEntry
IP = <Remote IP>, Removing peer from peer table failed, no match!
IP = <Remote IP>, sending delete/delete with reason message
IP = <Remote IP>, IKE SA MM:1921ce35 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
IP = <Remote IP>, IKE MM Initiator FSM error history (struct &0x3ae3bc0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
IP = <Remote IP>, Information Exchange processing failed
IP = <Remote IP>, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, Information Exchange processing failed
IP = <Remote IP>, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, Information Exchange processing failed
IP = <Remote IP>, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = <Remote IP>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
IP = <Remote IP>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
IP = <Remote IP>, constructing VID payload
IP = <Remote IP>, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
IP = <Remote IP>, Send IOS VID
IP = <Remote IP>, constructing xauth V6 VID payload
IP = <Remote IP>, constructing Cisco Unity VID payload
IP = <Remote IP>, constructing nonce payload
IP = <Remote IP>, constructing ke payload
IP = <Remote IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
IP = <Remote IP>, Received Fragmentation VID
IP = <Remote IP>, processing VID payload
IP = <Remote IP>, Oakley proposal is acceptable
IP = <Remote IP>, processing SA payload
IP = <Remote IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Built outbound UDP connection 1131 for outside:<Remote IP>/500 (<Remote IP>/500) to NP Identity Ifc:72.4.4.221/500 (72.4.4.221/500)
Built local-host outside:<Remote IP>
IP = <Remote IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = <Remote IP>, constructing Fragmentation VID + extended capabilities payload
IP = <Remote IP>, constructing ISAKMP SA payload
IP = <Remote IP>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <Remote IP>  local Proxy Address 192.168.5.0, remote Proxy Address 192.168.50.0,  Crypto map (newmap)

Thanks for everything.
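The debug lines above can be read mechanically. The following is an added example, not code from the thread: it walks constructed lines in the same shape as the posted ASA isakmp debug (newest first, as the ASA buffer shows them), maps the IKE_DECODE payloads onto the six IKEv1 main-mode messages and reports where Phase 1 stopped. The peer address 203.0.113.10 is a placeholder.

```python
import re

# Constructed sample modelled on the ASA isakmp debug lines quoted in the post,
# newest line first as the ASA log buffer shows them. Peer address 203.0.113.10
# is a placeholder, not the poster's value.
SAMPLE_LOG = """\
IP = 203.0.113.10, IKE MM Initiator FSM error history: MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT
IP = 203.0.113.10, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 224
IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 224
IP = 203.0.113.10, Oakley proposal is acceptable
IP = 203.0.113.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10
"""

DECODE = re.compile(r"IKE_DECODE (SENDING|RECEIVED|RESENDING) .*payloads : (.*?) total length")
NOTIFY = re.compile(r"Received an un-encrypted (\w+) notify message")

# IKEv1 main mode: messages 1/2 carry SA, 3/4 carry KE+NONCE, 5/6 carry the
# encrypted ID+HASH, which is the first point at which a pre-shared key is checked.
STEP = {("SENDING", "SA"): 1, ("RECEIVED", "SA"): 2, ("SENDING", "KE"): 3,
        ("RECEIVED", "KE"): 4, ("SENDING", "ID"): 5, ("RECEIVED", "ID"): 6}

def triage(log_text):
    """Walk the debug lines in chronological order and record how far main mode got."""
    r = {"reached_msg": 0, "resends": 0, "notify": None}
    for line in reversed(log_text.splitlines()):
        d = DECODE.search(line)
        if d:
            direction, payloads = d.groups()
            first = payloads.split(" + ")[1].split(" ")[0]   # first payload after HDR
            if direction == "RESENDING":
                r["resends"] += 1
            else:
                r["reached_msg"] = max(r["reached_msg"], STEP.get((direction, first), 0))
        n = NOTIFY.search(line)
        if n:
            r["notify"] = n.group(1)
    r["psk_checked"] = r["reached_msg"] >= 5   # PSK is only tested from message 5 on
    return r

def verdict(r):
    if r["notify"] == "INVALID_COOKIE" and r["reached_msg"] == 3:
        return ("stuck at MM_WAIT_MSG4: peer accepted our SA proposal but does not "
                "recognise the ISAKMP cookies on message 3, so authentication (and the PSK) never ran")
    if r["reached_msg"] >= 6:
        return "main mode completed; compare the Phase 2 (ipsec) settings instead"
    return "main mode stopped after message %d, notify %s" % (r["reached_msg"], r["notify"])
```

The verdict for the posted pattern explains the asker's observation that a wrong pre-shared key produces the same error: the exchange dies before the key is ever used.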

It looks like the negotiations for encryption are not working. I hate to say it, but we need to verify that your isakmp (Phase 1) settings and your ipsec (Phase 2) settings are the same at your site and at the remote site.
 
1) What did they tell you was needed? (Don't give the pre-shared key or the remote IP address.)
Did they specify Phase 1 (isakmp) and Phase 2 (ipsec) settings?

2) We may need to see the output of the following commands:
sh isakmp
sh crypto map
sh tunnel-group

What they gave me was their remote IP, their internal IPs, which were 192.168.50.0 255.255.255.0, then the following in the order listed on the form, with no descriptions:
3DES
SHA
Group 1
Lifetime 86400
I modified your example to these when I used it. (hash and group)

Result of the command: "sh isakmp"

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 2808
In Packets: 36
In Drop Packets: 27
In Notifys: 27
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 9324
Out Packets: 45
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 9
Initiator Fails: 9
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

The show crypto map does not work nor does the sh tunnel-group.

Result of the command: "sh crypto ?"

exec mode commands/options:
  accelerator  Show accelerator operational data
  ca           Show certification authority policy
  ipsec        Show IPsec operational data
  isakmp       Show ISAKMP operational data
  key          Show long term public keys
  protocol     Show protocol statistics

Result of the command: "sh t?"

exec mode commands/options:
  tcpstat    tech-support    terminal    time-range
  track      traffic  

I mostly feel the problem is on their end. Basically it went like this: they sent us a form to fill out with our network information (I didn't know about it), some time went by and they sent us that information, so I punched it in and it didn't work. I asked how they knew about this network and they said "Oh, we need to fill out this form", so then we did and sent it off. Well, I am not sure if I can get anyone up there to check and just make sure; they just say "we have the form and we're OK, don't bother us". I just wanted to know if/what error messages they are getting, but I can not get much help out of them, so I want to make sure our end is as good as it can be.
Thanks,
Jarrid Graham
Yes, see if you can get them to verify their settings with you on the phone or at least through email. It looks like they may have something set differently. I'm guessing that they're using some other settings for their end.

Good Luck!
Also, you can post your sanitized config here and we can review it for any glaring errors. I doubt it but they might give you their config too.
Here is the config cleaned up (hope not too much). I just got to thinking: they use the Cisco VPN client to connect from home to this network; would that affect its ability to connect out? Seems like it shouldn't affect anything, but who knows.
Thanks.


ASA Version 7.2(3)
!
hostname LFM-ASA5505

names

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.59 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name LFM.COM

access-list LittonFamilyMedicine_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.6.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 131072
logging asdm-buffer-size 512
logging buffered informational
logging asdm debugging
logging flash-minimum-free 30760
logging flash-maximum-allocation 10240
mtu inside 1500
mtu outside 1500
ip local pool LFM 192.168.6.10-192.168.6.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
router rip
 network 192.168.3.0
 network 192.168.5.0
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable 500
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.6.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <stupid remote IP that doesnt work>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh 192.168.6.0 255.255.255.0 inside
ssh 192.168.6.0 255.255.255.0 outside
ssh timeout 5
console timeout 5
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.5.60-192.168.5.91 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server LFM_SERVER02 source inside
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value LFM
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy LFM_Policy internal
group-policy LFM_Policy attributes
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock value DefaultL2LGroup
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value LFM.COM
 split-dns none
 backup-servers keep-client-config
 address-pools value LFM
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
group-policy LFM internal
group-policy LFM attributes
 dns-server value 192.168.5.90
 vpn-tunnel-protocol IPSec
 ip-comp enable
 default-domain value LFM.COM

tunnel-group LFM type ipsec-ra
tunnel-group LFM general-attributes
 address-pool LFM
 default-group-policy LFM
tunnel-group LFM ipsec-attributes
 pre-shared-key <key1>
tunnel-group <stupid remote IP that doesnt work>  type ipsec-l2l
tunnel-group <stupid remote IP that doesnt work>  ipsec-attributes
 pre-shared-key <key for site the doesnt work>
tunnel-group-map default-group LFM
prompt hostname context

Well, I set up a constant ping to bounce tunnel requests off their end, to make their end have to look at something. After a while of that it magically came up.
Thanks for everything.