o-tvw-ee
asked on
Cisco ASA 5510 Lan2Lan IPSec tunnel
Hi all,
We would like to build an IPSec tunnel to a customer of ours. We have several tunnels and they are working fine, but this one just won't come up.
This is the scenario: we can use 2 IP addresses to connect to the customer, and we use NATting to translate some IP ranges from the inside to those 2 IP addresses. When I start a ping from the inside (192.168.40.30 to be exact) to cust.ip.addres.17, nothing happens.
I've tried debug crypto ipsec/isakmp but they don't show me any info on this tunnel. I don't see anything in the logs about this tunnel either. It seems that it doesn't use the tunnel to try to get to the customer IP.
What am I doing wrong?
Thanks!
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
access-list crypto_customer remark VPN Tunnel to customer
access-list crypto_customer extended permit ip our.ip.addr.104 255.255.255.254 cust.ip.addr.16 255.255.255.248
access-list nat_customer remark NAT for VPN tunnel to customer
access-list nat_customer extended permit ip 192.168.45.0 255.255.255.0 cust.ip.addr.16 255.255.255.248
access-list nat_customer extended permit ip host 192.168.40.30 cust.ip.addr.16 255.255.255.248
global (outside) 3 our.ip.addr.104
nat (inside) 3 access-list nat_customer
static (inside,outside) our.ip.addr.104 192.168.40.2 netmask 255.255.255.255 dns
static (inside,outside) our.ip.addr.105 192.168.40.67 netmask 255.255.255.255 dns
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 140 match address crypto_customer
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer PEERIP
crypto map outside_map 140 set transform-set ESP_AES_SHA
crypto map outside_map 140 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group PEERIP type ipsec-l2l
tunnel-group PEERIP ipsec-attributes
pre-shared-key *
ASKER
We need to access the other end from 2 IP addresses: .104 and .105, so I need the 255.255.255.254 netmask. I don't see any error messages in the syslog.
Then you should make the following modification:
no global (outside) 3 our.ip.addr.104
global (outside) 3 our.ip.addr.104 netmask 255.255.255.254
also
"When I start a ping from the inside (192.168.40.30 to be exact) to the cust.ip.addres.17 nothing happens. "
you have crypto and nat entries for cust.ip.addres.16 not 17
ASKER
We're using the our.ip.addr.104 through the global setting, and the our.ip.addr.105 through a static for a specific server.
Also, on the customer side we have a netmask of 255.255.255.248 so the .17 address is included in the crypto and the nat
Ah I see.
Do you have a NAT-global statement before 3 that uses something like
nat (inside) 1 0 0
If yes, traffic would be flowing through that statement before it reaches yours. So I suggest giving a higher value to that kind of statement.
Please post here the output of the following command
packet-tracer input inside 192.168.40.30 3389 cust.ip.addres.17 3389 detailed
ASKER
Interesting command :) I learn something new every day...
I can see the packet is dropped, but I have no clue why.....
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4436780, priority=1, domain=permit, deny=false
hits=43569747, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4439aa8, priority=0, domain=permit-ip-option, deny=true
hits=13198981, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4cb32b0, priority=20, domain=lu, deny=false
hits=11580544, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list nat_customer
match ip inside host 192.168.40.30 outside cust.ip.addr.16 255.255.255.248
dynamic translation to pool 3 (our.ip.addr.104)
translate_hits = 514, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.40.30/3389 to our.ip.addr.104/1024 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0x4593aa0, priority=2, domain=nat, deny=false
hits=513, user_data=0x4593a30, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.40.30, mask=255.255.255.255, port=0
dst ip=cust.ip.addr.16, mask=255.255.255.248, port=0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 3 access-list nat_customer
match ip inside host 192.168.40.30 outside cust.ip.addr.16 255.255.255.248
dynamic translation to pool 3 (our.ip.addr.104)
translate_hits = 514, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4593cf0, priority=2, domain=host, deny=false
hits=551, user_data=0x4593a30, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.40.30, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x525d2d8, priority=70, domain=encrypt, deny=false
hits=37, user_data=0x0, cs_id=0x4c23f80, reverse, flags=0x0, protocol=0
src ip=our.ip.addr.104, mask=255.255.255.254, port=0
dst ip=cust.ip.addr.16, mask=255.255.255.248, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASKER
Also, we don't have a nat (inside) 1 0 0 command. We use nat (inside) 1 192.168.0.0 255.255.0.0
192.168.0.0 covers 192.168.40.30, so the packet should not be passing via this translation and nat 3 should be ignored, but packet-tracer does not say so (interesting).
What I would suggest is issuing the following exactly (make sure you take steps below via console, not remotely because it may cause disconnectivity)
no nat (inside) 1 192.168.0.0 255.255.0.0
no global (outside) 1 xxxxwhatever
no global (outside) 3 our.ip.addr.104
no nat (inside) 3 access-list nat_customer
nat (inside) 5 192.168.0.0 255.255.0.0
global (outside) 5 xxxxwhatever
nat (inside) 1 access-list nat_customer
global (outside) 1 our.ip.addr.104
clear xlate
Packet-analyzer says your config is OK; it says drop in phase 8 (VPN) because the VPN tunnel is not established. Something may be wrong at the remote end.
Next, configure your ASDM syslog options for logging notifications, not informational, so you will be able to see the essential syslogs about VPN. As you try pinging or telnetting to the remote host, a log saying "IKE initiator bla bla" in blue should appear in the syslogs.
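Added example, not from this thread or from Cisco: a small Python parser for the packet-tracer output posted above that reports the first dropping phase and checks whether the address NAT produced sits inside the crypto ACL source network the VPN phase matched, which is the relationship being read off the trace here. It assumes RFC 5737 documentation addresses (203.0.113.104/31 for our.ip.addr.104-105 and 198.51.100.16/29 for cust.ip.addr.16) in place of the thread's redacted placeholders so they parse as IPs.

```python
"""Parse Cisco ASA `packet-tracer ... detailed` output and relate its NAT phase to
its VPN/encrypt phase.  Added example, not Cisco tooling or the thread's config.
SAMPLE_TRACE is constructed from the thread's trace; the redacted our.ip.addr.104 /
cust.ip.addr.16 placeholders become RFC 5737 documentation addresses (assumption)."""
import ipaddress
import re

SAMPLE_TRACE = """\
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
nat (inside) 3 access-list nat_customer
  match ip inside host 192.168.40.30 outside 198.51.100.16 255.255.255.248
    dynamic translation to pool 3 (203.0.113.104)
Additional Information:
Dynamic translate 192.168.40.30/3389 to 203.0.113.104/1024 using netmask 255.255.255.255
        src ip=192.168.40.30, mask=255.255.255.255, port=0
        dst ip=198.51.100.16, mask=255.255.255.248, port=0

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Additional Information:
 out id=0x525d2d8, priority=70, domain=encrypt, deny=false
        src ip=203.0.113.104, mask=255.255.255.254, port=0
        dst ip=198.51.100.16, mask=255.255.255.248, port=0

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed variant of the "another nat statement wins" hypothesis from the
# thread: the flow gets PATed to a global address the crypto ACL does not cover.
MISMATCH_TRACE = (SAMPLE_TRACE.replace("pool 3 (203.0.113.104)", "pool 2 (203.0.113.78)")
                              .replace("to 203.0.113.104/1024", "to 203.0.113.78/1024"))

PHASE_RE = re.compile(r"^Phase: (\d+)\s*$")
SRC_RULE_RE = re.compile(r"^\s*src ip=([\d.]+), mask=([\d.]+)", re.M)
XLATE_RE = re.compile(r"translate ([\d.]+)/\d+ to ([\d.]+)/\d+")  # NAT phase line


def parse_phases(trace):
    """Split the trace into phases; the trailing bare 'Result:' summary ends them."""
    phases, current = [], None
    for line in trace.splitlines():
        m = PHASE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "lines": []}
            phases.append(current)
        elif current is None or line.strip() == "Result:":
            current = None
        else:
            key, _, val = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                current[key.lower()] = val.strip()
            else:
                current["lines"].append(line)
    return phases


def next_step(report):
    if report["drop_phase"] is None:
        return "no drop in trace"
    if report["drop_type"] != "VPN/encrypt":
        return f"dropped at {report['drop_type']}: {report['drop_reason']}"
    if report["src_covered_by_crypto_acl"]:
        return ("crypto map selected the flow, so the drop is inside IPsec: check IKE "
                "negotiation (peer, proposals, pre-shared key) and the remote end")
    return ("translated source is outside the crypto ACL source network: fix the NAT "
            "rule order or make the crypto ACL cover the address NAT produces")


def diagnose(trace):
    """The ASA matches the crypto ACL on the post-NAT packet (NAT is an earlier phase
    than VPN/encrypt), so the translated source must lie inside the encrypt rule."""
    phases = parse_phases(trace)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    vpn = next((p for p in phases if p["type"] == "VPN"), None)
    x = XLATE_RE.search(trace)
    translated = ipaddress.ip_address(x.group(2)) if x else None
    r = SRC_RULE_RE.search("\n".join(vpn["lines"])) if vpn else None
    crypto_src = ipaddress.ip_network(f"{r.group(1)}/{r.group(2)}", strict=False) if r else None
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    covered = translated is not None and crypto_src is not None and translated in crypto_src
    report = {
        "drop_phase": drop["number"] if drop else None,
        "drop_type": f'{drop["type"]}/{drop["subtype"]}' if drop else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "translated_src": str(translated) if translated is not None else None,
        "crypto_src": str(crypto_src) if crypto_src is not None else None,
        "src_covered_by_crypto_acl": covered,
    }
    report["next_step"] = next_step(report)
    return report
```

Run `diagnose()` on the pasted output of `packet-tracer input inside <src> <port> <dst> <port> detailed`; the 255.255.255.254 mask on .104 parses as a /31 that covers both .104 and .105, which is the asker's intent.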
ASKER
I get these error messages in my logfile as soon as I start pinging the remote LAN:
%ASA-3-713063: IKE Peer address not configured for destination X.X.X.X
(X.X.X.X is a random IP address that changes with each error message). They disappear as soon as I stop pinging...
Can you post your full config? (Then you can ask a moderator to delete it.)
Can you type some example IPs that X.X.X.X takes randomly?
Try this
no access-list crypto_valuesource extended permit ip our.ip.address.104 255.255.255.254 193.244.115.16 255.255.255.248
access-list crypto_valuesource permit ip host our.ip.address.104 193.244.115.16 255.255.255.248
access-list crypto_valuesource permit ip host our.ip.address.105 255.255.255.254 193.244.115.16 255.255.255.248
Then in CLI, type PING. As source address for ping, type 192.168.40.7 and destination as 193.244.115.16
Open your ASDM, click on Monitor > VPN, choose Sessions, then filter L2L. Click Refresh after the PING trials and see whether the tunnel is established or not. Maybe the tunnel establishes but no traffic flows.
correction
"Then in CLI, type PING. As source address for ping, type 192.168.40.7 and destination as 193.244.115.17"; try .18 and .19 afterwards.
correction
access-list crypto_valuesource permit ip host our.ip.address.105 193.244.115.16 255.255.255.248
ASKER
Nothing changed. I still get the error messages, and I don't see any output in the debug isakmp or ipsec from this tunnel.
I did the packet trace again and that seems ok... The translation to the external IP address works, but it seems that the ASA just doesn't recognize that the traffic should go through the tunnel...
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list nat_valuesource
match ip inside 192.168.0.0 255.255.0.0 outside 193.244.115.16 255.255.255.248
dynamic translation to pool 3 (212.35.120.104)
translate_hits = 27142, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.40.30/3389 to 212.35.120.104/1025 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 3 access-list nat_valuesource
match ip inside 192.168.0.0 255.255.0.0 outside 193.244.115.16 255.255.255.248
dynamic translation to pool 3 (212.35.120.104)
translate_hits = 27142, untranslate_hits = 0
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Ah, totally forgot that one. Computer101 would you please let me have the full config once then I will reply for removal.
ASKER
I'll post the config again. We changed it a bit (removed the PAT and increased the external IP addresses we use from 2 to 4 to make it less complex; the symptoms stay the same though).
: Saved
:
ASA Version 7.2(3)
!
hostname ORDFW01
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address our.ip.address.90 0.0.0.0 standby our.ip.address.91
!
interface Ethernet0/1
description Inside MPLS interface
nameif inside
security-level 100
ip address 0.0.0.0 0.0.0.0 standby 0.0.0.0
!
interface Ethernet0/2
description DMZ Zone
nameif dmz
security-level 50
ip address 0.0.0.0 0.0.0.0 standby 0.0.0.0
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 0
ip address 0.0.0.0 0.0.0.0 standby 0.0.0.0
management-only
!
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone CET 2
dns server-group DefaultDNS
access-list acl_outside extended permit udp any host our.ip.address.90 eq 1701 inactive
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit ip 0.0.0.0 0.0.0.0 any
access-list acl_outside remark Iterum Planningstool - Marc Van Damme
access-list acl_outside extended permit tcp any host our.ip.address.89 eq www
access-list acl_outside extended permit tcp any host our.ip.address.89 eq https
access-list acl_outside remark Telefooncentrale Leuven - Rudi Potoms
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 5000
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 6000
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 6100
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 9000
access-list acl_outside remark ORDSCS - Gunter De Neef
access-list acl_outside extended permit tcp any host our.ip.address.92 eq ftp
access-list acl_outside remark SAPRouter - Hans Lauwers
access-list acl_outside extended permit tcp any host our.ip.address.93 eq 3299
access-list acl_outside extended permit tcp any host our.ip.address.103 eq 3299
access-list acl_outside remark TVWBSupport connection to HoTH database
access-list acl_outside extended permit tcp host our.ip.address.69 host our.ip.address.93 eq 1433
access-list acl_outside remark Webserver
access-list acl_outside extended permit tcp any host our.ip.address.69 eq www
access-list acl_outside extended permit tcp any host our.ip.address.69 eq https
access-list acl_outside extended permit tcp any host our.ip.address.69 eq ftp
access-list acl_outside extended permit tcp any host our.ip.address.69 eq 3389
access-list acl_outside remark Evobizz
access-list acl_outside extended permit tcp any host our.ip.address.80 eq www
access-list acl_outside extended permit tcp any host our.ip.address.80 eq https
access-list acl_outside remark Email/Antispam
access-list acl_outside extended permit tcp any host our.ip.address.78 eq 995
access-list acl_outside extended permit tcp any host our.ip.address.78 eq 993
access-list acl_outside extended permit tcp any host our.ip.address.78 eq 8000
access-list acl_outside extended permit tcp any host our.ip.address.78 eq https
access-list acl_outside extended permit tcp any host our.ip.address.78 eq www
access-list acl_outside extended permit tcp any host our.ip.address.78 eq smtp
access-list acl_outside remark Intranet
access-list acl_outside extended permit tcp any host our.ip.address.82 eq www
access-list acl_outside extended permit tcp any host our.ip.address.82 eq https
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 8091
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 8090
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 90
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 91
access-list acl_outside remark ORDWsus - Geert Coelmont
access-list acl_outside extended permit tcp any host our.ip.address.94 eq ftp
access-list acl_outside remark ORDVPCDEV11 - Paul Hermans
access-list acl_outside extended permit tcp any host our.ip.address.86 eq www
access-list acl_outside remark ORDVMORACLE01 - Dimitri Gielis
access-list acl_outside extended permit tcp any host our.ip.address.87 eq https
access-list acl_outside remark ORDvmsappi - Cedric Laridon
access-list acl_outside extended permit tcp any host our.ip.address.85 eq 50001
access-list acl_outside extended permit tcp any host our.ip.address.85 eq 50000
access-list acl_outside extended permit tcp any host our.ip.address.85 eq 8000
access-list acl_outside extended permit icmp host 0.0.0.0 host 0.0.0.0
access-list acl_outside remark JIRA production - Yves Thomas
access-list acl_outside extended permit tcp any host our.ip.address.100 eq www
access-list acl_outside remark Webserver
access-list acl_outside extended permit tcp any host our.ip.address.101 eq www
access-list acl_outside extended permit tcp any host our.ip.address.101 eq 3389
access-list acl_outside extended permit tcp any host our.ip.address.101 eq https
access-list acl_outside remark Development - Daan Kets
access-list acl_outside extended permit tcp any host our.ip.address.97
access-list acl_outside extended permit tcp any host our.ip.address.98
access-list acl_outside extended permit tcp any host our.ip.address.99
access-list acl_outside extended permit tcp any host 0.0.0.0 eq ftp
access-list acl_outside remark ORDVMNWMON01 - SeKo - SNMP
access-list acl_outside extended permit udp host 0.0.0.0 host our.ip.address.84 eq syslog
access-list acl_outside remark Access to SAPRouter for SAP - SAP Tech
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3200
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3300
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3399
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3600
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3299
access-list acl_outside remark Production Webserver
access-list acl_outside extended permit tcp any host our.ip.address.115 eq www
access-list acl_outside extended permit tcp any host our.ip.address.115 eq https
access-list acl_outside extended permit tcp any host our.ip.address.115 eq 990
access-list acl_outside remark Access for Texaco to download SAP Notes - SAP Tech
access-list acl_outside extended permit tcp 0.0.0.0 0.0.0.0 host 0.0.0.0 eq 3299
access-list acl_outside extended permit tcp any host our.ip.address.78 eq ssh
access-list acl_outside remark FTP Server
access-list acl_outside extended permit tcp any host our.ip.address.116 eq 990
access-list acl_outside extended permit tcp any host our.ip.address.116 eq ssh
access-list acl_outside extended permit tcp any host our.ip.address.116 eq ftp
access-list acl_outside extended permit tcp any host our.ip.address.116 eq ftp-data
access-list acl_outside extended permit tcp any host our.ip.address.115 eq ftp
access-list acl_outside remark MOSS environment J&J Demo Server . Elke Bogaerts
access-list acl_outside extended permit tcp any host our.ip.address.117 eq www
access-list acl_outside extended permit tcp any host our.ip.address.117 eq 8080
access-list acl_outside extended permit tcp any host our.ip.address.117 eq 7000
access-list acl_outside remark Topdesk - Yves Thomas
access-list acl_outside extended permit tcp any host our.ip.address.118 eq https
access-list acl_outside remark Team Foundation Server - Paul Hermans
access-list acl_outside extended permit tcp any host our.ip.address.105 eq 81
access-list acl_outside remark JTech Server - Frederick Beernaert
access-list acl_outside extended permit tcp any host our.ip.address.81 eq www
access-list acl_outside extended permit icmp any any
access-list nonat remark Remote VPN users
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN tunnel to NTT for NAGIOS alerts from KUBOTA Servers - Steven Helsen
access-list nonat extended permit ip host 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN tunnel to PAB - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonat remark VPN tunnel to SUBARU for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark Nonat to DMZ
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN tunnel to Texaco - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to HQ GCeurope for SAP - Hans Lauwers
access-list nonat remark VPN Tunnel to Toerisme Vlaandere for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to Texaco (Delek) for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to Sanico - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to Blankedale for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonatBPI extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_BPI remark VPN tunnel to BPI for DENKART - Gery Laeremans
access-list crypto_BPI extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU remark VPN tunnel to SUBARU for SAP - Hans Lauwers
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_NAGIOS_to_NTT remark VPN tunnel to NTT for NAGIOS alerts from KUBOTA Servers - Steven Helsen
access-list crypto_NAGIOS_to_NTT extended permit ip host 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_RUTGES remark VPN tunnel to Rutges - Gunther De Neef
access-list crypto_RUTGES extended permit ip host our.ip.address.92 0.0.0.0 0.0.0.0
access-list crypto_PAB remark VPN tunnel to PAB - Hans Lauwers
access-list crypto_PAB extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list crypto_PAB extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list crypto_sanico remark VPN Tunnel to Sanico - Hans Lauwers
access-list crypto_sanico extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_hqgceurope remark VPN Tunnel to HQ GCeurope for SAP - Hans Lauwers
access-list acl_dmz extended permit ip any interface outside
access-list acl_dmz extended permit tcp any any eq https
access-list acl_dmz extended permit tcp any any eq www
access-list acl_dmz extended permit udp any any eq domain
access-list acl_dmz extended permit tcp any any eq domain
access-list acl_dmz extended permit icmp any any echo
access-list acl_dmz extended permit icmp any any echo-reply
access-list acl_dmz extended permit icmp any any time-exceeded
access-list acl_dmz extended permit tcp host 0.0.0.0 host 0.0.0.0 eq smtp
access-list acl_dmz extended permit tcp any any eq 3389
access-list acl_dmz extended permit tcp host 0.0.0.0 host 0.0.0.0 eq smtp
access-list acl_dmz extended permit tcp any any eq 1433
access-list crypto_toerismevlaanderen remark VPN Tunnel to Toerisme Vlaanderen for SAP - Hans Lauwers
access-list crypto_toerismevlaanderen extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_kubota remark VPN Tunnel to Kubota - SAP Tech
access-list crypto_kubota extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_kubota extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_kubota extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_kubota extended permit ip host our.ip.address.103 host 0.0.0.0
access-list crypto_texaco remark VPN Tunnel to Texaco (Delek) for SAP - Hans Lauwers
access-list crypto_texaco extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_punch remark VPN Tunnel to Punch for SAP - Hans Lauwers
access-list crypto_punch extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_QuickBarracuda remark VPN tunnel to Quick (Interoute) for managing Barracuda
access-list crypto_QuickBarracuda extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_SAP remark VPN Tunnel to SAP for maintenance - SAP Tech
access-list crypto_SAP extended permit ip host our.ip.address.103 host 0.0.0.0
access-list crypto_valuesource remark VPN Tunnel to KBC - ValueSource
access-list crypto_valuesource extended permit ip our.ip.address.104 0.0.0.0 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging monitor notifications
logging trap notifications
logging asdm warnings
logging host inside 0.0.0.0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool clientVPNpool 0.0.0.0-0.0.0.0 mask 0.0.0.0
failover
failover lan unit primary
failover lan interface fo Ethernet0/3
failover link fo Ethernet0/3
failover interface ip fo 0.0.0.0 0.0.0.0 standby 0.0.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 2 our.ip.address.78
global (outside) 100 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
nat (inside) 100 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) our.ip.address.89 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.120 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.93 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.92 0.0.0.0 netmask 0.0.0.0
static (inside,outside) 0.0.0.0 access-list nonatBPI
static (inside,outside) our.ip.address.86 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.85 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.94 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.82 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.80 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.97 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.98 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.99 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.100 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.87 0.0.0.0 netmask 0.0.0.0 dns
static (dmz,outside) our.ip.address.101 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.102 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.103 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.104 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.84 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.105 0.0.0.0 netmask 0.0.0.0 dns
static (dmz,outside) our.ip.address.115 0.0.0.0 netmask 0.0.0.0 dns
static (dmz,outside) our.ip.address.116 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.78 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.117 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.118 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.81 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.106 0.0.0.0 netmask 0.0.0.0 dns
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 our.ip.address.65 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server we_radius protocol radius
aaa-server we_radius host 192.168.40.2
key OrD1Na2007
aaa authentication ssh console we_radius
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 0.0.0.0 community we
snmp-server host inside 0.0.0.0 community we
no snmp-server location
no snmp-server contact
snmp-server community we
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
service resetoutside
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10 match address crypto_SUBARU
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer our.ip.address.70
crypto map outside_map 10 set transform-set ESP_3DES_SHA
crypto map outside_map 10 set security-association lifetime seconds 7200
crypto map outside_map 20 match address crypto_texaco
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 0.0.0.0
crypto map outside_map 20 set transform-set ESP_3DES_SHA
crypto map outside_map 20 set security-association lifetime seconds 7200
crypto map outside_map 20 set security-association lifetime kilobytes 4096000
crypto map outside_map 30 match address crypto_PAB
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 0.0.0.0
crypto map outside_map 30 set transform-set ESP_3DES_SHA
crypto map outside_map 30 set security-association lifetime seconds 7200
crypto map outside_map 40 match address crypto_RUTGES
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 0.0.0.0
crypto map outside_map 40 set transform-set ESP_3DES_SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 50 match address crypto_NAGIOS_to_NTT
crypto map outside_map 50 set pfs
crypto map outside_map 50 set peer 0.0.0.0
crypto map outside_map 50 set transform-set ESP_3DES_SHA
crypto map outside_map 50 set security-association lifetime seconds 7200
crypto map outside_map 60 match address crypto_BPI
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer 0.0.0.0
crypto map outside_map 60 set transform-set ESP_3DES_SHA
crypto map outside_map 60 set security-association lifetime seconds 1800
crypto map outside_map 80 match address crypto_toerismevlaanderen
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 0.0.0.0
crypto map outside_map 80 set transform-set ESP_3DES_SHA
crypto map outside_map 80 set security-association lifetime seconds 7200
crypto map outside_map 80 set security-association lifetime kilobytes 4096000
crypto map outside_map 90 match address crypto_kubota
crypto map outside_map 90 set pfs
crypto map outside_map 90 set peer 0.0.0.0
crypto map outside_map 90 set transform-set ESP_3DES_SHA
crypto map outside_map 90 set security-association lifetime seconds 7200
crypto map outside_map 90 set security-association lifetime kilobytes 4096000
crypto map outside_map 100 match address crypto_sanico
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer 0.0.0.0
crypto map outside_map 100 set transform-set ESP_3DES_SHA
crypto map outside_map 100 set security-association lifetime seconds 7200
crypto map outside_map 100 set security-association lifetime kilobytes 4096000
crypto map outside_map 110 match address crypto_punch
crypto map outside_map 110 set peer 0.0.0.0
crypto map outside_map 110 set transform-set ESP_3DES_SHA
crypto map outside_map 110 set security-association lifetime seconds 3600
crypto map outside_map 110 set security-association lifetime kilobytes 4096000
crypto map outside_map 140 match address crypto_valuesource
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 0.0.0.0
crypto map outside_map 140 set transform-set ESP_AES_SHA
crypto map outside_map 140 set security-association lifetime seconds 3600
crypto map outside_map 150 match address crypto_SAP
crypto map outside_map 150 set peer 0.0.0.0
crypto map outside_map 150 set transform-set ESP_3DES_MD5
crypto map outside_map 150 set security-association lifetime seconds 7200
crypto map outside_map 160 match address crypto_QuickBarracuda
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer 0.0.0.0
crypto map outside_map 160 set transform-set ESP_3DES_SHA
crypto map outside_map 160 set security-association lifetime seconds 7200
crypto map outside_map 160 set security-association lifetime kilobytes 4096000
crypto map outside_map 900 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp am-disable
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 0.0.0.0 source outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 0.0.0.0
dns-server value 0.0.0.0
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value we.be
username admin_we password U46J02nhFY9Kn8Zgvy7rsQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool ClientVPNpool
authentication-server-group we_radius LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group our.ip.address.70 type ipsec-l2l
tunnel-group our.ip.address.70 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
smtp-server 0.0.0.0
prompt hostname context
Cryptochecksum:ccb1162205f841109b3c6ea5863faec3
: end
[OK]
ASKER
Hmm, rebooting the Ciscos fixed the problem. We applied the crypto map several times to the outside interface, but nothing helped.
Thanks for the help! I'll give you the points for being so nice to stick with me through this problem ;)
"Hmm Rebooting the cisco's fixed the problem"
clear xlate should have had the same effect; it was an interesting issue, but glad that it is sorted out.
Thanks for points :)
ASKER
I cleared the xlate several times... This is probably a 'feature' of the ASA devices :)
Altered last code snippet to convert all IP addresses to 0.0.0.0 at 0-tvw-ee's request.
ForestDenizen
Community Support Moderator
Try this
no access-list crypto_customer extended permit ip our.ip.addr.104 255.255.255.254 cust.ip.addr.16 255.255.255.248
access-list crypto_customer permit ip host our.ip.addr.104 cust.ip.addr.16 255.255.255.248
Also watch the Syslog output in the ASDM window and paste the error messages, if any.
Regards
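As an added example (not code from the thread, the poster, or Cisco), a small Python checker that reads an ASA 7.x-style config like the dump above and cross-checks each static crypto map entry against the ACL, transform-set and ipsec-l2l tunnel-group it references, and also reports crypto ACLs that are defined but never bound to any crypto map entry, which is one reason `debug crypto isakmp` stays silent for a peer. The sample config, its addresses and the ACL names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the ASA 7.2(3) dump in the thread (documentation
# address ranges, not the poster's); crypto_customer is defined but never bound.
SAMPLE_CONFIG = """\
access-list crypto_customer extended permit ip host 203.0.113.104 198.51.100.16 255.255.255.248
access-list crypto_SUBARU extended permit ip 192.168.45.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address crypto_SUBARU
crypto map outside_map 10 set peer 203.0.113.70
crypto map outside_map 10 set transform-set ESP_3DES_SHA
crypto map outside_map 20 match address crypto_texaco
crypto map outside_map 20 set peer 203.0.113.71
crypto map outside_map 20 set transform-set ESP_AES_SHA
tunnel-group 203.0.113.70 type ipsec-l2l
"""

DEFS = {  # object type -> regex capturing the name being defined
    "acl": r"access-list (\S+) (?:extended )?permit ",
    "tset": r"crypto ipsec transform-set (\S+) esp-",
    "tgroup": r"tunnel-group (\S+) type ipsec-l2l",
}
ENTRY = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")

def audit_crypto_map(config: str) -> dict:
    """Return {finding: sorted list of 'map seq: value'}, only for non-empty findings."""
    defined = defaultdict(set)
    entries = defaultdict(dict)  # (map, seq) -> {"match address": acl, "set peer": ip, ...}
    for line in config.splitlines():
        line = line.strip()
        for kind, pat in DEFS.items():
            if m := re.match(pat, line):
                defined[kind].add(m.group(1))
        if m := ENTRY.match(line):
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    findings = defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        acl, peer, tset = e.get("match address"), e.get("set peer"), e.get("set transform-set")
        if acl not in defined["acl"]:      # no traffic can ever be selected for this entry
            findings["missing_acl"].append(f"{tag}: {acl}")
        if peer not in defined["tgroup"]:  # IKE has no pre-shared key configured for this peer
            findings["missing_tunnel_group"].append(f"{tag}: {peer}")
        if tset not in defined["tset"]:    # phase 2 proposal cannot be built
            findings["missing_transform_set"].append(f"{tag}: {tset}")
    bound = {e.get("match address") for e in entries.values()}
    for acl in sorted(defined["acl"] - bound):
        if acl.startswith("crypto_"):      # crypto ACL with no crypto map entry at all
            findings["crypto_acl_unbound"].append(acl)
    return dict(findings)
```

Run it against `show running-config` output saved to a file; an unbound crypto ACL or a peer without a tunnel-group is worth checking before reaching for `clear xlate` or a reboot.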