
Cisco ASA 5505 to CheckPoint FW VPN tunnel and management of ASA through tunnel

einangen asked on
VPN, Internet Protocol Security, Cisco

I am trying to set up a VPN tunnel from a remote location to our central firewall. There is a Cisco ASA 5505 at the remote location and a CheckPoint firewall at our main location.

I would like every last bit of data to go through the tunnel, including management of the ASA itself.  The CheckPoint firewall is supposed to take care of the "firewalling", so nothing needs to be filtered at the remote location, except the fact that _only_ traffic to or from our main network should be allowed, no internet access.

The problem is, if I can manage the ASA through the tunnel, the tunnel itself is useless, but if the tunnel is in use, I cannot manage the ASA.  

With the config I am running now, posted below, I seem able to initiate the tunnel from the remote location, but every time I try pinging or otherwise contacting the remote location from the main network, I get an error like this:
%ASA-3-313001: Denied ICMP type=8, code=0 from on interface utside
%ASA-3-713042: IKE Initiator unable to find policy: Intf utside, Src: <ip of ASA>, Dst: <ip of my computer>

I am at a loss as to how I can make the IKE initiator find a policy, as I can't say I know where to make it look, so to say. :-)

The config below is modified to cut some of the insignificant crap and disguise some of the network topology and passwords.

I am fairly certain this is an ACL/crypto map problem, but I have been staring at this for so long, I am probably too blinded by it all to see the solution.

I would have given a lot more points for this solution, but I am fairly new to

: Saved
ASA Version 8.2(1)
terminal width 150
hostname asa-lakseveien
enable password * encrypted
passwd  * encrypted
name <some internal network ip> ADM_gml
name <some internal network ip> SS_server_gml
name <some internal network ip> SS_server
name <some internal network ip> ADM_server
<--- A few more internal networks ---->
name <network address of the remote location> VPN_lakseveien
name <ip of domain controller/DNS> hkdc02
name <ip of checkpoint firewall> hkgw01
interface Vlan81
 nameif innside
 security-level 100
 ip address <ip of "innside" interface - private address>
interface Vlan99
 nameif utside
 security-level 0
 ip address <ip of "utside" interface - public address>
interface Ethernet0/0
 switchport access vlan 99
interface Ethernet0/1
 switchport access vlan 81
interface Ethernet0/2
 switchport access vlan 81
interface Ethernet0/3
 switchport access vlan 81
interface Ethernet0/4
 switchport access vlan 81
interface Ethernet0/5
 switchport access vlan 81
interface Ethernet0/6
 switchport access vlan 81
interface Ethernet0/7
 switchport access vlan 81
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup innside
dns domain-lookup utside
dns server-group DefaultDNS
dns server-group hk_dns
 name-server hkdc01
 name-server hkdc02
dns-group hk_dns
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type grp_ICMP_allowed
 icmp-object echo-reply
 icmp-object echo
 icmp-object unreachable
 icmp-object time-exceeded
object-group network grp_hk_ss_nett
 network-object SS_server_gml
 network-object SS_arbst_gml
 network-object SS_server
object-group network grp_hk_adm_nett
 network-object ADM_gml
 network-object ADM_server
object-group protocol grp_proto
 protocol-object tcp
 protocol-object udp
 protocol-object icmp
 protocol-object ip
object-group network grp_VPN_innside
 description Innsiden av VPN-nettet
 network-object VPN_lakseveien
object-group network grp_hk_nett
 group-object grp_hk_ss_nett
 group-object grp_hk_adm_nett
object-group network grp_hk_alle_nett
 group-object grp_hk_nett
 group-object grp_VPN_innside
 network-object <ip of "utside" interface>
access-list acl_alle extended permit object-group grp_proto object-group grp_hk_alle_nett object-group grp_hk_alle_nett
access-list acl_alle extended permit object-group grp_proto host <ip of "innside" interface> object-group grp_hk_alle_nett
access-list acl_alle extended permit object-group grp_proto host <ip of "utside" interface> object-group grp_hk_alle_nett
pager lines 40
logging enable
logging timestamp
logging list syslog_informational level informational
logging list syslog_notifications level notifications
logging buffer-size 16384
logging console syslog_notifications
logging buffered syslog_notifications
logging trap syslog_notifications
logging history syslog_notifications
logging asdm syslog_notifications
logging device-id hostname
logging host utside hksyslog
logging flash-bufferwrap
mtu innside 1500
mtu utside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group acl_alle in interface innside
access-group acl_alle out interface innside
access-group acl_alle in interface utside
access-group acl_alle out interface utside
route utside hkgw01 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http ADM_it innside
http VPN_lakseveien innside
http ADM_server innside
http ADM_gml innside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cryptomap 1 match address acl_alle
crypto map cryptomap 1 set peer hkgw01
crypto map cryptomap 1 set transform-set ESP-AES-256-SHA
crypto map cryptomap interface innside
crypto map cryptomap interface utside
crypto isakmp enable innside
crypto isakmp enable utside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp am-disable
telnet timeout 5
ssh scopy enable
ssh ADM_it innside
ssh ADM_server innside
ssh ADM_gml innside
ssh VPN_lakseveien innside
ssh timeout 30
ssh version 2
console timeout 0
management-access innside
tunnel-group <ip of external firewall> type ipsec-l2l
tunnel-group <ip of external firewall> ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
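
An added example, not part of the original post or its answer: on an ASA, `access-group` applies an ACL as an interface filter, while `crypto map ... match address` uses an ACL to select the traffic that is sent into the tunnel. The Python check below lists ACLs that serve both roles and crypto maps bound to more than one interface, run over a constructed excerpt of the posted config; the names `acl_roles`, `findings` and `SAMPLE_CONFIG` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt: only the lines of the posted config that reference
# an ACL or bind a crypto map to an interface.
SAMPLE_CONFIG = """\
access-list acl_alle extended permit object-group grp_proto object-group grp_hk_alle_nett object-group grp_hk_alle_nett
access-group acl_alle in interface innside
access-group acl_alle out interface innside
access-group acl_alle in interface utside
access-group acl_alle out interface utside
crypto map cryptomap 1 match address acl_alle
crypto map cryptomap 1 set peer hkgw01
crypto map cryptomap interface innside
crypto map cryptomap interface utside
"""

ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
MATCH_ADDR = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def acl_roles(config):
    """Return ({acl: set of roles}, {crypto map: [interfaces it is bound to]})."""
    roles, bindings = defaultdict(set), defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        if m := ACCESS_GROUP.match(line):
            roles[m.group(1)].add(f"filter:{m.group(3)}:{m.group(2)}")
        elif m := MATCH_ADDR.match(line):
            roles[m.group(3)].add(f"crypto:{m.group(1)}:{m.group(2)}")
        elif m := MAP_IFACE.match(line):
            bindings[m.group(1)].append(m.group(2))
    return dict(roles), dict(bindings)

def findings(config):
    """Report dual-role ACLs and crypto maps applied to several interfaces."""
    roles, bindings = acl_roles(config)
    out = []
    for acl, used in sorted(roles.items()):
        if {r.split(":")[0] for r in used} == {"filter", "crypto"}:
            out.append(f"ACL {acl} is both an interface filter and a crypto map selector")
    for cmap, ifaces in sorted(bindings.items()):
        if len(ifaces) > 1:
            out.append(f"crypto map {cmap} is applied to {len(ifaces)} interfaces: {', '.join(ifaces)}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)))
```
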
