ASA 5505 experts, please help. VPN problem - Time Sensitive

Hi all,

I installed an ASA 5505, then created VPNs to 2 different sites; one works and one doesn't.

The one that doesn't work only works one-way.

Here is the info that could help you help me.

ASA site info: external IP 64.*.*.22
internal IP 10.3.3.1

Remote site external IP: 208.*.*.163
internal IP 10.1.1.1

Don't know why it works with one but not the other; not sure what I'm missing in the config.
I would like to get this resolved as soon as possible; one site is down :(

ASA running config:

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name *
enable password u1N2uiTOMgtVzzpC encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.*.*.22 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name *
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 208.*.*.163 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.*.*.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 208.*.*.163 255.255.255.255 outside
http 10.1.1.0 255.255.255.255 inside
http 10.0.0.0 255.255.255.255 inside
http 67.*.*.34 255.255.255.255 outside
http 208.*.*.242 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.49.31.242
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 208.*.*.163
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username admin password X4zeva05OugtPWs0 encrypted
tunnel-group 208.*.*.242 type ipsec-l2l
tunnel-group 208.*.*.242 ipsec-attributes
 pre-shared-key *
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d57c7a87f1b00e162644059a0ed948ce
: end



Comptx asked:
 
JFrederick29 commented:
Change this:

conf t
access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
no access-list outside_2_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163

The remote end crypto ACL should be the reverse:

access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
 
Comptx (Author) commented:
Added

access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
no access-list outside_2_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

And now the VPN tunnel is established!

But...

Cannot RDP, or do anything from the remote to the ASA; here is what I get when I try.

3 Apr 30 2009 07:29:16 713042 IKE Initiator unable to find policy: Intf outside, Src: 10.3.3.54, Dst: 10.1.1.104



We're getting there!!



 
ccsistaff commented:
The message makes it appear that the IKE policies are slightly off, though if the tunnel is active, that is not likely. Verify the IKE policies are the same on both ends, and also try removing the nat-t-disable option in the second sequence of the outside map:

no crypto map outside_map 2 set nat-t-disable
 
Comptx (Author) commented:
OK, tried the "no crypto map outside_map 2 set nat-t-disable" command, but still no traffic flows. Seems the settings are the same on both ends.
 
Comptx (Author) commented:
Well, now that the VPN shows active between sites, there's no longer one-way traffic; now there's no traffic at all.
 
Comptx (Author) commented:
Getting this now again.



3 Apr 30 2009 08:05:21 713902 Group = 208.*.*.242, IP = 208.*.*.242, QM FSM error (P2 struct &0x3cf0a50, mess id 0xbe21b51b)!
1 Apr 30 2009 08:05:21 713900 Group = 208.*.*.242, IP = 208.*.*.242, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3 Apr 30 2009 08:05:21 713902 Group = 208.*.*.242, IP = 208.*.*.242, Removing peer from correlator table failed, no match!
5 Apr 30 2009 08:05:23 713041 Group = 208.*.*.242, IP = 208.*.*.242, IKE Initiator: New Phase 2, Intf inside, IKE Peer 208.49.31.242 local Proxy Address 10.3.3.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map)
5 Apr 30 2009 08:05:23 713068 Group = 208.*.*.242, IP = 208.*.*.242, Received non-routine Notify message: Invalid ID info (18)
 
JFrederick29 commented:
Can you post the config from both sides (local and remote)?
 
Comptx (Author) commented:
I can post the ASA one; the other side is a SonicWall 2040Pro that already had the VPN before. (I replaced the old VPN router with the ASA.)

Also, the ASA also connects to the main site's SonicWall, and that SonicWall has the same settings as the SonicWall at the remote site that is failing to connect.

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name *
enable password u1N2uiTOMgtVzzpC encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.*.*.22 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name *
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 208.*.*.163 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.*.*.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 208.*.*.163 255.255.255.255 outside
http 10.1.1.0 255.255.255.255 inside
http 10.0.0.0 255.255.255.255 inside
http 67.*.*.34 255.255.255.255 outside
http 208.*.*.242 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.*.*.242
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 208.*.*.163
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set phase1-mode aggressive group1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username admin password X4zeva05OugtPWs0 encrypted
tunnel-group 208.*.*.242 type ipsec-l2l
tunnel-group 208.*.*.242 ipsec-attributes
 pre-shared-key *
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:a809eb917818b6440916553f97aeb68c
: end
 
JFrederick29 commented:
Remove this from the ASA:

conf t
no crypto map outside_map 2 set phase1-mode aggressive group1

Also, remove this as it overlaps between your tunnels:

no access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

And remove this since it only needs to cover the one direction:

conf t
no access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

On the Sonicwall config:

Make sure the interesting traffic rule is 10.1.1.0 255.255.255.0 to 10.3.3.0 255.255.255.0

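The three proxy-identity faults worked through in this thread (a local crypto ACL that is not the mirror image of the far end's rule, one crypto map sequence whose ACL overlaps another's, and interesting traffic that must be exempted from NAT) can be checked mechanically before touching a live tunnel. The script below is an added example written for this page; it is not Cisco tooling and not something the posters ran. It parses the ASA 7.2 "access-list ... extended permit ip", "crypto map ... match address" and "nat (inside) 0 access-list" lines and runs over a constructed excerpt modelled on the second config posted above, with the redacted public addresses replaced by RFC 5737 documentation addresses (192.0.2.22 and 198.51.100.242). The SonicWall side is assumed to carry exactly the 10.1.1.0/24 to 10.3.3.0/24 rule JFrederick29 asks for.

```python
"""Hypothetical checker written for this page (not Cisco tooling) for three
proxy-identity faults: overlapping crypto map entries, interesting traffic
missing from the nat 0 exemption, and a crypto ACL the far end cannot mirror."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
                    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)$")
CMAP_RE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) match address (?P<acl>\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (?P<acl>\S+)$")


def to_net(token: str) -> ipaddress.IPv4Network:
    """'host A.B.C.D' -> /32; 'A.B.C.D M.M.M.M' -> network (ASA writes masks, not /nn)."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_config(text: str) -> dict:
    """Collect permit-ip ACEs per ACL, crypto map entries per map, and the nat 0 ACL name."""
    acls, cmaps, nat0 = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m["name"], []).append((to_net(m["src"]), to_net(m["dst"])))
        elif m := CMAP_RE.match(line):
            cmaps.setdefault(m["map"], {})[int(m["seq"])] = m["acl"]
        elif m := NAT0_RE.match(line):
            nat0 = m["acl"]
    return {"acls": acls, "cmaps": cmaps, "nat0": nat0}


def overlapping_entries(cfg: dict) -> list:
    """ACEs of a higher crypto map sequence that a lower sequence already matches. The ASA
    walks the map in sequence order, so that traffic is proposed to the lower entry's peer."""
    hits = []
    for cmap, seqs in cfg["cmaps"].items():
        ordered = sorted(seqs)
        for i, lo in enumerate(ordered):
            for hi in ordered[i + 1:]:
                for src, dst in cfg["acls"].get(seqs[hi], []):
                    if any(src.overlaps(ls) and dst.overlaps(ld)
                           for ls, ld in cfg["acls"].get(seqs[lo], [])):
                        hits.append((cmap, lo, hi, str(src), str(dst)))
    return hits


def unexempted_traffic(cfg: dict, inside: ipaddress.IPv4Network) -> list:
    """Inside-sourced crypto ACEs with no covering nat 0 ACE. Without the exemption the
    'nat (inside) 1' PAT rewrites the source, the packet no longer matches the crypto ACL
    and it leaves unencrypted towards the default route."""
    exempt = cfg["acls"].get(cfg["nat0"], [])
    missing = []
    for seqs in cfg["cmaps"].values():
        for acl in seqs.values():
            for src, dst in cfg["acls"].get(acl, []):
                if not src.subnet_of(inside):
                    continue  # ACEs sourced at the far end are not subject to nat (inside)
                if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                    missing.append((acl, str(src), str(dst)))
    return missing


def mirror_gaps(local_aces: list, remote_aces: list) -> list:
    """Local ACEs the far end does not carry reversed. Phase 2 negotiates proxy IDs
    pairwise, so the peer rejects these (seen above as the 'Invalid ID info' notify)."""
    reverse = {(dst, src) for src, dst in remote_aces}
    return [(str(s), str(d)) for s, d in local_aces if (s, d) not in reverse]


# Constructed excerpt modelled on the second config posted in this thread; the
# redacted public addresses are replaced with RFC 5737 documentation addresses.
ASA_BEFORE = """
access-list outside_1_cryptomap extended permit ip host 192.0.2.22 host 198.51.100.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 2 match address outside_2_cryptomap
"""
INSIDE = ipaddress.ip_network("10.3.3.0/24")
# Assumed far-end (SonicWall) interesting-traffic rule for the seq 2 tunnel, as (src, dst).
SONICWALL_RULE = [(ipaddress.ip_network("10.1.1.0/24"), INSIDE)]


def run_checks(config_text: str = ASA_BEFORE) -> dict:
    cfg = parse_config(config_text)
    return {"overlaps": overlapping_entries(cfg),
            "unexempted": unexempted_traffic(cfg, INSIDE),
            "mirror_gaps": mirror_gaps(cfg["acls"].get("outside_2_cryptomap", []), SONICWALL_RULE)}


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings or 'OK'}")
```

Run as-is, it flags exactly the two lines JFrederick29 removes: the 10.3.3.0/24 to 10.1.1.0/24 ACE in outside_1_cryptomap (sequence 1 wins, so that traffic is proposed to the .242 peer, which is consistent with the Invalid ID info notify from .242 logged above) and the reversed ACE in outside_2_cryptomap, for which the SonicWall has no mirror. The NAT exemption check passes on this config because inside_nat0_outbound already covers every inside-sourced crypto ACE. The script only looks at proxy identities; it says nothing about the transform set, and the esp-des/esp-md5-hmac with DH group 1 in this config is well below what should be deployed today.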
 
ccsistaff commented:
Sometimes, with Cisco to <Other Vendor> configurations for VPN, the sequence number of the crypto map makes a difference. In one such experience I've had, the NetGear unit wanted to be crypto map sequence number 1 or it wouldn't work.

Unfortunately, in order to test this with your setup, you'll have to take down the other tunnel.
 
Comptx (Author) commented:
JF, once again, thanks a lot.

After removing those entries that you told me, traffic started flowing both ways.

I saw this in the log though, and it has both my internal IPs on it.

6 Apr 30 2009 08:32:50 106015 10.0.0.23 10.3.3.57 Deny TCP (no connection) from 10.0.0.23/80 to 10.3.3.57/1672 flags RST on interface outside

Why would it be denying traffic like that?
 
JFrederick29 commented:
This is most likely a normal teardown log message.  Are you able to access 10.0.0.23 on port 80?
 
Comptx (Author) commented:
Ah well, I guess it's fine; nothing important from .23 goes to the ASA site.

Thanks a lot!