Solved

New ASA 5505 doesn't allow https

Posted on 2007-12-04
Last Modified: 2013-11-16
Heya All,

Great forum!

I have a fresh ASA 5505 that I am trying to eventually set up a site-to-site VPN connection with, but in the meantime have to use it as a gateway to the internet for about 40 users. When I connect the ASA 5505, all users get the internet, but it doesn't allow https sites. I'm sure it is something simple (maybe an inspect https statement?) but I'm new to this particular device (the granularity is overwhelming!).

I'd also be interested in any ACLs that will make the device more secure than the stock vanilla.

I look forward to learning more about this device and appreciate the responses.

Sanitized config below:

ASA Version 8.0(2)
!
hostname xxxx
enable password xxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.x.x.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.x.x.122 255.255.255.x
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list inside_nat0_outbound extended permit ip host 192.x.x.0 host 10.x.x.0
access-list outside_2_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.x.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool fourthcorp1 10.x.x.1-10.x.x.254
ip local pool interface1 192.x.x.2-192.x.x.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.x.x.0 255.255.255.0 inside
http 10.x.x.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 70.x.x.120
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.x.x.2-192.x.x.129 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
tunnel-group 70.x.x.120 type ipsec-l2l
tunnel-group 70.x.x.120 ipsec-attributes
 pre-shared-key *
prompt hostname context
Question by:cargomaster

21 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 20407245
There is nothing that should be blocking any secure sites. Oftentimes if you have a DSL/pppoe account, the added overhead of pppoe requires a MTU setting of 1492 vs the default 1500. You can try that either on the ASA or on the router/modem.

Author Comment

by:cargomaster
ID: 20407306
Unfortunately I can't get into the router as it is the ISP's. Not sure if that is something I can request from them for troubleshooting or not. Thank you for the reply.

Expert Comment

by:lrmoore
ID: 20407342
You can also try adjusting the MTU on the PC itself and see if it helps any.
http://ask-leo.com/i_cant_access_some_websites_why.html

Expert Comment

by:RouterDude
ID: 20408261
You can adjust the MTU on the ASA interfaces themselves. A setting of 1460 usually fixes 443 problems.

Try this,
sysopt connection tcp-mss 1380
and
mtu Outside 1460

The first will set the maximum TCP packet size, the second sets total packet size. Give them a try and see if they help. If not, the next step would be to run some packet traces and see what is happening to them.

As far as your second question goes, the ASA is rather secure out of the box: it does not let anything in unless specifically told to do so, either with the management commands (http, ssh, telnet) or through an ACL or ICMP commands. All connections opened outgoing will close after a set timeout, and there are built-in rules to prevent SYN floods and DoS attacks.

Author Comment

by:cargomaster
ID: 20411169
I will give the interface commands a try.  I'm assuming this should be applied to both vlan 1 and vlan 2?

Thanks!

Expert Comment

by:RouterDude
ID: 20411603
Usually you only need it on the outside interface, but it doesn't hurt to have it on both.

Author Comment

by:cargomaster
ID: 20420679
OK, I made the MTU changes on the 5505 side, but it didn't seem to make a difference. I still cannot access https websites. I also, just for grins, tried to connect (site to site) to the VPN peer and have the log files of those too.

Here is the current config of the ASA 5505(Home site):
ASA Version 8.0(2)
!
hostname ####
enable password #### encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.x.x.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd #### encrypted
banner login UNAUTHORIZED ACCESS IS PROHIBITED AND MONITORED
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list inside_nat0_outbound extended permit ip host 10.x.100.x host 10.x.99.x
access-list inside_nat0_outbound extended permit ip host 192.x.x.0 host 10.x.99.x
access-list inside_nat0_outbound extended permit ip 192.x.x.0 255.255.255.0 any
access-list outside_2_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
access-list outside_1_cryptomap extended permit ip 192.x.x.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
access-list inside_access_in extended permit tcp 192.x.x.0 255.255.255.0 any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1460
ip local pool fourthcorp1 10.x.x.1-10.x.x.254
ip local pool interface1 192.x.x.2-192.x.x.249
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.x.x.121 1
route outside 12.x.x.122 255.255.255.255 12.x.x.121 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 70.x.x.120
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 70.x.x.120
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.x.x.251-192.x.x.254 inside
dhcpd dns 4.2.2.2 151.164.85.201 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
tunnel-group 70.x.x.120 type ipsec-l2l
tunnel-group 70.x.x.120 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end




Here is the config of the ASA 5520(Peer):
ASA Version 7.2(3)
!
hostname ####
domain-name ####
enable password #### encrypted
names
name 10.x.x.253 #### description #### Server
name 70.x.x.121 outside_#### description Outside Address of #### Server
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 70.x.x.120 255.255.255.128
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.x.x.10 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd #### encrypted
banner exec                          --- *** WARNING NOTICE *** ---
banner exec       This system is restricted solely to #### authorized
banner exec        users for legitimate business purposes only.  The
banner exec        actual or attempted unauthorized access, use, or
banner exec        modification of this system is strictly prohibited
banner exec        by ####.
banner exec        Unauthorized users are subject to Company
banner exec        disciplinary proceedings and/or criminal and civil
banner exec        penalties under state, federal, or other applicable
banner exec        domestic and foreign laws.
banner exec        The use of this system may be monitored and recorded
banner exec        for administrative and security reasons. Anyone
banner exec        accessing this system expressly consents to such
banner exec        monitoring and is advised that if monitoring reveals
banner exec        possible evidence of criminal activity, #### may
banner exec        provide the evidence of such activity to law
banner exec        enforcement officials.
banner exec        All users must comply with #### Corporate
banner exec        Instructions regarding the protection of ####
banner exec        information assets.
banner login                                 --- *** WARNING NOTICE *** ---
banner login        This system is restricted solely to #### authorized
banner login        users for legitimate business purposes only.  The
banner login        actual or attempted unauthorized access, use, or
banner login        modification of this system is strictly prohibited
banner login        by ####.
banner login        Unauthorized users are subject to Company
banner login        disciplinary proceedings and/or criminal and civil
banner login        penalties under state, federal, or other applicable
banner login        domestic and foreign laws.
banner login        The use of this system may be monitored and recorded
banner login        for administrative and security reasons. Anyone
banner login        accessing this system expressly consents to such
banner login        monitoring and is advised that if monitoring reveals
banner login        possible evidence of criminal activity, #### may
banner login        provide the evidence of such activity to law
banner login        enforcement officials.
banner login        All users must comply with #### Corporate
banner login        Instructions regarding the protection of ####
banner login        information assets.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name ####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ####_support tcp
 description Support for #### Server
 port-object eq ftp
 port-object eq ftp-data
 port-object eq ssh
object-group network ####Public
 description These are all the public addresses for ####, headquartered on ####.
 network-object host 12.x.x.120
 network-object host 12.x.x.121
 network-object host 12.x.x.122
 network-object host 12.x.x.123
 network-object host 12.x.x.124
 network-object host 12.x.x.125
 network-object host 12.x.x.126
 network-object host 12.x.x.127
 network-object host 65.x.x.17
 network-object host 65.x.x.18
 network-object host 65.x.x.19
 network-object host 65.x.x.20
 network-object host 65.x.x.21
 network-object host 65.x.x.22
 network-object host 65.x.x.23
 network-object host 65.x.x.24
 network-object host 65.x.x.25
 network-object host 65.x.x.26
access-list outside_access_in remark Support #### Server
access-list outside_access_in extended permit tcp any host outside_#### object-group ####_support
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list inside_access_in extended permit ip 10.x.0.0 255.255.255.0 10.x.x.0 255.255.255.0
pager lines 24
logging enable
logging list VPN-tunnels level alerts
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) outside_#### #### netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 70.x.x.10 255.255.255.255 outside
http 65.x.x.17 255.255.255.255 outside
http 12.x.x.122 255.255.255.255 outside
http 65.x.x.20 255.255.255.255 outside
http 12.x.x.120 255.255.255.255 outside
http 65.x.x.18 255.255.255.255 outside
http 65.x.x.26 255.255.255.255 outside
http 12.x.x.125 255.255.255.255 outside
http 65.x.x.23 255.255.255.255 outside
http 65.x.x.22 255.255.255.255 outside
http 12.x.x.126 255.255.255.255 outside
http 65.x.x.25 255.255.255.255 outside
http 65.x.x.24 255.255.255.255 outside
http 12.x.x.127 255.255.255.255 outside
http 12.x.x.121 255.255.255.255 outside
http 65.x.x.21 255.255.255.255 outside
http 65.x.x.19 255.255.255.255 outside
http 12.x.x.123 255.255.255.255 outside
http 12.x.x.124 255.255.255.255 outside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.x.x.122
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 65.x.x.121
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner value This system is for authorized users only. All activity is logged and regulary checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any unauthorized use or attempted unauthorized use on this system will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 12.x.x.122 type ipsec-l2l
tunnel-group 12.x.x.122 ipsec-attributes
 pre-shared-key *
tunnel-group 65.x.x.121 type ipsec-l2l
tunnel-group 65.x.x.121 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end


And finally, here is the 5505 log when trying to establish tunnel with Peer:

6|Dec 05 2007|20:50:08|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:07|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:07|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:06|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:05|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Dec 05 2007|20:50:05|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Information Exchange processing failed
4|Dec 05 2007|20:50:05|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.
5|Dec 05 2007|20:50:05|713904|||Group = 70.x.x.120, IP = 70.x.x.120, Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping
5|Dec 05 2007|20:50:05|713041|||IP = 70.x.x.120, IKE Initiator: New Phase 1, Intf inside, IKE Peer 70.x.x.120  local Proxy Address 192.x.x.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
4|Dec 05 2007|20:50:04|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error: Unable to remove PeerTblEntry
3|Dec 05 2007|20:50:04|713902|||Group = 70.x.x.120, IP = 70.x.x.120, Removing peer from peer table failed, no match!
6|Dec 05 2007|20:50:04|713905|||Group = 70.x.x.120, IP = 70.x.x.120, P1 Retransmit msg dispatched to MM FSM
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Dec 05 2007|20:50:04|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:04|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:04|713905|||Group = 70.x.x.120, IP = 70.x.x.120, P1 Retransmit msg dispatched to MM FSM
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Dec 05 2007|20:50:04|713905|||Group = 70.x.x.120, IP = 70.x.x.120, P1 Retransmit msg dispatched to MM FSM
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Dec 05 2007|20:50:03|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:03|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5|Dec 05 2007|20:50:03|713904|||IP = 70.x.x.120, Received encrypted packet with no matching SA, dropping
6|Dec 05 2007|20:50:00|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:00|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:59|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:59|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:58|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:57|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:57|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:56|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Dec 05 2007|20:49:56|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Information Exchange processing failed
4|Dec 05 2007|20:49:56|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error, peer has indicated that something is wrong with our message.  This could indicate a pre-shared key mismatch.



I did reset the router to defaults and tried the wizard to redo the site-to-site VPN to see if that cleared the issue up, to no avail.

Upping the point value  : )

Respectfully,

Author Comment

by:cargomaster
ID: 20422708
I'm thinking I may just do a "clear configure all" and start from scratch.  That way I can focus solely on:

A) Getting the device on the internet
B) Resolving the HTTPS issue
C) Connect to VPN Peer

What do you all recommend?  Also, should I post a new topic for point A?

Expert Comment

by:RouterDude
ID: 20423147
Interesting that https isn't working. Your inspection policy is fine. Just for kicks, did you verify that you can get to the same sites from outside the firewall? One item I like to do is change the NAT

nat (inside) 1 0.0.0.0 0.0.0.0
to more specific addressing, just the traffic you want to translate. I find it makes for a cleaner config and easier for troubleshooting since you know exactly what you are translating.
Do a show xlate and look for the IP of the website you are attempting to reach to verify that it is translating, and there is another thing that can be done to troubleshoot this. The good news is you are running version 8.0, which means you have ASDM ver 6. There is a tool called packet trace in the NAT configuration. Run a packet trace using port 443 and see what comes up. If you don't get any errors, then the problem is on the outside of the firewall, and we can do some further testing with CLI tools.

Expert Comment

by:theeter
ID: 20430224
I think you may have overlooked that your inside access list is only permitting www.

access-list inside_access_in extended permit tcp 192.x.x.0 255.255.255.0 any eq www

add...

access-list inside_access_in extended permit tcp 192.x.x.0 255.255.255.0 any eq https

Author Comment

by:cargomaster
ID: 20430236
I now have the internet with https after doing "clear configure all"... Now A and B are completed; I just need to establish the VPN with the peer:

Here is the current 5505 config:

ASA Version 8.0(2)
!
hostname ####
domain-name ####
enable password #### encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.x.x.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 12.x.x.122 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 shutdown
!
passwd #### encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ####
access-list inside_nat0_outbound extended permit ip host 10.x.100.x host 10.x.99.x
access-list inside_nat0_outbound extended permit ip host 192.x.x.0 host 10.x.99.x
access-list inside_nat0_outbound extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
access-list outside_1_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool fourthcorp1 10.x.x.1-10.x.x.254
ip local pool interface1 192.x.x.2-192.x.x.249
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.x.0.x 255.255.0.0 inside
http 192.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 70.x.x.120
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 151.164.85.201 151.164.11.201
dhcpd ping_timeout 750
dhcpd domain transportindustries.local
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group 70.x.x.120 type ipsec-l2l
tunnel-group 70.x.x.120 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end

Author Comment

by:cargomaster
ID: 20430560
Heya Theeter!

Just saw your post right before I did. I had already cleared the device yesterday and hooked it back up for testing, and that cleared it up.

thanks!

Expert Comment

by:RouterDude
ID: 20430676
Your debug indicates the pre-share is not matching. Make sure the key at both ends is identical, and re-enter them just to make sure.

Author Comment

by:cargomaster
ID: 20430772
Going to try that again on both sides RouterDude, thanks.  Will let ya know what happens.

Author Comment

by:cargomaster
ID: 20442372
OK, I entered the pre-shared key on both sides and also made sure the algorithm matches. Still no tunnel.

Here is the log from the PEER Side which says crypto map not found.  What do you suggest I do?

4|Dec 06 2007|08:54:11|113019|||Group = 12.x.x.122, Username = 12.x.x.122, IP = 12.x.x.122, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Dec 06 2007|08:54:11|713902|||Group = 12.x.x.122, IP = 12.x.x.122, Removing peer from correlator table failed, no match!
3|Dec 06 2007|08:54:11|713902|||Group = 12.x.x.122, IP = 12.x.x.122, QM FSM error (P2 struct &0x4d86ae8, mess id 0x7c852be5)!
3|Dec 06 2007|08:54:11|713061|||Group = 12.x.x.122, IP = 12.x.x.122, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.100.0/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside



Thanks!

0
 

Author Comment

by:cargomaster
ID: 20445010
In looking at the packet tracer on both the home and remote site, it gets to the ACL portion and drops packets:

Info: (acl-drop) Flow is denied by configured rule.
0
 

Author Comment

by:cargomaster
ID: 20449326
In looking at the ACL Manager from the remote site, I have the following:

Outside_1_cryptomap
  inside network/24 (source) to 10.x.x.0 (destination) IP (service) Permit

Inside_nat0_outbound
  1  10.x.100.0 (source) to 10.x.99.0 (destination) IP (service) Permit
  2  192.x.100.x (255.255.255.255) to 10.x.99.x (destination) IP (service) Permit
  3  Inside network/24 (source) to 10.x.99.x (destination) IP (service) Permit

I have tried removing the tunnels and recreating with the ASDM gui but it still says that a rule or acl is blocking my VPN tunnel.


0
 

Author Comment

by:cargomaster
ID: 20449595
Ok Now from the PEER side I removed the ACL's and want to start from scratch.

I need remote network 192.x.x.0/24(Inside) & 12.x.x.122(Outside)
to be able to access
remote network 10.x.x.253(Inside) & 70.x.x.121(Outside)

The Peer is 70.x.x.120

Here is the ACL config from the PEER side:

access-list outside_access_in remark Support #### Server
access-list outside_access_in extended permit tcp any host outside_#### object-group ####_support
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.x.99.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list inside_access_in extended permit tcp 10.x.0.0 255.255.255.0 10.x.0.0 255.255.255.0

Here is the Tunnel Info:

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.x.x.122
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
0
 
LVL 3

Accepted Solution

by:
RouterDude earned 250 total points
ID: 20453105
As long as the ISAKMP is identical on both sides, the ACL for interesting traffic matches (but opposite) and you have crypto map outside_map interface outside, IPSec will work. You also need to add a tunnel group (IP) for the pre-share key.
Here is an example to go on from a working setup.

access-list VPN-IN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Inside_out_VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Inside_out_VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.240

nat (inside) 0 access-list Inside_out_VPN
crypto ipsec transform-set VPN-Users esp-aes-256 esp-sha-hmac
crypto ipsec transform-set To-Hoffman esp-aes-256 esp-sha-hmac
crypto dynamic-map VPN-Users 20 set pfs
crypto dynamic-map VPN-Users 20 set transform-set VPN-Users To-Hoffman
crypto dynamic-map VPN-Users 20 set reverse-route
crypto map VPN 10 match address VPN-IN
crypto map VPN 10 set peer 74.x.x.24
crypto map VPN 10 set transform-set To-Hoffman
crypto map VPN 20 ipsec-isakmp dynamic VPN-Users
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 74.x.x.24 type ipsec-l2l
tunnel-group 74.x.x.24 ipsec-attributes
 pre-shared-key *

The other side is identical except for the ACL: reverse the networks. Keep in mind the source network (first one) is the local network; many times these get reversed. Tunnel group will be the same as the peer (remote ASA).  If you still have a problem and are using the ASDM, use the CLI. There is a version of ASDM that causes IPSEC to fail by inputting the wrong commands. You can basically take what I posted here, put it in notepad, modify it to match your information and paste into the CLI. Part of the config above includes dynamic tunnels for VPN clients, so you may want to remove those lines.
0
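The conditions RouterDude lists (matching ISAKMP policy, mirrored interesting-traffic ACLs, the crypto map applied to an interface, and an ipsec-l2l tunnel-group for the peer) and the 713061 "no matching crypto map entry" message cargomaster quoted earlier can be checked mechanically before anyone re-types keys. The script below is an added example, not code from this thread or from Cisco. It parses two constructed ASA config snippets (ACL name VPN-IN, map name VPN and the 198.51.100.1 / 203.0.113.1 peer addresses are all constructed, as is the "Site B copied Site A's ACL" mistake), reports every crypto-ACL entry the other side does not mirror, checks the two structural conditions, looks for an ISAKMP policy both sides agree on, and decodes the proxy identities out of the 713061 line from the thread so they can be matched against a responder's crypto ACL.

```python
"""Consistency checks for an ASA site-to-site IPsec pair (added example, not from the
thread). Configs, names and addresses below are constructed; the 713061 message is the
one quoted in the question."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proxy:
    """One crypto-ACL entry as seen by the side that owns it: local net -> remote net."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def _addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_crypto_acl(config: str, acl_name: str) -> List[Proxy]:
    """Collect the 'extended permit ip' entries of one ACL (remarks and tcp/udp lines are skipped)."""
    out = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        src, i = _addr(t, 5)
        dst, _ = _addr(t, i)
        out.append(Proxy(local=src, remote=dst))
    return out


def crypto_acl_name(config: str, map_name: str, seq: int) -> Optional[str]:
    """ACL bound to 'crypto map <map> <seq> match address'."""
    m = re.search(rf"^crypto map {map_name} {seq} match address (\S+)\s*$", config, re.M)
    return m.group(1) if m else None


def mirror_mismatches(mine: List[Proxy], theirs: List[Proxy]) -> List[Proxy]:
    """Entries of `mine` for which the peer has no entry with source and destination swapped."""
    swapped = {Proxy(local=p.remote, remote=p.local) for p in theirs}
    return [p for p in mine if p not in swapped]


def structural_issues(config: str, map_name: str, seq: int) -> List[str]:
    """Map applied to an interface, and an ipsec-l2l tunnel-group named after the peer."""
    issues = []
    peer = re.search(rf"^crypto map {map_name} {seq} set peer (\S+)", config, re.M)
    if peer is None:
        issues.append("no 'set peer' on the crypto map entry")
    elif not re.search(rf"^tunnel-group {re.escape(peer.group(1))} type ipsec-l2l", config, re.M):
        issues.append(f"no ipsec-l2l tunnel-group for peer {peer.group(1)}")
    if not re.search(rf"^crypto map {map_name} interface \S+", config, re.M):
        issues.append(f"crypto map {map_name} not applied to an interface")
    return issues


def isakmp_policies(config: str) -> List[frozenset]:
    """Each 'crypto isakmp policy' block as a frozenset of its attribute lines, lifetime excluded
    (lifetime is negotiated down by IKEv1 and need not be identical)."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy "):
            current = set()
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            if not line.strip().startswith("lifetime"):
                current.add(line.strip())
        else:
            current = None
    return [frozenset(b) for b in blocks]


def common_isakmp_policy(cfg_a: str, cfg_b: str) -> bool:
    """True if some policy on A and some policy on B agree on every attribute."""
    return bool(set(isakmp_policies(cfg_a)) & set(isakmp_policies(cfg_b)))


# Proxy identities inside an ASA 713061 message: "remote proxy A/M/0/0 local proxy B/M/0/0".
LOG_713061 = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")


def proxies_from_713061(log_line: str) -> Proxy:
    """Decode the responder's 713061 line. 'remote proxy' is the network the peer claimed for its
    own side and 'local proxy' the network it asked this ASA to cover, so the result is already
    in the responder's own orientation and can be compared with the responder's crypto ACL."""
    m = LOG_713061.search(log_line)
    if m is None:
        raise ValueError("not a 713061 proxy-identity message")
    raddr, rmask, laddr, lmask = m.groups()
    return Proxy(local=ipaddress.ip_network(f"{laddr}/{lmask}"),
                 remote=ipaddress.ip_network(f"{raddr}/{rmask}"))


def entry_accepting(proposal: Proxy, responder_acl: List[Proxy]) -> Optional[Proxy]:
    """The responder ACL entry equal to the proposed pair, or None (exactly the 713061 condition)."""
    return next((p for p in responder_acl if p == proposal), None)


def check_pair(cfg_a: str, cfg_b: str, map_name: str = "VPN", seq: int = 10) -> dict:
    """Run every check from the answer for one crypto map entry on both sides."""
    pa = parse_crypto_acl(cfg_a, crypto_acl_name(cfg_a, map_name, seq) or "")
    pb = parse_crypto_acl(cfg_b, crypto_acl_name(cfg_b, map_name, seq) or "")
    return {"a_unmirrored": mirror_mismatches(pa, pb), "b_unmirrored": mirror_mismatches(pb, pa),
            "a_issues": structural_issues(cfg_a, map_name, seq),
            "b_issues": structural_issues(cfg_b, map_name, seq),
            "isakmp_ok": common_isakmp_policy(cfg_a, cfg_b)}


# Constructed Site A: 192.168.1.0/24 behind it, peer 198.51.100.1 (documentation addresses).
SITE_A = """\
access-list VPN-IN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map VPN 10 match address VPN-IN
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
"""
# Constructed Site B that copied Site A's ACL line verbatim instead of reversing the networks.
SITE_B_WRONG = SITE_A.replace("198.51.100.1", "203.0.113.1")
SITE_B_FIXED = SITE_B_WRONG.replace(
    "permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0")
# The 713061 line quoted in the thread.
THREAD_LOG = ("3|Dec 06 2007|08:54:11|713061|||Group = 12.x.x.122, IP = 12.x.x.122, Rejecting IPSec "
              "tunnel: no matching crypto map entry for remote proxy 192.168.100.0/255.255.255.0/0/0 "
              "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")

if __name__ == "__main__":
    for label, cfg in (("wrong", SITE_B_WRONG), ("fixed", SITE_B_FIXED)):
        print(label, check_pair(SITE_A, cfg))
    proposal = proxies_from_713061(THREAD_LOG)
    print("thread proposal:", proposal, "accepted by:",
          entry_accepting(proposal, parse_crypto_acl(SITE_A, "VPN-IN")))
```

With the copied ACL both sides report one un-mirrored entry; after the networks are reversed on Site B the report is clean. For the thread's 713061 line the decoded proposal is local 0.0.0.0/0 and remote 192.168.100.0/24, and no specific crypto-ACL entry equals that pair, which is precisely what the responder logs. A 0.0.0.0/0 proxy comes from the initiator's crypto ACL naming an open-ended destination, so the cure is to correct that ACL on the initiator until both sides carry the same two specific networks in opposite order, not to widen the responder's ACL until it accepts the proposal.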
 

Author Closing Comment

by:cargomaster
ID: 31412677
RouterDude,

Thanks so much for your tenacity on helping me solve my issue(s).  Your help is greatly appreciated!
0
 
LVL 3

Expert Comment

by:RouterDude
ID: 20454367
Glad I could help.
0