Solved

Site to Site Cisco VPN with one side dynamic IP

Posted on 2009-05-18
2,182 Views
Last Modified: 2012-05-07
Trying to connect two sites with ASA5505s; one side has a dynamic IP. What am I missing? Thanks!
MAIN SITE CONFIG

: Saved

:

ASA Version 8.0(2) 

!

hostname nfd-main

domain-name acf.org

enable password B5Vos7Kq2KWr encrypted

names

name 192.168.247.3 SBS_Server

name 192.168.246.0 steve_house

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.247.10 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 74.*.*.74 255.255.255.248 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name acffcu.org

access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list inbound extended permit tcp any interface outside eq smtp 

access-list inbound extended permit tcp any interface outside eq www 

access-list inbound extended permit tcp any interface outside eq https 

access-list inbound extended permit tcp any interface outside eq 444 

access-list inbound extended permit tcp any interface outside eq 4125 

access-list outside_cryptomap_65535.1 extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp SBS_Server smtp netmask 255.255.255.255  dns 

static (inside,outside) tcp interface www SBS_Server www netmask 255.255.255.255  dns 

static (inside,outside) tcp interface https SBS_Server https netmask 255.255.255.255  dns 

static (inside,outside) tcp interface 444 SBS_Server 444 netmask 255.255.255.255  dns 

static (inside,outside) tcp interface 4125 SBS_Server 4125 netmask 255.255.255.255  dns 

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 74.94.34.78 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.247.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1

crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs 

crypto map outside_map 1 set peer 4.2.2.2 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!
 

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group steve_house type ipsec-l2l

tunnel-group steve_house ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:a251f66590a6afb12bf466e7fe5f02c2

: end

asdm image disk0:/asdm-611.bin

asdm location steve_house 255.255.255.0 inside

no asdm history enable
 

Remote Site Config

: Saved

:

ASA Version 8.0(2) 

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyXU24 encrypted

names

name 192.168.247.0 acffcu

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.246.1 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 255.255.255.0 outside

http 192.168.246.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 74.*.*.74 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set phase1-mode aggressive 

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.246.100-192.168.246.200 inside

dhcpd auto_config outside interface inside

dhcpd update dns both interface inside

dhcpd enable inside

!
 

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group 74.94.34.74 type ipsec-l2l

tunnel-group 74.94.34.74 ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:653a65036bfa816a977c0fb099f5ddb6

: end

asdm image disk0:/asdm-611.bin

asdm location acffcu 255.255.255.0 inside

no asdm history enable


Question by:mtman69
11 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24416109
At the remote site, your nonats and crypto are missing destinations. The destination is the subnet on the other side of the VPN. The nonats and cryptos must match on each side.

On the remote side I don't see the preshared key defined. Your isakmp groups don't match either.

With the VPN setup, both sides must have matching settings or the tunnel won't build.
Have a look at this doc from Cisco; it outlines a static to dynamic VPN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Hope that helps.


0
 
LVL 13

Expert Comment

by:3nerds
ID: 24416267
mtman69:

As MikeKane pointed out, there are a couple of missing or off things in your current config. If you go through and clear out your current crypto items, the items I have added for you below will give you a good base and should allow you to bring up the tunnel. Just remember you can only bring the tunnel up from the remote side, as the main site cannot start the tunnel: it doesn't know where to go, seeing you have a dynamic end. You will also have to provide the pre-shared key, as I didn't want to take any liberty on those. You also may want to scrub your IPs a bit better in the future to keep the kiddies from causing you any problems. I also prefer to use more specific no-NAT ACLs, but that's just getting nitpicky.

Good Luck!

MAIN:
crypto ipsec transform-set mydes esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1 set transform-set mydes
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
tunnel-group steve_house type ipsec-l2l
tunnel-group steve_house ipsec-attributes
 pre-shared-key *
 
REMOTE:

access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 192.168.247.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 74.94.34.74
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
tunnel-group 74.94.34.74 type ipsec-l2l
tunnel-group 74.94.34.74 ipsec-attributes
 pre-shared-key *

If you just want to use what I have here as a template feel free.

Regards,

3nerds
0
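The checks the two replies above describe (mirrored crypto and no-NAT ACLs, a matching ISAKMP policy, a dynamic crypto map on the static side) can be made mechanical. What follows is an added example and not code from the thread: a Python script that parses the IKEv1/IPsec-relevant lines of two ASA 8.x configs and lists the settings that disagree. The two excerpts it runs on are constructed from the main and remote configs posted in the question, with the hub's public address kept masked as 74.*.*.74 exactly as posted. The "corrected" pair it also runs on is my own assumption of a working hub/spoke shape (dynamic entry only on the hub, NAT traversal enabled on both ends, pre-shared key in DefaultL2LGroup), not something the thread states.

```python
# Added example (mine, not from the thread): the settings that must agree between a static-address ASA hub and a dynamic-address spoke.
def parse_asa(text):
    """Collect names, crypto ACLs, transform sets, ISAKMP policies, crypto/dynamic map entries, applied maps, tunnel-groups, NAT-T."""
    cfg = {"names": {}, "acl": {}, "ts": {}, "policy": {}, "map": {}, "dyn": {},
           "applied": set(), "tg": set(), "natt": True}
    policy = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if policy is not None and line.startswith(" "):    # body of the current isakmp policy
            policy[w[0]] = w[1]
            continue
        policy = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["policy"].setdefault(w[3], {})
        elif w[0] == "name":                                # "name 192.168.246.0 steve_house"
            cfg["names"][w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            pair = tuple(cfg["names"].get(a, a) + "/" + m for a, m in ((w[5], w[6]), (w[7], w[8])))
            cfg["acl"].setdefault(w[1], []).append(pair)    # names resolved, so both sides compare as addresses
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][w[3]] = (w[4], w[5])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["applied"].add(w[2])
        elif w[0] == "crypto" and w[1] in ("map", "dynamic-map") and w[3].isdigit():
            entry = (cfg["map"] if w[1] == "map" else cfg["dyn"]).setdefault((w[2], int(w[3])), {})
            if w[4] == "match":
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "pfs"]:                  # a bare "set pfs" means group2 on the ASA
                entry["pfs"] = w[6] if len(w) > 6 else "group2"
            elif w[4:6] == ["set", "transform-set"]:
                entry["ts"] = w[6:]
            elif w[4:6] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = w[6]
        elif w[0] == "tunnel-group" and len(w) > 2 and w[2] in ("type", "ipsec-attributes"):
            cfg["tg"].add(w[1])
        elif w[:4] == ["no", "crypto", "isakmp", "nat-traversal"]:
            cfg["natt"] = False
    return cfg

def check_pair(hub_text, spoke_text):
    hub, spoke, out = parse_asa(hub_text), parse_asa(spoke_text), []
    out += [f"{side}: crypto map {n} is not applied to any interface" for c, side in ((hub, "hub"), (spoke, "spoke"))
            for n in sorted({m for m, _ in c["map"]} - c["applied"])]       # a leftover map never takes effect
    dyn_names = {e["dynamic"] for (n, _), e in hub["map"].items() if n in hub["applied"] and "dynamic" in e}
    hub_e = [d for (n, _), d in sorted(hub["dyn"].items()) if n in dyn_names]    # entries accepting unknown peers
    spoke_e = [e for (n, _), e in sorted(spoke["map"].items()) if n in spoke["applied"] and "dynamic" not in e]
    for h in hub_e:
        for s in spoke_e:
            if "acl" in h and "acl" in s and sorted(hub["acl"][h["acl"]]) != sorted(
                    (d, src) for src, d in spoke["acl"][s["acl"]]):           # proxy identities must mirror
                out.append(f"hub ACL {h['acl']} is not the mirror of spoke ACL {s['acl']}")
            if "pfs" in h and "pfs" in s and h["pfs"] != s["pfs"]:       # a group set on both sides must agree
                out.append(f"pfs mismatch: hub {h['pfs']} vs spoke {s['pfs']}")
            if not {hub["ts"][t] for t in h.get("ts", [])} & {spoke["ts"][t] for t in s.get("ts", [])}:
                out.append("no common ESP transform set between the hub and spoke entries")
    key = lambda c: {tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group")) for p in c["policy"].values()}
    if not key(hub) & key(spoke):
        out.append("no common isakmp policy (authentication, encryption, hash, group)")
    if not (hub["natt"] and spoke["natt"]):
        out.append("nat-traversal disabled on at least one side; ESP cannot cross a NAT in front of the spoke")
    # Assumption: the spoke identifies by address (the ASA default), so the hub can only find the pre-shared key
    # in DefaultL2LGroup; a spoke set to "crypto isakmp identity hostname" would instead need a tunnel-group
    # named after its FQDN, which is not checked here.
    if not hub_e:
        out.append("hub: applied map has no dynamic entry, so a spoke with a dynamic address cannot match")
    elif "DefaultL2LGroup" not in hub["tg"]:
        out.append("hub: no DefaultL2LGroup pre-shared key for a peer whose address is not known in advance")
    return out

# Constructed excerpts of the two configs as first posted in the question; the hub's public address stays masked.
ISAKMP = "crypto isakmp policy 10\n authentication pre-share\n encryption 3des\n hash sha\n group 2"
TS = "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac"
HUB = "\n".join([
    "name 192.168.246.0 steve_house", TS,
    "access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0",
    "crypto dynamic-map outside_dyn_map 1 match address outside_1_cryptomap",
    "crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA",
    "crypto map outside_map 1 match address outside_1_cryptomap", "crypto map outside_map 1 set pfs",
    "crypto map outside_map 1 set peer 4.2.2.2", "crypto map outside_map 1 set transform-set ESP-3DES-SHA",
    "crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map", "crypto map outside_map0 interface outside",
    ISAKMP, "no crypto isakmp nat-traversal", "tunnel-group steve_house type ipsec-l2l"])
SPOKE = "\n".join([
    "name 192.168.247.0 acffcu", TS,
    "access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0",
    "crypto map outside_map 1 match address outside_1_cryptomap", "crypto map outside_map 1 set pfs group1",
    "crypto map outside_map 1 set peer 74.*.*.74", "crypto map outside_map 1 set transform-set ESP-3DES-SHA",
    "crypto map outside_map interface outside", ISAKMP, "no crypto isakmp nat-traversal",
    "tunnel-group 74.*.*.74 type ipsec-l2l"])
# My assumed fix: drop the stray static entry, enable NAT-T on both ends, put the key in DefaultL2LGroup.
HUB_FIXED = "\n".join([ln for ln in HUB.splitlines() if not ln.startswith("crypto map outside_map 1 ")]
                      + ["tunnel-group DefaultL2LGroup ipsec-attributes", " pre-shared-key *"]
                      ).replace("no crypto isakmp nat-traversal", "crypto isakmp nat-traversal 20")
SPOKE_FIXED = SPOKE.replace("no crypto isakmp nat-traversal", "crypto isakmp nat-traversal 20")
if __name__ == "__main__":
    for label, pair in (("as posted", (HUB, SPOKE)), ("corrected", (HUB_FIXED, SPOKE_FIXED))):
        print(label + ":", check_pair(*pair) or ["no mismatches found"])
```

Run as a script it prints three findings for the posted pair: the hub's outside_map (the entry with peer 4.2.2.2) is not applied to any interface, NAT traversal is disabled on both ends, and the hub has no DefaultL2LGroup key for a peer it cannot name by address. The ISAKMP policies and transform sets already agree and the crypto ACLs already mirror each other, so the script does not report them; the corrected pair produces no findings.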
 

Author Comment

by:mtman69
ID: 24416847
Thanks for the help. I read it and made some changes, but it still doesn't seem to be working. Here are the current configs, thanks for the help! Maybe I have been staring at this for too long today....

Main:

: Saved

:

ASA Version 8.0(2) 

!

hostname nfd-main

domain-name a.org

enable password B5Vos7Kq2fWr encrypted

names

name 192.168.247.3 SBS_Server

name 192.168.246.0 steve_house

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.247.10 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 74.*.*.* 255.255.255.248 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd B5Vos7Kq2fa1IKWr encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name a.org

access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 74.*.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.247.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set mydes esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto dynamic-map dynmap 1 set transform-set mydes

crypto dynamic-map steve_house 1 match address outside_cryptomap

crypto dynamic-map steve_house 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs 

crypto map outside_map 1 set peer 4.2.2.2 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map dyn-map 1 ipsec-isakmp dynamic steve_house

crypto map dyn-map 10 ipsec-isakmp dynamic dynmap

crypto map dyn-map interface outside

crypto isakmp identity address 

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!
 

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group steve_house type ipsec-l2l

tunnel-group steve_house ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:966cfe4ba90ef5ee1f09a59219611724

: end

asdm image disk0:/asdm-611.bin

asdm location steve_house 255.255.255.0 inside

no asdm history enable
 

Remote:

: Saved

:

ASA Version 8.0(2) 

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt24 encrypted

names

name 192.168.247.0 acffcu

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.246.1 255.255.255.0 

 ospf cost 10

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

 ospf cost 10

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 255.255.255.0 outside

http 192.168.246.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs 

crypto map outside_map 1 set peer 74.*.*.* 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set phase1-mode aggressive 

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.246.100-192.168.246.200 inside

dhcpd auto_config outside interface inside

dhcpd update dns both interface inside

dhcpd enable inside

!
 

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group 74.*.*.* type ipsec-l2l

tunnel-group 74.*.*.* ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:f9989d6bb256aa1de70c4a735c83c4e8

: end

asdm image disk0:/asdm-611.bin

asdm location acffcu 255.255.255.0 inside

no asdm history enable


0
 
LVL 13

Expert Comment

by:3nerds
ID: 24421423
mtman69

Do this on the remote side:

no crypto map outside_map 1 set pfs


Then, from the remote site, if you ping an IP address on the main side, what happens and what messages appear in the ASDM? You should be able to see the events scroll by on the home page of the ASDM. I need to know what error you are getting when it attempts to set up the VPN tunnel.



Regards,

3nerds
0
 

Author Comment

by:mtman69
ID: 24422673
Did no crypto map outside_map 1 set pfs on the remote, tried a ping to a host on the other side from the remote, and got these messages:
IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)

Built outbound UDP connection 3153 for outside:74.*.*.74/500 (74.*.*.74/500) to NP Identity Ifc:10.1.10.83/500 (10.1.10.83/500)

IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

IP = 74.*.*.74, Information Exchange processing failed

IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

IP = 74.*.*.74, Information Exchange processing failed

IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

IP = 74.*.*.74, Information Exchange processing failed

IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

IP = 74.*.*.74, Information Exchange processing failed

IP = 74.*.*.74, Removing peer from peer table failed, no match!

IP = 74.*.*.74, Error: Unable to remove PeerTblEntry

Teardown UDP connection 3153 for outside:74.*.*.74/500 to NP Identity Ifc:10.1.10.83/500 duration 0:02:24 bytes 1616


0
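The messages above can be read mechanically. The following is an added example and not part of the thread: a short triage script for the IKE messages an ASA logs on the side that starts the tunnel. It reads lines either as the bare message text the ASDM viewer shows or in the pipe-delimited form the viewer exports (severity|date|time|message-id|src|sport|dst|dport|text). The sample lines are constructed from the remote-side log the poster supplies later in this thread, with the hub address kept masked as 74.*.*.74. The script records who initiated, which peer and proxy identities were used, how many times the peer answered NO_PROPOSAL_CHOSEN and at what interval, and whether the address the IKE socket is bound to (10.1.10.83 here) is private, which says the remote ASA itself sits behind another NAT.

```python
# Added example (mine, not from the thread): triage one IKEv1 phase 1 attempt from the
# initiator's own ASA log. Sample lines are constructed from the remote-side log posted in this
# thread, in the pipe-delimited form the ASDM viewer exports; the hub address stays masked.
import ipaddress
import re
from statistics import mean

INITIATOR = re.compile(r"IKE Initiator: New Phase 1, Intf (\S+), IKE Peer (\S+)\s+local Proxy Address (\S+),"
                       r"\s+remote Proxy Address (\S+),\s+Crypto map \((\S+)\)")
# The ASA's own IKE endpoint shows up as "NP Identity Ifc:<addr>/500" in the UDP connection message.
IKE_SOCKET = re.compile(r"UDP connection \d+ for \S+:\S+/500 .* to NP Identity Ifc:(\S+)/500")
CLEAR_REJECT = "Received an un-encrypted NO_PROPOSAL_CHOSEN notify message"
GAVE_UP = "Removing peer from peer table failed"


def parse_line(line):
    """Accept the export form sev|date|time|id|src|sport|dst|dport|text or the bare message text."""
    parts = line.split("|")
    if len(parts) >= 9:
        return {"id": parts[3], "time": parts[2], "text": "|".join(parts[8:])}
    return {"id": None, "time": None, "text": line}


def seconds(hhmmss):
    h, m, s = map(int, hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def triage_phase1(lines):
    """Summarise who initiated, what was rejected, how often, and whether this ASA sits behind a NAT."""
    r = {"role": None, "peer": None, "local_ike_addr": None, "behind_nat": None,
         "rejections": 0, "retry_interval_s": None, "gave_up": False, "conclusions": []}
    reject_times = []
    for rec in map(parse_line, lines):
        text = rec["text"]
        if m := INITIATOR.search(text):
            r.update(role="initiator", peer=m[2], local_proxy=m[3], remote_proxy=m[4], crypto_map=m[5])
        elif m := IKE_SOCKET.search(text):
            r["local_ike_addr"] = m[1]
            try:                                      # a private address here means another NAT in front
                r["behind_nat"] = ipaddress.ip_address(m[1]).is_private
            except ValueError:                        # masked addresses such as 74.*.*.74 cannot be judged
                r["behind_nat"] = None
        elif CLEAR_REJECT in text:
            r["rejections"] += 1
            if rec["time"]:
                reject_times.append(seconds(rec["time"]))
        elif GAVE_UP in text:
            r["gave_up"] = True
    if len(reject_times) > 1:
        t = sorted(reject_times)
        r["retry_interval_s"] = round(mean(b - a for a, b in zip(t, t[1:])))
    if r["rejections"]:
        r["conclusions"].append(
            f"{r['peer']} answered NO_PROPOSAL_CHOSEN in the clear {r['rejections']} times: it rejected the "
            "attempt before any ISAKMP SA existed, so compare the isakmp policies and check how the hub "
            "looks up this peer's pre-shared key")
    if r["behind_nat"]:
        r["conclusions"].append(
            f"this ASA's IKE socket is bound to private address {r['local_ike_addr']}, so it sits behind "
            "another NAT; ESP will not pass that device unless NAT traversal is enabled on both ends")
    return r


# Constructed from the remote-side messages posted in this thread, oldest first.
REMOTE_LOG = """\
5|May 19 2009|04:04:26|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
6|May 19 2009|04:04:26|302015|74.*.*.74|500|10.1.10.83|500|Built outbound UDP connection 3452 for outside:74.*.*.74/500 (74.*.*.74/500) to NP Identity Ifc:10.1.10.83/500 (10.1.10.83/500)
5|May 19 2009|04:04:26|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
4|May 19 2009|04:04:26|713903|||||IP = 74.*.*.74, Information Exchange processing failed
5|May 19 2009|04:04:34|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
5|May 19 2009|04:04:42|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
5|May 19 2009|04:04:50|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
3|May 19 2009|04:04:58|713902|||||IP = 74.*.*.74, Removing peer from peer table failed, no match!
"""

if __name__ == "__main__":
    for k, v in triage_phase1(REMOTE_LOG.splitlines()).items():
        print(f"{k}: {v}")
```

The two conclusions it draws from the posted lines are independent: the un-encrypted notify is a phase 1 rejection by the hub, while the private IKE address is a second problem that only shows up once phase 1 succeeds and ESP has to cross the device in front of the remote ASA. Both posted configs carry no crypto isakmp nat-traversal, so the second one is worth fixing before the tunnel is expected to pass traffic.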

 
LVL 13

Expert Comment

by:3nerds
ID: 24422851
A little more cleanup:

Main Side:

no crypto dynamic-map steve_house 1 match address outside_cryptomap
no crypto dynamic-map steve_house 1 set transform-set ESP-3DES-SHA
no crypto map outside_map 1 match address outside_1_cryptomap
no crypto map outside_map 1 set pfs
no crypto map outside_map 1 set peer 4.2.2.2
no crypto map outside_map 1 set transform-set ESP-3DES-SHA


Are you able to do the same test again and give me the messages from the main site as well the remote site?

Could you then repaste the configs for me?

Thanks,

3nerds
0
 

Author Comment

by:mtman69
ID: 24423023
3nerds, thanks for your help! Did the commands you requested on the main site. See the attached logs and configs.

Mike
Remote Log:
 

4|May 19 2009|04:04:58|713903|||||IP = 74.*.*.74, Error: Unable to remove PeerTblEntry

3|May 19 2009|04:04:58|713902|||||IP = 74.*.*.74, Removing peer from peer table failed, no match!

4|May 19 2009|04:04:50|713903|||||IP = 74.*.*.74, Information Exchange processing failed

5|May 19 2009|04:04:50|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

6|May 19 2009|04:04:42|713219|||||IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

4|May 19 2009|04:04:42|713903|||||IP = 74.*.*.74, Information Exchange processing failed

5|May 19 2009|04:04:42|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

6|May 19 2009|04:04:37|302015|192.168.0.248|161|192.168.246.100|1031|Built outbound UDP connection 3455 for outside:192.168.0.248/161 (192.168.0.248/161) to inside:192.168.246.100/1031 (10.1.10.83/2344)

6|May 19 2009|04:04:37|305011|192.168.246.100|1031|10.1.10.83|2344|Built dynamic UDP translation from inside:192.168.246.100/1031 to outside:10.1.10.83/2344

6|May 19 2009|04:04:36|713219|||||IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

4|May 19 2009|04:04:34|713903|||||IP = 74.*.*.74, Information Exchange processing failed

5|May 19 2009|04:04:34|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

6|May 19 2009|04:04:31|713219|||||IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

4|May 19 2009|04:04:26|713903|||||IP = 74.*.*.74, Information Exchange processing failed

5|May 19 2009|04:04:26|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

6|May 19 2009|04:04:26|302015|74.*.*.74|500|10.1.10.83|500|Built outbound UDP connection 3452 for outside:74.*.*.74/500 (74.*.*.74/500) to NP Identity Ifc:10.1.10.83/500 (10.1.10.83/500)

5|May 19 2009|04:04:26|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
 

Main Log:
 

6|May 19 2009|03:04:46|302015|192.168.44.1|123|SBS_Server|123|Built outbound UDP connection 3892 for outside:192.168.44.1/123 (192.168.44.1/123) to inside:SBS_Server/123 (74.*.*.74/200)

6|May 19 2009|03:04:46|302015|192.168.242.1|123|SBS_Server|123|Built outbound UDP connection 3891 for outside:192.168.242.1/123 (192.168.242.1/123) to inside:SBS_Server/123 (74.*.*.74/200)

6|May 19 2009|03:04:46|305011|SBS_Server|123|74.*.*.74|200|Built dynamic UDP translation from inside:SBS_Server/123 to outside:74.*.*.74/200

6|May 19 2009|03:04:18|302014|67.223.74.141|41945|SBS_Server|443|Teardown TCP connection 3890 for outside:67.223.74.141/41945 to inside:SBS_Server/443 duration 0:00:01 bytes 43699 TCP FINs

6|May 19 2009|03:04:16|302014|67.223.74.141|41864|SBS_Server|443|Teardown TCP connection 3889 for outside:67.223.74.141/41864 to inside:SBS_Server/443 duration 0:00:02 bytes 1439 TCP FINs

6|May 19 2009|03:04:16|302013|67.223.74.141|41945|SBS_Server|443|Built inbound TCP connection 3890 for outside:67.223.74.141/41945 (67.223.74.141/41945) to inside:SBS_Server/443 (74.*.*.74/443)

6|May 19 2009|03:04:14|302014|67.223.74.141|41839|SBS_Server|443|Teardown TCP connection 3888 for outside:67.223.74.141/41839 to inside:SBS_Server/443 duration 0:00:00 bytes 1608 TCP FINs

6|May 19 2009|03:04:14|302013|67.223.74.141|41864|SBS_Server|443|Built inbound TCP connection 3889 for outside:67.223.74.141/41864 (67.223.74.141/41864) to inside:SBS_Server/443 (74.*.*.74/443)

6|May 19 2009|03:04:14|302013|67.223.74.141|41839|SBS_Server|443|Built inbound TCP connection 3888 for outside:67.223.74.141/41839 (67.223.74.141/41839) to inside:SBS_Server/443 (74.*.*.74/443)

6|May 19 2009|03:04:09|305012|SBS_Server|123|74.*.*.74|199|Teardown dynamic UDP translation from inside:SBS_Server/123 to outside:74.*.*.74/199 duration 0:02:30

4|May 19 2009|03:03:44|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry

3|May 19 2009|03:03:44|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!

6|May 19 2009|03:03:41|302016|64.73.32.135|123|SBS_Server|123|Teardown UDP connection 3868 for outside:64.73.32.135/123 to inside:SBS_Server/123 duration 0:02:01 bytes 96

4|May 19 2009|03:03:36|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry

3|May 19 2009|03:03:36|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!

4|May 19 2009|03:03:28|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry

3|May 19 2009|03:03:28|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!

4|May 19 2009|03:03:20|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry

3|May 19 2009|03:03:20|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!

6|May 19 2009|03:03:20|302015|173.*.*.198|500|74.*.*.74|500|Built inbound UDP connection 3887 for outside:173.*.*.198/500 (173.*.*.198/500) to NP Identity Ifc:74.*.*.74/500 (74.*.*.74/500)
 
 
 

Current Configs:
 

Remote
 

: Saved

:

ASA Version 8.0(2) 

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

name 192.168.247.0 acffcu

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.246.1 255.255.255.0 

 ospf cost 10

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

 ospf cost 10

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 255.255.255.0 outside

http 192.168.246.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 74.*.*.74 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set phase1-mode aggressive 

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.246.100-192.168.246.200 inside

dhcpd auto_config outside interface inside

dhcpd update dns both interface inside

dhcpd enable inside

!
 

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group 74.*.*.74 type ipsec-l2l

tunnel-group 74.*.*.74 ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:fdeece2271b7012d88e3dcc2721c9c32

: end

asdm image disk0:/asdm-611.bin

asdm location acffcu 255.255.255.0 inside

no asdm history enable
 
 

Main:
 

: Saved

:

ASA Version 8.0(2) 

!

hostname nfd-main

domain-name acffcu.org

enable password B5Vos7Kq2fa1IKWr encrypted

names

name 192.168.247.3 SBS_Server

name 192.168.246.0 steve_house

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.247.10 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 74.*.*.74 255.255.255.248 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd B5Vos7Kq2KWr encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name acffcu.org

access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 74.94.34.78 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.247.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set mydes esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto dynamic-map dynmap 1 set transform-set mydes

crypto map dyn-map 1 ipsec-isakmp dynamic steve_house

crypto map dyn-map 10 ipsec-isakmp dynamic dynmap

crypto map dyn-map interface outside

crypto isakmp identity address 

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet SBS_Server 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!
 

threat-detection basic-threat

threat-detection scanning-threat shun

threat-detection statistics

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group steve_house type ipsec-l2l

tunnel-group steve_house ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:5f8e289ebbb8faeebd103fff711a7866

: end

asdm image disk0:/asdm-611.bin

asdm location steve_house 255.255.255.0 inside

no asdm history enable


Expert Comment

by:3nerds
ID: 24423200
OK, do the following on the Main site:

no tunnel-group steve_house type ipsec-l2l
no tunnel-group steve_house ipsec-attributes
 pre-shared-key *

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

Remote side:


no crypto map outside_map 1 set phase1-mode aggressive

Make sure the pre-shared keys are the same on both ends.


And if you would please test again and report the logs.

Good Luck,

3nerds

Author Comment

by:mtman69
ID: 24423922
OK, ran the commands and tested. Phase 1 completes now, but there are other errors.
Logs:
 

Remote:
 

4|May 19 2009|05:24:41|113019|||||Group = 74.*.*.74, Username = 74.*.*.74, IP = 74.*.*.74, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|May 19 2009|05:24:41|713902|||||Group = 74.*.*.74, IP = 74.*.*.74, Removing peer from correlator table failed, no match!

1|May 19 2009|05:24:41|713900|||||Group = 74.*.*.74, IP = 74.*.*.74, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

5|May 19 2009|05:24:41|713050|||||Group = 74.*.*.74, IP = 74.*.*.74, Connection terminated for peer 74.*.*.74.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A

3|May 19 2009|05:24:40|713119|||||Group = 74.*.*.74, IP = 74.*.*.74, PHASE 1 COMPLETED

6|May 19 2009|05:24:40|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 74.*.*.74

4|May 19 2009|05:24:40|713903|||||Group = 74.*.*.74, IP = 74.*.*.74, Freeing previously allocated memory for authorization-dn-attributes

5|May 19 2009|05:24:40|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)

4|May 19 2009|05:24:35|113019|||||Group = 74.*.*.74, Username = 74.*.*.74, IP = 74.*.*.74, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|May 19 2009|05:24:35|713902|||||Group = 74.*.*.74, IP = 74.*.*.74, Removing peer from correlator table failed, no match!

1|May 19 2009|05:24:35|713900|||||Group = 74.*.*.74, IP = 74.*.*.74, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

5|May 19 2009|05:24:35|713050|||||Group = 74.*.*.74, IP = 74.*.*.74, Connection terminated for peer 74.*.*.74.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A

3|May 19 2009|05:24:35|713119|||||Group = 74.*.*.74, IP = 74.*.*.74, PHASE 1 COMPLETED

6|May 19 2009|05:24:35|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 74.*.*.74

4|May 19 2009|05:24:35|713903|||||Group = 74.*.*.74, IP = 74.*.*.74, Freeing previously allocated memory for authorization-dn-attributes

5|May 19 2009|05:24:35|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
 

Main:
 

4|May 19 2009|04:23:57|113019|||||Group = DefaultRAGroup, Username = , IP = 173.*.*.198, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|May 19 2009|04:23:57|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from correlator table failed, no match!

3|May 19 2009|04:23:57|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, QM FSM error (P2 struct &0xd3df7f70, mess id 0xb66d5b79)!

3|May 19 2009|04:23:57|713127|||||Group = DefaultRAGroup, IP = 173.*.*.198, Xauth required but selected Proposal does not support xauth,  Check priorities of ike xauth proposals in ike proposal list

3|May 19 2009|04:23:57|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED

3|May 19 2009|04:23:57|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED

6|May 19 2009|04:23:57|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup

4|May 19 2009|04:23:57|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Freeing previously allocated memory for authorization-dn-attributes

6|May 19 2009|04:23:56|305012|192.168.247.21|2022|74.*.*.74|2141|Teardown dynamic TCP translation from inside:192.168.247.21/2022 to outside:74.*.*.74/2141 duration 0:00:30

4|May 19 2009|04:23:52|113019|||||Group = DefaultRAGroup, Username = , IP = 173.*.*.198, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

3|May 19 2009|04:23:52|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from correlator table failed, no match!

3|May 19 2009|04:23:52|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, QM FSM error (P2 struct &0xd3df7f20, mess id 0xecf47fba)!

3|May 19 2009|04:23:52|713127|||||Group = DefaultRAGroup, IP = 173.*.*.198, Xauth required but selected Proposal does not support xauth,  Check priorities of ike xauth proposals in ike proposal list

3|May 19 2009|04:23:52|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED

3|May 19 2009|04:23:52|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED

6|May 19 2009|04:23:52|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup

4|May 19 2009|04:23:52|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Freeing previously allocated memory for authorization-dn-attributes
 

Configs:
 

Remote
 

: Saved

:

ASA Version 8.0(2) 

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIytU24 encrypted

names

name 192.168.247.0 acffcu

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.246.1 255.255.255.0 

 ospf cost 10

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

 ospf cost 10

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.246.0 255.255.255.0 inside

http 0.0.0.0 255.255.255.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 74.*.*.74 

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp identity address 

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.246.100-192.168.246.200 inside

dhcpd auto_config outside interface inside

dhcpd update dns both interface inside

dhcpd enable inside

!
 

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group 74.*.*.74 type ipsec-l2l

tunnel-group 74.*.*.74 ipsec-attributes

 pre-shared-key *

prompt hostname context 

Cryptochecksum:040c8e27f2b226deb5ad0402bd1554b9

: end

asdm image disk0:/asdm-611.bin

asdm location acffcu 255.255.255.0 inside

no asdm history enable
 
 

Main:
 

: Saved

:

ASA Version 8.0(2) 

!

hostname nfd-main

domain-name acffcu.org

enable password B5Vos7KqKWr encrypted

names

name 192.168.247.3 SBS_Server

name 192.168.246.0 steve_house

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.247.10 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 74.*.*.74 255.255.255.248 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd B5Vos7Kq2fa1IKWr encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name acffcu.org

access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 74.*.*.78 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set mydes esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto dynamic-map dynmap 1 set transform-set mydes

crypto map dyn-map 1 ipsec-isakmp dynamic steve_house

crypto map dyn-map 10 ipsec-isakmp dynamic dynmap

crypto map dyn-map interface outside

crypto isakmp identity address 

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

no crypto isakmp nat-traversal

telnet SBS_Server 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!
 

threat-detection basic-threat

threat-detection scanning-threat shun

threat-detection statistics

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny  

  inspect sunrpc 

  inspect xdmcp 

  inspect sip  

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key *

tunnel-group steve_house type ipsec-l2l

prompt hostname context 

Cryptochecksum:5f8e289ebbb8faeebd103fff711a7866

: end

asdm image disk0:/asdm-611.bin

asdm location steve_house 255.255.255.0 inside

no asdm history enable

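The remote-side log above is the initiator's view: it completes phase 1 and is then torn down by the peer ("Reason: Peer Terminate"), so the failure is on the responder (the main site), not here. The remote configuration itself only needs tightening. Below is the remote (DHCP-addressed) side written the way a practitioner would deploy it; it is an added example, not the poster's or 3nerds's configuration. It assumes ASA 8.0(2) as posted (so IKEv1 is limited to SHA-1/MD5 and DH groups 1/2/5/7; AES-256 with group 5 is the best available on this release), keeps the page's redacted peer address `74.*.*.74` as-is, and uses `<same-long-random-key>` as a placeholder for the shared secret. Three points differ from the posted config: aggressive mode stays off, because with a pre-shared key it sends a key-derived hash in the clear that can be brute-forced offline; NAT-T is enabled, because a DHCP-assigned outside address may itself sit behind a provider NAT, in which case raw ESP never arrives; and the posted `http 0.0.0.0 255.255.255.0 outside` is replaced, since that mask matches only 0.0.0.0/24 (effectively nothing) while the 0.0.0.0/0 it was presumably meant to be would expose ASDM to the whole Internet. PFS and the transform set must be configured identically on both ends.

```cisco
! === Remote site (outside address from DHCP): always the initiator ===
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp identity address
crypto isakmp enable outside
! No "set phase1-mode aggressive": main mode keeps the PSK hash encrypted.
! NAT-T: harmless when no NAT is in the path, required when there is one.
crypto isakmp nat-traversal 20

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! Crypto-map ACL and NAT-exempt ACL must describe the same two subnets.
access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 192.168.247.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Static entry: this side knows the main site's fixed address.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 74.*.*.74
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set pfs group5
crypto map outside_map interface outside

tunnel-group 74.*.*.74 type ipsec-l2l
tunnel-group 74.*.*.74 ipsec-attributes
 pre-shared-key <same-long-random-key>
 ! Dead-peer detection so a DHCP address change tears down and rebuilds
 ! the tunnel instead of leaving a stale SA on the main site.
 isakmp keepalive threshold 10 retry 2

! Management: never from the open Internet. Reach this box from the main
! site's LAN through the tunnel via its inside address instead.
no http 0.0.0.0 255.255.255.0 outside
http 192.168.246.0 255.255.255.0 inside
http 192.168.247.0 255.255.255.0 inside
management-access inside
```

To bring the tunnel up, send interesting traffic from a LAN host (ping something in 192.168.247.0/24), then check `show crypto isakmp sa` (state should reach MM_ACTIVE), `show crypto ipsec sa peer 74.*.*.74` (encaps/decaps counters climbing) and, if it stalls, `debug crypto isakmp 127` on the responder, whose output names the tunnel-group the peer landed in just as the 713119 syslog lines above do.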

Accepted Solution

by: 3nerds (earned 500 total points)
ID: 24424065
add this to the main side:

tunnel-group DefaultRAGroup ipsec-attributes
isakmp ikev1-user-authentication none


Test and post please.

Sorry for the small changes and then posts; when I normally troubleshoot I am the one having to do the leg work, and small changes are my friend =)

Good Luck,

3nerds

Author Comment

by:mtman69
ID: 24424156
3nerds, you rock! The tunnel is up and working fine. I didn't mind the small changes. I appreciate all of your help with this!

Mike
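Why the accepted fix works: the main site's 713127 "Xauth required but selected Proposal does not support xauth" message comes from DefaultRAGroup, a remote-access group whose default `isakmp ikev1-user-authentication xauth` (visible with `show running-config all tunnel-group DefaultRAGroup`) demands a username and password after phase 1; a site-to-site peer never sends one, so quick mode fails. 3nerds's `isakmp ikev1-user-authentication none` switches that demand off. Cisco's documented configuration for a LAN-to-LAN peer with an unknown address takes a different route: it keys DefaultL2LGroup, the LAN-to-LAN fallback group, which is never subject to XAUTH, so no override is needed. The block below is the main (static-address) side written that way; it is an added example, not the thread's configuration, and it assumes ASA 8.0(2) as posted, the placeholder `<long-random-key>` for the shared secret, and the same transform set, PFS group and NAT-T setting as the remote end. It also fixes two things visible in the posted main config: `crypto map dyn-map 1 ipsec-isakmp dynamic steve_house` refers to a dynamic map that was never defined (only `dynmap` exists), and the dynamic map has no `match address`, which lets any holder of the pre-shared key negotiate arbitrary proxy identities.

```cisco
! === Main site (static outside address): responder for the dynamic peer ===
! Phase 1, matching the remote end exactly.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal 20

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 192.168.246.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 192.168.246.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Remove the entry that points at a dynamic map that does not exist.
no crypto map dyn-map 1 ipsec-isakmp dynamic steve_house
! Dynamic map: no "set peer" because the address is unknown. The
! "match address" is the least-privilege control: a peer presenting the
! PSK may only negotiate these two subnets, nothing else.
crypto dynamic-map dynmap 1 match address outside_cryptomap
crypto dynamic-map dynmap 1 set transform-set ESP-AES-256-SHA
crypto dynamic-map dynmap 1 set pfs group5
! Dynamic entries belong at the end of the map so any static peers added
! later are matched first.
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside

! Key the L2L fallback group and leave no key on DefaultRAGroup, so the
! remote-access group cannot claim the peer as it did in the logs above.
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <long-random-key>
 isakmp keepalive threshold 10 retry 2
! The named group is dead weight: a tunnel-group name is matched against
! the peer's IKE identity (here its changing address), not the "name" alias.
no tunnel-group steve_house
```

After the remote initiates, `show crypto isakmp sa` should show MM_ACTIVE in the responder role and the 713119 "PHASE 1 COMPLETED" syslog should now read `Group = DefaultL2LGroup`; `show crypto ipsec sa peer <remote address>` confirms phase 2 with encaps/decaps counters moving in both directions.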