Solved

IPSec tunnel not working through ASA

Posted on 2011-02-11
Last Modified: 2012-05-11
I am having a fit trying to configure an IPSec tunnel through our ASA 5505.  We are attempting to connect multiple Netgear FVS318v3 routers on our internal network through the ASA to a hosted Cisco VPN concentrator.  The Netgear connects up fine and we can access the hosted network fine from several remote locations (including my home, which is NAT'd by a Linksys router) as well as if we bypass the ASA and connect directly to our ISP's router.  However, when connected to the ASA the VPN tunnel shows established, but no traffic will pass either way across the tunnel.

The ASA is running version 8.0(4).  I have allowed IPSec, isakmp, and UDP 4500 on the ASA's external interface and also enabled NAT-T.  I have also verified that the hosting company has NAT-T enabled on the concentrator.

I'd like to avoid static NATing a public IP to each device inside, as when these go out into the field they will be used on a myriad of networks, including placing multiple routers on a single network with a NAT'd Internet connection.  Any ideas are greatly appreciated, and just let me know if more information is needed.
Question by:tchaplin
20 Comments
 
Expert Comment

by:Ernie Beek
ID: 34872252
Did you check the logging on the ASA? Did that show anything?

Expert Comment

by:mahrens007
ID: 34872424
could you post your config?

Author Comment

by:tchaplin
ID: 34874142
@erniebeek

I turned debug logging on for IPSec passthrough and attempted to ping a server on the remote network.  The only entries I found in the logging that looked remotely relevant were these:

%ASA-7-609001: Built local-host outside:64.XXX.XXX.XXX
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.2.204 dst outside:64.XXX.XXX.XXX
%ASA-7-609002: Teardown local-host outside:64.XXX.XXX.XXX duration 0:00:00

Where 64.XXX.XXX.XXX is the remote concentrator's IP and 192.168.2.204 is the address of the Netgear on the network behind the ASA.
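Added example, not code from the thread or from Cisco: a small Python triage script that reads ASA syslog lines like the ones above and separates the two cases the later comments argue about. Raw ESP (IP protocol 50) fails at PAT because ESP carries no port for the translation to key on, which is what %ASA-3-305006 reports; a tunnel whose peers detected the NAT and moved IKE and ESP into UDP/4500 (NAT-T) instead shows up as an ordinary UDP translation (%ASA-6-305011) that PAT handles fine. The log lines it runs over are constructed, with documentation addresses standing in for the thread's masked ones; the message formats are the standard ASA ones.

```python
"""Added example (not from the thread): read ASA syslog lines and tell raw ESP
dying at PAT apart from a tunnel that has switched to NAT-T (UDP/4500)."""
import re
from collections import defaultdict

# %ASA-3-305006 is the message the poster saw. The ASA's PAT ("global (outside)
# 1 interface") needs a transport port to multiplex on; ESP (IP protocol 50)
# has none, so the translation cannot be built and the packet is dropped.
ESP_XLATE_FAIL = re.compile(
    r"%ASA-3-305006: regular translation creation failed for protocol "
    r"(?P<proto>\d+) src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)"
)
# %ASA-6-305011 is logged when a PAT entry is built for a UDP flow. Port 500 is
# plain ISAKMP; port 4500 means the peers detected NAT and moved IKE and ESP
# into UDP, which PAT can translate like any other UDP flow.
UDP_XLATE_BUILT = re.compile(
    r"%ASA-6-305011: Built dynamic UDP translation from "
    r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<mapped>[\d.]+)/(?P<mport>\d+)"
)

PROTO_ESP, PORT_ISAKMP, PORT_NATT = 50, 500, 4500

VERDICTS = {
    "NATT_OK": "NAT-T negotiated: IKE and ESP ride UDP/4500, PAT can carry them",
    "ESP_THROUGH_PAT": "raw ESP reached PAT and could not be translated: the peers "
                       "never switched to UDP/4500, so check NAT-T on both ends "
                       "and that UDP/4500 is open along the path",
    "NO_EVIDENCE": "no IPsec traversal events for this host",
}


def _new_host():
    return {"esp_xlate_failures": 0, "isakmp_udp500": False,
            "natt_udp4500": False, "peers": set()}


def analyze(log_text):
    """Return {inside_host: summary} with a verdict code from VERDICTS."""
    hosts = defaultdict(_new_host)
    for line in log_text.splitlines():
        m = ESP_XLATE_FAIL.search(line)
        if m and int(m.group("proto")) == PROTO_ESP:
            h = hosts[m.group("src")]
            h["esp_xlate_failures"] += 1
            h["peers"].add(m.group("dst"))
            continue
        m = UDP_XLATE_BUILT.search(line)
        if m:
            h = hosts[m.group("src")]
            port = int(m.group("sport"))
            if port == PORT_ISAKMP:
                h["isakmp_udp500"] = True
            elif port == PORT_NATT:
                h["natt_udp4500"] = True
    for h in hosts.values():
        if h["esp_xlate_failures"]:
            h["verdict"] = "ESP_THROUGH_PAT"
        elif h["natt_udp4500"]:
            h["verdict"] = "NATT_OK"
        else:
            h["verdict"] = "NO_EVIDENCE"
    return dict(hosts)


# Constructed sample log: host .204 reproduces the poster's symptom, host .205
# shows what the same peer looks like once NAT-T is in effect. Addresses are
# documentation ranges, not the thread's real ones.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.2.204/500 to outside:203.0.113.2/500
%ASA-7-609001: Built local-host outside:198.51.100.10
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:192.168.2.204 dst outside:198.51.100.10
%ASA-7-609002: Teardown local-host outside:198.51.100.10 duration 0:00:00
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.2.205/500 to outside:203.0.113.2/1024
%ASA-6-305011: Built dynamic UDP translation from inside:192.168.2.205/4500 to outside:203.0.113.2/4500
"""

if __name__ == "__main__":
    for host, summary in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}: {summary['verdict']} - {VERDICTS[summary['verdict']]}")
```

Feed it the output of `show logging` (with `logging buffered debugging`, as in the posted config) and look at the verdict per inside host: an ESP_THROUGH_PAT host that also has `isakmp_udp500` set has completed phase 1 over UDP/500 but never moved to UDP/4500, which is exactly the "tunnel shows established, no traffic passes" symptom.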

Author Comment

by:tchaplin
ID: 34874202
@mahrens007

Here is the current config

: Saved
:
ASA Version 8.0(4)
!
hostname Hostname
domain-name domain.local
enable password XXXXXXXXXX encrypted
passwd XXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name galactic-empire.local
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp eq 40000
 service-object tcp eq ftp
 service-object tcp eq ftp-data
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq pop3
 service-object tcp eq smtp
 service-object tcp eq 3389
 service-object icmp
 service-object tcp eq pptp
 service-object tcp eq 3390
 service-object tcp eq 3391
 service-object tcp eq 3392
 service-object tcp eq 3393
 service-object esp
 service-object udp eq isakmp
 service-object udp eq 4500
 service-object tcp-udp eq 10000
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host XXX.XXX.XXX.XXX
pager lines 24
logging enable
logging buffer-size 20000
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip local pool clientpool 192.168.4.1-192.168.4.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.129 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.2.129 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.32 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 40000 192.168.2.32 40000 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.2.189 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.3 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.2.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.2.182 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 192.168.2.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 192.168.2.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
no vpn-addr-assign aaa
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
l2tp tunnel hello 30
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
group-policy IpsecPolicy internal
group-policy IpsecPolicy attributes
 dns-server value 192.168.2.3
 default-domain value domain.local
 user-authentication disable
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy IpsecPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group unityclient type remote-access
tunnel-group unityclient general-attributes
 address-pool clientpool
 authorization-server-group LOCAL
 default-group-policy IpsecPolicy
tunnel-group unityclient ipsec-attributes
 pre-shared-key *
tunnel-group SecondL2LGroup type ipsec-l2l
tunnel-group SecondL2LGroup general-attributes
 default-group-policy IpsecPolicy
tunnel-group SecondL2LGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fce2b13a6c215d4d99cac54809c485e2
: end

Expert Comment

by:Ernie Beek
ID: 34874208
regular translation creation failed for protocol 50 src inside:192.168.2.204 dst outside:64.XXX.XXX.XXX

Protocol 50 is ESP which is used for IPSec. So it looks like you didn't allow that (or not completely correct).
Perhaps you could post a sanitized configuration here so we can have a look at it.

Do you have a rule like:
access-list outside_access_in extended permit esp host x.x.x.x host y.y.y.y
?

Expert Comment

by:Ernie Beek
ID: 34874213
Damn! that fast :)

Expert Comment

by:Ernie Beek
ID: 34874225
Ok, so you got the ESP.

Let me check on the config.

Expert Comment

by:Cheever000
ID: 34875044
It does not look like NAT-T is taking place. Which side is initiating traffic?  The error you posted is exactly what you would expect to see without NAT-T.

Author Comment

by:tchaplin
ID: 34875206
I have a PC attached to the Netgear which then attaches to the ASA5505 which connects us to the Internet.  I have heard back from the hosting company and the device on the other end is an ASA5520.  They have double verified that NAT-T is enabled and port 4500 is open on their end.

Author Comment

by:tchaplin
ID: 34875512
@Cheever000

Sorry, just realized I didn't really answer your question.  The Netgear is initiating the tunnel and I have been testing by attempting to initiate traffic from the PC to servers on the hosted network.  I have also attempted to ping in the reverse direction though.

Expert Comment

by:Ernie Beek
ID: 34875557
They have double verified that NAT-T is enabled and port 4500 is open on their end

Did they also check the inspect rules:

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect ipsec-pass-thru

?

Author Comment

by:tchaplin
ID: 34899634
I'm working to get a copy of the running config from their ASA which I'll post here asap.  Any other questions or info I should be requesting from them?

Expert Comment

by:Ernie Beek
ID: 34899662
Not yet. I think it is a good idea to first have the remote config. After that the questions might come automatically ;)

Author Comment

by:tchaplin
ID: 34903234
Here is a fairly sanitized running config from the ASA 5520 on the remote end.


: Saved
:
ASA Version 8.3(2)
!
hostname yyyyyyyyyyyyyy
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.5.44.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxx.xxx.xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network GCI-APP01
 host 10.5.44.12
object network GCI-APP02
 host 10.5.44.13
object network GCI-DC01
 host 10.5.44.10
object network GCI-SQL01
 host 10.5.44.11
object network AExt1
 host xxx.xxx.xxx.xxx
object network AExt2
 host xxx.xxx.xxx.xxx
object network B-APP01_Ext
 host xxx.xxx.xxx.xxx
object network B-APP02_Ext
 host xxx.xxx.xxx.xxx
object network B-DC01_Ext
 host xxx.xxx.xxx.xxx
object network B-SQL01_Ext
 host xxx.xxx.xxx.xxx
object network NETWORK_OBJ_10.5.44.0_24
 subnet 10.5.44.0 255.255.255.0
object network POS_Test_Network
 subnet 192.168.0.0 255.255.255.248
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object B-APP01
network-object object B-APP02
object-group service DM_INLINE_TCP_1 tcp
port-object eq 242
port-object eq 3389
port-object eq 51968
access-list outside_access_in extended permit tcp any object B-SQL01 eq 3389
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit ip 10.5.44.0 255.255.255.0 object POS_Test_Network
access-list outside_cryptomap_65535.2 extended permit ip 10.5.44.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list outside_cryptomap_65535.1 extended permit ip 10.5.44.0 255.255.255.0 object POS_Test_Network
access-list outside_cryptomap_65535.10 extended permit ip 10.5.44.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 10.5.44.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging history critical
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.5.44.0_24 NETWORK_OBJ_10.5.44.0_24 destination static POS_Test_Network POS_Test_Network
nat (inside,outside) source static NETWORK_OBJ_10.5.44.0_24 NETWORK_OBJ_10.5.44.0_24 destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24
!
object network B-APP01
nat (any,any) static B-APP01_Ext dns
object network B-APP02
nat (any,any) static B-APP02_Ext dns
object network B-DC01
nat (any,any) static B-DC01_Ext dns
object network B-SQL01
nat (any,any) static B-SQL01_Ext dns
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GGG.GGG.GGG.GGG 1
route inside 10.1.0.0 255.255.255.0 10.5.44.1 1
route inside 10.5.0.0 255.255.0.0 10.5.44.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 2 match address outside_cryptomap_65535.2
crypto dynamic-map outside_dyn_map 2 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_65535.10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 aes256-sha1 aes128-sha1 3des-sha1
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group DynamicPolicy type ipsec-l2l
tunnel-group DynamicPolicy ipsec-attributes
pre-shared-key *****
isakmp keepalive disable

Accepted Solution

by:
Cheever000 earned 168 total points
ID: 34905829
Unless I am missing something, there isn't a hint of NAT-T in that config. I could be blind; it is early.

Assisted Solution

by:Ernie Beek
Ernie Beek earned 332 total points
ID: 34905896
No Cheever000, you're not blind (as far as I can see :)

I'm missing:
crypto isakmp nat-traversal 60

For starters.

Author Comment

by:tchaplin
ID: 34907592
A bit of devil's advocate before I call them on this.  Isn't "crypto isakmp nat-traversal 20" the default for ASAs now? i.e. it wouldn't show up in the config unless it was turned off or the timeout was changed.  I've asked them to double-check previously and they sent me a screenshot from ASDM with the box for NAT Traversal checked.

Assisted Solution

by:Ernie Beek
Ernie Beek earned 332 total points
ID: 34907679
You are right, 20 is the default.

But.........

Crypto isakmp nat-traversal is not turned on by default, so it should show. There was a bug in an earlier version not showing it when it was at 20.
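Added illustration, not configuration from the thread: the NAT-T line each side is expected to carry, side by side, plus the commands that settle the "is it on but hidden by the default?" question without relying on an ASDM screenshot. The local line is the one already present in the posted 5505 config; the remote line is the one the experts note is absent from the posted 5520 config. `show running-config all` prints a setting's effective value even when it equals the default and is omitted from plain `show run`, and the ESP encaps/decaps counters in `show crypto ipsec sa` are the quickest way to see whether traffic is actually crossing the tunnel in each direction.

```text
! Local ASA 5505, 8.0(4): already in the posted config
crypto isakmp nat-traversal 60

! Remote ASA 5520, 8.3(2): the line missing from the posted config
crypto isakmp nat-traversal 20

! On either box: show the effective NAT-T setting, default or not
show running-config all crypto isakmp | include nat-traversal

! On the remote ASA, after bringing the tunnel up and sending traffic both ways:
! the #pkts encaps and #pkts decaps counters for the
! 10.5.44.0/24 <-> 192.168.2.0/24 pair should both climb
show crypto ipsec sa | include pkts
```

If the remote side shows NAT-T enabled yet the local ASA still logs the protocol 50 translation failure, the remaining suspects are the Netgear's own NAT-T support and UDP/4500 being filtered somewhere between the two peers, since both endpoints must agree to encapsulate before any ESP is wrapped in UDP.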

Expert Comment

by:digitap
ID: 35145573
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.