
ASA 5510 Configuration - Basic 1


RMurr34

Technical User
Sep 10, 2008
Hello Forum Members,

This is my first attempt at configuring an ASA device.
I have limited experience with the Pix 515E. I'm looking
for some experienced folks to look over my config and point
out anything that is incorrect. Any help would be greatly
appreciated. In particular, my ACLs and NAT entries.


WHAT I NEED

On my INSIDE interface my Exchange 2007 server will sit.
We only allow HTTPS access to it.

On my DMZ interface I have an FTP and Web Server. I need
to be able to allow site visitors to submit an email from
a page on the site.

I need a site-to-site VPN connection between two offices.


WHAT I'M EXPERIENCING

I have Internet connectivity from the inside.

I cannot connect via my site-to-site

I cannot get to my FTP or Web servers


MY CONFIGURATION


ASA Version 8.0(2)
!
hostname asa5510
domain-name my.domainname.com
enable password riBdCf1fnvp8w.If encrypted
names
name 76.191.xxx.xx PERIM-RTR
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 76.191.xxx.xx 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name my.domainname.com
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq ftp
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq 3389
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_dmz extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_dmz extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_dmz extended permit icmp any host 76.191.xxx.xx echo
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_inside extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_inside extended permit tcp any host 76.191.xxx.xx eq https
access-list outside_access_inside extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_inside extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_inside extended permit icmp any host 76.191.xxx.xx echo
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.191.xxx.xx 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.191.xxx.xx 192.168.60.94 netmask 255.255.255.255
access-group inside_access_inside in interface outside
access-group outside_access_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
http 192.168.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 67.40.xxx.xxx
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username ggoasa password LfNpagedAlpUdogd encrypted
tunnel-group 67.40.xxx.xxx type ipsec-l2l
tunnel-group 67.40.xxx.xxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:4dd6ee8a34ae35600a3543496aaac949
: end
 
You are applying your ACLs in the wrong direction:
Code:
access-group inside_access_inside in interface outside
access-group outside_access_dmz in interface dmz
The first entry is applied on traffic entering the outside interface from the outside. The second entry is applied to traffic entering the dmz interface from the dmz.

What you want is this:
combine your outside_access_dmz and outside_access_inside ACLs into one ACL:
Code:
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq ftp
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq 3389
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_in extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_in extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq https
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_in extended permit icmp any host 76.191.xxx.xx echo
and then do this:
Code:
no access-group inside_access_inside in interface outside
no access-group outside_access_dmz in interface dmz
access-group outside_access_in in interface outside
access-group inside_access_inside in interface inside

if you want to allow your web-server in the dmz to relay e-mail to your exchange server then you'll need to create a new ACL and apply it inbound on the dmz interface:
Code:
access-list dmz_access_in extended permit tcp host 192.168.61.75 host <inside_exchange_address> eq smtp
access-list dmz_access_in extended deny ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
and then apply the ACL incoming on the DMZ interface:
Code:
access-group dmz_access_in in interface dmz
You may also find that you need to disable NAT for communication from the webserver in the DMZ to the Exchange server inside:
Code:
static (dmz,inside) 192.168.61.75 192.168.61.75 netmask 255.255.255.255
Be sure to add the dmz web address into your Exchange server for relaying

As for your L2L VPN, what type of device is at the other end? What output do you get from a debug crypto isakmp sa?

There's a lot in this post so I may have missed a thing or two, but make the changes above and post back your findings.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
UncleRico,

First of all, thanks for your assistance. It is GREATLY appreciated.

The device at the other end of my tunnel is a PIX 515e. I have that configured properly.

Regarding my webserver, I have SMTP server installed on it. I do not want to relay mail through my Exchange server.

One other thing I should point out, this 'site' is a colo facility. I will eventually move some of my other corp servers to this facility with my Exchange server. Our other offices will only access these servers via the site-to-site. I figure once I get the one site-to-site up I can get the others configured easily with the assistance you've already provided.

Thanks again for your help.

 
UncleRico, I've made the changes to my ACLs and access-groups.
However, when I add access-group inside_access_in in interface inside
I lose Internet connectivity from my server on the inside interface.

When I run debug on isakmp here's what I get:

Dec 15 11:52:11 [IKEv1]: IP = 67.40.xxx.xxx, Information Exchange processing failed
Dec 15 11:52:43 [IKEv1]: IP = 67.40.xxx.xxx, Removing peer from peer table failed, no match!
Dec 15 11:52:43 [IKEv1]: IP = 67.40.xxx.xxx, Error: Unable to remove PeerTblEntry
Dec 15 11:52:45 [IKEv1]: IP = 67.40.xxx.xxx, Information Exchange processing failed




hostname dumdumium
domain-name my.domainname.com
enable password riBdCf1fnvp8w.If encrypted
names
name 76.191.xxx.xxx PERIM-RTR
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 76.191.xxx.xx 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name my.domainname.com
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq ftp
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq 3389
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_in extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_in extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq https
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq smtp
access-list outside_access_in extended permit tcp any host 76.191.xxx.xx eq www
access-list outside_access_in extended permit icmp any host 76.191.xxx.xx echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.191.xxx.xx 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.191.xxx.xx 192.168.60.94 netmask 255.255.255.255
static (dmz,outside) 76.191.xxx.xx 192.168.61.55 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 67.40.185.236
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username asa password LfNpagedAlpUdogd encrypted
tunnel-group 67.40.xxx.xxx type ipsec-l2l
tunnel-group 67.40.xxx.xxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:7c8c77b84fb496e399ae1164dc74995a
 
You'll want to add in a new ACE to your inside_access_in ACL:
Code:
ASA(config)# access-list inside_access_in extended permit tcp any any eq http
Or if you don't want to restrict outbound communications just open it up as:
Code:
ASA(config)# access-list inside_access_in extended permit ip any any
As for your L2L issue, it is failing in Phase 1 and negotiation with the peer in particular. Have you double and triple-checked that the peer specified here:
Code:
crypto map outside_map 10 set peer 67.40.185.236
and here
Code:
tunnel-group 67.40.xxx.xxx type ipsec-l2l
are the same (you spelled out the first address but not the second so I can't be sure they are the same)? If so, are you 100% sure that is the address configured on the remote device? Is the remote device configured? Could you post its config??

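The two ACL symptoms in this thread (the Internet could not reach the DMZ servers while the inside ACL was bound on the outside interface, then the inside lost Internet access once a VPN-only ACL was bound on the inside interface) follow from one evaluation rule, and it is easier to see with a small model than by eye. The Python script below is an added example, not code from the thread or from Cisco; it condenses the posted config, substitutes documentation addresses (203.0.113.36 for the DMZ server's public address, 198.51.100.7 for an Internet host) and replays the three bindings discussed above: the first post's, the second post's, and UncleRico's extra ACE.

```python
"""Toy model of how an ASA evaluates a bound access-group against a flow (added example,
not code from the thread). Rules modelled: an ACL bound 'in' on an interface is checked on
packets ENTERING the box there, so 'in interface outside' governs Internet -> DMZ/inside;
every bound ACL ends in an implicit deny; with no ACL bound, traffic passes only toward a
LOWER security level. On 8.0 code the outside ACL matches the mapped (public) address, as
the poster's ACEs do. ACE forms understood: permit|deny <proto> <src> <dst> [eq <port>]."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ssh": 22}

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq <port>'; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

class Asa:
    def __init__(self, config):
        self.levels = {}   # nameif -> security-level
        self.acls = {}     # ACL name -> ACEs in configured order
        self.groups = {}   # nameif -> ACL bound inbound on it
        cur = None
        for line in config.splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "nameif":
                cur = t[1]
            elif t[0] == "security-level" and cur:
                self.levels[cur] = int(t[1])
            elif t[0] == "access-list" and t[2] == "extended":
                self.acls.setdefault(t[1], []).append(self._ace(t[3:]))
            elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
                self.groups[t[4]] = t[1]

    @staticmethod
    def _ace(t):
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        _sport, i = _parse_port(t, i)      # source-port operator: parsed, not modelled
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)       # trailing icmp-type tokens are ignored
        return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

    def allows(self, ingress, egress, proto, src, dst, dport=None):
        """True if a packet entering on `ingress` and bound for `egress` is admitted."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        acl = self.groups.get(ingress)
        if acl is None:
            return self.levels[ingress] > self.levels[egress]   # default interface policy
        for ace in self.acls.get(acl, []):
            if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
                continue
            if ace["dport"] is not None and ace["dport"] != dport:
                continue
            return ace["action"] == "permit"                   # first match wins
        return False                                           # implicit deny

# Condensed from the thread's config (constructed); 203.0.113.36 replaces the DMZ server's public address.
POSTED = """
nameif outside
 security-level 0
nameif inside
 security-level 100
nameif dmz
 security-level 50
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 203.0.113.36 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.36 eq ftp
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""
# The first post: the inside ACL bound on the outside interface, nothing bound on inside.
MISAPPLIED = POSTED.replace("access-group outside_access_in in interface outside",
                            "access-group inside_access_in in interface outside"
                            ).replace("access-group inside_access_in in interface inside", "")
# UncleRico's fix: one more ACE on the inside ACL (placed before the access-group lines).
FIXED = POSTED.replace("access-group outside_access_in",
                       "access-list inside_access_in extended permit tcp any any eq http\n"
                       "access-group outside_access_in")

def check_flows(config):
    """Verdicts for the flows the thread cares about (198.51.100.7 is a constructed Internet host)."""
    asa = Asa(config)
    return {
        "inside->internet http": asa.allows("inside", "outside", "tcp", "192.168.60.94", "198.51.100.7", 80),
        "inside->vpn net": asa.allows("inside", "outside", "tcp", "192.168.60.94", "192.168.10.5", 445),
        "internet->dmz www": asa.allows("outside", "dmz", "tcp", "198.51.100.7", "203.0.113.36", 80),
    }

if __name__ == "__main__":
    print({k: check_flows(c) for k, c in [("misapplied", MISAPPLIED), ("posted", POSTED), ("fixed", FIXED)]})
```

Run it and the "misapplied" verdicts reproduce the first post (inside can browse, nobody reaches the DMZ), "posted" reproduces the second (DMZ reachable, inside browsing dead, the VPN subnet still permitted) and "fixed" shows what the extra ACE buys. The model deliberately ignores NAT, stateful return traffic and `same-security-traffic`; on 8.3 and later code the outside ACL would have to name the real (private) address instead of the mapped one.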
 
I'm 100% sure that that is the correct IP for the remote PIX 515.

Also, i added the ACLs you posted and I couldn't get Internet access after doing so.

Here's the config from my remote host:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address 120
crypto map newmap 60 set peer 76.191.xxx.xx
crypto map newmap 60 set transform-set myset

crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 76.191.xxx.xx netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

 
The attributes for Phase 1 must be identical on both devices. On the ASA you have this:
Code:
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
and on the PIX you have this:
Code:
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Your Phase 2 settings also must match so take a look at those. See what I'm saying here??

As for your lack of access to the Internet when the inside_access_in ACL is applied, is it only for that one particular host or is it for all hosts??

 
UncleRico,

Good news! I have some success. I'm able to get to my ftp and webserver
from the outside and I have Internet access from the inside. Thanks much
my friend.

Now...regarding the VPN. After further review I left off some of my config
from my PIX 515e. Here's the VPN config:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 67.xxx.xxx.xxx
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 66.xxx.xxx.xxx
crypto map newmap 30 set transform-set myset
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 140
crypto map newmap 40 set peer 68.xxx.xxx.xxx
crypto map newmap 40 set transform-set myset
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address 150
crypto map newmap 50 set peer 66.xxx.xxx.xxx
crypto map newmap 50 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 66.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 66.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 68.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 67.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


I removed the config for the ASA in order to start fresh. When I do the tunnel, is
there a device I should configure first (ASA or PIX)? The PIX seems pretty easy to
configure as I've done some of the ones listed. It seems as though the ASA is a
little more difficult. I've found a bunch of sites with suggested configurations but
I can't seem to pick the one to use.
 
That's good to hear!!!

As for the VPN config, it doesn't matter which device you configure first. All that matters is your Authentication/Encryption/Key Exchange/Hash settings must match identically for both Phase 1 and Phase 2 on both devices. Your ASA has the following:

Authentication: ESP
Encryption: aes-256
Hash: SHA
Key Management: DH Group 5

You need to either change your PIX to match your ASA or vice versa.

One last thing is I would definitely not use DES as the encryption as it is only 56-bit. I would change it to use at least 3DES (168-bit) or AES.

it says it's for an ASA to a PIX but the config is for an ASA to an ASA:

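UncleRico's two replies above ask the poster to compare the Phase 1 policies and the Phase 2 transform sets by eye. The script below is an added example (not code from the thread or from Cisco) that does that comparison mechanically for the two syntaxes posted here: the ASA 8.x block form (`crypto isakmp policy N` followed by indented attributes) and the PIX 6.3 flat form (`isakmp policy N <attribute> <value>`). The rule it applies is the IKEv1 one these platforms use: authentication, encryption, hash and DH group must match exactly, while lifetimes may differ and the shorter one is used; Phase 2 needs an ESP transform combination present in a crypto map on both sides. The three ASA snippets and the PIX snippet are constructed from the configs in this thread (scrubbed peer addresses dropped); the weak-algorithm list encodes the DES/MD5 warning in the reply above.

```python
"""Check whether two Cisco peers can agree on IKEv1 Phase 1 and IPsec Phase 2.
Added example, not from the thread. Reads ASA 8.x block syntax and PIX 6.3 flat
syntax for ISAKMP policies, and 'crypto ipsec transform-set' / 'crypto map ... set
transform-set' on both. Phase 1 match: authentication, encryption, hash, group exact;
lifetime may differ (Cisco peers use the shorter). Phase 2 match: a transform set
referenced by a crypto map on both sides."""
ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
MUST_MATCH = ATTRS[:4]
WEAK = {"des", "md5", "1", "2", "esp-des", "esp-md5-hmac"}   # 56-bit DES, MD5, 768/1024-bit DH

def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} from either ASA or PIX 6.3 syntax."""
    policies, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "isakmp", "policy"]:        # ASA: opens a block
            current = policies.setdefault(int(t[3]), {})
        elif t[:2] == ["isakmp", "policy"]:                 # PIX 6.3: one attribute per line
            policies.setdefault(int(t[2]), {})[t[3]] = t[4]
        elif current is not None and t[0] in ATTRS:
            current[t[0]] = t[1]
        else:
            current = None                                  # any other line closes the block
    return policies

def parse_transform_sets(config):
    """Return the set of ESP transform combinations actually referenced by a crypto map."""
    defined, used = {}, set()
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            defined[t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and "transform-set" in t:
            used.update(t[t.index("transform-set") + 1:])
    return {defined[name] for name in used if name in defined}

def negotiate_phase1(initiator, responder):
    """The responder walks its own policies by priority and takes the first one that
    exactly matches any of the initiator's proposals on the MUST_MATCH attributes."""
    for _, pol in sorted(responder.items()):
        for _, prop in sorted(initiator.items()):
            if all(pol.get(k) == prop.get(k) for k in MUST_MATCH):
                agreed = dict(pol)
                agreed["lifetime"] = str(min(int(pol.get("lifetime", 86400)),
                                             int(prop.get("lifetime", 86400))))
                return agreed
    return None

def check_tunnel(initiator_cfg, responder_cfg):
    """Summarise what the two configs would negotiate and which agreed algorithms are weak."""
    p1 = negotiate_phase1(parse_isakmp_policies(initiator_cfg), parse_isakmp_policies(responder_cfg))
    p2 = sorted(parse_transform_sets(initiator_cfg) & parse_transform_sets(responder_cfg))
    weak = sorted({v for v in (p1 or {}).values() if v in WEAK} | {x for ts in p2 for x in ts if x in WEAK})
    return {"phase1": p1, "phase2": p2, "weak": weak}

# Constructed from the thread's posts (peer addresses and match ACLs omitted).
ASA_AS_POSTED = """
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""
ASA_REVISED = """
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map newmap 10 set transform-set FirstSet
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 1000
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""
ASA_FINAL = ASA_REVISED.replace("esp-3des", "esp-des")
PIX = """
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 60 set transform-set myset
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

if __name__ == "__main__":
    for asa in (ASA_AS_POSTED, ASA_REVISED, ASA_FINAL):
        print(check_tunnel(asa, PIX))
```

The three runs follow the thread: the ASA as first posted (AES-256/SHA/group 5) finds no Phase 1 match against the PIX; the revised ASA agrees on DES/MD5/group 1 but offers ESP-3DES where the PIX only has ESP-DES, so Phase 2 has no proposal in common; the final ASA agrees on both, and everything it agreed on is on the weak list, which is the point of the DES remark above. One thing a proposal checker cannot catch: the full ASA config posted further down this thread no longer contains the `nat (inside) 0 access-list inside_nat0_outbound` line the first config had, so with `nat-control` and `nat (inside) 10 0.0.0.0 0.0.0.0` in place, traffic for 192.168.10.0/24 is PATed to the outside address before the crypto map sees it and never matches access-list 101, which would keep the ASA from ever initiating.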
 
UncleRico,

I've made changes to my ASA to reflect those on my PIX.
Once I get it to connect then I can go back and make the
changes to the encryption as you recommended. I just don't
want to make changes on my PIX because that will affect
the working tunnels I have with our other offices (correct?).

I still cannot ping or connect going either way.



ASA5510

access-list 101 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 67.40.185.236
crypto map newmap 10 set transform-set FirstSet
crypto map newmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

tunnel-group 67.40.185.236 type ipsec-l2l
tunnel-group 67.40.185.236 ipsec-attributes
pre-shared-key *



PIX515e

access-list 160 permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address 160
crypto map newmap 60 set peer 76.xxx.xxx.xxx
crypto map newmap 60 set transform-set myset
crypto map newmap interface outside
isakmp enable outside

isakmp key ******** address 76.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
 
what do you get when you do a

- show crypto isakmp sa
- debug crypto isakmp 7

Post those results. Also, I noticed that on your ASA your transform-set is using ESP-3DES while your PIX is using ESP-DES

 
show crypto isakmp sa returns "There are no isakmp sas"

debug crypto isakmp 7 returns absolutely nothing. I tried pinging something to get some type of result but nada.

I'm sure that's not right :)
 
Hmmm, very interesting. Your Phase 1 attributes look good so it should at least get through that part. Can you post full scrubbed configs from both devices?

 
Here you go! One quick question. I did notice that my domain-name on the ASA
is formatted like my.domain.com and on my pix it's mydomain.com. Could that be
the cause of this problem?


ASA Version 8.0(2)
!
hostname dumdumium
domain-name my.domain.com
enable password riBdCf1fnvp8w.If encrypted
names
name 76.xxx.xxx.33 PERIM-RTR
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 76.xxx.xxx.34 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
domain-name my.domain.com
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list 101 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq ftp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq 3389
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq smtp
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq www
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
icmp permit 192.168.61.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.xxx.xxx.36 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.xxx.xxx.xxx 192.168.60.94 netmask 255.255.255.255
static (dmz,outside) 76.xxx.xxx.xxx 192.168.61.55 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 67.xxx.xxx.xxx
crypto map newmap 10 set transform-set FirstSet
crypto map newmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username asa password LfNpagedAlpUdogd encrypted
tunnel-group 67.xxx.xxx.xxx type ipsec-l2l
tunnel-group 67.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:0acabcbe4af95b1c8874c36dd1792bfd
: end



PIX 515E

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password QThYQ9HqZm8/Dimm encrypted
passwd riBdCf1fnvp8w.If encrypted
hostname ununnilium
domain-name mydomain.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.20.0 SanFranLocal
object-group network SeattleLocal
network-object 192.168.13.0 255.255.255.0
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any eq ftp host 67.xxx.xxx.xxx eq ftp
access-list 100 permit icmp any host 67.xxx.xxx.xxx
access-list 100 permit icmp any host 67.xxx.xxx.xxx
access-list 100 permit tcp any host 67.xxx.xxx.xxx eq www
access-list 100 permit tcp any host 67.xxx.xxx.xxx eq https
access-list 100 permit tcp any host 67.xxx.xxx.xxx eq smtp
access-list 100 permit tcp any host 67.xxx.xxx.xxx
access-list 100 permit udp any host 67.xxx.xxx.xxx
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 100 permit ip 19.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 100 permit tcp any host 192.168.30.0 eq https
access-list 100 permit tcp any host 67.xxx.xxx.xxx eq ftp
access-list 100 permit tcp any host 67.xxx.xxx.xxx eq 3389
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz permit tcp host 192.168.19.75 eq ftp any
access-list dmz permit tcp host 192.168.19.75 eq 3389 any
access-list 101 permit udp any eq 4500 any eq 4500
access-list 120 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 130 permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 140 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list dmzout permit tcp any host 67.xxx.xxx.xxx eq 3389
access-list dmzout permit udp any host 67.xxx.xxx.xxx eq 3389
access-list 150 permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 160 permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
logging on
logging trap notifications
logging facility 23
logging host inside 192.168.10.2
icmp permit 192.168.20.0 255.255.255.0 outside
icmp permit any outside
icmp permit 192.168.19.0 255.255.255.0 outside
icmp permit 192.168.50.0 255.255.255.0 outside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.13.0 255.255.255.0 inside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit any inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 67.xxx.xxx.xxx 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip address DMZ 192.168.19.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 0.0.0.0 0.0.0.0 outside
pdm group SeattleLocal inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 100
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (DMZ,outside) 67.xxx.xxx.xxx 192.168.19.75 netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.30.0 192.168.30.0 netmask 255.255.255.0 0 0
static (inside,DMZ) 192.168.40.0 192.168.40.0 netmask 255.255.255.0 0 0
static (inside,outside) 67.xxx.xxx.xxx 192.168.10.94 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.40.185.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.13.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1300
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 67.xxx.xxx.xxx
crypto map newmap 20 set transform-set myset
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 66.xxx.xxx.xxx
crypto map newmap 30 set transform-set myset
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 140
crypto map newmap 40 set peer 68.xxx.xxx.xxx
crypto map newmap 40 set transform-set myset
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address 150
crypto map newmap 50 set peer 66.xxx.xxx.xxx
crypto map newmap 50 set transform-set myset
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address 160
crypto map newmap 60 set peer 76.xxx.xxx.xxx
crypto map newmap 60 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 66.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 68.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 67.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 66.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 76.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain mydomain.com
dhcpd auto_config outside
username pix password EyEE30g6TUJH1n/2 encrypted privilege 2
terminal width 80
Cryptochecksum:8cbcdf0f0fbebc0f4e0ff350fd50f4b2
 
Could that be the cause of this problem?
No, it wouldn't have anything to do with it.

On your ASA create a new ACL and then add a new NAT exemption statement:
Code:
ASA(config)# access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0

ASA(config)# nat (inside) 0 access-list nonat
The above won't necessarily stop you from connecting but you'll need it anyway to bypass NAT.

Everything else looks good to me. When you pinged the remote device, did you ping it from the ASA using the outside interface as the source or the inside interface as the source (or vice versa, from the PIX)? Can you post the contents of the following commands (from both devices):
- sh crypto isakmp sa
- sh crypto ipsec sa
- debug crypto isakmp sa
- debug crypto ipsec sa
- sh sysopt

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I forgot one last thing. On your PIX add the following ACE to ACL 100:
Code:
PIX(config)# access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This is from my PIX when I run those commands:

SHOW CRYPTO ISAKMP SA (PIX)


ununnilium(config)# show crypto isakmp sa
Total : 5
Embryonic : 0
dst              src              state     pending  created
68.xxx.xxx.xxx   67.xxx.xxx.xxx   QM_IDLE         0        0
66.xxx.xxx.xxx   67.xxx.xxx.xxx   QM_IDLE         0        0
67.xxx.xxx.xxx   66.xxx.xxx.xxx   QM_IDLE         0        0
67.xxx.xxx.xxx   67.xxx.xxx.xxx   QM_IDLE         0        0
76.xxx.xxx.xxx   67.xxx.xxx.xxx   QM_IDLE         0        0

ununnilium(config)# sho crypto ipsec sa


interface: outside
Crypto map tag: newmap, local addr. 67.xxx.xxx.xxx

local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
current_peer: 76.xxx.xxx.xxx:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 583, #pkts encrypt: 583, #pkts digest 583
#pkts decaps: 2701, #pkts decrypt: 2701, #pkts verify 2701
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 67.xxx.xxx.xxx, remote crypto endpt.: 76.xxx.xxx.xxx
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 75d3bad4

inbound esp sas:
spi: 0xe5f02fe9(3857723369)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607945/24597)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x75d3bad4(1976810196)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607382/24597)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:


SHOW SYSOPT (PIX)

ununnilium(config)# show sysopt
no sysopt connection timewait
sysopt connection tcpmss 1300
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
no sysopt ipsec pl-compatible

DEBUG RESULTS (PIX)

ununnilium(config)#
ISAKMP (0): deleting SA: src 67.xxx.xxx.xxx, dst 76.xxx.xxx.xxx
ISADB: reaper checking SA 0x11ebfb4, conn_id = 0
ISADB: reaper checking SA 0x10c2a24, conn_id = 0
ISADB: reaper checking SA 0x10c31f4, conn_id = 0
ISADB: reaper checking SA 0x129ab84, conn_id = 0
ISADB: reaper checking SA 0x10ca2cc, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:76.xxx.xxx.xxx/500 Ref cnt decremented to:3 Total VPN Peers:4
ISADB: reaper checking SA 0x11ebfb4, conn_id = 0
ISADB: reaper checking SA 0x10c2a24, conn_id = 0
ISADB: reaper checking SA 0x10c31f4, conn_id = 0
ISADB: reaper checking SA 0x129ab84, conn_id = 0
ISADB: reaper checking SA 0x10f4a0c, conn_id = 0
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:76.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 87596230
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 76.xxx.xxx.xxx
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:76.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2035877162
ISAMKP (0): received DPD_R_U_THERE from peer 76.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:76.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1976485198
ISAMKP (0): received DPD_R_U_THERE from peer 76.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:66.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500

OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:66.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500

OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:66.xxx.xxx.xxx/500 Ref cnt incremented to:4 Total VPN Peers:4
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:76.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1274877
ISAMKP (0): received DPD_R_U_THERE from peer 76.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:76.xxx.xxx.xxx, dest:67.xxx.xxx.xxx spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
spi 0, message ID = 4099978840
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 76.xxx.xxx.xxx
return status is IKMP_NO_ERR_NO_TRANS
 
It looks to me like you've got both Phase 1 and Phase 2 success. Is it still not working? If so, can you post the contents of those same show commands from the ASA?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This is from my ASA. After turning on debug I don't see any output. Also, I don't have the sysopt command available.

SHOW CRYPTO ISAKMP SA (ASA)

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 67.xxx.xxx.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


SHOW CRYPTO IPSEC SA (ASA)


dumdumium(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: newmap, seq num: 10, local addr: 76.191.108.34

access-list 101 permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 67.xxx.xxx.xxx

#pkts encaps: 5236, #pkts encrypt: 5236, #pkts digest: 5236
#pkts decaps: 4149, #pkts decrypt: 4149, #pkts verify: 4149
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5236, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 76.xxx.xxx.xxx, remote crypto endpt.: 67.xxx.xxx.xxx

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E5F02FE9

inbound esp sas:
spi: 0x75D3BAD4 (1976810196)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: newmap
sa timing: remaining key lifetime (kB/sec): (4271308/22761)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xE5F02FE9 (3857723369)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: newmap
sa timing: remaining key lifetime (kB/sec): (4274500/22761)
IV size: 8 bytes
replay detection support: Y


SHOW SYSOPT (ASA)

I do not have that command as an option
 
When I try to ping something from either side I get no success.
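The two `sh crypto ipsec sa` listings in this thread can be cross-checked mechanically instead of by eye. What follows is an added example, not code from this thread, from Cisco, or from either poster: it parses abridged, constructed copies of the PIX 6.3 and ASA 8.0 output posted above, pairs each device's inbound SPIs with the other's outbound SPIs, confirms the proxy identities are mirror images, checks that both ends are both encrypting and decrypting, and flags the esp-des/esp-md5-hmac transform set as weak. Only the field layout comes from the posted output; the sample text, the regular expressions, the `WEAK_TRANSFORMS` list and the verdict wording are my own assumptions.

```python
"""Cross-check `show crypto ipsec sa` from both ends of an IPsec site-to-site tunnel.

Added example, not code from the forum thread or from Cisco.  The two sample
outputs are abridged, constructed copies of the PIX 6.3 and ASA 8.0 text posted
above; the field layout is Cisco's, the parsing and verdict logic are assumptions.
"""
import re

# Constructed sample: abridged from the PIX output in the thread.
PIX_SA_TEXT = """\
interface: outside
    local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
    #pkts encaps: 583, #pkts encrypt: 583, #pkts digest 583
    #pkts decaps: 2701, #pkts decrypt: 2701, #pkts verify 2701
    inbound esp sas:
      spi: 0xe5f02fe9(3857723369)
        transform: esp-des esp-md5-hmac ,
    outbound esp sas:
      spi: 0x75d3bad4(1976810196)
        transform: esp-des esp-md5-hmac ,
"""

# Constructed sample: abridged from the ASA output in the thread.
ASA_SA_TEXT = """\
interface: outside
    local ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    #pkts encaps: 5236, #pkts encrypt: 5236, #pkts digest: 5236
    #pkts decaps: 4149, #pkts decrypt: 4149, #pkts verify: 4149
    inbound esp sas:
      spi: 0x75D3BAD4 (1976810196)
        transform: esp-des esp-md5-hmac none
    outbound esp sas:
      spi: 0xE5F02FE9 (3857723369)
        transform: esp-des esp-md5-hmac none
"""

# Assumed policy: transforms that should not protect a production tunnel.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac", "esp-null"}

IDENT_RE = re.compile(r"(local|remote) ident .*\(([^/]+)/([^/]+)/\d+/\d+\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
SECTION_RE = re.compile(r"(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.*)")


def parse_ipsec_sa(text):
    """Extract proxy identities, packet counters, SPIs and ESP transforms.

    Works for both layouts because only fields common to PIX 6.3 and ASA 8.0
    are matched (SPI spacing/case and the `digest` colon differ between them).
    """
    sa = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
          "inbound": set(), "outbound": set(), "transform": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := IDENT_RE.match(line)):
            sa[m.group(1)] = (m.group(2), m.group(3))        # (network, mask)
        elif (m := PKTS_RE.match(line)):
            sa[m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)                              # inbound / outbound
        elif (m := SPI_RE.match(line)) and section:
            sa[section].add(m.group(1).lower())               # hex SPI, case-folded
        elif (m := TRANSFORM_RE.match(line)):
            sa["transform"].update(t for t in m.group(1).split() if t.startswith("esp-"))
    return sa


def check_tunnel(a, b):
    """Compare the two ends; [] means the SAs agree and traffic flows both ways."""
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirror images of each other")
    if a["inbound"] != b["outbound"] or a["outbound"] != b["inbound"]:
        findings.append("SPIs do not pair up; the two devices hold different SAs")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ between the peers")
    for name, sa in (("side A", a), ("side B", b)):
        if sa["encaps"] == 0:
            findings.append(f"{name} encrypts nothing: interesting traffic never "
                            "reaches the crypto map (check NAT exemption / crypto ACL)")
        if sa["decaps"] == 0:
            findings.append(f"{name} decrypts nothing: nothing arrives from the peer")
    return findings


def weak_transforms(sa):
    """Transforms in use that fall in the assumed weak list, sorted."""
    return sorted(sa["transform"] & WEAK_TRANSFORMS)


def verdict(a, b):
    findings = check_tunnel(a, b)
    if findings:
        return "TUNNEL FAULT: " + "; ".join(findings)
    return ("tunnel healthy: SAs match and both ends encrypt and decrypt; "
            "look at post-decrypt policy (interface ACLs, ICMP handling, host routing)")


if __name__ == "__main__":
    pix, asa = parse_ipsec_sa(PIX_SA_TEXT), parse_ipsec_sa(ASA_SA_TEXT)
    print(verdict(pix, asa))
    print("weak transforms in use:", ", ".join(weak_transforms(pix)) or "none")
```

The encaps/decaps counters are cumulative, so for a live check run the show command twice while a ping is running and feed the script the deltas; a clean verdict on rising counters in both directions means the crypto layer is doing its job and the missing echo replies are being dropped or misrouted after decryption, not inside the tunnel.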
 