Firewall Wizards mailing list archives
Re: asa 5505 vpn ipsec l2l problem
From: Hrvoje Popovski <hrvoje () srce hr>
Date: Sat, 03 Oct 2009 14:38:47 +0200
> If you're not seeing IPsec build the tunnel with debug crypto, I would
> guess that traffic is getting NAT'd out, and not hitting the tunnel (by
> the way, you probably only need debug crypto ipsec 5, not 100...)
>
> Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
> ACL setup that excludes "your device networks -> remote device networks"?
>
> -- Eric
hello everyone, first thanks to everyone who replied to my post.

I can't establish SA, crypto acl is the same on both ends, well they tell me so. I can't see the config on the other side but maybe from the log that i can see on my ASA i think that the problem is on my side. I really don't know, maybe the problem is in the licence (10 inside hosts) but i have only 2 inside hosts (192.168.11.11 and 11.12).
I will try to apply crypto acl with ip rule and see what happens.

---------------------------------
log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

debug crypto engine, ipsec 127 and ipsec 127 gave me nothing
---------------------------------
my asa:
ciscoasa# sh crypto isakmp sa
There are no isakmp sas
ciscoasa# sh crypto ipsec sa
There are no ipsec sas
---------------------------------
my asa - 22.22.22.22
other asa - 33.33.33.33
-----------------------------------------------
config on 33.33.33.33 asa:

access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12
transform-set esp-3des esp-md5-hmac
isakmp key * address 22.22.22.22 netmask 255.255.255.255 no-xauth no-config-mode

this is all information that i know
-------------------------------------------------
here is my config - 22.22.22.22 asa:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 10
 ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list NoNAT
static (inside,outside) 192.168.113.11 192.168.11.11 netmask 255.255.255.255
static (inside,outside) 192.168.113.12 192.168.11.12 netmask 255.255.255.255
*i need this static nat but not for now*
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
route outside 0.0.0.0 0.0.0.0 22.22.22.1 1
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map abcMap 1 match address ACL1
crypto map abcMap 1 set peer 33.33.33.33
crypto map abcMap 1 set transform-set ESP-3DES-MD5
crypto map abcMap 1 set security-association lifetime seconds 3600
crypto map abcMap 1 set security-association lifetime kilobytes 2560
crypto map abcMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
ntp server 192.168.10.2
ntp server 192.168.10.3
ssl encryption des-sha1
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:ad3bf9e8fef81844b866e79c1b0c8e2f
: end

--
/hrvoje
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
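Two conditions the thread keeps coming back to can be checked mechanically rather than by eye: the crypto ACLs on the two peers must be exact mirror images of each other, and (with nat-control on) every flow in the crypto ACL must be covered by the NAT-exemption list so it reaches the crypto map untranslated. The script below is an added example, not something from the thread or from Cisco's own tooling; it parses the three ACLs exactly as pasted above (sample input copied from the message) and reports entries that have no mirror on the peer plus crypto flows the NoNAT list misses. The supported grammar (host/any/network-mask addresses and a single `eq` port) and the two-entry port-name table are assumptions sufficient for these ACLs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port names that appear in the thread's ACLs (assumption: extend for other names).
PORT_NAMES = {"ftp": 21, "ftp-data": 20}

# Sample input copied from the message: both crypto ACLs and the NAT-exemption ACL.
LOCAL_CRYPTO_ACL = """
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
"""
REMOTE_CRYPTO_ACL = """
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12
"""
NONAT_ACL = """
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
"""

@dataclass(frozen=True)
class Ace:
    """One permit entry: protocol, source/destination prefix, optional ports."""
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def mirror(self) -> "Ace":
        # The peer's matching entry has source and destination swapped.
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

def _addr(tok, i):
    """Parse 'host A', 'any' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME [extended] permit PROTO SRC [eq P] DST [eq P]' lines.
    Deny entries and any other syntax are skipped (assumption for this script)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit") + 1
        proto, i = tok[i], i + 1
        src, i = _addr(tok, i)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append(Ace(proto, src, sport, dst, dport))
    return aces

def mirror_mismatches(local: List[Ace], remote: List[Ace]):
    """Return (local entries with no mirror on the peer, peer entries with no mirror
    locally). Both lists empty means the two crypto ACLs are exact mirror images."""
    remote_set, local_set = set(remote), set(local)
    return ([a for a in local if a.mirror() not in remote_set],
            [a for a in remote if a.mirror() not in local_set])

def _covers(exempt: Ace, flow: Ace) -> bool:
    # An exemption covers a flow when its protocol is 'ip' or identical, its prefixes
    # contain the flow's hosts, and it imposes no port that the flow does not match.
    return (exempt.proto in ("ip", flow.proto)
            and flow.src.subnet_of(exempt.src) and flow.dst.subnet_of(exempt.dst)
            and exempt.sport in (None, flow.sport) and exempt.dport in (None, flow.dport))

def nat_exempt_gaps(crypto: List[Ace], nonat: List[Ace]) -> List[Ace]:
    """Crypto-ACL flows that no NAT-exemption entry covers: with nat-control on,
    such traffic is translated before the crypto map can ever match it."""
    return [f for f in crypto if not any(_covers(e, f) for e in nonat)]

if __name__ == "__main__":
    local, remote = parse_acl(LOCAL_CRYPTO_ACL), parse_acl(REMOTE_CRYPTO_ACL)
    only_local, only_remote = mirror_mismatches(local, remote)
    print("local entries without a mirror on the peer:", only_local)
    print("peer entries without a mirror locally:", only_remote)
    print("crypto flows not covered by NoNAT:", nat_exempt_gaps(local, parse_acl(NONAT_ACL)))
```

Run against the ACLs as posted, all three lists come back empty, which is consistent with the poster's statement that the crypto ACLs match and points the investigation elsewhere (phase 1 never completes, so the peer address, pre-shared key, ISAKMP policy and reachability of UDP/500 are the next things to confirm). Pasting a peer's ACL into REMOTE_CRYPTO_ACL with one port or host changed shows the mismatch immediately, and deleting a NoNAT line shows which flow would be translated.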
Current thread:
- asa 5505 vpn ipsec l2l problem Hrvoje Popovski (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Christopher J. Wargaski (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Paul Melson (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Farrukh Haroon (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Eric Gearhart (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Hrvoje Popovski (Oct 04)
- Re: asa 5505 vpn ipsec l2l problem Eric Gearhart (Oct 08)
- Re: asa 5505 vpn ipsec l2l problem craig . wilson (Oct 08)
- Re: asa 5505 vpn ipsec l2l problem Farrukh Haroon (Oct 08)
- Re: asa 5505 vpn ipsec l2l problem Hrvoje Popovski (Oct 04)