  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2821

Site-to-Site VPN setup between an ASA v7.0 & CheckPoint R7 (revised)

I'm hoping someone can shed some light on what I'm doing wrong with this ASA config.

Objective: Set up a site-to-site VPN between a client's data centre & a telco's data centre.
VPN devices: client = ASA v7.0 (8)   telco = Checkpoint R70
Client's internal network - 10.10.11.0 /24  Outside static IP (local peer) = X.X.57.114
Telco's encryption domain - 216.13.128.40 /29  outside IP (remote peer) = A.B.185.194  internal host IP 216.13.128.15
The ASA has some existing VPN connections set up, so this particular setup will be an additional VPN. Below is a description of the config for the ASA which I manage. I do not have access to the Checkpoint.

Testing results: So far, after 4 sets of tests, we're yet to get past Phase 2... at least on my side.
Typical results on first pass:
5|Sep 26 2011 12:00:27|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:27|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:25|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:23|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
4|Sep 26 2011 12:00:23|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Sep 26 2011 12:00:23|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Sep 26 2011 12:00:23|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ebff80, mess id 0x4ec876f)!
3|Sep 26 2011 12:00:23|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.248/0/0 local proxy 216.13.128.15/255.255.255.255/0/0 on interface external
5|Sep 26 2011 12:00:23|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Sep 26 2011 12:00:23|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Sep 26 2011 12:00:23|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attributes
5|Sep 26 2011 12:00:23|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:19|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:19|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:17|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:15|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:15|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:13|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:11|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:11|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:09|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:07|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:07|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping

After some changes on my end again...
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x332d5e0, mess id 0xf0d02aaa)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.248/0/0 local proxy 216.13.128.15/255.255.255.255/0/0 on interface external
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Oct 03 2011 13:25:17|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Oct 03 2011 13:25:17|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attributes
4|Oct 03 2011 13:25:17|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ec6328, mess id 0xe7bad623)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.248/0/0 local proxy 216.13.128.15/255.255.255.255/0/0 on interface external
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Oct 03 2011 13:25:17|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Oct 03 2011 13:25:17|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attributes
4|Oct 03 2011 13:25:17|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ec0828, mess id 0x5cd87b30)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.248/0/0 local proxy 216.13.128.15/255.255.255.255/0/0 on interface external
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED

After a discussion with the Checkpoint admin today... apparently I should have been using one of the addresses they mentioned, and doing some NATing for it to work, since they have an internal 10.10.0.0 network which could cause an issue.
The address I should use is 216.13.128.15 and NAT that to my internal IP.

Info from the Checkpoint admin:
216.13.128.14
216.13.128.15
216.13.128.16
(Server address to be used to test traffic – customer to NAT to other address if necessary)

How do I construct a new nat statement to effect this requirement?

Any direction would be greatly appreciated. Also you can ignore my previous post about disabling the SA lifetime kilobytes setting.

Thanks

ASA Version 7.0(8)
!
hostname BLAHBLAHFW02
domain-name cisco.com
enable password N8iVIoABOjhNrEKz encrypted
passwd 2NOok0J6OZxGHfk3 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif external
 security-level 0
 ip address X.X.57.114 255.255.255.240
!
interface Ethernet0/1
 nameif internal
 security-level 100
 ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 nameif
 security-level 100
 ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
!
banner motd * This system is the property of Mtrex Networks.  Any unathorized access is prohibited and all prosecutor will be fined and/or punished to the fullest extent of the law*
ftp mode passive
dns domain-lookup external
dns domain-lookup internal
dns domain-lookup DMZ
dns domain-lookup management
dns name-server X.X.63.21
dns name-server X.X.63.53
dns name-server X.X.255.198
access-list 110 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.15
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.40
access-list hidatavpn-acl extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list rbsvpn-acl extended permit ip 10.10.11.0 255.255.255.0 216.13.128.40 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu external 1500
mtu internal 1500
mtu DMZ 1500
mtu management 1500
mtu rbs 1500
ip local pool vpnpool 192.168.20.100-192.168.20.150 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (external) 10 interface
nat (internal) 0 access-list inside_nat0_outbound
nat (internal) 10 access-list 110
access-group 100 in interface external
route external 0.0.0.0 0.0.0.0 208.113.57.113 1
route internal 10.80.0.0 255.248.0.0 10.10.11.2 1
route internal 10.64.0.0 255.248.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mtrexvpn internal
group-policy mtrexvpn attributes
 vpn-tunnel-protocol IPSec
 default-domain value ciso.com
 webvpn
username tech password CGJdVH6QlNHzQSjw encrypted
username vito password NE3Exf6jS9pZ8bQp encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http X.X.X.112 255.255.255.240 external
http X.X.X.39 255.255.255.255 external
http X.X.X.162 255.255.255.255 external
http 10.10.11.0 255.255.255.0 internal
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set hidata esp-3des esp-sha-hmac
crypto ipsec transform-set rbsvpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map external_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map external_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set reverse-route
crypto map external_map 10 ipsec-isakmp dynamic external_dyn_map
crypto map hidata-map 5 match address rbsvpn-acl
crypto map hidata-map 5 set peer A.B.185.194
crypto map hidata-map 5 set transform-set rbsvpn
crypto map hidata-map 5 set security-association lifetime seconds 3600
crypto map hidata-map 5 set security-association lifetime kilobytes 4608000
crypto map hidata-map 10 match address hidatavpn-acl
crypto map hidata-map 10 set peer 1.1.1.228
crypto map hidata-map 10 set transform-set hidata
crypto map hidata-map 10 set security-association lifetime seconds 28800
crypto map hidata-map 10 set security-association lifetime kilobytes 4608000
crypto map hidata-map interface external
isakmp enable external
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal  20
tunnel-group mtrexvpn type ipsec-ra
tunnel-group mtrexvpn general-attributes
 address-pool vpnpool
 default-group-policy mtrexvpn
tunnel-group mtrexvpn ipsec-attributes
 pre-shared-key *
tunnel-group 1.1.1.228 type ipsec-l2l
tunnel-group 1.1.1.228 ipsec-attributes
 pre-shared-key *
tunnel-group A.B.185.194 type ipsec-l2l
tunnel-group A.B.185.194 ipsec-attributes
 pre-shared-key *
telnet 10.10.11.0 255.255.255.0 internal
telnet 192.168.100.0 255.255.255.0 internal
telnet 192.168.20.0 255.255.255.0 internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 external
ssh timeout 5
console timeout 0
management-access internal
dhcpd address 192.168.100.2-192.168.100.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b8f8dc9ab2bde193d902abca7de5b8ca
: end
2 Solutions
 
jmeggers (Sr. Network and Security Engineer) commented:
I have no Checkpoint experience but since no one has posted anything, I'll jump in.  

I recently did a similar outbound NAT configuration which seemed to work:

access-list nat-VPN extended permit ip 10.0.0.0 255.0.0.0 host 10.192.12.20    <= policy NAT ACL

access-list VPN_Tunnel extended permit ip host 10.194.66.42 host 10.192.12.20  <= encryption ACL

global (outside) 1 interface
global (outside) 2 10.194.66.42                               <= outside NATed address of VPN traffic
nat (outside) 1 <inside nets> <mask>
nat (inside) 2 access-list nat-VPN
nat (inside) 1 access-list outbound_nat

crypto map outside_map 10 match address VPN_Tunnel
crypto map outside_map 10 set peer a.b.c.85
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5    
 group 2
 lifetime 86400
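A diagnostic for the 713061 rejections quoted in the question, and for the NAT-ordering caveat that goes with the policy NAT approach jmeggers shows above. This is an added Python example, not code from the question, the answer or Cisco: it pulls the `local proxy` / `remote proxy` identities the Checkpoint proposed out of the ASA syslog line, checks them against a crypto ACL using subnet containment, and lists any `nat 0 access-list` (NAT exemption) entries that overlap the same inside-to-remote flow, because on pre-8.3 ASA code NAT exemption is evaluated before policy NAT and would keep the translation from ever applying. The config lines are copied from the question; the ACL named `rbsvpn-acl-new` and its contents are my own candidate (crypto ACL sourced from the NATed host address the Checkpoint admin gave), not something configured on the asker's ASA.

```python
import ipaddress
import re

# Constructed sample input: one 713061 line from the question, the question's
# own nat0 / crypto ACL entries, and a candidate crypto ACL (rbsvpn-acl-new,
# my own name) whose source is the host the Checkpoint expects us to appear as.
LOG_LINES = [
    "3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "216.13.128.40/255.255.255.248/0/0 local proxy 216.13.128.15/255.255.255.255/0/0 "
    "on interface external",
]
CONFIG_LINES = [
    "access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.15",
    "access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.40",
    "access-list rbsvpn-acl extended permit ip 10.10.11.0 255.255.255.0 216.13.128.40 255.255.255.248",
    "access-list rbsvpn-acl-new extended permit ip host 216.13.128.15 216.13.128.40 255.255.255.248",
]

PROXY_RE = re.compile(
    r"remote proxy (\S+?)/(\S+?)/\d+/\d+ local proxy (\S+?)/(\S+?)/\d+/\d+"
)
ACE_RE = re.compile(
    r"access-list (\S+) extended permit ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)"
)


def _to_net(token):
    """Turn an ACL address token ('any', 'host A', 'A MASK') into an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_aces(config_lines):
    """Map ACL name -> list of (src_net, dst_net) for 'extended permit ip' entries."""
    acls = {}
    for line in config_lines:
        m = ACE_RE.fullmatch(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((_to_net(m.group(2)), _to_net(m.group(3))))
    return acls


def proposed_proxies(log_lines):
    """Yield (local_net, remote_net) from %ASA-3-713061 lines.
    'local proxy' is the identity the peer claims for OUR side of the tunnel."""
    for line in log_lines:
        m = PROXY_RE.search(line)
        if m:
            remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            yield local, remote


def crypto_acl_covers(aces, local, remote):
    """True if some ACE (src, dst) contains the proposed (local, remote) pair.
    Modelled as subnet containment, which is exactly what fails in the question:
    the peer proposes 216.13.128.15/32 as our side, the ACL says 10.10.11.0/24."""
    return any(local.subnet_of(s) and remote.subnet_of(d) for s, d in aces)


def nat0_overlaps(aces, inside, remote):
    """nat 0 access-list entries overlapping the inside->remote flow. NAT exemption
    is evaluated before policy NAT on pre-8.3 ASA code, so these would win."""
    return [(s, d) for s, d in aces if s.overlaps(inside) and d.overlaps(remote)]


def diagnose(log_lines, config_lines, crypto_acl, nat0_acl, inside_net):
    """One report entry per proposed proxy pair found in the logs."""
    acls = parse_aces(config_lines)
    inside = ipaddress.ip_network(inside_net)
    report = []
    for local, remote in proposed_proxies(log_lines):
        conflicts = nat0_overlaps(acls.get(nat0_acl, []), inside, remote)
        report.append({
            "local": str(local),
            "remote": str(remote),
            "crypto_match": crypto_acl_covers(acls.get(crypto_acl, []), local, remote),
            "nat0_conflicts": [f"{s} -> {d}" for s, d in conflicts],
        })
    return report


if __name__ == "__main__":
    for name in ("rbsvpn-acl", "rbsvpn-acl-new"):
        for entry in diagnose(LOG_LINES, CONFIG_LINES, name, "inside_nat0_outbound", "10.10.11.0/24"):
            print(name, entry)
```

Run against the question's own `rbsvpn-acl` the report shows `crypto_match` False (the proposed local identity 216.13.128.15/32 is not inside 10.10.11.0/24) and flags the `inside_nat0_outbound` entry for host 216.13.128.40, which overlaps the 216.13.128.40/29 encryption domain and would be matched ahead of any policy NAT; against the candidate ACL sourced from host 216.13.128.15 the proxy pair matches.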
 
jmeggers (Sr. Network and Security Engineer) commented:
Incidentally, if that's your ASA, you might want to consider updating the code.  Version 7.0 is very old (probably end of life by now) and there have been a lot of updates and bug-fixes. The most recent version is 8.4.  The update from 7.2 all the way to 8.2 should be pretty painless for you, but there are significant changes in moving to 8.3 and later.  You might be able to just go straight to 8.2 (changes between 7.2 and 8.0 were predominantly related to SSL VPN) but if I were doing it, I'd go to 7.2, then 8.0, then 8.2 just to minimize risk.
 
starport (Author) commented:
Hi jmeggers:
Thanks for your comments. I'll have to take another look at the NAT & Global statements on firewall. Looks like I might be missing a policy or two.
The firmware upgrade may be a challenge since Cisco support may have lapsed... that I'll have to check as well.

I'll let you know the outcome over the next 48hrs.
 
starport (Author) commented:
In progress. Thanks
 
starport (Author) commented:
The solution was to blow away the original configs and setup a new encryption domain which included a router down-stream of the FW. One of the router interfaces was used to form the encryption domain.
The vpn formed and packets were seen to be encrypted & decrypted in both directions.
What was causing the issues were:
1. there was a dynamic map present - priority setting of the crypto maps is important in such instances
2. ASA lifetime kilobytes size cannot be zero - apparently the checkpoint R7 can

Thanks to everyone for their input it was greatly appreciated.

jmeggers:
Yes, we intend to upgrade the FW as soon as possible. We just moved our secondary site to Peer1 hosting and would be doing the upgrade once everything reached steady state.

Thanks again