[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1088
  • Last Modified:

ISA 2006 to Cisco ASA 5505 IPSEC VPN

Hi all,

recently a remote site of ours moved location and had to have a new VPN router intstalled so I thought to go for Cisco ASA because it was an upgrade over the existing cisco router at the office and was very inexpensive.  However I now cannot get IPSEC to bring up a tunel between the remote site and head office.

HO Details:
Local Networks - 192.168.0.0/24, 10.21.21.0/24
ISA 2006 IP - X.X.X.X

Remote Site Details:
Local Networks - 192.168.20.0/24
CISCO ASA [version 8.2(5)] IP - Y.Y.Y.Y
DG at that site: Z.Z.Z.Z

After setting things up at both sides when I pinged from the inside interface of the ASA to the HO inside network.  I got the following in the logs:
Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.20.254/0 to inside:192.168.0.1/0

After a reboot of the router I saw the following appear in the logs:
IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X  local Proxy Address 192.168.20.0, remote Proxy Address 10.21.21.0,  Crypto map (outside_map)
IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Then it seems to repeat these log entries after a while.

The ISA server is showing that the remote office is initiating the IPSEC tunnel but after around 5 minutes it shows a status of failed and the tunnel trying to re-initialise.

Both sites are running on the same ISP and initially I thought this could be a block at the ASA end (the ISA currently performs IPSEC tunneling with 4 other remote sites) but I did an NMAP of the remote sites public IP and got the following:

Starting Nmap 5.51 ( http://nmap.org ) at 2011-10-18 18:16 E. Australia Standard Time
Initiating Parallel DNS resolution of 1 host. at 18:16
Completed Parallel DNS resolution of 1 host. at 18:16, 0.04s elapsed
Initiating IPProto Scan at 18:16
Scanning hidden.lnk.telstra.net (Y.Y.Y.Y) [2 ports]
Completed IPProto Scan at 18:16, 3.17s elapsed (2 total ports)
Nmap scan report for hidden.lnk.telstra.net (Y.Y.Y.Y)
Host is up.
PROTOCOL STATE         SERVICE
50       open|filtered esp
51       open|filtered ah
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 3.25 seconds
           Raw packets sent: 4 (80B) | Rcvd: 7 (602B)

I tested this against one of our remote office routers and it matches the results so I am assuming that there is no blocking from the ISP.  I also contacted an engineer from Telstra who logged into their router before the ASA and confirmed that there was no block and could see the packets passing through.

I've been through multiple examples online (including some from EE) and just cannot seem to make it work.
--------------------------------------------------------------------------------------------
ISA Config:
Phase1 Details Phase2 Details
ASA Config:
 
: Saved
:
ASA Version 8.2(5)
!
hostname ROUTER
domain-name hidden.com.au
enable password .dH9K/LPE1233vSF encrypted
passwd 2KFQ423IdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Y.Y.Y.Y 255.255.255.252
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name hidden.com.au
object-group network DM_INLINE_NETWORK_1
 network-object 10.21.21.0 255.255.255.0
 network-object 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 100000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username root password h9xxnQJB3dM38B7F encrypted privilege 15
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2a9501c2273d9b9d50664439677ccc0f
: end

Open in new window


--------------------------------------------------------------------------------------------

(pause for breath)

I am certain that it should be much simpler than this, but unfortunately I just am not seeming to get it.

Can anyone see where I am going wrong or offer advise on how to diagnose this issue further?
0
Dealer_Solutions
Asked:
Dealer_Solutions
  • 3
1 Solution
 
Dealer_SolutionsAuthor Commented:
Just to make things weirder I tried setting up a VPN from the ASA to an old SonicWall device and the VPN connected.

Could it be possible that ISA2006 and CISCO ASA [version 8.2(5)] have an incompatability when using IPSEC?
0
 
shadowmantxCommented:
I seen mismatches in VPN tunnels phases.  One thing to do is set AES for both sides.  I have seen AES tunnel work while a DES or 3DES not.
0
 
Dealer_SolutionsAuthor Commented:
I have resolved the issue.

it turns out there was some filtering on the cisco router at the head office blocking ISAKMP to the remote office location.  Updated the ACL's on the Cisco router and it's now fully functional.
0
 
Dealer_SolutionsAuthor Commented:
resolved ourselves.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now