Site to Site VPN - ASA 5505 to ISA 2006 - Security Mismatch

[chapers]

Hi, first post here so hello all.

I am trying to create a site to site VPN between an ASA 5505 and ISA Server 2006. I'm having trouble connecting the two end points. I believe there is a security mismatch. I have checked the IPSec and IKE settings numerous times, followed several guides to no avail. Quick overview of the network. Internal network behind ASA is 192.168.0.0/24. Remote site internal range is 10.213.60.0 /24. Is there anything in my config which I am missing / shouldn't be there? I ran a trace on the ASA and traffic is able to leave the default gateway (194.101.11.2) Also, when I plug into switchport 1 (part of vlan 1 - internal) I set up my local IP address as 192.168.0.4 but I am unable to get internet access. I need vlan 1 traffic to know where to route to so I can get Internet access. How do I achieve this? Thanks in advance, Rob

ASA Config:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
description ****INTERNAL LAN****
security-level 0
ip address 192.168.0.3 255.255.255.0
!
interface Vlan2
nameif outside
description ****INTERNET ACCESS****
security-level 100
ip address xxx.xxx.11.6 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.213.60.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.213.60.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 194.101.11.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.213.63.249
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes 100000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 10.213.63.249 type ipsec-l2l
tunnel-group 10.213.63.249 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0a74177e994f1daf6ad82e4114afce3e
: end

 

[unclerico]

1) your security levels are backwards. inside should be 100 and outside should be 0
2) bypass NAT on the inside interface, not the outside
3) can you post the Phase 1 and Phase 2 settings from the ISA server including the SA lifetimes??
4) you need to either remove the outside_access_in ACL or tighten it up a lot better than it is.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chapers]

1) Security levels reversed, thanks.
2) How do I bypass NAT on the inside?
3) ISA Phase 1 Settings: 3DES, SHA-1, Group 2
ISA Phase 2 Settings: 3DES, SHA-1, PFS Group 2, Generate New Key ever 100000 KB Generate New Key Every 3600 Seconds

4) I will tighten up later as soon as I can test connectivity to the ISA / vice versa

Thanks for you help, Rob

 

[unclerico]

2) How do I bypass NAT on the inside?

just move your nat (outside) 0 to nat (inside) 0 access-list <acl_name>

At this point I would run some debugs on the ASA. debug crypto isakmp and post the output here.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chapers]

Thanks, I will make the NAT change and post the debug outputs on Monday.

 

[chapers]

I am now able to ping the ASA's outside interface (eth0/0) from the ISA Server which is an improvement. But I cannot ping the 192.168.0.0 range which sits on the internal range behind the ASA. How am I able to route / forward VLAN 1 traffic to the outside interface so clients can reach the remote site and also get internet access?

 

[unclerico]

when you tried to ping a host in the 192.168.0/24 range did you ping from the ISA server or a host behind the ISA server??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chapers]

From the ISA Server.

 

[unclerico]

try it from a host behind the ISA server

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chapers]

When I ping from behind the ISA I get a request timed out, but I can ping the ASA outside interface. When I ping the internal range from the ISA itself I get a 'Negotiating IP Security'. Any ideas? Thanks.

 

[unclerico]

have you tried to run debugs on the ASA??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chapers]

I ran ISAKMP and IPSEC debugs when trying to ping an internal host behind the ISA. Here is the output:

ciscoasa(config)# Dec 24 01:17:46 [IKEv1 DEBUG]: Pitcher: received a key acquire
message, spi 0x0
Dec 24 01:17:46 [IKEv1]: IP = 10.213.63.249, IKE Initiator: New Phase 1, Intf NP
Identity Ifc, IKE Peer 10.213.63.249 local Proxy Address 192.168.0.0, remote P
roxy Address 10.213.60.0, Crypto map (outside_map)
Dec 24 01:17:46 [IKEv1 DEBUG]: IP = 10.213.63.249, constructing ISAKMP SA payloa
d
Dec 24 01:17:46 [IKEv1 DEBUG]: IP = 10.213.63.249, constructing Fragmentation VI
D + extended capabilities payload
Dec 24 01:17:46 [IKEv1]: IP = 10.213.63.249, IKE_DECODE SENDING Message (msgid=0
) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 24 01:17:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 24 01:17:48 [IKEv1]: IP = 10.213.63.249, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Dec 24 01:17:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 24 01:17:50 [IKEv1]: IP = 10.213.63.249, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Dec 24 01:17:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 24 01:17:52 [IKEv1]: IP = 10.213.63.249, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Dec 24 01:17:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 24 01:17:54 [IKEv1]: IP = 10.213.63.249, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Dec 24 01:17:54 [IKEv1]: IP = 10.213.63.249, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 24 01:18:02 [IKEv1]: IP = 10.213.63.249, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 24 01:18:10 [IKEv1]: IP = 10.213.63.249, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 24 01:18:18 [IKEv1 DEBUG]: IP = 10.213.63.249, IKE MM Initiator FSM error hi
story (struct &0x3ddaa98) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2,
EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_
SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2,
EV_RETRY
Dec 24 01:18:18 [IKEv1 DEBUG]: IP = 10.213.63.249, IKE SA MM:4c67b187 terminatin
g: flags 0x01000022, refcnt 0, tuncnt 0
Dec 24 01:18:18 [IKEv1 DEBUG]: IP = 10.213.63.249, sending delete/delete with re
ason message
Dec 24 01:18:18 [IKEv1]: IP = 10.213.63.249, Removing peer from peer table faile
d, no match!
Dec 24 01:18:18 [IKEv1]: IP = 10.213.63.249, Error: Unable to remove PeerTblEntr
y

 

[unclerico]

do you have a firewall in front of this ISA server that could be blocking ports?? is the peer address 10.213.63.249 the real address??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)