Cisco ASA 5510 VPN configuration

Posted on 2011-04-25
Last Modified: 2012-08-14
Hello,

I am having issues getting past phase 2. I am getting a "No SPI to identify Phase 2 SA" error.

Here are the configs...


HOST:

asdm image disk0:/asdm-508.bin
asdm location 192.168.72.100 255.255.255.255 INSIDE
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname SixPines5510
domain-name
enable password  encrypted
passwd  encrypted
names
dns-guard
!
interface Ethernet0/0
 description Outside interface to Cbeyond
 nameif OUTSIDE
 security-level 0
 ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
 description Inside interface to internal network
 nameif INSIDE
 security-level 100
 ip address 192.168.72.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.71.2 255.255.255.0
 management-only
!
banner exec  ANY unauthorized access will be prosecuted to the fullest extent of the law.
banner login Six Pines VPN firewall/router
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup INSIDE
dns name-server 66.180.96.12
dns name-server 64.180.96.12
same-security-traffic permit intra-interface
object-group service Citrix1494 tcp
 port-object eq citrix-ica
 port-object eq www
 port-object eq https
 port-object range 445 447
object-group network ValleywoodInternalNetwork
 network-object 192.168.72.0 255.255.255.0
access-list Outside-ACL extended permit tcp any host 72.54.197.26 object-group Citrix1494
access-list INSIDE_nat0_inbound extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list OUTSIDE_cryptomap_1 extended permit ip 192.168.72.0 255.255.255.0 interface OUTSIDE
access-list outside_1_cryptomap extended permit ip 192.168.74.0 255.255.255.0 object-group ValleywoodInternalNetwork
access-list INSIDE_nat0_outbound extended permit ip 192.168.72.0 255.255.255.0 interface OUTSIDE
pager lines 24
logging enable
logging asdm informational
logging mail critical
logging from-address Cisco5510@thedavidlawfirm.com
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 0 access-list INSIDE_nat0_inbound outside
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) 72.54.197.26 192.168.72.100 netmask 255.255.255.255
access-group Outside-ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username root password  encrypted privilege 15
http server enable
http 192.168.72.0 255.255.255.0 INSIDE
http 192.168.71.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 1 set peer 72.54.197.28
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 28800
crypto map OUTSIDE_map 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map interface OUTSIDE
isakmp enable OUTSIDE
isakmp enable INSIDE
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group 72.54.178.126 type ipsec-l2l
tunnel-group 72.54.178.126 ipsec-attributes
 pre-shared-key *
telnet 192.168.74.0 255.255.255.0 INSIDE
telnet 192.168.73.0 255.255.255.0 INSIDE
telnet 192.168.72.0 255.255.255.0 INSIDE
telnet 192.168.71.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access INSIDE
dhcpd address 192.168.71.3-192.168.71.254 management
dhcpd dns 66.180.96.12 64.180.96.12
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 66.180.96.57
Cryptochecksum:14c64137de77c452e346b7f9f3aa31ea
: end


REMOTE:

: Saved
:
ASA Version 8.2(1)
!
hostname ValleywoodVPN
domain-name  encrypted
passwd  encrypted
names
name 192.168.72.0 Sixpines description VPN Traffic
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.74.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.54.178.126 255.255.255.252
!
interface Vlan5
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name
object-group network SixpinesInternalNetwork
 network-object Sixpines 255.255.255.0
access-list outside_1_cryptomap extended deny ip 192.168.74.0 255.255.255.0 Sixpines 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.74.0 255.255.255.0 Sixpines 255.255.255.0
access-list outside_cryptomap_1 extended permit ip any Sixpines 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging class vpn asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 72.54.178.125 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.74.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
!
dhcpd address 192.168.74.101-192.168.74.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain  interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:340c30bdca6a66046c60b45ab9e6511f
: end
asdm location Sixpines 255.255.255.0 inside
no asdm history enable




Question by: charlietaylor

3 Comments

Author Comment

by:charlietaylor
ID: 35463613
Error I am getting:

Connection terminated for peer 72.54.197.28. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A

Accepted Solution

by: charlietaylor (earned 0 total points)
ID: 35463933
Upgraded both sides to 8.3 and the problem went away.

Author Closing Comment

by:charlietaylor
ID: 35463938
Never heard back from Experts Exchange and kept plugging away until it worked.
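Phase 2 (quick mode) only completes when each side's crypto map points at the other side's outside address and the two crypto ACLs are mirror images of each other, so those are the first things to cross-check when an L2L tunnel stalls after Phase 1. As an added example that is not part of the original thread, this Python script parses the relevant lines of the two configs posted above and reports where they disagree; the excerpts are constructed from those configs, and the proxy-ID comparison is a literal match after resolving `name` aliases (object-group indirection is deliberately left unresolved).

```python
import re

# Constructed excerpts of the two configs posted in the question; only the lines a Phase 2 negotiation depends on.
HOST = """\
interface Ethernet0/0
 nameif OUTSIDE
 ip address 72.54.197.28 255.255.255.248
access-list OUTSIDE_cryptomap_1 extended permit ip 192.168.72.0 255.255.255.0 interface OUTSIDE
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 1 set peer 72.54.197.28
crypto map OUTSIDE_map interface OUTSIDE
"""
REMOTE = """\
name 192.168.72.0 Sixpines description VPN Traffic
interface Vlan2
 nameif outside
 ip address 72.54.178.126 255.255.255.252
access-list outside_cryptomap_1 extended permit ip any Sixpines 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map interface outside
"""

# One address operand of an ASA extended ACE.
OPERAND = r"(any|host \S+|interface \S+|object-group \S+|\S+ \S+)"

def parse_l2l(cfg):
    """Return (outside_ip, peer, proxy_ids) for the crypto map bound to an interface;
    proxy_ids are the crypto ACL's (src, dst) pairs with 'name' aliases resolved."""
    alias = {a: ip for ip, a in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    cmap, ifname = re.search(r"^crypto map (\S+) interface (\S+)", cfg, re.M).groups()
    outside_ip = re.search(rf"nameif {ifname}\n(?:.*\n)*? ip address (\S+)", cfg).group(1)
    peer = re.search(rf"^crypto map {cmap} \d+ set peer (\S+)", cfg, re.M).group(1)
    acl = re.search(rf"^crypto map {cmap} \d+ match address (\S+)", cfg, re.M).group(1)
    aces = re.findall(rf"^access-list {acl} extended permit ip {OPERAND} {OPERAND}$", cfg, re.M)
    resolve = lambda op: " ".join(alias.get(tok, tok) for tok in op.split())
    return outside_ip, peer, {(resolve(s), resolve(d)) for s, d in aces}

def check_pair(a, b):
    """Each side's peer must be the other side's outside address, and the
    crypto ACLs must mirror each other; returns the list of disagreements."""
    (ip_a, peer_a, ids_a), (ip_b, peer_b, ids_b) = parse_l2l(a), parse_l2l(b)
    findings = []
    if peer_a != ip_b:
        findings.append(f"A: set peer {peer_a} is not B's outside address {ip_b}")
    if peer_b != ip_a:
        findings.append(f"B: set peer {peer_b} is not A's outside address {ip_a}")
    if {(d, s) for s, d in ids_a} != ids_b:
        findings.append(f"proxy IDs not mirrored: A={sorted(ids_a)} B={sorted(ids_b)}")
    return findings
```

Run as `check_pair(HOST, REMOTE)`, it flags the HOST crypto map peering with HOST's own outside address and the two crypto ACLs (one ending in `interface OUTSIDE`, the other starting with `any`) not mirroring each other; an empty list means the selectors are consistent.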
