Solved

Connection problem with site to site vpn using asa 5505 and Checkpoint NGX R65

Posted on 2010-08-12
Last Modified: 2012-05-10
Hi,
I need to set up a site-to-site VPN to one of our clients, and they asked us to have all our VPN traffic go out as our public IP interface (because they have the same subnet) on the firewall. They also have some sort of domain decryption rule, so it will decrypt any traffic that is not coming from our public IP, and that traffic will fail to pass the VPN tunnel.
They also provided us with this link, and they said it will help us in the config;
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Attached is our config; please check it and let me know what I am doing wrong here.

Please keep in mind that we provide employees with a client VPN to our network, and once I applied this config, they were unable to connect.

I can have the client VPN as a separate question if you wish, just let me know.
 

ASA Version 7.2(4) 
!
hostname asa
domain-name my-company.local

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.x2.y2 255.255.255.248 
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 

 domain-name my-company.local
object-group service Nagios-Monitoring tcp
 port-object eq 25000
object-group service RDP tcp
 port-object eq 3389
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0 
access-list outside_access_in remark PING
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp 173.15.x.0 255.255.255.248 any eq 3389 
access-list outside_access_in extended permit tcp host 207.150.x1.y1 any eq 3389 
access-list split standard permit 192.168.1.0 255.255.255.0 
access-list tunnel_splitTunnelAcl standard permit any 
access-list mycompany_Remote_Users_splitTunnelAcl standard permit any 
access-list outside_in extended permit tcp any host 75.150.x2.y2 eq 3389 
access-list 110 extended permit tcp host 173.15.x3.1 host 192.168.1.10 eq 3389 
access-list MOBILE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.40.0 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.40.0 255.255.255.0 
pager lines 24
logging enable
logging console notifications
logging monitor notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.x4.y4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server YPDC01_RADIUS protocol radius
aaa-server YPDC01_RADIUS (inside) host 192.168.1.10
 key ypconnect123
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 207.150.x1.y1 255.255.255.255 outside
http 173.15.x.0 255.255.255.248 outside
snmp-server location Malvern
snmp-server contact ESP
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 65000 set transform-set myset
crypto dynamic-map outside_dyn_map 65020 set pfs group1
crypto dynamic-map outside_dyn_map 65020 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 65040 set pfs group1
crypto dynamic-map outside_dyn_map 65040 set transform-set myset
crypto dynamic-map outside_dyn_map 65060 set pfs group1
crypto dynamic-map outside_dyn_map 65060 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 209.36.x5.y5 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 68.87.64.146 68.87.75.194
!
dhcpd address 192.168.1.100-192.168.1.198 inside
dhcpd dns 68.87.64.146 68.87.75.194 interface inside
dhcpd lease 288000 interface inside
dhcpd ping_timeout 500 interface inside
!

group-policy tunnel internal
group-policy tunnel attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value tunnel_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 4.2.2.2
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy MOBILE internal
group-policy MOBILE attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MOBILE_splitTunnelAcl
 default-domain value my-company.local
group-policy mycompany_Remote_Users internal
group-policy mycompany_Remote_Users attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mycompany_Remote_Users_splitTunnelAcl
 default-domain value my-company.local
username VPNuser password mCjTNnPkztj619dX encrypted privilege 15
tunnel-group mycompany-VPN type ipsec-ra
tunnel-group mycompany-VPN general-attributes
 address-pool VPN
tunnel-group mycompany-VPN ipsec-attributes
 pre-shared-key *
tunnel-group MOBILE type ipsec-ra
tunnel-group MOBILE general-attributes
 address-pool VPN
 authentication-server-group YPDC01_RADIUS
 default-group-policy MOBILE
tunnel-group MOBILE ipsec-attributes
 pre-shared-key *
tunnel-group 209.36.x5.y5 type ipsec-l2l
tunnel-group 209.36.x5.y5 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e9caaa04803c95a7bb91be0b5fe5f609
: end
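Added example (not part of the question and not Cisco's code): a small Python checker that reads the parts of the posted config that decide which source address enters the L2L tunnel and reports where they conflict with the client's stated requirement that traffic arrive from our public interface address. The masked octets (x2.y2, x5.y5) are replaced with placeholder digits so the addresses parse; the requirement is taken from the question, and the findings are a review aid, not a confirmed root cause.

```python
from ipaddress import ip_network

# Constructed excerpt of the configuration posted in the question. The poster masked
# some octets as "x2.y2" / "x5.y5"; placeholder digits are used here so the text parses.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.0.2 255.255.255.248
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list split standard permit 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.40.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 209.36.0.5
crypto map outside_map interface outside
"""


def _take_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    return ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Pull out the pieces that decide what source address enters the L2L tunnel."""
    cfg = {"acls": {}, "nat0_acl": None, "crypto_acls": [], "outside_ip": None}
    in_outside = False
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            in_outside = False
        elif tokens[:2] == ["nameif", "outside"]:
            in_outside = True
        elif in_outside and tokens[:2] == ["ip", "address"]:
            cfg["outside_ip"] = ip_network(tokens[2] + "/32")
        elif tokens[:1] == ["access-list"] and tokens[2:4] == ["extended", "permit"] and tokens[4] == "ip":
            src, i = _take_addr(tokens, 5)
            dst, _ = _take_addr(tokens, i)
            cfg["acls"].setdefault(tokens[1], []).append((src, dst))
        elif tokens[:3] == ["nat", "(inside)", "0"] and tokens[3] == "access-list":
            cfg["nat0_acl"] = tokens[4]
        elif tokens[:2] == ["crypto", "map"] and tokens[4:6] == ["match", "address"]:
            cfg["crypto_acls"].append((tokens[2], int(tokens[3]), tokens[6]))
    return cfg


def check_tunnel_source(cfg):
    """Return human-readable findings about which source addresses the peer will see."""
    findings = []
    exempt = cfg["acls"].get(cfg["nat0_acl"], [])
    for map_name, seq, acl in cfg["crypto_acls"]:
        for src, dst in cfg["acls"].get(acl, []):
            # Requirement from the question: the peer only accepts traffic sourced from
            # our public interface address, so the crypto ACL should select that
            # (translated) address, not the inside subnet.
            if cfg["outside_ip"] and src != cfg["outside_ip"]:
                findings.append(
                    f"{map_name} seq {seq}: crypto ACL {acl} selects {src} -> {dst}; "
                    f"the peer expects traffic sourced from {cfg['outside_ip']}"
                )
            # A NAT-exempt rule for the same flow keeps inside addresses untranslated,
            # so 'global (outside) 1 interface' never applies to tunnel traffic.
            for ex_src, ex_dst in exempt:
                if src.overlaps(ex_src) and dst.overlaps(ex_dst):
                    findings.append(
                        f"{cfg['nat0_acl']} exempts {src} -> {dst} from NAT, so inside "
                        f"addresses enter the tunnel untranslated"
                    )
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_source(parse_config(SAMPLE_CONFIG)):
        print("finding:", finding)
```

Run as a script it prints two findings for the posted config: the crypto ACL outside_cryptomap_1 selects 192.168.1.0/24 rather than the outside interface host, and NONAT exempts that same flow from translation, so global (outside) 1 interface never applies to tunnel traffic. Both are worth confirming with the peer before changing anything, because the crypto ACLs on the two ends have to mirror whatever source address is finally agreed.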

Question by:Shando1971

Author Comment

by:Shando1971
ID: 33425548
Here is the debug output I get when I try to RDP to a server on their site.
Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Aug 12 15:01:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 12 15:01:25 [IKEv1]: IP = 209.36.x5.y5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 12 15:01:32 [IKEv1]: IP = 209.36.x5.y5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 220

ISAKMP Header
  Initiator COOKIE: dc 4e e1 e1 07 4e ee 28
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 220
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 128
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 116
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 3
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
Aug 12 15:01:40 [IKEv1]: IP = 209.36.x5.y5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 220

ISAKMP Header
  Initiator COOKIE: dc 4e e1 e1 07 4e ee 28
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 220
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 128
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 116
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 3
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
%ASA-3-713902: IP = 209.36.x5.y5, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 209.36.x5.y5, Error: Unable to remove PeerTblEntry
Aug 12 15:01:48 [IKEv1 DEBUG]: IP = 209.36.x5.y5, IKE MM Initiator FSM error history (struct &0x41fc8c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 12 15:01:48 [IKEv1 DEBUG]: IP = 209.36.x5.y5, IKE SA MM:e1e14edc terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 12 15:01:48 [IKEv1 DEBUG]: IP = 209.36.x5.y5, sending delete/delete with reason message
Aug 12 15:01:48 [IKEv1]: IP = 209.36.x5.y5, Removing peer from peer table failed, no match!
Aug 12 15:01:48 [IKEv1]: IP = 209.36.x5.y5, Error: Unable to remove PeerTblEntry
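Added example (not from the poster): a Python parser for the debug crypto isakmp lines above that counts retransmissions per peer, splits the FSM error-history line into (state, event) pairs and reports which wait state timed out. It is written for the IKEv1 Main Mode initiator wait states generally, not only the MM_WAIT_MSG2 seen here; the sample input is built from the posted lines with the masked peer address replaced by placeholder digits.

```python
import re

# Constructed sample: the relevant lines from the debug output posted above, with the
# poster's masked peer address "209.36.x5.y5" replaced by placeholder digits.
SAMPLE_DEBUG = """\
Aug 12 15:01:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 12 15:01:25 [IKEv1]: IP = 209.36.0.5, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 12 15:01:32 [IKEv1]: IP = 209.36.0.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 220
Aug 12 15:01:40 [IKEv1]: IP = 209.36.0.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 220
%ASA-3-713902: IP = 209.36.0.5, Removing peer from peer table failed, no match!
Aug 12 15:01:48 [IKEv1 DEBUG]: IP = 209.36.0.5, IKE MM Initiator FSM error history (struct &0x41fc8c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 12 15:01:48 [IKEv1 DEBUG]: IP = 209.36.0.5, IKE SA MM:e1e14edc terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

RESEND_RE = re.compile(r"IP = (\S+), IKE_DECODE RESENDING Message \(msgid=(\w+)\)")
FSM_RE = re.compile(r"IP = (\S+), IKE (MM|AM|QM) (\w+) FSM error history.*?<state>, <event>:\s*(.*)$")
TERMINATE_RE = re.compile(r"IP = (\S+), IKE SA \w+:\w+ terminating")

# Meaning of the Main Mode initiator wait states in which a timeout can be recorded.
# Only MM_WAIT_MSG2 occurs in the posted debug; the other two are the remaining
# standard initiator wait states and are included so the tool covers the general case.
WAIT_STATE_MEANING = {
    "MM_WAIT_MSG2": "no Main Mode message 2 received; the peer did not answer our first proposal",
    "MM_WAIT_MSG4": "proposal was accepted but the peer did not answer our key exchange (message 3)",
    "MM_WAIT_MSG6": "our identity/authentication (message 5) went unanswered; usually a pre-shared key or identity mismatch",
}


def _peer(peers, ip):
    return peers.setdefault(ip, {"resends": 0, "transitions": [], "timed_out_in": None, "terminated": False})


def parse_ike_debug(text):
    """Collect, per peer, retransmissions and the FSM error history from debug output."""
    peers = {}
    for line in text.splitlines():
        m = RESEND_RE.search(line)
        if m:
            _peer(peers, m.group(1))["resends"] += 1
            continue
        m = FSM_RE.search(line)
        if m:
            p = _peer(peers, m.group(1))
            # The history is a "-->"-separated list of "STATE, EVENT" pairs.
            for entry in m.group(4).split("-->"):
                state, event = (s.strip() for s in entry.split(",", 1))
                p["transitions"].append((state, event))
                if event == "EV_TIMEOUT":
                    p["timed_out_in"] = state
            continue
        m = TERMINATE_RE.search(line)
        if m:
            _peer(peers, m.group(1))["terminated"] = True
    return peers


def diagnose(peers):
    """Turn the collected facts into a one-line verdict per peer."""
    verdicts = {}
    for ip, p in peers.items():
        state = p["timed_out_in"]
        if state is None:
            verdicts[ip] = f"{p['resends']} retransmission(s), no timeout recorded"
            continue
        meaning = WAIT_STATE_MEANING.get(state, "unrecognised wait state")
        verdicts[ip] = (f"{p['resends']} retransmission(s), timed out in {state}: {meaning}"
                        + ("; SA torn down" if p["terminated"] else ""))
    return verdicts


if __name__ == "__main__":
    for ip, verdict in diagnose(parse_ike_debug(SAMPLE_DEBUG)).items():
        print(ip, "->", verdict)
```

For the posted output it reports two retransmissions of message 1 and a timeout in MM_WAIT_MSG2: the initial proposal went out and nothing came back. That points at the peer either not receiving our first message or discarding it without a reply (no tunnel defined for our address, or none of our proposals acceptable); pre-shared key and identity mismatches show up later, in MM_WAIT_MSG6, not here.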


Author Comment

by:Shando1971
ID: 33425581
And here is the show crypto isakmp/ipsec sa.

asa# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.36.x5.y5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
asa# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 75.150.x2.y2

      access-list outside_cryptomap_1 permit ip 192.168.1.0 255.255.255.0 10.1.40.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.40.0/255.255.255.0/0/0)
      current_peer: 209.36.x5.y5

      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.150.x2.y2, remote crypto endpt.: 209.36.x5.y5

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DFF35A9F

    inbound esp sas:
      spi: 0x9D35CE6B (2637549163)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/28713)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDFF35A9F (3757267615)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824999/28713)
         IV size: 8 bytes
         replay detection support: Y
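Added example (not from the poster): a Python parser for the show crypto ipsec sa output above that extracts the proxy identities, packet counters and SPIs per crypto map entry and classifies the traffic pattern. The sample input is the posted output with the masked addresses replaced by placeholder digits.

```python
import re
from ipaddress import ip_network

# Constructed sample: the `show crypto ipsec sa` output posted above, with the poster's
# masked addresses (75.150.x2.y2, 209.36.x5.y5) replaced by placeholder digits.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 75.150.0.2

      access-list outside_cryptomap_1 permit ip 192.168.1.0 255.255.255.0 10.1.40.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.40.0/255.255.255.0/0/0)
      current_peer: 209.36.0.5

      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.150.0.2, remote crypto endpt.: 209.36.0.5
      current outbound spi: DFF35A9F

    inbound esp sas:
      spi: 0x9D35CE6B (2637549163)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0xDFF35A9F (3757267615)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""

MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
SPI_RE = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return one dict per crypto map entry found in `show crypto ipsec sa` output."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            current = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                       "pkts encaps": 0, "pkts decaps": 0, "send errors": 0, "recv errors": 0,
                       "inbound_spi": None, "outbound_spi": None}
            entries.append(current)
            section = None
            continue
        if current is None:
            continue
        m = IDENT_RE.search(line)
        if m:  # proxy identities, normalised to CIDR
            current[f"{m.group(1)}_ident"] = str(ip_network(f"{m.group(2)}/{m.group(3)}"))
        for name, value in COUNTER_RE.findall(line):
            current[name] = int(value)
        m = PEER_RE.search(line)
        if m:
            current["peer"] = m.group(1)
        if line.strip() in ("inbound esp sas:", "outbound esp sas:"):
            section = line.strip().split()[0]
        m = SPI_RE.match(line)
        if m and section:
            current[f"{section}_spi"] = m.group(1).upper()
    return entries


def assess(sa):
    """Classify the SA's traffic pattern; one-way counters point at a return-path
    problem rather than a failed negotiation, since the SA itself is established."""
    enc, dec = sa["pkts encaps"], sa["pkts decaps"]
    if enc == 0 and dec == 0:
        return "idle: nothing has matched the crypto ACL on either side"
    if enc > 0 and dec == 0:
        return (f"one-way: {enc} packet(s) encrypted toward {sa['peer']} as "
                f"{sa['local_ident']} -> {sa['remote_ident']}, none decrypted back; "
                "the peer is not returning traffic for that source, or it is dropped before the tunnel")
    if dec > 0 and enc == 0:
        return (f"one-way: {dec} packet(s) received from {sa['peer']}, none sent; "
                f"check the local route and ACL toward {sa['remote_ident']}")
    note = f" ({sa['recv errors']} recv error(s))" if sa["recv errors"] else ""
    return f"bidirectional: {enc} out / {dec} in{note}"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        print(f"{sa['map']} seq {sa['seq']}:", assess(sa))
```

For the posted output the verdict is one-way: two packets encrypted as 192.168.1.0/24 -> 10.1.40.0/24 and none decrypted, on an SA that is fully established (both SPIs present, PFS group 2). That is consistent with the client's statement that they only pass traffic arriving from our public IP: the tunnel is up, but what we send inside it still carries the inside addresses, and nothing comes back.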


Expert Comment

by:rody82
ID: 33441356
I remember having a very similar issue:

When using certs, the devices were using their FQDN for authentication.
Try setting hostname-based authentication on the devices:

crypto isakmp identity hostname

If it doesn't work, please provide debug outputs after the suggested change.

Accepted Solution

by:Shando1971 (earned 0 total points)
ID: 33441439
We were able to fix the issue, thank you.
