Site-to-Site VPN setup between a ASA v7.0 & CheckPoint R7 (revised )
I hoping someone can shed some light on what I'm doing wrong with this ASA config.
Objective: Setup a site-to-site vpn between a client's data centre & a telco's data centre.
VPN devices: client = ASA v7.0 (8) telco = Checkpoint R70
Client's internal network - 10.10.11.0 /24 Outside static ip (local peer) = X.X.57.114
Telco's encryption domain - 216.13.128.40 /29 outside ip (remote peer) = A.B.185.194 internal host ip 216.13.128.15
The ASA has some existing vpn connections setup, so this particular setup will be an additional vpn. Below is a description of the config for the ASA which I manage. I do not have access to the Checkpoint.
Testing results: So far after 4 sets of tests we're yet to get past Phase 2...at least on my side .
Typical results on first pass:
5|Sep 26 2011 12:00:27|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:27|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:25|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:23|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
4|Sep 26 2011 12:00:23|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Sep 26 2011 12:00:23|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Sep 26 2011 12:00:23|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ebff80, mess id 0x4ec876f)!
3|Sep 26 2011 12:00:23|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Sep 26 2011 12:00:23|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Sep 26 2011 12:00:23|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Sep 26 2011 12:00:23|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attribute
5|Sep 26 2011 12:00:23|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:19|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:19|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:17|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:15|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:15|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:13|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:11|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:11|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:09|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:07|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:07|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
After some changes on my end again.....
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x332d5e0, mess id 0xf0d02aaa)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Oct 03 2011 13:25:17|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Oct 03 2011 13:25:17|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attribute
4|Oct 03 2011 13:25:17|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ec6328, mess id 0xe7bad623)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Oct 03 2011 13:25:17|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Oct 03 2011 13:25:17|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attribute
4|Oct 03 2011 13:25:17|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ec0828, mess id 0x5cd87b30)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
After a discussion with the checkpoint admin today...apparently I should have been using one of the addresses they mentioned, and doing some NATING for it to work. SInce they have an internal 10.10.0.0 network which could cause an issue.
The address I should use is 216.13.128.15 and NAT that to my internal ip.
Info from the Checkpoint admin:
216.13.128.14
216.13.128.15
216.13.128.16
(Server address to be used to test traffic – customer to NAT to other address if necessary)
How do I construct a new nat statement to effect this requirement?
Any direction would be greatly appreciated. Also you can ignore my previous post about disabling the SA lifetime kilobytes setting.
Thanks
ASA Version 7.0(8)
!
hostname BLAHBLAHFW02
domain-name cisco.com
enable password N8iVIoABOjhNrEKz encrypted
passwd 2NOok0J6OZxGHfk3 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif external
security-level 0
ip address X.X.57.114 255.255.255.240
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif
security-level 100
ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner motd * This system is the property of Mtrex Networks. Any unathorized access is prohibited and all prosecutor will be fined and/or punished to the fullest extent of the law*
ftp mode passive
dns domain-lookup external
dns domain-lookup internal
dns domain-lookup DMZ
dns domain-lookup management
dns name-server X.X.63.21
dns name-server X.X.63.53
dns name-server X.X.255.198
access-list 110 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.15
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.40
access-list hidatavpn-acl extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list rbsvpn-acl extended permit ip 10.10.11.0 255.255.255.0 216.13.128.40 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu external 1500
mtu internal 1500
mtu DMZ 1500
mtu management 1500
mtu rbs 1500
ip local pool vpnpool 192.168.20.100-192.168.20.
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (external) 10 interface
nat (internal) 0 access-list inside_nat0_outbound
nat (internal) 10 access-list 110
access-group 100 in interface external
route external 0.0.0.0 0.0.0.0 208.113.57.113 1
route internal 10.80.0.0 255.248.0.0 10.10.11.2 1
route internal 10.64.0.0 255.248.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mtrexvpn internal
group-policy mtrexvpn attributes
vpn-tunnel-protocol IPSec
default-domain value ciso.com
webvpn
username tech password CGJdVH6QlNHzQSjw encrypted
username vito password NE3Exf6jS9pZ8bQp encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http X.X.X.112 255.255.255.240 external
http X.X.X.39 255.255.255.255 external
http X.X.X.162 255.255.255.255 external
http 10.10.11.0 255.255.255.0 internal
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set hidata esp-3des esp-sha-hmac
crypto ipsec transform-set rbsvpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map external_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map external_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set reverse-route
crypto map external_map 10 ipsec-isakmp dynamic external_dyn_map
crypto map hidata-map 5 match address rbsvpn-acl
crypto map hidata-map 5 set peer A.B.185.194
crypto map hidata-map 5 set transform-set rbsvpn
crypto map hidata-map 5 set security-association lifetime seconds 3600
crypto map hidata-map 5 set security-association lifetime kilobytes 4608000
crypto map hidata-map 10 match address hidatavpn-acl
crypto map hidata-map 10 set peer 1.1.1.228
crypto map hidata-map 10 set transform-set hidata
crypto map hidata-map 10 set security-association lifetime seconds 28800
crypto map hidata-map 10 set security-association lifetime kilobytes 4608000
crypto map hidata-map interface external
isakmp enable external
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal 20
tunnel-group mtrexvpn type ipsec-ra
tunnel-group mtrexvpn general-attributes
address-pool vpnpool
default-group-policy mtrexvpn
tunnel-group mtrexvpn ipsec-attributes
pre-shared-key *
tunnel-group 1.1.1.228 type ipsec-l2l
tunnel-group 1.1.1.228 ipsec-attributes
pre-shared-key *
tunnel-group A.B185.194 type ipsec-l2l
tunnel-group A.B.185.194 ipsec-attributes
pre-shared-key *
telnet 10.10.11.0 255.255.255.0 internal
telnet 192.168.100.0 255.255.255.0 internal
telnet 192.168.20.0 255.255.255.0 internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 external
ssh timeout 5
console timeout 0
management-access internal
dhcpd address 192.168.100.2-192.168.100.
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:b8f8dc9ab2b
: end
Objective: Setup a site-to-site vpn between a client's data centre & a telco's data centre.
VPN devices: client = ASA v7.0 (8) telco = Checkpoint R70
Client's internal network - 10.10.11.0 /24 Outside static ip (local peer) = X.X.57.114
Telco's encryption domain - 216.13.128.40 /29 outside ip (remote peer) = A.B.185.194 internal host ip 216.13.128.15
The ASA has some existing vpn connections setup, so this particular setup will be an additional vpn. Below is a description of the config for the ASA which I manage. I do not have access to the Checkpoint.
Testing results: So far after 4 sets of tests we're yet to get past Phase 2...at least on my side .
Typical results on first pass:
5|Sep 26 2011 12:00:27|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:27|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:25|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:23|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
4|Sep 26 2011 12:00:23|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Sep 26 2011 12:00:23|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Sep 26 2011 12:00:23|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ebff80, mess id 0x4ec876f)!
3|Sep 26 2011 12:00:23|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Sep 26 2011 12:00:23|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Sep 26 2011 12:00:23|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Sep 26 2011 12:00:23|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attribute
5|Sep 26 2011 12:00:23|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:19|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:19|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:17|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:15|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:15|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:13|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:11|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:11|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:09|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:07|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
5|Sep 26 2011 12:00:07|713904: IP = 216.123.185.194, Received encrypted packet with no matching SA, dropping
After some changes on my end again.....
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x332d5e0, mess id 0xf0d02aaa)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Oct 03 2011 13:25:17|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Oct 03 2011 13:25:17|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attribute
4|Oct 03 2011 13:25:17|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ec6328, mess id 0xe7bad623)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
6|Oct 03 2011 13:25:17|113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 216.123.185.194
4|Oct 03 2011 13:25:17|713903: Group = 216.123.185.194, IP = 216.123.185.194, Freeing previously allocated memory for authorization-dn-attribute
4|Oct 03 2011 13:25:17|113019: Group = 216.123.185.194, Username = 216.123.185.194, IP = 216.123.185.194, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, Removing peer from correlator table failed, no match!
3|Oct 03 2011 13:25:17|713902: Group = 216.123.185.194, IP = 216.123.185.194, QM FSM error (P2 struct &0x2ec0828, mess id 0x5cd87b30)!
3|Oct 03 2011 13:25:17|713061: Group = 216.123.185.194, IP = 216.123.185.194, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 216.13.128.40/255.255.255.
5|Oct 03 2011 13:25:17|713119: Group = 216.123.185.194, IP = 216.123.185.194, PHASE 1 COMPLETED
After a discussion with the checkpoint admin today...apparently I should have been using one of the addresses they mentioned, and doing some NATING for it to work. SInce they have an internal 10.10.0.0 network which could cause an issue.
The address I should use is 216.13.128.15 and NAT that to my internal ip.
Info from the Checkpoint admin:
216.13.128.14
216.13.128.15
216.13.128.16
(Server address to be used to test traffic – customer to NAT to other address if necessary)
How do I construct a new nat statement to effect this requirement?
Any direction would be greatly appreciated. Also you can ignore my previous post about disabling the SA lifetime kilobytes setting.
Thanks
ASA Version 7.0(8)
!
hostname BLAHBLAHFW02
domain-name cisco.com
enable password N8iVIoABOjhNrEKz encrypted
passwd 2NOok0J6OZxGHfk3 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif external
security-level 0
ip address X.X.57.114 255.255.255.240
!
interface Ethernet0/1
nameif internal
security-level 100
ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif
security-level 100
ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
banner motd * This system is the property of Mtrex Networks. Any unathorized access is prohibited and all prosecutor will be fined and/or punished to the fullest extent of the law*
ftp mode passive
dns domain-lookup external
dns domain-lookup internal
dns domain-lookup DMZ
dns domain-lookup management
dns name-server X.X.63.21
dns name-server X.X.63.53
dns name-server X.X.255.198
access-list 110 extended permit ip any any
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any source-quench
access-list 100 extended permit icmp any any unreachable
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.15
access-list inside_nat0_outbound extended permit ip 10.10.11.0 255.255.255.0 host 216.13.128.40
access-list hidatavpn-acl extended permit ip 10.80.0.0 255.255.254.0 10.10.1.0 255.255.255.0
access-list rbsvpn-acl extended permit ip 10.10.11.0 255.255.255.0 216.13.128.40 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu external 1500
mtu internal 1500
mtu DMZ 1500
mtu management 1500
mtu rbs 1500
ip local pool vpnpool 192.168.20.100-192.168.20.
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (external) 10 interface
nat (internal) 0 access-list inside_nat0_outbound
nat (internal) 10 access-list 110
access-group 100 in interface external
route external 0.0.0.0 0.0.0.0 208.113.57.113 1
route internal 10.80.0.0 255.248.0.0 10.10.11.2 1
route internal 10.64.0.0 255.248.0.0 10.10.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy mtrexvpn internal
group-policy mtrexvpn attributes
vpn-tunnel-protocol IPSec
default-domain value ciso.com
webvpn
username tech password CGJdVH6QlNHzQSjw encrypted
username vito password NE3Exf6jS9pZ8bQp encrypted
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http X.X.X.112 255.255.255.240 external
http X.X.X.39 255.255.255.255 external
http X.X.X.162 255.255.255.255 external
http 10.10.11.0 255.255.255.0 internal
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set hidata esp-3des esp-sha-hmac
crypto ipsec transform-set rbsvpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map external_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map external_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map external_dyn_map 10 set reverse-route
crypto map external_map 10 ipsec-isakmp dynamic external_dyn_map
crypto map hidata-map 5 match address rbsvpn-acl
crypto map hidata-map 5 set peer A.B.185.194
crypto map hidata-map 5 set transform-set rbsvpn
crypto map hidata-map 5 set security-association lifetime seconds 3600
crypto map hidata-map 5 set security-association lifetime kilobytes 4608000
crypto map hidata-map 10 match address hidatavpn-acl
crypto map hidata-map 10 set peer 1.1.1.228
crypto map hidata-map 10 set transform-set hidata
crypto map hidata-map 10 set security-association lifetime seconds 28800
crypto map hidata-map 10 set security-association lifetime kilobytes 4608000
crypto map hidata-map interface external
isakmp enable external
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp nat-traversal 20
tunnel-group mtrexvpn type ipsec-ra
tunnel-group mtrexvpn general-attributes
address-pool vpnpool
default-group-policy mtrexvpn
tunnel-group mtrexvpn ipsec-attributes
pre-shared-key *
tunnel-group 1.1.1.228 type ipsec-l2l
tunnel-group 1.1.1.228 ipsec-attributes
pre-shared-key *
tunnel-group A.B185.194 type ipsec-l2l
tunnel-group A.B.185.194 ipsec-attributes
pre-shared-key *
telnet 10.10.11.0 255.255.255.0 internal
telnet 192.168.100.0 255.255.255.0 internal
telnet 192.168.20.0 255.255.255.0 internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 external
ssh timeout 5
console timeout 0
management-access internal
dhcpd address 192.168.100.2-192.168.100.
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:b8f8dc9ab2b
: end
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
In progress. Thanks
ASKER
The solution was to blow away the original configs and setup a new encryption domain which included a router down-stream of the FW. One of the router interfaces was used to form the encryption domain.
The vpn formed and packets were seen to be encrypted & decrypted in both directions.
What was causing the issues were:
1. there was a dynamic map present - priority setting of the crypto maps is important in such instances
2. ASA lifetime kilobytes size cannot be zero - apparently the checkpoint R7 can
Thanks to everyone for their input it was greatly appreciated.
jmeggers:
yes we intend to upgrade the FW as soon as the possible. we just moved our secondary site to Peer1 hosting and would be doing the upgrade once everything reached steady-state.
Thanks again
The vpn formed and packets were seen to be encrypted & decrypted in both directions.
What was causing the issues were:
1. there was a dynamic map present - priority setting of the crypto maps is important in such instances
2. ASA lifetime kilobytes size cannot be zero - apparently the checkpoint R7 can
Thanks to everyone for their input it was greatly appreciated.
jmeggers:
yes we intend to upgrade the FW as soon as the possible. we just moved our secondary site to Peer1 hosting and would be doing the upgrade once everything reached steady-state.
Thanks again
ASKER
Thanks for your comments. I'll have to take another look at the NAT & Global statements on firewall. Looks like I might be missing a policy or two.
The firmware upgrade may be a challenge since cisco support may have lapsed...that i'll have to check as well.
I'll let you know the outcome over the next 48hrs.