
Cisco site-to-site & Remote Access VPN on ASA / PIX 1


Richy321

Technical User
Nov 24, 2008
Hi all,

I would really appreciate any help on trying to solve this! :)

I have got some site-to-site VPNs running properly between a Cisco ASA 5520 and 857 routers, but have come unstuck when trying to add remote-access functionality to the same ASA. The Cisco VPN Dialler connects to the ASA, both phases 1 and 2 complete, but the device can't access anything on the inside LAN.

As the site-to-site VPNs are in production, I have replicated the same problem on an old PIX 515e with a similar configuration.

The message I appear to be getting from syslogging is:

%PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.2, Dst: 10.0.85.1

I have googled this message, and tried various solutions (one found on this site) but to no avail. I even followed the Cisco guide to adding further site-to-site or remote access VPNs to existing firewalls already configured with site-to-site VPNs.

I have attached the config below from the demo PIX. I have been going round in circles with this one and just can't suss out what's wrong. I am guessing there will be something obvious I have overlooked!

FYI - inside LAN is 10.0.100.0/23, outside LAN is 10.0.90.0/24, IP LOCAL POOL is: 10.0.85.0/24

CONFIG:

*********************

!
hostname pixfirewall
enable password IzEj8ss2X5XVdHWh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.90.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.100.68 255.255.254.0
!
boot system flash:/pix804.bin
ftp mode passive
object-group network SITE_TO_SITE_VPNS
network-object 10.0.78.0 255.255.255.0
network-object 10.0.79.0 255.255.255.0
network-object 10.0.80.0 255.255.255.0
network-object 10.0.85.0 255.255.255.0
object-group network INSIDE_LAN
description Inside Network Hosts
network-object 10.0.100.0 255.255.254.0
access-list INSIDE_ACCESS_TO_HW extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS
access-list INSIDE_ACCESS_OUT extended permit ip object-group INSIDE_LAN any
access-list OUTSIDE_ACCESS_IN extended permit ip 10.1.1.0 255.255.255.0 object-group INSIDE_LAN
access-list remote_access_split_tunnel standard permit 10.0.100.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging host inside 10.0.100.104
mtu outside 1500
mtu inside 1500
ip local pool DHCP_SCOPE 10.0.85.1-10.0.85.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_ACCESS_TO_HW
nat (inside) 1 10.0.100.0 255.255.254.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.90.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set STS_TRANS_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA_TRAMSFORM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 46080000
crypto dynamic-map outside_dyn_map 20 set transform-set RA_TRAMSFORM
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 43200
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 46080000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map HOMEWORKERS 10 match address INSIDE_ACCESS_TO_HW
crypto map HOMEWORKERS 10 set peer 123.123.123.123 122.122.122.122 121.121.121.121
crypto map HOMEWORKERS 10 set transform-set STS_TRANS_SET
crypto map HOMEWORKERS 10 set security-association lifetime seconds 28800
crypto map HOMEWORKERS 10 set security-association lifetime kilobytes 4608000
crypto map HOMEWORKERS 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map HOMEWORKERS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ravpn internal
group-policy ravpn attributes
dns-server value 10.0.100.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_access_split_tunnel
username bob123 password Ar/YOfOkJfPnyZYM encrypted
tunnel-group 121.121.121.121 type ipsec-l2l
tunnel-group 121.121.121.121 ipsec-attributes
pre-shared-key *
tunnel-group 122.122.122.122 type ipsec-l2l
tunnel-group 122.122.122.122 ipsec-attributes
pre-shared-key *
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *
tunnel-group ravpn type remote-access
tunnel-group ravpn general-attributes
address-pool DHCP_SCOPE
default-group-policy ravpn
tunnel-group ravpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d8034e23e7d413a1b5d08dc301697c58
: end

************

Again, any help really appreciated!!!



Rich.
CCNA - preparing for SNPA exam :)
 
I am no good with the PIX, but for the local vpn address pool, you need a nonat acl entry and that is what you use for NAT---you NAT the rest but the first statement denies the vpn pool. I do not see that in your config. The symptom of the vpn traffic being NATted is no remote LAN access.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi, thanks for the response :)

I added the ACL you detailed above; doing a show access-list shows that the INSIDE_ACCESS_OUT ACL's first line denies any traffic destined for the VPN.

I still get the same as before. From digging, the ACL for the NAT0 is getting plenty of hits, so it looks like traffic is hitting its destination, but any reply packets are getting dropped as the ASA / PIX can't handle them.

Hope this extra bit of info helps...

Rich.

 
add this statement to begin with:
Code:
crypto isakmp nat-traversal
if adding that doesn't work then post back with your new nat0 acl

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi,

thanks for the reply, I will try this when I am back in the office tomorrow morning.

:)

Rich.
 
Hi,

I have entered crypto isakmp nat-traversal, but still get the same problem, in that it connects but can't get access to inside systems.

The show access-list gives the following:

access-list INSIDE_ACCESS_TO_HW; 4 elements
access-list INSIDE_ACCESS_TO_HW line 1 extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS 0xd99d182a

********************************************************

access-list INSIDE_ACCESS_TO_HW line 1 extended permit ip 10.0.100.0 255.255.254.0 10.0.78.0 255.255.255.0 (hitcnt=0) 0x23b80c24
access-list INSIDE_ACCESS_TO_HW line 1 extended permit ip 10.0.100.0 255.255.254.0 10.0.79.0 255.255.255.0 (hitcnt=0) 0x8d977ee0
access-list INSIDE_ACCESS_TO_HW line 1 extended permit ip 10.0.100.0 255.255.254.0 10.0.80.0 255.255.255.0 (hitcnt=0) 0x2cdf06ea
access-list INSIDE_ACCESS_TO_HW line 1 extended permit ip 10.0.100.0 255.255.254.0 10.0.85.0 255.255.255.0 (hitcnt=1619) 0xd44cf052

********************************************************

access-list INSIDE_ACCESS_OUT; 2 elements
access-list INSIDE_ACCESS_OUT line 1 extended deny ip 10.0.100.0 255.255.254.0 any (hitcnt=0) 0x25da496f
access-list INSIDE_ACCESS_OUT line 2 extended permit ip object-group INSIDE_LAN any 0xd2c17c55
access-list INSIDE_ACCESS_OUT line 2 extended permit ip 10.0.100.0 255.255.254.0 any (hitcnt=0) 0x6626b578
access-list OUTSIDE_ACCESS_IN; 1 elements
access-list OUTSIDE_ACCESS_IN line 1 extended permit ip 10.1.1.0 255.255.255.0 object-group INSIDE_LAN 0xf83cea45
access-list OUTSIDE_ACCESS_IN line 1 extended permit ip 10.1.1.0 255.255.255.0 10.0.100.0 255.255.254.0 (hitcnt=0) 0x2cf91b7b
access-list remote_access_split_tunnel; 1 elements
access-list remote_access_split_tunnel line 1 standard permit 10.0.100.0 255.255.255.0 (hitcnt=0) 0xcbd7f1d5

The NAT0 ACL is INSIDE_ACCESS_TO_HW

The relevant ACL counter shows traffic going through, so to me it looks like the NAT0 statement is at least being hit on return traffic.

Thanks again,
Rich.

 
Is there anything else in your logs?? Your config looks good.

 
Hi, I will check out the logs at work tomorrow to see if they have changed since the two additions above.

Fingers crossed there is something obvious!

Thanks for your help, will post my findings tomorrow.

Rich


 
Hi, right then, I have debugged the crypto isakmp and crypto ipsec traffic; I get lines confirming phase 1 and 2 are complete - so far so good!

Straight after Phase 2 completes I get lots of the following:

%PIX-7-609001: Built local-host inside:10.0.100.1
%PIX-7-609002: Teardown local-host inside:10.0.100.1 duration 0:00:00
%PIX-7-715077: Pitcher: received a key acquire message, spi 0x0
%PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.1, Dst: 10.0.85.1
%PIX-7-609001: Built local-host inside:10.0.100.1
%PIX-7-609002: Teardown local-host inside:10.0.100.1 duration 0:00:00
%PIX-7-609001: Built local-host inside:10.0.100.1
%PIX-7-609002: Teardown local-host inside:10.0.100.1 duration 0:00:00
%PIX-7-715077: Pitcher: received a key acquire message, spi 0x0
%PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.1, Dst: 10.0.85.1

10.0.100.1 is the DNS server and the server I am testing connectivity to using Remote Desktop.

There isn't anything else in the logs that looks out of the ordinary, lots of lines when the phase 1 and phase 2 parts of the VPN come up, but that appears successful.

This one really has me stumped! I am running Version 8.0(4) on the PIX and ASA at present... bug maybe?

Regards,
Rich

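A small triage script for the syslog lines quoted above, added here as an example (it is not from the thread or from any Cisco tool): it counts the %PIX-3-713042 events per source/destination pair and flags the pairs whose destination is an address from the remote-access pool, which is the pattern unclerico's later reply traces to the site-to-site crypto ACL covering the pool. The log sample is constructed from the lines in the post, and the pool range is the DHCP_SCOPE pool from the config.

```python
import ipaddress
import re

# Constructed sample of the syslog lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
%PIX-7-715077: Pitcher: received a key acquire message, spi 0x0
%PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.1, Dst: 10.0.85.1
%PIX-7-609001: Built local-host inside:10.0.100.1
%PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.1, Dst: 10.0.85.1
%PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.2, Dst: 10.0.78.7
"""

# The RA pool as configured in the thread: ip local pool DHCP_SCOPE 10.0.85.1-10.0.85.10
RA_POOL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("10.0.85.1"), ipaddress.ip_address("10.0.85.10")))

MSG_713042 = re.compile(
    r"%PIX-3-713042: IKE Initiator unable to find policy: Intf (?P<intf>\S+), "
    r"Src: (?P<src>[\d.]+), Dst: (?P<dst>[\d.]+)")

def triage_713042(log, pool=RA_POOL):
    """Count 713042 events per (src, dst) and flag the pairs whose destination is
    an RA pool address: the firewall is trying to *initiate* IKE towards a
    remote-access client, i.e. a static crypto map ACL is claiming pool traffic."""
    counts, flagged = {}, set()
    for line in log.splitlines():
        m = MSG_713042.search(line)
        if not m:
            continue
        key = (m["src"], m["dst"])
        counts[key] = counts.get(key, 0) + 1
        if any(ipaddress.ip_address(m["dst"]) in net for net in pool):
            flagged.add(key)
    return counts, flagged
```

A 713042 whose destination is not in the pool (the 10.0.78.7 line in the sample) is counted but not flagged, since that points at an ordinary missing L2L peer or policy rather than the pool overlap.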
 
Nah...really sounds like firewall. I had that problem once and a backwards topology another time...right uncle? I was so flustered, and uncle pointed out Windoze Firewall---I am so used to using Linux that I forgot about it!

 
Burstbees - good call, that Windoze firewall has caught me out before, but turning it off and reconnecting the VPN didn't help this time :-(

The remote server I am testing connectivity to is a 2003 Server, running DNS, etc. so no firewall that end; the client is XP with the latest VPN V5 dialler available from Cisco.

I have tried down-grading from 8.0(4) to 8.0(3) to see if it was IOS specific, but still the same result :-(

Regards,

Rich.
 
Just a thought... does anybody reading this have a sample configuration of an ASA or Pix with version 8 of the software that is configured for both Site to Site and Remote Access VPN's?

The ones I have found online relate to Version 7 of the software, also the Cisco guide I followed seems to be written for version 7.

Regards,

Rich.
 
looking at your log posting, I think I know what is going on. Your crypto acl for your l2l vpn has your ra vpn pool included. When traffic is sent from your internal lan to your ra vpn pool, the crypto process thinks that it should be included in a l2l tunnel. do this:
- create two distinct acls; one for your nat0 and one for your crypto map. something like this:
Code:
object-group network SITE_TO_SITE_VPNS
  network-object 10.0.78.0 255.255.255.0 
  network-object 10.0.79.0 255.255.255.0 
  network-object 10.0.80.0 255.255.255.0

object-group network NONAT_ADDRESS_RANGES
  network-object 10.0.78.0 255.255.255.0 
  network-object 10.0.79.0 255.255.255.0 
  network-object 10.0.80.0 255.255.255.0
  network-object 10.0.85.0 255.255.255.0

access-list nonat_inside extended permit ip object-group INSIDE_LAN object-group NONAT_ADDRESS_RANGES 

access-list crypto_acl extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS
- change your crypto map to use the new crypto_acl
Code:
crypto map HOMEWORKERS 10 match address crypto_acl

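A config check for the mistake unclerico describes, written as an added example (it is not part of the thread and not a Cisco tool): it parses the relevant lines of the two PIX configs in this thread, reproduced here as constructed excerpts, and reports every static crypto map entry whose match ACL has a destination overlapping an ip local pool. The "any" handling and the dynamic-entry skip are assumptions about the config syntax beyond what the thread shows.

```python
import ipaddress

# Constructed excerpt of the thread's original PIX config: the RA pool 10.0.85.0/24
# sits inside SITE_TO_SITE_VPNS, which static crypto map entry 10 matches.
BROKEN_CFG = """\
object-group network SITE_TO_SITE_VPNS
network-object 10.0.78.0 255.255.255.0
network-object 10.0.85.0 255.255.255.0
object-group network INSIDE_LAN
network-object 10.0.100.0 255.255.254.0
access-list INSIDE_ACCESS_TO_HW extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS
ip local pool DHCP_SCOPE 10.0.85.1-10.0.85.10 mask 255.255.255.0
crypto map HOMEWORKERS 10 match address INSIDE_ACCESS_TO_HW
crypto map HOMEWORKERS 65535 ipsec-isakmp dynamic outside_dyn_map
"""
# The same excerpt after unclerico's fix: NAT0 and the crypto map use separate ACLs.
FIXED_CFG = """\
object-group network SITE_TO_SITE_VPNS
network-object 10.0.78.0 255.255.255.0
object-group network INSIDE_LAN
network-object 10.0.100.0 255.255.254.0
object-group network NONAT_ADDRESS_RANGES
network-object 10.0.78.0 255.255.255.0
network-object 10.0.85.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip object-group INSIDE_LAN object-group NONAT_ADDRESS_RANGES
access-list CRYPTO_ACL extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS
ip local pool DHCP_SCOPE 10.0.85.1-10.0.85.10 mask 255.255.255.0
crypto map HOMEWORKERS 10 match address CRYPTO_ACL
"""

def parse(cfg):
    # Collect network object-groups, permit-ACL destinations, RA address pools and
    # the ACL bound to every static crypto map entry (dynamic entries have none).
    groups, acls, pools, static_maps, group = {}, {}, {}, [], None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["object-group", "network"]:
            group = groups.setdefault(w[2], [])
        elif w[:1] == ["network-object"] and group is not None:
            group.append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
        elif w[:1] == ["access-list"] and "permit" in w:
            dst = w[-2:]  # "object-group NAME", "ADDR MASK" or "... any"
            acls.setdefault(w[1], []).extend(
                [ipaddress.ip_network("0.0.0.0/0")] if dst[-1] == "any" else
                groups[dst[1]] if dst[0] == "object-group" else
                [ipaddress.ip_network("/".join(dst))])
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = (ipaddress.ip_address(a) for a in w[4].split("-"))
            pools[w[3]] = list(ipaddress.summarize_address_range(lo, hi))
        elif w[:2] == ["crypto", "map"] and "match" in w:
            static_maps.append((w[2], w[3], w[-1]))
    return groups, acls, pools, static_maps

def pool_caught_by_static_map(cfg):
    # One (map, seq, acl, pool, network) per static crypto map ACL destination that
    # overlaps an RA pool: the PIX then initiates site-to-site IKE for LAN-to-pool
    # traffic, which is the %PIX-3-713042 symptom seen in the thread.
    _, acls, pools, static_maps = parse(cfg)
    return [(cmap, seq, acl, pool, str(net)) for cmap, seq, acl in static_maps
            for net in acls.get(acl, []) for pool, ranges in pools.items()
            if any(net.overlaps(r) for r in ranges)]
```

Run against a full "show running-config" dump the same way; the NAT0 ACL is deliberately not checked, since the pool is supposed to appear there.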
 
unclerico - THANKS SO SO MUCH!!! It works!!! Thanks to everyone else for posting suggestions as well!

After doing the changes detailed in that post it fired into life!

Below is the final working configuration; hopefully it will be of help to others trying to configure both site-to-site and remote access VPNs on PIX / ASAs running IOS V8.

************************************************************

PIX DEMO CONFIG!!!!!

PIX Version 8.0(3)
!
hostname pixfirewall
enable password IzEj8ss2X5XVdHWh encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.90.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.100.68 255.255.254.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix803.bin
ftp mode passive
object-group network SITE_TO_SITE_VPNS
network-object 10.0.78.0 255.255.255.0
network-object 10.0.79.0 255.255.255.0
network-object 10.0.80.0 255.255.255.0
object-group network INSIDE_LAN
description Inside Network Hosts
network-object 10.0.100.0 255.255.254.0
object-group network NONAT_ADDRESS_RANGES
network-object 10.0.78.0 255.255.255.0
network-object 10.0.79.0 255.255.255.0
network-object 10.0.80.0 255.255.255.0
network-object 10.0.85.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip object-group INSIDE_LAN object-group NONAT_ADDRESS_RANGES
access-list INSIDE_ACCESS_OUT extended deny ip 10.0.100.0 255.255.254.0 any
access-list INSIDE_ACCESS_OUT extended permit ip object-group INSIDE_LAN any
access-list OUTSIDE_ACCESS_IN extended permit ip 10.1.1.0 255.255.255.0 object-group INSIDE_LAN
access-list remote_access_split_tunnel standard permit 10.0.100.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS
pager lines 24
logging enable
logging trap debugging
logging host inside 10.0.100.104
mtu outside 1500
mtu inside 1500
ip local pool DHCP_SCOPE 10.0.85.1-10.0.85.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_INSIDE
nat (inside) 1 10.0.100.0 255.255.254.0
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.90.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set STS_TRANS_SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set RA_TRAMSFORM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 46080000
crypto dynamic-map outside_dyn_map 20 set transform-set RA_TRAMSFORM
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map HOMEWORKERS 10 match address CRYPTO_ACL
crypto map HOMEWORKERS 10 set peer 123.123.123.123 122.122.122.122 121.121.121.121
crypto map HOMEWORKERS 10 set transform-set STS_TRANS_SET
crypto map HOMEWORKERS 10 set security-association lifetime seconds 28800
crypto map HOMEWORKERS 10 set security-association lifetime kilobytes 4608000
crypto map HOMEWORKERS 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map HOMEWORKERS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 10.0.100.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote_access_split_tunnel
username bob123 password Ar/YOfOkJfPnyZYM encrypted
tunnel-group 121.121.121.121 type ipsec-l2l
tunnel-group 121.121.121.121 ipsec-attributes
pre-shared-key *
tunnel-group 122.122.122.122 type ipsec-l2l
tunnel-group 122.122.122.122 ipsec-attributes
pre-shared-key *
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool DHCP_SCOPE
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f05ec74b4b3e96cb33e92def03bbdb7
: end

***********************************************************

Thanks again all!!!!!


Rich.
 
beaners. i'm glad you got it up and running. there's nothing worse than being so close yet so far away

 
Richy321,

Thank Unclerico with a star if he was very helpful to you :)


Stubnski
 
I had awarded him with a lucky star! I didn't realise you could... Thanks for letting me know.

Rich.

 
This forum is starting to get completely gummed-up with posts about ASAs & Pixs instead of "Cisco - Routers".

You may be missing out on advice from the people who only look at the "Cisco - ASA" and "Cisco - Pix" forums.
 