Firewall Wizards mailing list archives

Re: asa 5505 vpn ipsec l2l problem

From: Farrukh Haroon <farrukhharoon () gmail com>
Date: Mon, 5 Oct 2009 09:14:18 +0300

I don't know if you got my older email, here it is again:

Run these three debugs
debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127
and then see if you get any more meaningful debugs.

Its better to clear both Phase 1 and Phase 2 before you run the debugs (just
in case the SAs are already established).

Also try removing the crypto map from the interface and re-applying it!

Please also check the logging levels on your ASA 'show logging'

logging buffered 7
logging monitor 7  (save/log the telnet session after issuing the 'terminal
monitor' command)


Regards

Farrukh



On Sat, Oct 3, 2009 at 3:38 PM, Hrvoje Popovski <hrvoje () srce hr> wrote:

 > If you're not seeing IPsec build the tunnel with debug crypto, I would

guess that traffic is getting NAT'd out, and not hitting the tunnel (by
the way, you probably only need debug crypto ipsec 5, not 100...)


Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
ACL setup that excludes "your device networks -> remote device networks"?

--
Eric

hello eveyone,

first thanks everyone who replay on my post.
I can't established SA, crypto acl is the same on both ends, well they tell
me so. I can't see config on other side but maybe from log that i can se on
my ASA i think that problem is on my side. I realy don't know maybe problem
is in licence (10 inside hosts) but i have only 2 inside hosts
(192.168.11.11 and 11.12).
I will try to apply crypto acl with ip rule and see what happens.

---------------------------------
log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

debug crypto engine, ipsec 127 and ipsec 127 gave me nothing

---------------------------------
my asa:
ciscoasa# sh crypto isakmp sa
There are no isakmp sas

ciscoasa# sh crypto ipsec sa
There are no ipsec sas
---------------------------------
my asa - 22.22.22.22
other asa - 33.33.33.33
-----------------------------------------------
config on 33.33.33.33 asa:
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq
ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host
192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host
192.168.11.12

transform-set esp-3des esp-md5-hmac

isakmp key * address 22.22.22.22 netmask 255.255.255.255 no-xauth
no-config-mode

this is all information that i know

-------------------------------------------------

here is my config - 22.22.22.22 asa:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.11.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 10
 ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq
4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250
eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host
10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105
eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq
4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250
eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105
eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105
eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list NoNAT
static (inside,outside) 192.168.113.11 192.168.11.11 netmask
255.255.255.255
static (inside,outside) 192.168.113.12 192.168.11.12 netmask
255.255.255.255
*i need this static nat but not for now*
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
route outside 0.0.0.0 0.0.0.0 22.22.22.1 1

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map abcMap 1 match address ACL1
crypto map abcMap 1 set peer 33.33.33.33
crypto map abcMap 1 set transform-set ESP-3DES-MD5
crypto map abcMap 1 set security-association lifetime seconds 3600
crypto map abcMap 1 set security-association lifetime kilobytes 2560
crypto map abcMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

ntp server 192.168.10.2
ntp server 192.168.10.3
ssl encryption des-sha1

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 120 retry 10
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
 pre-shared-key *

!
!
prompt hostname context
Cryptochecksum:ad3bf9e8fef81844b866e79c1b0c8e2f
: end

--

/hrvoje

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

asa 5505 vpn ipsec l2l problem Hrvoje Popovski (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Christopher J. Wargaski (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Paul Melson (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Farrukh Haroon (Oct 02)
- Re: asa 5505 vpn ipsec l2l problem Eric Gearhart (Oct 02)
  - Re: asa 5505 vpn ipsec l2l problem Hrvoje Popovski (Oct 04)
    - Re: asa 5505 vpn ipsec l2l problem Eric Gearhart (Oct 08)
    - Re: asa 5505 vpn ipsec l2l problem craig . wilson (Oct 08)
    - Re: asa 5505 vpn ipsec l2l problem Farrukh Haroon (Oct 08)