Solved

Cisco VPN between Concentrator 3000 and ASA 5505

Posted on 2010-08-26
26
1,654 Views
Last Modified: 2012-05-10
I am trying to establish a Lan to Lan connection between two locations and the tunnel phase 1 is coming up but it stops at phase 2 giving me the following error

Connection terminated for peer 64.0.98.195.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
ASA Version 7.2(4) 
!
hostname Savannah-ASA
domain-name www.dawnmist.com
enable password zWKz5LEv5u2PzDdj encrypted
passwd zWKz5LEv5u2PzDdj encrypted
names
name 192.168.100.0 tampa-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.0.98.196 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!             
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.dawnmist.com
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in remark Clean Up Rule with logging.
access-list outside_access_in extended permit ip tampa-network 255.255.255.0 any 
pager lines 24
logging enable
logging console informational
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.0.98.193 1
route outside tampa-network 255.255.255.0 64.0.98.195 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 216.251.225.55 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 75.68.243.143 255.255.255.255 outside
http 75.67.243.143 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.0.98.195 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2      
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 75.67.243.143 255.255.255.255 outside
ssh 173.65.65.197 255.255.255.255 outside
ssh 216.251.225.55 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

username pcconection password EmomzQnne30VORPA encrypted privilege 15
username admin password 31Nzf4.jOv71JR3g encrypted
username erik password bujbE/OOQ/F8OzY/ encrypted privilege 15
tunnel-group 64.0.98.195 type ipsec-l2l
tunnel-group 64.0.98.195 ipsec-attributes
 pre-shared-key *
!             
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ftp 
  inspect icmp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:715d5c0cbc670472f476c8b95bac98ca
: end

Open in new window

0
Comment
Question by:Shaun McNicholas
  • 18
  • 8
26 Comments
 
LVL 2

Expert Comment

by:nmcnair
ID: 33538251
Can you upload a screenshot of the ltl config on the 3000
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33538301
0
 
LVL 2

Expert Comment

by:nmcnair
ID: 33538782
Looking at screenshot you haven't put in the phase 2 ACL information (the last 2 boxes which say local network and remote network)..Those boxes need to mirror the cryptomap you put on the ASA:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0

So on the ASA you defined local traffic as 192.168.1.0 255.255.255.0 and remote traffic as tampa-network which is defined in the config as 192.168.100.0 255.255.255.0..So on the 3000 you need to mirror those entries and it wants to use wildwards intead of the tradiational subnet mask..You can find the wildcard mask from the subnet mask with any subnet calculator online (http://www.subnet-calculator.com/)..In this case on the 3000 you want to put these entries:

Local Network
IP Address: 192.168.100.0
Wildcard: 0.0.0.255

Remote Network:
IP address: 192.168.1.0
Wildcard: 0.0.0.255

I would also change the routing setting to reverse route..You can turn on reverse route on the ASA too with the following line:
crypto map outside_map 1 set reverse-route

Let me know how it goes..
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33541964
That'e where I figured the problem was happening and I've tried a dozen times or more to put those entries in the VPN - I even created them as Network Lists - but it just won't accept the entries.

Every time I try to put those in the LTL page and hit apply - it looks like it's accepting the entries but then when you go back to the LTL config page it isn't selected or nothing is in the IP/Wildcard or in the select menus.

Any suggestions on what else could be causing that config to not work?
0
 
LVL 2

Expert Comment

by:nmcnair
ID: 33542361
What version of software are you running on the 3000?
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33542474
This is from the System Status screen. I just took over the IT department here a few months ago so I inherited this thing. I may need to go ahead and purchase another ASA but if this thing is capable of handling the tunnel I'd rather not spend any more on it for an office of three people.
Screen-shot-2010-08-27-at-10.34..png
0
 
LVL 2

Expert Comment

by:nmcnair
ID: 33542554
OK that code is a bit old, but still shouldn't be the problem...Do you see anything in the log from when you attempt to update the ltl? Does it generate any message when trying to make the change?
0
 
LVL 2

Expert Comment

by:nmcnair
ID: 33542569
Just so you know the latest software release for that box is "Software for VPN 3005 Concentrators  4.7.2.P" released in Aug of 08..Do you have SMARTnet? We could try updating the software.
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33542775
I'm not sure if I have access to SMARTnet or not - I just purchased the ASA so I probably do. Maybe I'll just try to update the software on this thing and see if that does the trick. I am assuming this error in the 3000 is pretty much saying the same thing as the errors I see in the ASA


All IPSec SA proposals found unacceptable!

I'll see if I can figure out how to get into the SMARTnet - haven't been in there for like 8 years!
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33545420
I am still unable to get this tunnel to come up - Phase 1 is successful but Phase 2 still does not establish correctly.
I do not have access to SMARTnet so I do not have the available software to update this 3000 Concentrator - I assume that will probably solve the issue it's probably a discrepency between the IKE proposals -

I get the following on the 3000
Phase 1 completed
group 64.0.98.196 connected
LTL tunnel to headend device 64.0.98.196 connected
Received remote ip proxy address 192.168.1.0 mask 255.255.255.0 protocol 0, port 0
Next line is
QM FSM error (P2 struct &0x361f5a0, mess id 0x8bfabd0c)!

It then just disconnects and tries again!

AM I SOL - Or is there a way to get the updated version of the OS for the ASA from Cisco without SMARTnet?
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33545969
Ok I got the tunnel to come up going through all the settings and trying every available IKE proposal.
Finally

But now I can't ping between networks - on the ASA it says:

No translation group found for udp src outside:64.0.98.200/53 dst inside:192.168.1.2

192.168.1.2 is my laptop where I am running a perpetual ping from that address to 192.168.100.2 (my local Tampa network DNS server)
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33546006
When I turn on debugging the error is
IPSEC: Received a non-IPSEC packet (protocol= ICMP) from 192.168.100.2 to 192.168.1.2
0
 
LVL 2

Expert Comment

by:nmcnair
ID: 33546207
its definitely the fact that you can't enter the remote and local networks on the LTL on the 3000..We need to figure out why it doesn't like what you are putting in. Have you tried deleting the profile and building a new one from scratch. If it still doesn't work can you send me a screenshot of what you type in before you hit apply?
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33546335
Sorry I didn't clarify that one - I was able to get those to go in - I had routing set to Network Auto-Discovery so it wouldn't let me tell it to discover the network - and then define the network - DUH!

Routing is set to none and now it let me put the Network Lists in there - I've tried entering them using IP address and mask directly in the L2L page and using Network Lists but in both cases I get the following error on the 3000:

Tunnel rejected: Policy not found for Src:192.168.1.0, Dst: 192.168.100.0!

And it still shows this on the ASA:
IPSEC: Received a non-IPSEC packet (protocol= ICMP) from 192.168.100.2 to 192.168.1.2

So I've been looking at the SAs and Rules
I have an SA for L2L: tunnel_to_savannah
That looks like the screen capture below
Screen-shot-2010-08-27-at-4.45.2.png
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33583183
Anyone have any more suggestions on getting my routing to work properly between my Cisco 3k and my ASA? I am still unable to communicate between sites even though my tunnel is now fully established. I am stuck! Please help!
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33596079
I've upgraded my Cisco 3000 Concentrator to 4.7.2P and my configuration is still not routing through my tunnel.
My 3k says it completes both Phase 1 and Phase 2 and logs no other errors so I can only assume that the error is somewhere in the ASA Configuration. If you look at the configuration at the beginning of this question - is there something missing in the tunnel or the routing that will enable the transport between these two boxes?
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33596096
The ping from a computer behind the ASA to a computer on the 192.160.100.0 network still creates the following error
IPSEC: Received a non-IPSEC packet (protocol= ICMP) from 192.168.100.2 to 192.168.1.2
0
 
LVL 2

Accepted Solution

by:
nmcnair earned 500 total points
ID: 33597262
DO you have routing set to reverse route? You either need to have reverse route injection enabled or you need to create a static route to the other network. Enable reverse route on both sides..
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33597676
Here's the current config and the reverse route screen from the 3k
: Saved
:
ASA Version 7.2(4) 
hostname Savannah-ASA
domain-name www.dawnmist.com
enable password zWKz5LEv5u2PzDdj encrypted
passwd zWKz5LEv5u2PzDdj encrypted
names
name 192.168.100.0 tampa-network
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 interface Vlan2
 nameif outside
 security-level 0
 ip address 64.0.98.196 255.255.255.224 
 interface Ethernet0/0
 switchport access vlan 2
 interface Ethernet0/1
 interface Ethernet0/2
 interface Ethernet0/3
 interface Ethernet0/4
 interface Ethernet0/5
 interface Ethernet0/6
 interface Ethernet0/7
 ftp mode passive
dns server-group DefaultDNS
 domain-name www.dawnmist.com
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in remark Clean Up Rule with logging.
access-list outside_access_in extended permit ip tampa-network 255.255.255.0 any 
pager lines 24
logging enable
logging console emergencies
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.0.98.193 1
route outside tampa-network 255.255.255.0 64.0.98.195 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 75.67.243.143 255.255.255.255 outside
http 75.68.243.143 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 216.251.225.55 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.0.98.195 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 75.67.243.143 255.255.255.255 outside
ssh 173.65.65.197 255.255.255.255 outside
ssh 216.251.225.55 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd dns 65.106.1.196 192.168.100.2
dhcpd auto_config outside
 dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
 username pcconection password EmomzQnne30VORPA encrypted privilege 15
username admin password 31Nzf4.jOv71JR3g encrypted
username erik password bujbE/OOQ/F8OzY/ encrypted privilege 15
tunnel-group 64.0.98.195 type ipsec-l2l
tunnel-group 64.0.98.195 ipsec-attributes
 pre-shared-key *
 class-map global-class
 match default-inspection-traffic
  policy-map global-policy
 class global-class
  inspect ftp 
  inspect icmp 
 service-policy global-policy global
prompt hostname context 
Cryptochecksum:393b21c6f4a432f888b064f51b6d92bc
: end

Open in new window

Screen-shot-2010-09-03-at-11.28..png
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33597737
This is my static routing table on the 3k
Screen-shot-2010-09-03-at-11.34..png
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33598472
I just tried setting up OSPF between routers and it appears to be negotiating the network discover between networks but still doesn't ping and the following is what appears when logging on the console is on.

I deleted the static routes and enabled OSPF on the inside and outside interfaces of the 3k and then enabled the OSPF on the ASA - it then looks like it's negotiating and gets the routes in the routing tables in both routers but my suspicion is still that I am missing some kind of permissions in the routing maps on the ASA
%ASA-7-715047: Group = 64.0.98.195, IP = 64.0.98.195, processing hash payload
%ASA-7-715076: Group = 64.0.98.195, IP = 64.0.98.195, Computing hash for ISAKMP
%ASA-7-609001: Built local-host inside:192.168.1.2
%ASA-7-609001: Built local-host outside:192.168.100.2
%ASA-7-609002: Teardown local-host inside:192.168.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.100.2 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 64.0.98.195, IKE Initiator: New Phase 1, Intf inside, IKE Peer 64.0.98.195  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.100.0,  Crypto map (outside_map)
%ASA-7-713236: IP = 64.0.98.195, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
%ASA-7-715047: Group = 64.0.98.195, IP = 64.0.98.195, processing ID payload
%ASA-7-714011: Group = 64.0.98.195, IP = 64.0.98.195, ID_IPV4_ADDR ID received
64.0.98.195

Open in new window

0
 
LVL 2

Expert Comment

by:nmcnair
ID: 33598610
can you post the latest version of your ASA config
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33598896
Here's the current ASA
: Saved
:
ASA Version 7.2(4)
!
hostname Savannah-ASA
domain-name www.dawnmist.com
enable password zWKz5LEv5u2PzDdj encrypted
passwd zWKz5LEv5u2PzDdj encrypted
names
name 192.168.100.0 tampa-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.0.98.196 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.dawnmist.com
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit ospf any any
access-list outside_access_in remark Clean Up Rule with logging.
access-list outside_access_in extended permit ip tampa-network 255.255.255.0 any
access-list standard standard permit any
pager lines 24
logging enable
logging console emergencies
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.0.98.193 1
route outside tampa-network 255.255.255.0 64.0.98.195 1
!
router ospf 2
 network 192.168.1.0 255.255.255.0 area 2
 network tampa-network 255.255.255.0 area 1
 log-adj-changes
!
router rip
 network 192.168.1.0
 network tampa-network
 version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 75.67.243.143 255.255.255.255 outside
http 75.68.243.143 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 216.251.225.55 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.0.98.195
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 75.67.243.143 255.255.255.255 outside
ssh 173.65.65.197 255.255.255.255 outside
ssh 216.251.225.55 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd dns 65.106.1.196 192.168.100.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

username pcconection password EmomzQnne30VORPA encrypted privilege 15
username admin password 31Nzf4.jOv71JR3g encrypted
username erik password bujbE/OOQ/F8OzY/ encrypted privilege 15
tunnel-group 64.0.98.195 type ipsec-l2l
tunnel-group 64.0.98.195 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ftp
  inspect icmp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:393b21c6f4a432f888b064f51b6d92bc
: end

Open in new window

0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33673325
I have been unable to resolve this issue - just letting everyone know - I have an open case now with Cisco and should get some attention from one of their techs today. I sent the current configs over to the tech yesterday and he said that everything appears to be correct from the configurations. I'll let everyone know what we discover once I get some time to work on the issue live with the tech at Cisco.
0
 
LVL 9

Author Comment

by:Shaun McNicholas
ID: 33674168
Ok I solved the issues finally after many different configuration changes and options - it appears that most of the tunnelling was configured correctly after some final changes done on 9/3/2010 but the internal network in the Tampa office is using a Astaro Firewall system running on Linux and I had to define a static route to the network based on the local ip address of the Cisco VPN 3000 Concentrator instead of the public IP address. So requests from the External network were getting to the appropriate locations but when information would get returned it got lost in the default Tampa network because the local router in the Tampa network didn't have the right gateway address for the next hop for the remote network. I am not sure why the VPN debugging was giving me errors before saying something was amis in the VPN configurations - but its all working perfectly now. Thank you everyone for your assistance. I will be spreading the points among those who have offered various pieces of this puzzle!
0
 
LVL 9

Author Closing Comment

by:Shaun McNicholas
ID: 33674206
It appears that this was the primary reason for the errors in the VPN configs for the tunneling but if you look at my last post you'll see there were some additional configuration changes that I needed to make in my primary router in my home office network. They're using a very piecemeal setup here that I've inherited with several different VPNs routers etc... so it's been very difficult to setup something like this - that should be pretty straight forward! Anyway I got it working - thanks for sticking with this and helping me figure out what was going on!
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now