Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASA 5505 using both site-to-site and remote access IPSEC VPNs

Status
Not open for further replies.

bsols

Technical User
Jul 29, 2005
47
US
Hello,

I'm attempting to reconfigure an in-place ASA5505 to support both site-to-site VPNS (in place and working for some time) and remote access VPNs (where I'm stuck). The issue I'm running into is this - the VPN client connection will pass phase 1 and authenticate the user. Immediately after successful authentication, the connection will drop and I will find the following error in the ASA log:

rejecting IPSEC tunnel, no matching crypto map entry for remote proxy 192.168.251.XXX(IP address assigned by the ASA's DHCP pool for remote access) on interface outside.

My configuration looks like this. Any assistance would be greatly appreciated.

hostname REMOTEASA
enable password XXXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 192.0.0.0 MainOffice
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit ip any any
access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 extended permit udp any any
access-list 102 extended permit tcp any any
access-list 103 extended permit ip 192.168.251.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list NO_NAT_RA extended permit ip 192.168.1.0 255.255.255.0 192.168.251.0 255.255.255.0
access-list NO_NAT_RA extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.255.0
access-list Split standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAPool 192.168.251.100-192.168.251.120
icmp unreachable rate-limit 10 burst-size 5
no asdm history
enable arp
timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 0 192.168.251.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable http 192.168.1.0 255.255.255.0 inside
http CityOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps
snmp authentication
crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 match address RemoteIPs
crypto dynamic-map dyn1 1 set transform-set RA
crypto map outside_map0 1 match address 101
crypto map outside_map0 1 set peer 20.20.20.1
crypto map outside_map0 1 set transform-set CryptoSet
crypto map outside_map0 interface outside
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
vpn-addr-assign local reuse-delay 5
telnet 192.168.1.0 255.255.255.0 inside
telnet MainOffice 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics
tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value 101
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
group-policy R_A internal
group-policy R_A attributes
vpn-tunnel-protocol IPSec
group-lock value RAGroup
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
username testuser password XXXXXXXX encrypted privilege 15
username testuser attributes
vpn-group-policy R_A
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
pre-shared-key *
tunnel-group RAGroup type remote-access
tunnel-group RAGroup general-attributes
address-pool RAPool
tunnel-group RAGroup ipsec-attributes
pre-shared-key *
!
!
!
policy-map global_policy
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context

 


You have your crypto maps wrong. Both L2L and RA should be on the same outside-map0, with different sequences. The dynamic map s/b 65535.
There are 2 ways to fix all this.
1. Remove everything that was added for the remote access tunnel. Use ASDM VPN wizard.
Change preferences to display commands before they are sent to the appliance to see what they are.
2. See below.

REMOVE:
crypto dynamic-map dyn1 1 match address RemoteIPs
crypto map mymap 100 ipsec-isakmp dynamic dyn1

REPLACE:
crypto ipsec transform-set RA esp-3des esp-sha-hmac
WITH:
crypto ipsec transform-set RA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

REPLACE:
crypto dynamic-map dyn1 1 set transform-set RA
WITH:
crypto dynamic-map RA 65535 set transform-set RA

ADD:
crypto dynamic-map RA 65535 set pfs <--- this line is optional !
crypto map outside_map0 65535 ipsec-isakmp dynamic RA

DO:
no crypto map outside_map0 interface outside
crypto map outside_map0 interface outside
 
A quick addition: the last two lines will stop and re-start your L2L tunnel.
Let me know how this works out.
 
Thank you. I'm going on site to do this today and will follow up.
 
Ok, I first attempted to make the changes you suggested, which allowed me to connect but I couldn't get any traffic to pass. Next I opted to remove all of the remote access configuration and start from scratch using the ADSM wizard. This also allowed me to connect but not pass traffic. Here's the configuration running right now. site-to-site working fine. can login using the RA1 group and preshared key. User authenticates and the connection is established. From the ASA logs, I see no ACL blocks, only connections being created when trying to ping or otherwise access stuff on the internal network, but I can't get any ping responses or access to internal resources. I'm certain we're close, but something is still missing. Here's the running config (cleansed):

ASA Version 8.2(1)
!
hostname REMOTEASA
enable password XXXXX encrypted
passwd XXXXX encrypted
names
name 192.0.0.0 MainOffice
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 MainOffice 255.255.
255.0
access-list 101 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.
255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.252.0 255.
255.255.0
access-list 101 extended permit ip 192.168.252.0 255.255.255.0 192.168.1.0 25
5.255.255.0
access-list 102 extended permit ip any any
access-list 102 extended permit ip MainOffice 255.255.255.0 192.168.1.0 255.255.
255.0
access-list 102 extended permit udp any any
access-list 102 extended permit tcp any any
access-list RA1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPPool 192.168.252.100-192.168.252.120 mask 255.255.255.0
icmp unreachable rate-limit 10 burst-size 5
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 24.97.236.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http MainOffice 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CryptoSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map outside_map0 1 match address 101
crypto map outside_map0 1 set peer 20.20.20.1
crypto map outside_map0 1 set transform-set CryptoSet
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet MainOffice 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
internal-password enable
group-policy RA1_1 internal
group-policy RA1_1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA1_splitTunnelAcl
group-policy RA1 internal
username testuser password XXXXXXXXXXX encrypted privilege 15
username testuser attributes
vpn-group-policy RA1
tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
pre-shared-key *
tunnel-group RA1 type remote-access
tunnel-group RA1 general-attributes
address-pool IPPool
default-group-policy RA1_1
tunnel-group RA1 ipsec-attributes
pre-shared-key *
!
!
!
policy-map global_policy
class class-default
set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8de048a9fe9af9658d82231ce5f7dc97
: end
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top