• Status: Solved

Site to Site Cisco VPN with one side dynamic IP

Trying to connect two sites with ASA5505s; one side has a dynamic IP. What am I missing? Thanks!
MAIN SITE CONFIG
: Saved
:
ASA Version 8.0(2) 
!
hostname nfd-main
domain-name acf.org
enable password B5Vos7Kq2KWr encrypted
names
name 192.168.247.3 SBS_Server
name 192.168.246.0 steve_house
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.247.10 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.*.*.74 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name acffcu.org
access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list inbound extended permit tcp any interface outside eq smtp 
access-list inbound extended permit tcp any interface outside eq www 
access-list inbound extended permit tcp any interface outside eq https 
access-list inbound extended permit tcp any interface outside eq 444 
access-list inbound extended permit tcp any interface outside eq 4125 
access-list outside_cryptomap_65535.1 extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp SBS_Server smtp netmask 255.255.255.255  dns 
static (inside,outside) tcp interface www SBS_Server www netmask 255.255.255.255  dns 
static (inside,outside) tcp interface https SBS_Server https netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 444 SBS_Server 444 netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 4125 SBS_Server 4125 netmask 255.255.255.255  dns 
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 74.94.34.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.247.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 4.2.2.2 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group steve_house type ipsec-l2l
tunnel-group steve_house ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:a251f66590a6afb12bf466e7fe5f02c2
: end
asdm image disk0:/asdm-611.bin
asdm location steve_house 255.255.255.0 inside
no asdm history enable
 
Remote Site Config
: Saved
:
ASA Version 8.0(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyXU24 encrypted
names
name 192.168.247.0 acffcu
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.246.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 255.255.255.0 outside
http 192.168.246.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.*.*.74 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive 
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.246.100-192.168.246.200 inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group 74.94.34.74 type ipsec-l2l
tunnel-group 74.94.34.74 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:653a65036bfa816a977c0fb099f5ddb6
: end
asdm image disk0:/asdm-611.bin
asdm location acffcu 255.255.255.0 inside
no asdm history enable

1 Solution
 
MikeKane commented:
At the remote site, your nonats and crypto are missing destinations.   The destination is the subnet on the other side of the VPN.  The nonats and cryptos must match on each side.  

On the remote side I don't see the preshared key defined.  Your isakmp groups don't match either.  

With the VPN setup, both sides must have matching settings or the tunnel won't build.  
Have a look at this doc from Cisco, it outlines a static to dynamic VPN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Hope that helps.  


 
3nerds commented:
mtman69:

As MikeKane pointed out, there are a couple of missing or off things in your current config. If you go through and clear your current crypto items out, the items I have added for you below will give you a good base and should allow you to bring up the tunnel. Just remember you can only bring the tunnel up from the remote side, as the main site cannot start the tunnel: it doesn't know where to go, seeing you have a dynamic end. You will also have to provide the pre-shared key, as I didn't want to take any liberty on those. You also may want to scrub your IPs a bit better in the future to keep the kiddies from causing you any problems. I also prefer to use more specific no-NAT ACLs, but that's just getting nitpicky.

Good Luck!

MAIN:
crypto ipsec transform-set mydes esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1 set transform-set mydes
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
tunnel-group steve_house type ipsec-l2l
tunnel-group steve_house ipsec-attributes
 pre-shared-key *
 
REMOTE:

access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 192.168.247.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 74.94.34.74
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
 tunnel-group 74.94.34.74 type ipsec-l2l
tunnel-group 74.94.34.74 ipsec-attributes
 pre-shared-key *

If you just want to use what I have here as a template feel free.

Regards,

3nerds
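The two posts above describe the static-to-dynamic shape (dynamic crypto map on the hub, the spoke as the only initiator, matching ACLs and pre-shared key on both ends). The configuration pair below is an added example written for this page; it is not 3nerds's template, MikeKane's, or the Cisco document's text. It assumes what the thread's own configs and logs show: the hub's outside address is the masked 74.*.*.74, the LANs are 192.168.247.0/24 (main) and 192.168.246.0/24 (remote), the remote ASA's outside interface holds a private address (10.1.10.83 in the remote log) while the hub sees the connection arrive from 173.*.*.198, both boxes carry `no crypto isakmp nat-traversal`, and the hub log files the peer under `Group = DefaultRAGroup`. The ACL names, the dynamic-map name `dyn_spokes` and the `<shared-secret>` placeholder are mine; everything else is standard ASA 8.0 syntax.

```cisco
! ===== MAIN SITE (static outside 74.*.*.74): responder only =====
! Interesting-traffic and no-NAT ACLs must be exact mirrors of the spoke's.
access-list vpn_steve_house extended permit ip 192.168.247.0 255.255.255.0 192.168.246.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 192.168.246.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! No "set peer": the spoke's address is unknown, so a dynamic map is used.
crypto dynamic-map dyn_spokes 10 match address vpn_steve_house
crypto dynamic-map dyn_spokes 10 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_spokes 10 set pfs group2
! Only one crypto map can be bound to an interface. The dynamic entry takes
! the highest sequence number so any static entries are evaluated first.
crypto map outside_map 65535 ipsec-isakmp dynamic dyn_spokes
crypto map outside_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
! The spoke sits behind a NAT device (private outside address, seen from a
! different public address), so IKE/ESP must be wrapped in UDP 4500.
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! A main-mode peer whose address matches no tunnel-group is looked up in
! DefaultL2LGroup. A tunnel-group named after a subnet alias is never consulted.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <shared-secret>
!
! ===== REMOTE SITE (outside via DHCP, behind NAT): always the initiator =====
access-list vpn_main extended permit ip 192.168.246.0 255.255.255.0 192.168.247.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 192.168.247.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address vpn_main
crypto map outside_map 10 set peer 74.*.*.74
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! PFS group must be identical on both ends; a bare "set pfs" means group2.
crypto map outside_map 10 set pfs group2
! No "set phase1-mode aggressive": an aggressive-mode peer identified only by
! an unknown IP address is filed under DefaultRAGroup on the hub, which holds
! no L2L key. Main mode is what reaches DefaultL2LGroup.
crypto map outside_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! The spoke does know the hub address, so its tunnel-group is named by it.
tunnel-group 74.*.*.74 type ipsec-l2l
tunnel-group 74.*.*.74 ipsec-attributes
 pre-shared-key <shared-secret>
!
! Verification, run on the spoke (sourcing the ping from "inside" makes it
! match the crypto ACL; a ping sourced from "outside" never would):
!   ping inside 192.168.247.3
!   show crypto isakmp sa        -> expect state MM_ACTIVE
!   show crypto ipsec sa         -> #pkts encaps/decaps rising
!   debug crypto isakmp 127      -> on either box if phase 1 still fails
```

Two caveats on this layout. First, every unknown-address peer that reaches the hub authenticates against the single DefaultL2LGroup key, so that key protects every spoke at once; the per-spoke alternative is aggressive mode with `crypto isakmp identity key-id <name>` on the spoke and a hub `tunnel-group <name> type ipsec-l2l` carrying that spoke's own key. Second, the 3DES/SHA-1/DH group 2 choices are kept only because they are what the thread's devices use; on any platform that offers it, AES and a larger Diffie-Hellman group should replace them.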
 
mtman69 (Author) commented:
Thanks for the help. I read and made some changes; it still doesn't seem to be working. Here are the current configs, thanks for the help! Maybe I have been staring at this for too long today....

Main:
: Saved
:
ASA Version 8.0(2) 
!
hostname nfd-main
domain-name a.org
enable password B5Vos7Kq2fWr encrypted
names
name 192.168.247.3 SBS_Server
name 192.168.246.0 steve_house
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.247.10 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.*.*.* 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd B5Vos7Kq2fa1IKWr encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name a.org
access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 74.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.247.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set mydes esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map dynmap 1 set transform-set mydes
crypto dynamic-map steve_house 1 match address outside_cryptomap
crypto dynamic-map steve_house 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 4.2.2.2 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map dyn-map 1 ipsec-isakmp dynamic steve_house
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group steve_house type ipsec-l2l
tunnel-group steve_house ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:966cfe4ba90ef5ee1f09a59219611724
: end
asdm image disk0:/asdm-611.bin
asdm location steve_house 255.255.255.0 inside
no asdm history enable
 
Remote:
: Saved
:
ASA Version 8.0(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt24 encrypted
names
name 192.168.247.0 acffcu
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.246.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 255.255.255.0 outside
http 192.168.246.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 74.*.*.* 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive 
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.246.100-192.168.246.200 inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group 74.*.*.* type ipsec-l2l
tunnel-group 74.*.*.* ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:f9989d6bb256aa1de70c4a735c83c4e8
: end
asdm image disk0:/asdm-611.bin
asdm location acffcu 255.255.255.0 inside
no asdm history enable

 
3nerds commented:
mtman69

Do on the remote side.

no crypto map outside_map 1 set pfs


Then, from the remote site, if you ping an IP address on the main side, what happens and what messages appear in the ASDM? You should be able to see the events scroll by on the home page of the ASDM. I need to know what error you are getting when it attempts to set up the VPN tunnel.



Regards,

3nerds
 
mtman69 (Author) commented:
Did `no crypto map outside_map 1 set pfs` on the remote, tried a ping to a host on the other side from the remote, and got these messages:
IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
Built outbound UDP connection 3153 for outside:74.*.*.74/500 (74.*.*.74/500) to NP Identity Ifc:10.1.10.83/500 (10.1.10.83/500)
IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
IP = 74.*.*.74, Information Exchange processing failed
IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
IP = 74.*.*.74, Information Exchange processing failed
IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
IP = 74.*.*.74, Information Exchange processing failed
IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
IP = 74.*.*.74, Information Exchange processing failed
IP = 74.*.*.74, Removing peer from peer table failed, no match!
IP = 74.*.*.74, Error: Unable to remove PeerTblEntry
Teardown UDP connection 3153 for outside:74.*.*.74/500 to NP Identity Ifc:10.1.10.83/500 duration 0:02:24 bytes 1616

 
3nerds commented:
Little more clean up:

Main Side:

no crypto dynamic-map steve_house 1 match address outside_cryptomap
no crypto dynamic-map steve_house 1 set transform-set ESP-3DES-SHA
no crypto map outside_map 1 match address outside_1_cryptomap
no crypto map outside_map 1 set pfs
no crypto map outside_map 1 set peer 4.2.2.2
no crypto map outside_map 1 set transform-set ESP-3DES-SHA


Are you able to do the same test again and give me the messages from the main site as well as the remote site?

Could you then re-paste the configs for me?

Thanks,

3nerds
 
mtman69 (Author) commented:
3nerds, thanks for your help! I did the commands you requested on the main site. See the attached logs and configs.

Mike
Remote Log:
 
4|May 19 2009|04:04:58|713903|||||IP = 74.*.*.74, Error: Unable to remove PeerTblEntry
3|May 19 2009|04:04:58|713902|||||IP = 74.*.*.74, Removing peer from peer table failed, no match!
4|May 19 2009|04:04:50|713903|||||IP = 74.*.*.74, Information Exchange processing failed
5|May 19 2009|04:04:50|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
6|May 19 2009|04:04:42|713219|||||IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|May 19 2009|04:04:42|713903|||||IP = 74.*.*.74, Information Exchange processing failed
5|May 19 2009|04:04:42|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
6|May 19 2009|04:04:37|302015|192.168.0.248|161|192.168.246.100|1031|Built outbound UDP connection 3455 for outside:192.168.0.248/161 (192.168.0.248/161) to inside:192.168.246.100/1031 (10.1.10.83/2344)
6|May 19 2009|04:04:37|305011|192.168.246.100|1031|10.1.10.83|2344|Built dynamic UDP translation from inside:192.168.246.100/1031 to outside:10.1.10.83/2344
6|May 19 2009|04:04:36|713219|||||IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|May 19 2009|04:04:34|713903|||||IP = 74.*.*.74, Information Exchange processing failed
5|May 19 2009|04:04:34|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
6|May 19 2009|04:04:31|713219|||||IP = 74.*.*.74, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|May 19 2009|04:04:26|713903|||||IP = 74.*.*.74, Information Exchange processing failed
5|May 19 2009|04:04:26|713904|||||IP = 74.*.*.74, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
6|May 19 2009|04:04:26|302015|74.*.*.74|500|10.1.10.83|500|Built outbound UDP connection 3452 for outside:74.*.*.74/500 (74.*.*.74/500) to NP Identity Ifc:10.1.10.83/500 (10.1.10.83/500)
5|May 19 2009|04:04:26|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
 
Main Log:
 
6|May 19 2009|03:04:46|302015|192.168.44.1|123|SBS_Server|123|Built outbound UDP connection 3892 for outside:192.168.44.1/123 (192.168.44.1/123) to inside:SBS_Server/123 (74.*.*.74/200)
6|May 19 2009|03:04:46|302015|192.168.242.1|123|SBS_Server|123|Built outbound UDP connection 3891 for outside:192.168.242.1/123 (192.168.242.1/123) to inside:SBS_Server/123 (74.*.*.74/200)
6|May 19 2009|03:04:46|305011|SBS_Server|123|74.*.*.74|200|Built dynamic UDP translation from inside:SBS_Server/123 to outside:74.*.*.74/200
6|May 19 2009|03:04:18|302014|67.223.74.141|41945|SBS_Server|443|Teardown TCP connection 3890 for outside:67.223.74.141/41945 to inside:SBS_Server/443 duration 0:00:01 bytes 43699 TCP FINs
6|May 19 2009|03:04:16|302014|67.223.74.141|41864|SBS_Server|443|Teardown TCP connection 3889 for outside:67.223.74.141/41864 to inside:SBS_Server/443 duration 0:00:02 bytes 1439 TCP FINs
6|May 19 2009|03:04:16|302013|67.223.74.141|41945|SBS_Server|443|Built inbound TCP connection 3890 for outside:67.223.74.141/41945 (67.223.74.141/41945) to inside:SBS_Server/443 (74.*.*.74/443)
6|May 19 2009|03:04:14|302014|67.223.74.141|41839|SBS_Server|443|Teardown TCP connection 3888 for outside:67.223.74.141/41839 to inside:SBS_Server/443 duration 0:00:00 bytes 1608 TCP FINs
6|May 19 2009|03:04:14|302013|67.223.74.141|41864|SBS_Server|443|Built inbound TCP connection 3889 for outside:67.223.74.141/41864 (67.223.74.141/41864) to inside:SBS_Server/443 (74.*.*.74/443)
6|May 19 2009|03:04:14|302013|67.223.74.141|41839|SBS_Server|443|Built inbound TCP connection 3888 for outside:67.223.74.141/41839 (67.223.74.141/41839) to inside:SBS_Server/443 (74.*.*.74/443)
6|May 19 2009|03:04:09|305012|SBS_Server|123|74.*.*.74|199|Teardown dynamic UDP translation from inside:SBS_Server/123 to outside:74.*.*.74/199 duration 0:02:30
4|May 19 2009|03:03:44|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry
3|May 19 2009|03:03:44|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!
6|May 19 2009|03:03:41|302016|64.73.32.135|123|SBS_Server|123|Teardown UDP connection 3868 for outside:64.73.32.135/123 to inside:SBS_Server/123 duration 0:02:01 bytes 96
4|May 19 2009|03:03:36|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry
3|May 19 2009|03:03:36|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!
4|May 19 2009|03:03:28|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry
3|May 19 2009|03:03:28|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!
4|May 19 2009|03:03:20|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Error: Unable to remove PeerTblEntry
3|May 19 2009|03:03:20|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from peer table failed, no match!
6|May 19 2009|03:03:20|302015|173.*.*.198|500|74.*.*.74|500|Built inbound UDP connection 3887 for outside:173.*.*.198/500 (173.*.*.198/500) to NP Identity Ifc:74.*.*.74/500 (74.*.*.74/500)
 
 
 
Current Configs:
 
Remote
 
: Saved
:
ASA Version 8.0(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.247.0 acffcu
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.246.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 255.255.255.0 outside
http 192.168.246.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 74.*.*.74 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive 
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.246.100-192.168.246.200 inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group 74.*.*.74 type ipsec-l2l
tunnel-group 74.*.*.74 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:fdeece2271b7012d88e3dcc2721c9c32
: end
asdm image disk0:/asdm-611.bin
asdm location acffcu 255.255.255.0 inside
no asdm history enable
 
 
Main:
 
: Saved
:
ASA Version 8.0(2) 
!
hostname nfd-main
domain-name acffcu.org
enable password B5Vos7Kq2fa1IKWr encrypted
names
name 192.168.247.3 SBS_Server
name 192.168.246.0 steve_house
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.247.10 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.*.*.74 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd B5Vos7Kq2KWr encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name acffcu.org
access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 74.94.34.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.247.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set mydes esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map dynmap 1 set transform-set mydes
crypto map dyn-map 1 ipsec-isakmp dynamic steve_house
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet SBS_Server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group steve_house type ipsec-l2l
tunnel-group steve_house ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:5f8e289ebbb8faeebd103fff711a7866
: end
asdm image disk0:/asdm-611.bin
asdm location steve_house 255.255.255.0 inside
no asdm history enable


0
 
3nerds Commented:
OK, do the following on the Main site:

no tunnel-group steve_house type ipsec-l2l
no tunnel-group steve_house ipsec-attributes
 pre-shared-key *

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

Remote side:


no crypto map outside_map 1 set phase1-mode aggressive

Make sure the pre-shared keys are the same on both ends.


And if you would please test again and report the logs.

Good Luck,

3nerds
0
 
mtman69 (Author) Commented:
OK, ran the commands and tested. Phase 1 completes now, but there are other errors.
Logs:
 
Remote:
 
4|May 19 2009|05:24:41|113019|||||Group = 74.*.*.74, Username = 74.*.*.74, IP = 74.*.*.74, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
3|May 19 2009|05:24:41|713902|||||Group = 74.*.*.74, IP = 74.*.*.74, Removing peer from correlator table failed, no match!
1|May 19 2009|05:24:41|713900|||||Group = 74.*.*.74, IP = 74.*.*.74, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
5|May 19 2009|05:24:41|713050|||||Group = 74.*.*.74, IP = 74.*.*.74, Connection terminated for peer 74.*.*.74.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
3|May 19 2009|05:24:40|713119|||||Group = 74.*.*.74, IP = 74.*.*.74, PHASE 1 COMPLETED
6|May 19 2009|05:24:40|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 74.*.*.74
4|May 19 2009|05:24:40|713903|||||Group = 74.*.*.74, IP = 74.*.*.74, Freeing previously allocated memory for authorization-dn-attributes
5|May 19 2009|05:24:40|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
4|May 19 2009|05:24:35|113019|||||Group = 74.*.*.74, Username = 74.*.*.74, IP = 74.*.*.74, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
3|May 19 2009|05:24:35|713902|||||Group = 74.*.*.74, IP = 74.*.*.74, Removing peer from correlator table failed, no match!
1|May 19 2009|05:24:35|713900|||||Group = 74.*.*.74, IP = 74.*.*.74, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
5|May 19 2009|05:24:35|713050|||||Group = 74.*.*.74, IP = 74.*.*.74, Connection terminated for peer 74.*.*.74.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
3|May 19 2009|05:24:35|713119|||||Group = 74.*.*.74, IP = 74.*.*.74, PHASE 1 COMPLETED
6|May 19 2009|05:24:35|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 74.*.*.74
4|May 19 2009|05:24:35|713903|||||Group = 74.*.*.74, IP = 74.*.*.74, Freeing previously allocated memory for authorization-dn-attributes
5|May 19 2009|05:24:35|713041|||||IP = 74.*.*.74, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.*.*.74  local Proxy Address 192.168.246.0, remote Proxy Address 192.168.247.0,  Crypto map (outside_map)
 
Main:
 
4|May 19 2009|04:23:57|113019|||||Group = DefaultRAGroup, Username = , IP = 173.*.*.198, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
3|May 19 2009|04:23:57|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from correlator table failed, no match!
3|May 19 2009|04:23:57|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, QM FSM error (P2 struct &0xd3df7f70, mess id 0xb66d5b79)!
3|May 19 2009|04:23:57|713127|||||Group = DefaultRAGroup, IP = 173.*.*.198, Xauth required but selected Proposal does not support xauth,  Check priorities of ike xauth proposals in ike proposal list
3|May 19 2009|04:23:57|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED
3|May 19 2009|04:23:57|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED
6|May 19 2009|04:23:57|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
4|May 19 2009|04:23:57|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Freeing previously allocated memory for authorization-dn-attributes
6|May 19 2009|04:23:56|305012|192.168.247.21|2022|74.*.*.74|2141|Teardown dynamic TCP translation from inside:192.168.247.21/2022 to outside:74.*.*.74/2141 duration 0:00:30
4|May 19 2009|04:23:52|113019|||||Group = DefaultRAGroup, Username = , IP = 173.*.*.198, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
3|May 19 2009|04:23:52|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, Removing peer from correlator table failed, no match!
3|May 19 2009|04:23:52|713902|||||Group = DefaultRAGroup, IP = 173.*.*.198, QM FSM error (P2 struct &0xd3df7f20, mess id 0xecf47fba)!
3|May 19 2009|04:23:52|713127|||||Group = DefaultRAGroup, IP = 173.*.*.198, Xauth required but selected Proposal does not support xauth,  Check priorities of ike xauth proposals in ike proposal list
3|May 19 2009|04:23:52|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED
3|May 19 2009|04:23:52|713119|||||Group = DefaultRAGroup, IP = 173.*.*.198, PHASE 1 COMPLETED
6|May 19 2009|04:23:52|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
4|May 19 2009|04:23:52|713903|||||Group = DefaultRAGroup, IP = 173.*.*.198, Freeing previously allocated memory for authorization-dn-attributes
 
Configs:
 
Remote
 
: Saved
:
ASA Version 8.0(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIytU24 encrypted
names
name 192.168.247.0 acffcu
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.246.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.246.0 255.255.255.0 acffcu 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.246.0 255.255.255.0 inside
http 0.0.0.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 74.*.*.74 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.246.100-192.168.246.200 inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group 74.*.*.74 type ipsec-l2l
tunnel-group 74.*.*.74 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:040c8e27f2b226deb5ad0402bd1554b9
: end
asdm image disk0:/asdm-611.bin
asdm location acffcu 255.255.255.0 inside
no asdm history enable
 
 
Main:
 
: Saved
:
ASA Version 8.0(2) 
!
hostname nfd-main
domain-name acffcu.org
enable password B5Vos7KqKWr encrypted
names
name 192.168.247.3 SBS_Server
name 192.168.246.0 steve_house
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.247.10 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.*.*.74 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd B5Vos7Kq2fa1IKWr encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name acffcu.org
access-list outside_1_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 steve_house 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 74.*.*.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set mydes esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map dynmap 1 set transform-set mydes
crypto map dyn-map 1 ipsec-isakmp dynamic steve_house
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet SBS_Server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group steve_house type ipsec-l2l
prompt hostname context 
Cryptochecksum:5f8e289ebbb8faeebd103fff711a7866
: end
asdm image disk0:/asdm-611.bin
asdm location steve_house 255.255.255.0 inside
no asdm history enable


0
 
3nerds Commented:
Add this to the main side:

tunnel-group DefaultRAGroup ipsec-attributes
isakmp ikev1-user-authentication none


Test and post please.

Sorry for the small changes and then posts; when I normally troubleshoot, I am the one having to do the legwork, and small changes are my friend =)

Good Luck,

3nerds
0
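The main-site log above shows Phase 1 completing and then the "Xauth required but selected Proposal does not support xauth" failure that 3nerds' `isakmp ikev1-user-authentication none` change resolves. As an added example (not code from this thread or from Cisco), here is a small Python triage script that parses the pipe-delimited ASDM log format pasted in the thread and reports, per IKE peer, which tunnel-group it matched and at which stage the tunnel failed. The sample rows, the peer address 203.0.113.5 and the QM message ids in them are constructed placeholders.

```python
"""Triage of the pipe-delimited ASDM log rows pasted in the thread (added example)."""
from collections import defaultdict

# Syslog message ids as they appear in the thread's logs.
PHASE1_OK, XAUTH_MISMATCH, SA_ERROR, IKE_DISCONNECT = "713119", "713127", "713902", "113019"

def parse_line(line):
    """Parse 'sev|date|time|msgid|src|sport|dst|dport|text'; None if not that shape."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not parts[3].isdigit():
        return None
    text = parts[8].strip()
    fields = {}
    for token in text.split(","):            # "Group = X, IP = Y, ..." pairs
        key, sep, val = token.strip().partition(" = ")
        if sep and key in ("Group", "IP"):
            fields[key] = val.strip()
    return {"severity": int(parts[0]), "msgid": parts[3], "text": text,
            "group": fields.get("Group"), "peer": fields.get("IP")}

# Constructed sample mirroring the main-site log; 203.0.113.5 is a placeholder peer.
SAMPLE_LOG = [
    "4|May 19 2009|04:23:57|113019|||||Group = DefaultRAGroup, Username = , IP = 203.0.113.5, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown",
    "3|May 19 2009|04:23:57|713902|||||Group = DefaultRAGroup, IP = 203.0.113.5, QM FSM error (P2 struct &0x0, mess id 0x0)!",
    "3|May 19 2009|04:23:57|713127|||||Group = DefaultRAGroup, IP = 203.0.113.5, Xauth required but selected Proposal does not support xauth,  Check priorities of ike xauth proposals in ike proposal list",
    "3|May 19 2009|04:23:57|713119|||||Group = DefaultRAGroup, IP = 203.0.113.5, PHASE 1 COMPLETED",
    "6|May 19 2009|04:23:56|305012|192.168.247.21|2022|198.51.100.74|2141|Teardown dynamic TCP translation",
]

def diagnose(lines):
    """Per IKE peer: matched tunnel-group, Phase 1 result, and why Phase 2 never started."""
    state = defaultdict(lambda: {"group": None, "phase1": False, "xauth_mismatch": False,
                                 "sa_errors": 0, "empty_sessions": 0, "advice": ""})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["peer"] is None:
            continue                          # xlate/NAT rows carry no IKE peer
        s = state[ev["peer"]]
        s["group"] = s["group"] or ev["group"]
        if ev["msgid"] == PHASE1_OK:
            s["phase1"] = True
        elif ev["msgid"] == XAUTH_MISMATCH:
            s["xauth_mismatch"] = True
        elif ev["msgid"] == SA_ERROR:
            s["sa_errors"] += 1
        elif ev["msgid"] == IKE_DISCONNECT and "Bytes xmt: 0" in ev["text"]:
            s["empty_sessions"] += 1          # tunnel dropped before any data
    for s in state.values():
        # A dynamic L2L peer that lands in the remote-access default group is asked
        # for Xauth; the thread's fix is to turn that off in that group.
        if s["xauth_mismatch"] and s["group"] == "DefaultRAGroup":
            s["advice"] = ("tunnel-group DefaultRAGroup ipsec-attributes -> "
                           "isakmp ikev1-user-authentication none")
        elif not s["phase1"]:
            s["advice"] = "Phase 1 never completed: check pre-shared key and ISAKMP policy"
        elif s["sa_errors"]:
            s["advice"] = "Phase 2 failed: check mirrored crypto ACLs and transform-sets"
        else:
            s["advice"] = "no IKE failure seen"
    return dict(state)

REPORT = diagnose(SAMPLE_LOG)  # run over the constructed sample
```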
 
mtman69 (Author) Commented:
3nerds, you rock! The tunnel is up and working fine. I didn't mind the small changes. I appreciate all of your help with this!

Mike
0
