hypknight
asked on
Site-to-Site IPSec VPN between Cisco ASA 5505 and Cisco 1710
Hi Guys,
We're switching out old PIX 501s for ASA 5505 appliances and I need some help here as I'm new to the ASA product. Currently, we have a few locations terminated via PIX into a Cisco 1710 which is acting as the Hub for the Spokes.
The relevant information from the 1710 is as follows:
1710
------------------
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp key <crypto key here> address <ip of remote host here> no-xauth
!
crypto isakmp client configuration group 3000client
key <key here>
dns 192.168.200.100 192.168.1.11
domain domain.com
pool ippool
acl 108
!
!
crypto ipsec transform-set store esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 99
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 20 ipsec-isakmp
set peer <ip of peer>
set transform-set store
match address 131
crypto map clientmap 99 ipsec-isakmp dynamic dynmap
!
!
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
The information from one of the OLD PIXs in question is as follows:
PIX 501
--------------------------
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 21 ipsec-isakmp
crypto map mymap 21 match address ipsec
crypto map mymap 21 set peer <ip of HUB 1710>
crypto map mymap 21 set transform-set myset
crypto map mymap interface outside
!
isakmp enable outside
isakmp key <key here> address <IP of HUB 1710> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 7200
The above configuration is up and working perfectly. We're migrating off of the PIX platform due to end-of-life and the myriad of issues they have. What I need to know is what would the ASA config look like to connect to the 1710 Router with the above configuration.
Also, I'm being asked if we can enable remote VPN connectivity into the ASA 5505 as well for VPN users to connect into it. If this is possible with this configuration, could you shed some insight on that as well?
Thanks in Advance Guys.
also you will not need this in your crypto map.
crypto map mymap 21 ipsec-isakmp
ASKER
So do I still need all of the isakmp policy information?
isakmp enable outside
isakmp key <key here> address <IP of HUB 1710> netmask 255.255.255.255 no-xauth no-config-mode -- removed
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 7200
Sorry, not trying to be thick. I just want to make sure I understand properly.
you do not need
isakmp key <key here> address <IP of HUB 1710> netmask 255.255.255.255 no-xauth no-config-mode -- removed
you still need the following
isakmp enable outside
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 7200
ASKER
Hub Network: 192.168.1.0
Spoke Network: 192.168.15.0
so here's what I have currently on the ASA:
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
authentication pre-share
encryption des
hash md5
group 1
lifetime 7200
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
pre-shared-key <Key Here>
!
No VPN light is lit on the ASA... if the above is correct (I haven't made any changes to the 1710 side), is there a command I need to do to instigate the tunnel connection? Again, sorry for the simplistic questions.
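Before touching the hub it is worth confirming on paper that the ASA side can negotiate with the 1710 at all. The following Python script is an added example, not code from the thread or from Cisco: it embeds the hub and spoke snippets posted above as constructed input (placeholders kept), parses the ISAKMP policies, the transform set each static crypto map entry binds and the crypto ACLs, and reports whether a phase-1 policy matches, whether the transform sets are identical and whether the ACLs mirror each other. It assumes the IOS and ASA 7.x defaults for omitted policy attributes and the IKEv1 main-mode rule that the responder accepts a proposed lifetime only if it is no longer than its own.

```python
"""Check that the spoke ASA's IKEv1/IPsec parameters agree with the hub 1710.

Added illustration, not Cisco tooling. Both snippets are copied from the thread
(placeholders kept) and embedded as constructed input so the script runs offline.
"""
import ipaddress
import re

# Values a platform assumes when a policy line is omitted
# (IOS: des/sha/rsa-sig/group 1; ASA 7.x: 3des/sha/pre-share/group 2; both 86400 s).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": 86400}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": "2", "lifetime": 86400}
POLICY_KEYS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}

HUB_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set store esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map clientmap 20 ipsec-isakmp
 set peer <ip of peer>
 set transform-set store
 match address 131
!
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
"""

SPOKE_CONFIG = """\
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
"""


def parse_policies(config, defaults):
    """Return {number: attributes} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = dict(defaults)
            policies[int(words[3])] = current
        elif current is not None and words[0] in POLICY_KEYS:
            key = "encryption" if words[0] == "encr" else words[0]  # IOS abbreviation
            current[key] = int(words[1]) if key == "lifetime" else words[1]
        else:
            current = None  # '!' or any other top-level command ends the block
    return policies


def phase1_matches(initiator, responder_policies):
    """Responder policy numbers the initiator can negotiate with: identical encryption,
    hash, authentication and DH group, and a lifetime not exceeding the responder's."""
    same = ("encryption", "hash", "authentication", "group")
    return [num for num, pol in sorted(responder_policies.items())
            if all(initiator[k] == pol[k] for k in same)
            and initiator["lifetime"] <= pol["lifetime"]]


def parse_transform_sets(config):
    return {w[3]: frozenset(w[4:]) for w in map(str.split, config.splitlines())
            if w[:3] == ["crypto", "ipsec", "transform-set"]}


def map_transform_set(config):
    """Transform set bound by the first 'set transform-set' line (the static L2L entry)."""
    return re.search(r"\bset transform-set (\S+)", config).group(1)


def crypto_acl_networks(config):
    """(source, destination) of the first 'permit ip' entry; ipaddress reads the IOS
    wildcard mask (0.0.0.255) and the ASA netmask (255.255.255.0) alike."""
    m = re.search(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", config)
    return (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))


def check(hub=HUB_CONFIG, spoke=SPOKE_CONFIG, spoke_policy=21):
    """The three things a working L2L tunnel needs before the pre-shared key matters."""
    spoke_pol = parse_policies(spoke, ASA_DEFAULTS)[spoke_policy]
    hub_src, hub_dst = crypto_acl_networks(hub)
    spoke_src, spoke_dst = crypto_acl_networks(spoke)
    return {
        "phase1_matches": phase1_matches(spoke_pol, parse_policies(hub, IOS_DEFAULTS)),
        "transform_set_match": (parse_transform_sets(hub)[map_transform_set(hub)]
                                == parse_transform_sets(spoke)[map_transform_set(spoke)]),
        "crypto_acl_mirrored": hub_src == spoke_dst and hub_dst == spoke_src,
    }
```

Calling `check()` on the thread's configuration reports a match with hub policy 1, identical transform sets and mirrored ACLs; a spoke policy that could not negotiate, for instance one with `hash sha` against the hub's policy 1, comes back with an empty `phase1_matches` list. The one parameter the script cannot see is the pre-shared key itself.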
no worries.
Please post your nat and global statements for the ASA. Do the following and paste the info here:
sh run nat
sh run global
ASKER
sh run nat
-------------------------
nat (inside) 1 0.0.0.0 0.0.0.0
sh run global
-------------------------
global (outside) 1 interface
nice and easy, nothing complex.
OK, add this to your nat statements and add this ACL also:
access-list no-nat permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
ASKER
Alrighty, done:
sh run nat
--------------------------
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
Still no light after reload...
no need to reload. Also did you save the config before reloading?
If the config is still intact issue a ping from a host on the 192.168.15.0 network to 192.168.1.0 network and see if you get a reply.
While you are pinging you can issue the command sh isakmp sa to see if you see the tunnel initializing.
ASKER
Yes I did save it. Just reloaded for good measure.
during the ping attempt I get this:
hostname# sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: <IP of HUB 1710>
Type: L2L Role: initiator
Rekey: no State: MM_WAIT_MSG6
after the ping attempt finishes it immediately disappears.
ASKER
It actually takes about 15 seconds, then disappears and says: There are no isakmp sas
yeah it seems like the tunnel doesn't like something.
Can you post the ACLs, crypto, isakmp and tunnel-group statements?
In the meantime you can issue this command to see if you see any errors. You'll have to keep a continuous ping going to see anything.
deb crypto isakmp 10
ASKER
Here's the pertinent configuration of the ASA:
ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password <password> encrypted
passwd <password> encrypted
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
!
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 <IP of gateway> 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
authentication pre-share
encryption des
hash md5
group 1
lifetime 7200
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Here's a snippet of the results of the debug:
Nov 10 11:45:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:00 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 10 11:45:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:05 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, IKE MM Initiator FSM error history (struct &0x175ccc8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, IKE SA MM:281efe24 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, sending delete/delete with reason message
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing blank hash payload
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing IKE delete payload
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing qm hash payload
Nov 10 11:45:10 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=d58497e8) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Nov 10 11:45:10 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Removing peer from peer table failed, no match!
Nov 10 11:45:10 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Error: Unable to remove PeerTblEntry
Nov 10 11:45:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <IP of HUB 1710> local Proxy Address 192.168.15.0, remote Proxy Address 192.168.1.0, Crypto map (primaryCryptoMap)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing ISAKMP SA payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing Fragmentation VID + extended capabilities payload
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing SA payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Oakley proposal is acceptable
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing ke payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing nonce payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing Cisco Unity VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing xauth V6 VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Send IOS VID
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, constructing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing ke payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing ISA_KE payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing nonce payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Received Cisco Unity client VID
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Received DPD VID
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000007f)
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, processing VID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Received xauth V6 VID
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, Connection landed on tunnel_group <IP of HUB 1710>
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Generating keys for Initiator...
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing ID payload
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing hash payload
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Computing hash for ISAKMP
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Nov 10 11:45:11 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, constructing dpd vid payload
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Nov 10 11:45:12 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Rxed Encrypted Notify without a message Id!
Nov 10 11:45:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:16 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 10 11:45:19 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Rxed Encrypted Notify without a message Id!
Nov 10 11:45:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 10 11:45:22 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
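Reading the FSM error history line by hand is error-prone, so here is an added Python triage helper, not from the thread or from Cisco, that parses a constructed subset of the debug lines above (placeholders kept) together with the earlier `sh isakmp sa` output and names the main-mode step at which the initiator failed. The state meanings are the standard IKEv1 main-mode stages: `MM_WAIT_MSG6` means the ASA sent its identity and hash in message 5 and the peer never answered with message 6, which is what a pre-shared key or peer address the hub does not have for this ASA looks like from the initiator's side; the repeated "Rxed Encrypted Notify without a message Id!" is the peer's reply that the ASA cannot decode because the two sides derived different keys.

```python
"""Triage of an ASA 'debug crypto isakmp' capture for a failing IKEv1 main-mode initiator.

Added illustration, not Cisco tooling. SAMPLE_DEBUG and SAMPLE_SHOW_SA are
constructed from the thread's output with the placeholders kept.
"""
import re

# Initiator-side main-mode states and what being stuck in them usually means.
MM_STATE_MEANING = {
    "MM_WAIT_MSG2": "proposal sent, no reply: peer unreachable, ISAKMP not enabled "
                    "on its interface, or UDP/500 filtered in between",
    "MM_WAIT_MSG4": "policy agreed, waiting for the peer's key exchange",
    "MM_WAIT_MSG6": "our ID and hash (message 5) sent, peer never confirmed them: the "
                    "peer could not authenticate us (pre-shared key, peer address/"
                    "tunnel-group or ISAKMP identity mismatch)",
    "MM_ACTIVE": "phase 1 complete; if traffic still fails, look at phase 2, NAT "
                 "exemption and routing",
}

SAMPLE_DEBUG = """\
Nov 10 11:45:10 [IKEv1 DEBUG]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, IKE MM Initiator FSM error history (struct &0x175ccc8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Nov 10 11:45:11 [IKEv1 DEBUG]: IP = <IP of HUB 1710>, Oakley proposal is acceptable
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, Connection landed on tunnel_group <IP of HUB 1710>
Nov 10 11:45:11 [IKEv1]: IP = <IP of HUB 1710>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Nov 10 11:45:12 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Rxed Encrypted Notify without a message Id!
Nov 10 11:45:19 [IKEv1]: Group = <IP of HUB 1710>, IP = <IP of HUB 1710>, Rxed Encrypted Notify without a message Id!
"""

SAMPLE_SHOW_SA = """\
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: <IP of HUB 1710>
Type: L2L Role: initiator
Rekey: no State: MM_WAIT_MSG6
"""


def fsm_history(line):
    """'<state>, <event>' pairs of an FSM error history line, newest first."""
    return re.findall(r"(MM_\w+), (EV_\w+|NullEvent)", line)


def failing_step(debug_text):
    """State and event the initiator was in when the SA was torn down (MM_DONE is
    the teardown itself, so the first entry after it is the interesting one)."""
    for line in debug_text.splitlines():
        if "FSM error history" in line:
            for state, event in fsm_history(line):
                if state != "MM_DONE":
                    return state, event
    return None, None


def sa_state(show_output):
    m = re.search(r"State:\s*(\w+)", show_output)
    return m.group(1) if m else None


def triage(debug_text, show_output):
    """Facts pulled from the capture plus a one-line reading of them."""
    state, event = failing_step(debug_text)
    facts = {
        "policy_accepted": "Oakley proposal is acceptable" in debug_text,
        "tunnel_group_found": "Connection landed on tunnel_group" in debug_text,
        "encrypted_notify_without_msgid":
            debug_text.count("Rxed Encrypted Notify without a message Id!"),
        "failing_state": state,
        "failing_event": event,
        "sa_state": sa_state(show_output),
    }
    if facts["sa_state"] == "MM_ACTIVE":
        facts["diagnosis"] = MM_STATE_MEANING["MM_ACTIVE"]
    elif state == "MM_WAIT_MSG6" or facts["encrypted_notify_without_msgid"]:
        facts["diagnosis"] = MM_STATE_MEANING["MM_WAIT_MSG6"]
    elif state in MM_STATE_MEANING:
        facts["diagnosis"] = MM_STATE_MEANING[state]
    elif not facts["policy_accepted"]:
        facts["diagnosis"] = "no ISAKMP policy matched the peer's proposal"
    else:
        facts["diagnosis"] = f"failed in {state} on {event}"
    return facts
```

For the thread's capture `triage(SAMPLE_DEBUG, SAMPLE_SHOW_SA)` reports that the policy was accepted and the tunnel-group was found, that the failure happened in `MM_WAIT_MSG6` on `EV_PROB_AUTH_FAIL`, and points at the pre-shared key or the peer address the hub has for this ASA, which is exactly the pair of things the asker went on to re-check.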
looks like it doesn't like something with phase 2. Are you sure you entered the correct Pre-shared key?
ASKER
I'm relatively certain, I'll re-enter it though.
One other thing: does the Cisco 1710 still point to the PIX? Or did you change the peer IP on the router to point to the new ASA 5505?
ASKER
Alrighty, the tunnel itself appears to be up!
sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: <IP of HUB 1710>
Type: L2L Role: initiator
Rekey: no State: MM_ACTIVE
and the VPN light is on and solid.
However, I can't ping across the tunnel and get a reply. I've tried 2 separate remote IP addresses. Any ideas?
Try it in the other direction, so ping from the 192.168.1.0/24 network to a host on the 192.168.15.0/24 network. Keep the ping going on the host on the 15 network at the same time. Then issue the command deb icmp trace and see if you see the traffic.
ASKER
You're a genius. Had a missing route in an intermediate router... =) Now with the configuration you see above, is split-tunneling enabled?
split-tunneling will be for the people using the VPN clients.
The configuration we just went over will allow remote and local access.
ASKER
Right, but I mean for the point-to-point from hub to spoke: is there a way to ensure the internet traffic is routed directly out the gateway and not across the tunnel? Or does the no-nat ACL ensure that already?
The crypto maps that you set up separate the tunnel traffic from the internet traffic. So yes, the inside hosts that are trying to access anything outside of 192.168.1.0/24 will go to the internet.
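To make that separation concrete, the following Python model is an added example, not ASA code: it applies the two rules the ASA 7.x config above relies on, in the order the ASA applies them, to a packet from an inside host. NAT exemption (`nat (inside) 0 access-list no-nat`) is evaluated before the PAT rule (`nat (inside) 1` with `global (outside) 1 interface`), and the crypto map on the outside interface matches the post-NAT packet, which is why the exemption was needed before the tunnel would carry anything. The ACL entry is the thread's; the outside address 192.168.0.248 comes from the posted config and the sample hosts are constructed.

```python
"""Model of how the spoke ASA (7.x) steers a flow from an inside host: NAT exemption
first, then the crypto ACL on the outside interface, otherwise PAT and the default route.

Added illustration, not ASA code. The ACL entry is copied from the thread; the outside
address is the one in the posted config; the hosts used in calls are constructed.
"""
import ipaddress

OUTSIDE_IP = "192.168.0.248"  # 'global (outside) 1 interface' translates to this address


def acl(*entries):
    """Entries are (src, src_mask, dst, dst_mask) in ASA 'permit ip' form with netmasks."""
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in entries]


# access-list no-nat extended permit ip ...   (bound by: nat (inside) 0 access-list no-nat)
NO_NAT = acl(("192.168.15.0", "255.255.255.0", "192.168.1.0", "255.255.255.0"))
# access-list ipsec extended permit ip ...    (bound by: crypto map ... 21 match address ipsec)
CRYPTO_ACL = acl(("192.168.15.0", "255.255.255.0", "192.168.1.0", "255.255.255.0"))


def matches(acl_entries, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl_entries)


def classify(src, dst, no_nat=NO_NAT, crypto=CRYPTO_ACL):
    """Return the NAT applied to the packet and the path it takes off the outside interface."""
    # Step 1: a nat 0 match wins over nat 1, so the packet keeps its real source;
    # anything else is PATed to the outside interface address.
    if matches(no_nat, src, dst):
        nat, egress_src = "exempt", src
    else:
        nat, egress_src = f"pat:{OUTSIDE_IP}", OUTSIDE_IP
    # Step 2: the crypto map on 'outside' sees the packet after NAT. A match is
    # encrypted to the L2L peer; no match follows the default route in the clear.
    if matches(crypto, egress_src, dst):
        return {"nat": nat, "path": "ipsec-tunnel"}
    return {"nat": nat, "path": "internet-clear"}
```

`classify("192.168.15.10", "192.168.1.20")` goes through the tunnel untranslated while `classify("192.168.15.10", "198.51.100.7")` is PATed and routed to the internet, which is the separation described above. Calling `classify` with `no_nat=[]` shows the failure mode the no-nat line fixed: the packet is translated to the outside address before the crypto ACL sees it, no longer matches, and leaves in the clear toward the default route.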
ASKER
Alright, I thought that was the case; I just wanted to be sure. So I'm going to attempt the remote VPN portion now... I should be able to put one of the switchports in the DMZ and use that port to test the software client, correct?
I've never tested it coming from the DMZ. I have an additional cable line coming in that I test it on. You can give it a shot, but I think for troubleshooting, testing on a line outside of your network (including the DMZ) would be the easiest way.
ASKER
OK, so for the ACLs you mentioned above:
"As for VPN it would look something like this
access-list remoteusers_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (for local lan access)
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (network that you want remote users to see)
ip local pool remoteusers 10.10.10.1-10.10.10.254 (range of ip's you want the remote users to have when connected)"
The first one says that the VPN users (getting 10.10.10.x addresses) should be able to access my Hub network.
The second one says that it shouldn't be applied to NAT, right? Do I need to put one in from the 10.10.10.0/24 network to my 192.168.15.0/24 network?
If you want the users to access the network behind the ASA it should look like this.
access-list remoteusers_splitTunnelAcl permit ip 192.168.5.0 255.255.255.0 10.10.10.0 255.255.255.0 (for local lan access)
access-list no-nat permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0 (network that you want remote users to see)
Sorry I was just giving an example in the first config.
ASKER
Would I need to do anything after that to let them access the HUB network then? (192.168.1.0/24)
I believe these statements allow for that. Once connected try to ping one of the hosts on the 192.168.1.0 network.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Oops, and also add this to the ACLs:
access-list no-nat permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
The last ACL should be
access-list ipsec permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ASKER
Alright.
Here's the config as it stands now...
ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password <password> encrypted
passwd <password> encrypted
!
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
!
dns server-group DefaultDNS
domain-name tollgas.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
authentication pre-share
encryption des
hash md5
group 1
lifetime 7200
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy remoteusers internal
group-policy remoteusers attributes
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool remoteUserIPpool
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Here's what I'm getting from a laptop in the (outside) network (192.168.0.x) connecting via software client to the (outside) interface...
1 14:29:50.671 11/10/08 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
2 14:29:50.671 11/10/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
3 14:29:55.718 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
4 14:29:55.718 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
5 14:30:00.718 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
6 14:30:00.718 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
7 14:30:05.718 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
8 14:30:05.718 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
Does it prompt you for the username and password?
ASKER
Nope
what version of cisco vpn client are you using?
ASKER
5.0.02.0090
You might have to change the encryption; I don't think version 5 will use des/md5. Try using 3des/md5 and see if that works.
ASKER
New Config:
ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password dNfKG7AX49Kx69an encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set remoteUserTransformSet esp-3des esp-md5-hmac
!
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet remoteUserTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
authentication pre-share
encryption des
hash md5
group 1
lifetime 7200
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
group-policy remoteusers internal
group-policy remoteusers attributes
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool remoteUserIPpool
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
New Debug Information:
25 15:23:52.562 11/10/08 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
26 15:23:52.562 11/10/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
27 15:23:57.875 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
28 15:23:57.875 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
29 15:24:02.875 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
30 15:24:02.875 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
31 15:24:07.875 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
32 15:24:07.875 11/10/08 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
ASKER
Verified both Pre-Shared-Keys just for good measure... they match.
Also add another crypto isakmp policy statement for 3des/md5:
crypto isakmp policy 31
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
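Why a second policy makes the difference, as an added model (example code, not from this thread or from Cisco): an IKEv1 responder walks its ISAKMP policies in priority order and takes the first one whose encryption, hash, authentication and DH group exactly match a proposal the peer offered. The hub and client proposal lists below are assumed, not captured from real peers; the point they illustrate is that a peer which no longer offers single DES cannot match policy 21, while adding policy 31 gives it a match without disturbing the hub, which still lands on 21.

```python
"""IKEv1 Phase 1 policy selection, modelled for an ASA-style responder.

Added example, not code from this thread or from Cisco. The responder walks
its 'crypto isakmp policy' entries in priority order (lowest number first)
and accepts the first one whose encryption, hash, authentication and DH
group exactly match a proposal the initiator offered. Lifetime is handled
separately in IKEv1 (the shorter of the two is used), so it is not matched.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Proposal:
    enc: str
    hash_alg: str
    auth: str
    dh_group: int


@dataclass(frozen=True)
class Policy:
    priority: int
    # IOS-style defaults apply when a stanza omits an attribute
    enc: str = "des"
    hash_alg: str = "sha"
    auth: str = "rsa-sig"
    dh_group: int = 1
    lifetime: int = 86400

    def proposal(self) -> Proposal:
        return Proposal(self.enc, self.hash_alg, self.auth, self.dh_group)


# keyword inside a policy stanza -> Policy field name
_ATTRS = {"encryption": "enc", "hash": "hash_alg", "authentication": "auth",
          "group": "dh_group", "lifetime": "lifetime"}


def _set_attr(stanza: dict, parts: list[str]) -> bool:
    """Apply one 'keyword value' attribute to a stanza; False if it is not one."""
    if len(parts) < 2 or parts[0] not in _ATTRS:
        return False
    field = _ATTRS[parts[0]]
    stanza[field] = int(parts[1]) if field in ("dh_group", "lifetime") else parts[1]
    return True


def parse_isakmp_policies(config: str) -> list[Policy]:
    """Collect 'crypto isakmp policy N' stanzas from config text, sorted by priority."""
    policies: list[Policy] = []
    current: Optional[dict] = None
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            if current is not None:
                policies.append(Policy(**current))
            current = {"priority": int(parts[3])}
            _set_attr(current, parts[4:])  # newer releases print the attribute on the same line
        elif current is not None and not _set_attr(current, parts):
            policies.append(Policy(**current))  # '!' or any other command ends the stanza
            current = None
    if current is not None:
        policies.append(Policy(**current))
    return sorted(policies, key=lambda p: p.priority)


def select_policy(policies: Iterable[Policy], proposals: Iterable[Proposal]) -> Optional[Policy]:
    """First policy, by priority, that matches any offered proposal; None if no overlap."""
    offered = set(proposals)
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.proposal() in offered:
            return policy
    return None


def negotiate(config: str, proposals: Iterable[Proposal]) -> Optional[int]:
    """Priority number of the policy the responder would pick, or None (Phase 1 fails)."""
    chosen = select_policy(parse_isakmp_policies(config), proposals)
    return chosen.priority if chosen else None


# Constructed sample: the spoke with only the policy it shares with the hub.
ASA_BEFORE = """\
crypto isakmp enable outside
crypto isakmp policy 21
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 7200
!
"""

# Constructed sample: the same spoke after the 3DES policy is added.
ASA_AFTER = ASA_BEFORE + """\
crypto isakmp policy 31
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
"""

# Assumed proposal sets (not captured from real peers): a hub that only
# speaks DES/MD5/group 1, and a software client that no longer offers DES.
HUB_PROPOSALS = [Proposal("des", "md5", "pre-share", 1)]
CLIENT_PROPOSALS = [
    Proposal("aes-256", "sha", "pre-share", 2),
    Proposal("aes-128", "sha", "pre-share", 2),
    Proposal("3des", "sha", "pre-share", 2),
    Proposal("3des", "md5", "pre-share", 2),
]

if __name__ == "__main__":
    print("hub, before:   ", negotiate(ASA_BEFORE, HUB_PROPOSALS))
    print("client, before:", negotiate(ASA_BEFORE, CLIENT_PROPOSALS))
    print("client, after: ", negotiate(ASA_AFTER, CLIENT_PROPOSALS))
    print("hub, after:    ", negotiate(ASA_AFTER, HUB_PROPOSALS))
```

Paste the crypto isakmp section of a real show running-config in place of the constructed strings to see which policy a given peer would land on; the model ignores XAUTH and lifetime, which is enough to show why two policies are needed when the L2L peer and the software client have no transform in common.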
ASKER
Again, you're a genius!
I can login and establish a tunnel... I can ping from a host in the 192.168.15.0/24 network to the host that is software-vpn-connected with a 10.10.10.0/24 address. I cannot however ping from the 10.10.10.0/24 client to the 192.168.15.0/24 client, or into the 192.168.1.0/24 client.
Any ideas?
Where are you pinging from? The DMZ or an outside line?
Try this command:
icmp permit any any
Also I believe you would have to create another ACL on the router to allow the 10.10.10.0/24 network.
access-list 131 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
ASKER
Pinging from an outside source, connected via Cisco VPN Client to the ASA.
Ping from the Software client to 192.168.15.x - no reply
Ping from the Software client to 192.168.1.x - no reply
Ping from computer attached via wire to the ASA
Ping to 192.168.1.x - reply
Ping to 10.10.10.x - reply
I'm not as concerned with getting into the 192.168.1.x network, as there will need to be routes inserted to do so; however, not being able to ping into the 192.168.15.x network from the software client troubles me a bit.
Also remove these ACLs:
no access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
no access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
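A way to see why exactly those two entries stand out, as an added check (example code, not anything posted in this thread): it parses the spoke's crypto ACL and NAT-exemption ACL and the hub's IOS ACL, then reports crypto-ACL entries with no NAT exemption, crypto-ACL entries the hub does not mirror, and NAT exemptions the tunnel never uses. The ACL text is constructed from the lines discussed above; the hub ACL is assumed to carry the 10.10.10.0 entry suggested earlier, and only the plain network/mask form of permit ip entries is parsed.

```python
"""Cross-check a spoke ASA's crypto ACL and NAT-exemption ACL against the hub's ACL.

Added example, not code posted in this thread. Three checks:
  1. every crypto-ACL entry has a NAT-exemption entry with the same source and
     destination: the ASA translates before it evaluates the crypto map, so a
     PATed source would never match the peer's proxy identities;
  2. every crypto-ACL entry is mirrored (source/destination swapped) by an entry
     in the hub's crypto ACL, or Phase 2 fails on a proxy-ID mismatch;
  3. NAT-exemption entries with no crypto-ACL counterpart are listed for review,
     since they bypass translation for traffic the L2L tunnel does not carry.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# ASA form: access-list NAME [extended] permit ip SRC MASK DST MASK
ASA_ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
# IOS form: access-list NUM permit ip SRC WILDCARD DST WILDCARD
IOS_ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> Flow:
        return Flow(self.dst, self.src)

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


def asa_net(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """ASA ACLs use ordinary netmasks: 255.255.255.0 -> /24."""
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def ios_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard (inverse) masks: 0.0.0.255 -> /24."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_acls(config: str, pattern: re.Pattern, to_net) -> dict[str, list[Flow]]:
    """Group 'permit ip' entries by ACL name; every other line is ignored."""
    acls: dict[str, list[Flow]] = {}
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(Flow(to_net(s, sm), to_net(d, dm)))
    return acls


def audit(asa_config: str, hub_config: str, crypto_acl: str = "ipsec",
          nonat_acl: str = "no-nat", hub_acl: str = "131") -> dict[str, list[str]]:
    """Run the three checks and return the offending entries per check."""
    asa = parse_acls(asa_config, ASA_ACE, asa_net)
    hub = parse_acls(hub_config, IOS_ACE, ios_net)
    crypto = asa.get(crypto_acl, [])
    nonat = asa.get(nonat_acl, [])
    hub_mirror = {f.mirror() for f in hub.get(hub_acl, [])}
    findings: dict[str, list[str]] = {
        "missing_nat_exempt": [], "no_hub_mirror": [], "nonat_not_in_crypto": []}
    for f in crypto:
        if f not in nonat:
            findings["missing_nat_exempt"].append(str(f))
        if f not in hub_mirror:
            findings["no_hub_mirror"].append(str(f))
    for f in nonat:
        if f not in crypto:
            findings["nonat_not_in_crypto"].append(str(f))
    return findings


# Constructed sample, built from the ACL lines discussed in the thread.
SPOKE_BEFORE = """\
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# The same sample with the two entries removed.
SPOKE_AFTER = """\
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# Assumed hub-side ACL in IOS wildcard form, including the suggested 10.10.10.0 entry.
HUB_ACL = """\
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 131 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, cfg in (("before", SPOKE_BEFORE), ("after", SPOKE_AFTER)):
        print(label, audit(cfg, HUB_ACL))
```

On the "before" sample the 10.10.10.0 to 192.168.15.0 crypto entry is flagged twice (no NAT exemption, no hub mirror) and the 192.168.1.0 to 10.10.10.0 exemption is flagged as unused by the tunnel; on the "after" sample all three lists are empty. The third check is advisory: traffic for the remote-access pool can legitimately need its own exemption, so review those entries rather than deleting them blindly.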
ASKER
If I do an 'ipconfig' and look at the ip address information I receive via Cisco VPN Client, I don't get a gateway. Could this cause a problem?
No, you don't need a gateway. The only problem you would have on the client side is if the network of the host is the same as the network that it is connecting to. For example, if the ASA is on the 192.168.15.0/24 network then the host trying to connect would have to have a different network, i.e. 192.168.100.0/24.
ASKER
Alright, that's what I thought; figured I would ask...
Here's the config as it stands:
ASA Version 7.2(4)
!
hostname Rose-ASA
domain-name domain.com
enable password dNfKG7AX49Kx69an encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set remoteUserTransformSet esp-3des esp-md5-hmac
!
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet remoteUserTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
authentication pre-share
encryption des
hash md5
group 1
lifetime 7200
crypto isakmp policy 31
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy remoteusers internal
group-policy remoteusers attributes
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool remoteUserIPpool
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Same symptoms... You'll notice that we 'inspect icmp', which ensures all ICMP traffic passes but is logged.
try this
icmp permit any inside (test the pings after this command and if it still doesn't work take out the inspection for ICMP).
policy-map global_policy
class inspection_default
no inspect icmp
ASKER
tried that as well (including removing the inspection), still no go... I also tried to reach a file share via:
\\<IP in the 192.168.15.x network>
that didn't work either, which rules out (I think) a problem with ICMP
The host that you are trying to access the network from, does it have a router in front of it? If so, what is the LAN IP range?
ASKER
Just checked, and I CANNOT ping from the device connected by wire to the ASA to the software-connected client.
oh just noticed you didn't have this in the config try
isakmp nat-traversal 20
ASKER
the computer that I'm connecting from is connected to the switch that is also feeding the (outside) connection of the ASA....
so...
(switch)
/ \
ASA (outside) (host I'm connecting via software from)
/ (10.10.10.1)
(host I'm connecting to)
(192.168.15.144)
ASKER
Added "isakmp nat-traversal 20" but still no go pinging from 10.10.10.1 to 192.168.15.144 or vice versa
Have you been connected this whole time? If so disconnect and reconnect because if you make changes while you are connected you will not see them until you reconnect.
ASKER
Still no go. Disconnected and reconnected the software client.
Ok, can you post your config again please.
ASKER
Sure,
ASA Version 7.2(4)
!
hostname hostname
domain-name domain.com
enable password dNfKG7AX49Kx69an encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.248 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list ipsec extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ipsec extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list remoteusers_splitTunnelAcl extended permit ip 192.168.15.0 255.255.255.0 10.10.10.0 255.255.255.0
!
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
!
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
!
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
!
http server enable
http 192.168.15.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set primaryTransformSet esp-des esp-md5-hmac
crypto ipsec transform-set remoteUserTransformSet esp-3des esp-md5-hmac
!
crypto dynamic-map outsideDynamicMap 20 set transform-set primaryTransformSet remoteUserTransformSet
crypto map primaryCryptoMap 21 match address ipsec
crypto map primaryCryptoMap 21 set peer <IP of HUB 1710>
crypto map primaryCryptoMap 21 set transform-set primaryTransformSet
crypto map primaryCryptoMap 65535 ipsec-isakmp dynamic outsideDynamicMap
crypto map primaryCryptoMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 21
authentication pre-share
encryption des
hash md5
group 1
lifetime 7200
crypto isakmp policy 31
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
group-policy remoteusers internal
group-policy remoteusers attributes
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
!
username testVPNuser password 2ydLgHrVzyJixLyT encrypted
!
tunnel-group <IP of HUB 1710> type ipsec-l2l
tunnel-group <IP of HUB 1710> ipsec-attributes
pre-shared-key *
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool remoteUserIPpool
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
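One check worth running against the config just posted, added here as an example (it is not a command from the thread and not Cisco tooling): does the ACL bound by nat (inside) 0 exempt traffic from the inside subnet to the remote-user pool, or does that traffic fall through to the dynamic PAT rule? The helper names are hypothetical and the sample input is constructed from the config lines above.

```python
"""Check that an ASA 7.x config NAT-exempts inside-subnet -> VPN-pool traffic.
Added example for this thread (not the thread's own commands, not Cisco code). It reads
only: nameif / ip address under 'interface', 'ip local pool', 'nat (<if>) 0 access-list
<name>' and that ACL's permit-ip entries. Helper names are hypothetical."""
import ipaddress
import re

# Constructed sample: the relevant lines from the config posted above.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.15.1 255.255.255.0
!
access-list no-nat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool remoteUserIPpool 10.10.10.1-10.10.10.254
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
"""

_ADDR = r"(any|host \S+|\S+ \S+)"   # the three address forms an ASA ACE can use

def _net(token):
    """ACE address token -> ip_network (ASA ACLs use real subnet masks, not wildcards)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_interfaces(config):
    """Map each nameif to the ip_network configured on that interface."""
    nets, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            addr, mask = line.split()[2:4]
            nets[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets

def parse_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^\s*ip local pool (\S+) (\S+)-(\S+)", config, re.M)}

def parse_acl(config, name):
    """(src, dst) network pairs of the 'permit ip' entries of ACL <name>."""
    pat = re.compile(rf"^\s*access-list {re.escape(name)} (?:extended )?permit ip "
                     rf"{_ADDR} {_ADDR}\s*$", re.M)
    return [(_net(s), _net(d)) for s, d in pat.findall(config)]

def nat_exempt_acl(config, nameif):
    """Name of the ACL bound by 'nat (<nameif>) 0 access-list <name>', or None."""
    m = re.search(rf"^\s*nat \({re.escape(nameif)}\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None

def covering_network(first, last):
    """Smallest single prefix containing the whole first..last range."""
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net

def uncovered_pool_blocks(config, nameif="inside"):
    """[(pool_name, block), ...] for pool addresses NOT exempted from NAT for traffic
    sourced from <nameif>'s subnet; an empty list means every pool address is exempted.
    Anything listed falls through to the dynamic 'nat (inside) 1' rule, so replies to
    the VPN client leave with a translated source and never match the client's SA."""
    inside = parse_interfaces(config)[nameif]
    acl_name = nat_exempt_acl(config, nameif)
    entries = parse_acl(config, acl_name) if acl_name else []
    gaps = []
    for pool_name, (first, last) in parse_pools(config).items():
        for block in ipaddress.summarize_address_range(first, last):
            if not any(inside.subnet_of(s) and block.subnet_of(d) for s, d in entries):
                gaps.append((pool_name, block))
    return gaps

def suggested_exemptions(config, nameif="inside"):
    """ACE lines (one per pool with gaps) that would make uncovered_pool_blocks() empty."""
    inside = parse_interfaces(config)[nameif]
    acl_name = nat_exempt_acl(config, nameif) or "no-nat"   # assumed name if none is bound
    pools_with_gaps = {pool for pool, _ in uncovered_pool_blocks(config, nameif)}
    lines = []
    for pool_name, (first, last) in parse_pools(config).items():
        if pool_name in pools_with_gaps:
            pool = covering_network(first, last)
            lines.append(f"access-list {acl_name} extended permit ip {inside.network_address} "
                         f"{inside.netmask} {pool.network_address} {pool.netmask}")
    return lines

if __name__ == "__main__":
    for pool_name, block in uncovered_pool_blocks(SAMPLE_CONFIG):
        print(f"not NAT-exempt: pool {pool_name} block {block}")
    print("\n".join(suggested_exemptions(SAMPLE_CONFIG)))
```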
also can you post the info for the VPN client.
ASKER
Did you mean the debug information for the VPN client? If so, I turned up the verbosity on a few of the parameters so I would actually get output... here's what came through:
16 17:14:33.453 11/10/08 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 192.168.0.248.
17 17:14:33.468 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.168.0.248
18 17:14:33.468 11/10/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248
19 17:14:33.468 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 192.168.0.248
20 17:14:33.468 11/10/08 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
21 17:14:33.468 11/10/08 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
22 17:14:33.468 11/10/08 Sev=Info/5 IKE/0x63000001
Peer supports DPD
23 17:14:33.468 11/10/08 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
24 17:14:33.468 11/10/08 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
25 17:14:33.484 11/10/08 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
26 17:14:33.484 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 192.168.0.248
27 17:14:33.484 11/10/08 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0766, Remote Port = 0x01F4
28 17:14:33.484 11/10/08 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
29 17:14:33.484 11/10/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248
30 17:14:33.484 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.0.248
31 17:14:33.937 11/10/08 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
32 17:14:33.937 11/10/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
33 17:14:36.890 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.0.248
34 17:14:36.890 11/10/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248
35 17:14:36.890 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.0.248
36 17:14:36.890 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.0.248
37 17:14:36.921 11/10/08 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
38 17:14:36.921 11/10/08 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
39 17:14:36.921 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.168.0.248
40 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248
41 17:14:36.953 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 192.168.0.248
42 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.10.10.1
43 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
44 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
45 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.15.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
46 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
47 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 7.2(4) built by builders on Sun 06-Apr-08 13:39
48 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
49 17:14:36.953 11/10/08 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.10.10.1, GW IP = 192.168.0.248, Remote IP = 0.0.0.0
50 17:14:36.953 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 192.168.0.248
51 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248
52 17:14:36.968 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 192.168.0.248
53 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
54 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
55 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.168.0.248
56 17:14:36.968 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 192.168.0.248
57 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds
58 17:14:36.968 11/10/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 192.168.0.248
59 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=E878B160 OUTBOUND SPI = 0x68242E09 INBOUND SPI = 0xAFD274D3)
60 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x68242E09
61 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xAFD274D3
62 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
64 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x092e2468 into key list
65 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x63700010
Created a new key structure
66 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xd374d2af into key list
67 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.10.1
68 17:14:37.593 11/10/08 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 192.168.0.191. SG: 192.168.0.248
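As an added example (not Cisco's code and not anything posted in the thread), a small parser for this client log format: it reports how far the negotiation got, what the gateway pushed (assigned address, split-tunnel list, NAT detection) and whether a target such as 192.168.15.144 would even be routed into the tunnel, which tells you whether to keep looking at the client or move to the ASA side. The embedded log is a constructed subset of the one above and the function names are hypothetical.

```python
"""Summarise a Cisco VPN Client IKE/IPSEC log: how far the negotiation got, what the
gateway pushed (address, split-tunnel list) and whether a given host would even be sent
into the tunnel. Added example for this thread, not Cisco's or the poster's code; the
log excerpt below is a constructed subset of the one posted above."""
import ipaddress
import re

SAMPLE_LOG = """\
16 17:14:33.453 11/10/08 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 192.168.0.248.
19 17:14:33.468 11/10/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 192.168.0.248
28 17:14:33.484 11/10/08 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device
42 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.10.10.1
45 17:14:36.953 11/10/08 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 192.168.15.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0
60 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x68242E09
61 17:14:36.968 11/10/08 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xAFD274D3
"""

# "<seq> <time> <date> Sev=<level>/<n> <subsystem>/<0xcode>" starts every record
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse_log(text):
    """Group the log into records: one header line plus its following message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"seq": int(m.group(1)), "subsys": m.group(6),
                            "code": m.group(7), "msg": []})
        elif records and line.strip():
            records[-1]["msg"].append(line.strip())
    return records

def summarize(text):
    """Reduce the records to the negotiation state the client reached."""
    s = {"phase1_reply": False, "peer_behind_nat": None, "client_behind_nat": None,
         "assigned_ip": None, "split_nets": [], "ipsec_sa_loaded": False}
    spis = set()
    for rec in parse_log(text):
        msg = "\n".join(rec["msg"])
        if msg.startswith("RECEIVING <<< ISAKMP OAK AG"):
            s["phase1_reply"] = True        # gateway answered aggressive mode
        elif msg.startswith("Automatic NAT Detection Status"):
            s["peer_behind_nat"] = "Remote end is behind" in msg
            s["client_behind_nat"] = "This end is behind" in msg
        elif "INTERNAL_IPV4_ADDRESS" in msg:
            s["assigned_ip"] = msg.rsplit("=", 1)[1].strip()
        elif msg.startswith("SPLIT_NET"):
            subnet = re.search(r"subnet = (\S+)", msg).group(1)
            mask = re.search(r"mask = (\S+)", msg).group(1)
            s["split_nets"].append(ipaddress.ip_network(f"{subnet}/{mask}"))
        elif msg.startswith("Loaded ") and "ESP SPI" in msg:
            spis.add(msg.split()[1])        # OUTBOUND / INBOUND
    s["ipsec_sa_loaded"] = spis == {"OUTBOUND", "INBOUND"}
    return s

def host_in_tunnel(summary, host):
    """True if the pushed split-tunnel list routes traffic for <host> into the tunnel."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in summary["split_nets"])

def diagnose(text, target_host):
    """Where along the chain the evidence in the client log stops."""
    s = summarize(text)
    if not s["phase1_reply"]:
        return "no IKE phase-1 reply from the gateway"
    if not s["assigned_ip"]:
        return "phase 1 up but no address pushed (mode-config failed)"
    if not s["ipsec_sa_loaded"]:
        return "address assigned but no IPsec SA loaded (phase 2 failed)"
    if not host_in_tunnel(s, target_host):
        return f"tunnel up but {target_host} is not in the split-tunnel list"
    return (f"tunnel up and {target_host} is routed into it from {s['assigned_ip']}; "
            "the client negotiated everything, check NAT exemption, ACLs/sysopt and the return path")

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "192.168.15.144"))
```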
I actually meant the IPsec information on the transport tab. If you click on modify for your connection then go to the transport tab, what settings are checked?
ASKER
"Enable Transport Tuning"
IPSec over UDP (NAT/PAT)
do a sh run sysopt for me and paste output here.
ASKER
There is no output from that command for me.
ok, enter this command in; it might be different for 7.2, so if the first one doesn't work try the 2nd
sysopt connection permit-ipsec
or
sysopt connection permit-vpn
ASKER
applied the first command... still no output when running sh run sysopt
still can't ping
ok, enter in the 2nd one. I believe that is the correct one for version 7.2
ASKER
sorry... meant to say I tried both... both provide the same outcome
ASKER CERTIFIED SOLUTION
ASKER
Hey There,
Tried that as well... still no joy. I think I'm going to worry about it when it goes into production. It could be my test environment or something. Thank you so much for all of your help, you've more than surpassed any expectation I had.
500 points, more than deserved!
ASKER
Thanks again!
Good luck thanks for the points.
All your crypto maps will stay the same. The only thing that will be different is the Pre-shared key. It will look like this.
tunnel-group (IP of HUB 1710) type ipsec-l2l
tunnel-group (IP of HUB 1710) ipsec-attributes
pre-shared-key secret key
As for VPN it would look something like this
access-list remoteusers_splitTunnelAcl
access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (network that you want remote users to see)
ip local pool remoteusers 10.10.10.1-10.10.10.254 (range of IPs you want the remote users to have when connected)
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES/MD5 (you can change this to whatever fits for you)
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
group-policy remoteusers internal
group-policy remoteusers attributes
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteusers_splitTunnelAcl
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
address-pool remoteusers
default-group-policy remoteusers
tunnel-group remoteusers ipsec-attributes
pre-shared-key secret key