[Config] site to site VPN issues using Cisco ASA 5500 to Router

Author	All Replies
rsreese join:2004-02-17 Saint Augustine, FL	[Config] site to site VPN issues using Cisco ASA 5500 to Router Hey everyone I've been having a bit of a snag when trying to connect to point via VPN. One end is a ASA5505 and the other is a 3725 router. The network on the router side I'm trying to access is 172.16.2.x and on the ASA side 172.31.12.x. I am able to initiate the connection from the ASA side but not from the router side. I am unable to transfer any data between to two hosts: # sh crypto isakmp sa Active SA: 2 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 2 1 IKE Peer: x.x.x.x. Type : user Role : responder Rekey : no State : AM_ACTIVE 2 IKE Peer: x.x.x.x Type : L2L Role : initiator Rekey : no State : MM_ACTIVE #sh crypto isakmp sa dst src state conn-id slot status x.x.x.x x.x.x.x QM_IDLE 1 0 ACTIVE There no pong to my ping requests though. Also I've tried other services that fail. Here are my configurations. If anyone see's anything wrong feel free to let me know :-). router ! ! Last configuration change at 18:42:49 EST Tue Nov 11 2008 by rsreese ! NVRAM config last updated at 18:32:07 EST Tue Nov 11 2008 by rsreese ! version 12.4 service timestamps debug datetime msec service timestamps log datetime service password-encryption ! hostname 3725router ! boot-start-marker boot system flash:/c3725-adventerprisek9-mz.124-21.bin boot-end-marker ! logging buffered 8192 debugging logging console informational enable secret 5 ! aaa new-model ! ! aaa authentication login default local aaa authentication ppp default local aaa authorization exec default local aaa authorization network default local ! aaa session-id common clock timezone EST -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 network-clock-participate slot 1 network-clock-participate slot 2 no ip source-route ! ip traffic-export profile IDS-SNORT interface FastEthernet0/0 bidirectional mac-address 000c.2989.f93a ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 172.16.2.1 ip dhcp excluded-address 172.16.3.1 ! ip dhcp pool VLAN2clients network 172.16.2.0 255.255.255.0 default-router 172.16.2.1 option 66 ip 172.16.2.10 option 150 ip 172.16.2.10 dns-server 68.87.74.162 68.87.68.162 68.87.73.242 ! ip dhcp pool VLAN3clients network 172.16.3.0 255.255.255.0 default-router 172.16.3.1 dns-server 68.87.74.162 68.87.68.162 68.87.73.242 ! ip dhcp pool DEBIAN host 172.16.2.6 255.255.255.0 hardware-address 0004.e29c.4345 ! ! ip domain name neocipher.net ip name-server 68.87.74.162 ip name-server 68.87.68.162 ip inspect udp idle-time 900 ip inspect name SDM_LOW cuseeme ip inspect name SDM_LOW dns ip inspect name SDM_LOW ftp ip inspect name SDM_LOW h323 ip inspect name SDM_LOW https ip inspect name SDM_LOW icmp ip inspect name SDM_LOW netshow ip inspect name SDM_LOW rcmd ip inspect name SDM_LOW realaudio ip inspect name SDM_LOW rtsp ip inspect name SDM_LOW sqlnet ip inspect name SDM_LOW streamworks ip inspect name SDM_LOW tftp ip inspect name SDM_LOW tcp ip inspect name SDM_LOW udp ip inspect name SDM_LOW vdolive ip inspect name SDM_LOW imap ip inspect name SDM_LOW pop3 ip inspect name SDM_LOW esmtp ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ip ips sdf location flash://256MB.sdf ip ips notify SDEE ip ips name sdm_ips_rule vpdn enable ! ! ! ! ! ! ! ! ! ! ! ip ssh authentication-retries 2 ! ! crypto isakmp policy 3 encr 3des authentication pre-share group 2 ! crypto isakmp policy 10 authentication pre-share crypto isakmp key address 1.1.1.1 no-xauth crypto isakmp key address 10.0.0.2 no-xauth ! crypto isakmp client configuration group VPN-Users key dns 68.87.74.162 68.87.68.162 domain neocipher.net pool VPN_POOL acl 115 include-local-lan netmask 255.255.255.0 crypto isakmp profile IKE-PROFILE match identity group VPN-Users client authentication list default isakmp authorization list default client configuration address initiate client configuration address respond virtual-template 1 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac mode transport ! crypto ipsec profile IPSEC_PROFILE1 set transform-set ESP-3DES-SHA set isakmp-profile IKE-PROFILE ! ! crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA ! ! crypto map CLIENTMAP client authentication list default crypto map CLIENTMAP isakmp authorization list default crypto map CLIENTMAP client configuration address respond crypto map CLIENTMAP 1 ipsec-isakmp set peer 1.1.1.1 set transform-set ESP-3DES-SHA match address 100 crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP ! ! ! ! interface Loopback0 ip address 192.168.0.1 255.255.255.0 no ip unreachables ip virtual-reassembly ! interface Tunnel0 description HE.net no ip address ipv6 address 2001:470:1F06:3B6::2/64 ipv6 enable tunnel source tunnel destination 209.51.161.14 tunnel mode ipv6ip ! interface Null0 no ip unreachables ! interface FastEthernet0/0 description $ETH-WAN$$FW_OUTSIDE$ ip address dhcp client-id FastEthernet0/0 hostname 3725router ip access-group 104 in no ip unreachables ip nat outside ip inspect SDM_LOW out ip ips sdm_ips_rule in ip virtual-reassembly duplex auto speed auto crypto map CLIENTMAP ! interface Serial0/0 description $FW_OUTSIDE$ ip address 10.0.0.1 255.255.240.0 ip access-group 105 in ip verify unicast reverse-path no ip unreachables ip inspect SDM_LOW out ip virtual-reassembly clock rate 2000000 crypto map CLIENTMAP ! interface FastEthernet0/1 no ip address no ip unreachables ip virtual-reassembly duplex auto speed auto ! interface FastEthernet0/1.2 description $FW_INSIDE$ encapsulation dot1Q 2 ip address 172.16.2.1 255.255.255.0 ip access-group 101 in no ip unreachables ip nat inside ip virtual-reassembly ipv6 address ipv6 enable ! interface FastEthernet0/1.3 description $FW_INSIDE$ encapsulation dot1Q 3 ip address 172.16.3.1 255.255.255.0 ip access-group 102 in no ip unreachables ip nat inside ip virtual-reassembly ! interface FastEthernet0/1.10 ! interface Serial0/1 no ip address no ip unreachables shutdown clock rate 2000000 ! interface Virtual-Template1 type tunnel description $FW_INSIDE$ ip unnumbered Loopback0 ip access-group 103 in no ip unreachables ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC_PROFILE1 ! ip local pool VPN_POOL 192.168.0.100 192.168.0.105 ip forward-protocol nd ip route 172.16.10.0 255.255.255.0 10.0.0.2 ip route 172.31.12.0 255.255.255.0 1.1.1.1 ! ! ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 600 life 86400 requests 10000 ip nat translation udp-timeout 900 ip nat inside source list 1 interface FastEthernet0/0 overload ! logging trap debugging logging origin-id hostname logging 172.16.2.6 access-list 1 permit 172.16.2.0 0.0.0.255 access-list 1 permit 172.16.3.0 0.0.0.255 access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255 access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list 101 remark SDM_ACL Category=17 access-list 101 permit ahp any host 172.16.2.1 access-list 101 permit esp any host 172.16.2.1 access-list 101 permit udp any host 172.16.2.1 eq isakmp access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 101 deny ip 10.0.0.0 0.0.15.255 any log access-list 101 deny ip 192.168.0.0 0.0.0.255 any log access-list 101 deny ip 172.16.3.0 0.0.0.255 any log access-list 101 deny ip host 255.255.255.255 any log access-list 101 deny ip 127.0.0.0 0.255.255.255 any log access-list 101 deny tcp any any range 1 chargen log access-list 101 deny tcp any any eq whois log access-list 101 deny tcp any any eq 93 log access-list 101 deny tcp any any range 135 139 log access-list 101 deny tcp any any eq 445 log access-list 101 deny tcp any any range exec 518 log access-list 101 deny tcp any any eq uucp log access-list 101 permit ip any any access-list 102 deny ip 172.16.2.0 0.0.0.255 any log access-list 102 deny ip 10.0.0.0 0.0.15.255 any log access-list 102 deny ip 192.168.0.0 0.0.0.255 any log access-list 102 deny ip host 255.255.255.255 any log access-list 102 deny ip 127.0.0.0 0.255.255.255 any log access-list 102 permit ip any any access-list 103 deny ip 172.16.2.0 0.0.0.255 any access-list 103 deny ip 10.0.0.0 0.0.15.255 any access-list 103 deny ip 172.16.3.0 0.0.0.255 any access-list 103 deny ip host 255.255.255.255 any access-list 103 deny ip 127.0.0.0 0.255.255.255 any access-list 103 permit ip any any access-list 104 permit udp host 205.152.132.23 eq domain any access-list 104 permit udp host 205.152.144.23 eq domain any access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29 access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp access-list 104 permit ahp any any access-list 104 permit esp any any access-list 104 permit udp any any eq isakmp access-list 104 permit udp any any eq non500-isakmp access-list 104 deny ip 10.0.0.0 0.0.15.255 any log access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 104 deny ip 172.16.2.0 0.0.0.255 any log access-list 104 deny ip 192.168.0.0 0.0.0.255 any log access-list 104 deny ip 172.16.3.0 0.0.0.255 any log access-list 104 permit udp any eq bootps any eq bootpc access-list 104 permit icmp any any echo-reply access-list 104 permit icmp any any time-exceeded access-list 104 permit icmp any any unreachable access-list 104 deny icmp any any echo log access-list 104 deny icmp any any mask-request log access-list 104 deny icmp any any redirect log access-list 104 deny ip 10.0.0.0 0.255.255.255 any log access-list 104 deny ip 172.16.0.0 0.15.255.255 any log access-list 104 deny ip 192.168.0.0 0.0.255.255 any log access-list 104 deny ip 127.0.0.0 0.255.255.255 any log access-list 104 deny ip 224.0.0.0 15.255.255.255 any log access-list 104 deny ip host 255.255.255.255 any log access-list 104 deny tcp any any range 6000 6063 log access-list 104 deny tcp any any eq 6667 log access-list 104 deny tcp any any range 12345 12346 log access-list 104 deny tcp any any eq 31337 log access-list 104 deny udp any any eq 2049 log access-list 104 deny udp any any eq 31337 log access-list 104 deny udp any any range 33400 34400 log access-list 104 deny ip any any log access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1 access-list 105 permit esp host 10.0.0.2 host 10.0.0.1 access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog access-list 105 deny ip 172.16.2.0 0.0.0.255 any access-list 105 deny ip 192.168.0.0 0.0.0.255 any access-list 105 deny ip 172.16.3.0 0.0.0.255 any access-list 105 permit icmp any host 10.0.0.1 echo-reply access-list 105 permit icmp any host 10.0.0.1 time-exceeded access-list 105 permit icmp any host 10.0.0.1 unreachable access-list 105 deny ip 10.0.0.0 0.255.255.255 any access-list 105 deny ip 172.16.0.0 0.15.255.255 any access-list 105 deny ip 192.168.0.0 0.0.255.255 any access-list 105 deny ip 127.0.0.0 0.255.255.255 any access-list 105 deny ip host 255.255.255.255 any access-list 105 deny ip host 0.0.0.0 any access-list 105 deny ip any any log access-list 115 permit ip 172.16.0.0 0.0.255.255 any access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255 access-list 120 permit ip 172.16.0.0 0.0.255.255 any snmp-server community public RO ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2 ipv6 route ::/0 Tunnel0 ! ! ! ! control-plane ! ! ! ! ! ! ! ! ! ! line con 0 line aux 0 line vty 0 4 password 7 transport input ssh line vty 5 903 transport input ssh ! ntp clock-period 17180644 ntp server 129.6.15.29 source FastEthernet0/0 prefer ! end ASA : Saved : ASA Version 7.2(4) ! hostname bambam domain-name neocipher.net enable password asfsdf encrypted passwd asdfasdfasd encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 172.31.12.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 pppoe client vpdn group ppoe ip address pppoe setroute ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive dns server-group DefaultDNS domain-name neocipher.net access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0 access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0 access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0 access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240 access-list nonat extended permit ip any 192.168.10.96 255.255.255.240 access-list VPNUSERS_splitTunnelAcl standard permit 172.31.12.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0 access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0 access-list VPNUSERS_splitTunnelAcl_1 standard permit 172.31.12.0 255.255.255.0 pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 ip local pool vpn-pool 192.168.10.100-192.168.10.110 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list nonat nat (inside) 1 0.0.0.0 0.0.0.0 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute aaa authentication ssh console LOCAL http server enable http 0.0.0.0 0.0.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1 crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA crypto dynamic-map outside_dyn_map 40 set pfs group1 crypto dynamic-map outside_dyn_map 40 set transform-set 3DES-SHA crypto dynamic-map outside_dyn_map 60 set pfs group1 crypto dynamic-map outside_dyn_map 60 set transform-set 3DES-SHA crypto dynamic-map outside_dyn_map 80 set pfs group1 crypto dynamic-map outside_dyn_map 80 set transform-set 3DES-SHA crypto map outside_map 2 match address outside_2_cryptomap crypto map outside_map 2 set pfs group1 crypto map outside_map 2 set peer X.X.X.X crypto map outside_map 2 set transform-set 3DES-SHA crypto map outside_map 3 match address outside_3_cryptomap crypto map outside_map 3 set pfs group1 crypto map outside_map 3 set peer 2.2.2.2 crypto map outside_map 3 set transform-set 3DES-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp nat-traversal 20 telnet timeout 5 ssh 0.0.0.0 0.0.0.0 inside ssh 0.0.0.0 0.0.0.0 outside ssh timeout 5 console timeout 0 ! dhcpd address 172.31.12.5-172.31.12.36 inside dhcpd dns 205.152.144.23 205.152.150.23 interface inside dhcpd enable inside ! group-policy VPNUSERS internal group-policy VPNUSERS attributes dns-server value 205.152.144.23 vpn-tunnel-protocol IPSec split-tunnel-policy tunnelspecified split-tunnel-network-list value VPNUSERS_splitTunnelAcl_1 username ashields password asdfasdfads encrypted privilege 15 username ashields attributes vpn-group-policy VPNUSERS tunnel-group VPNUSERS type ipsec-ra tunnel-group VPNUSERS general-attributes address-pool vpn-pool default-group-policy VPNUSERS tunnel-group VPNUSERS ipsec-attributes pre-shared-key * tunnel-group X.X.X.X type ipsec-l2l tunnel-group X.X.X.X ipsec-attributes pre-shared-key * tunnel-group 2.2.2.2 type ipsec-l2l tunnel-group 2.2.2.2 ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:de5d70ccd8ab55620d371d9c63bfcfb1 : end asdm image disk0:/asdm-524.bin asdm location 172.31.1.0 255.255.255.0 inside no asdm history enable
	to forum · permalink · · 2008-11-11 20:57:46 ·
kubaff join:2007-06-14 kenya	Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou you need to EXCLUDE the INTERESTING traffic from being NAT'd on the router. Use an extended AccessList and make sure it's the FIRST ACL to be processed ip nat inside source list 1 interface FastEthernet0/0 overload # access-list 1 permit 172.16.2.0 0.0.0.255 # access-list 1 permit 172.16.3.0 0.0.0.255 Change ACL to access-list xx deny 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255 access-list xx deny 172.16.3.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list xx permit 172.16.2.0 0.0.0.255 any access-list xx permit 172.16.3.0 0.0.0.255 any ip nat inside source list x interface FastEthernet0/0 overload
	to forum · permalink · · 2008-11-12 04:36:22 ·
rsreese join:2004-02-17 Saint Augustine, FL	reply to rsreese kubaff, I changed the ACL for NAT as you mentioned to the following extended ACL's but it still didn't work: access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list 150 permit ip 172.16.2.0 0.0.0.255 any Any other ideas?
	to forum · permalink · · 2008-11-12 08:47:00 ·
aryoba Premium,MVM join:2002-08-22	There is this forum FAQ link providing IPSec tunnel sample configuration between PIX (or ASA) and router. »Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
	to forum · permalink · · 2008-11-12 09:21:56 ·
rsreese join:2004-02-17 Saint Augustine, FL 1 edit	reply to rsreese I've been able to connect to the ASA to other ASA and PIX devices but not to the router. I imagine is something like a ACL issue or something I'm missing. Thanks for the links though. I'm assuming since the ASA side can initiate the connection that there is a problem with the router side of things.
	to forum · permalink · · 2008-11-12 09:26:29 ·
kubaff join:2007-06-14 kenya	reply to rsreese It's all in the NATing. I had a similar situation between a PIX and 2811 You need to make sure that the INTERESTING TRAFFIC in EXCLUDED from the Global NAT statement. In addition the "reverse" ACL (10) attached to the Crypto map. access-list 10 permit 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255 access-list 10 permit 172.16.3.0 0.0.0.255 172.31.12.0 0.0.0.255 crypto map CLIENTMAP 1 ipsec-isakmp set peer 1.1.1.1 set transform-set ESP-3DES-SHA match address 10 access-list 11 deny 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255 access-list 11 deny 172.16.3.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list 11 permit 172.16.2.0 0.0.0.255 any access-list 11 permit 172.16.3.0 0.0.0.255 any ip nat inside source list 11 interface FastEthernet0/0 overload
	to forum · permalink · · 2008-11-13 02:13:23 ·
rsreese join:2004-02-17 Saint Augustine, FL 1 edit	kubaff, I did something similar but used extended ACL's since standard didn't allow for the source IP to be listed: access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list 150 permit ip 172.16.2.0 0.0.0.255 any access-list 150 permit ip 172.16.3.0 0.0.0.255 any I actually got the whole thing to work at one point last night by setting 'set pfs group1' to 'crypto map CLIENTMAP 1 ipsec-isakmp' but then I changed something when cleaning up and broke it. Slightly frustrating... Here's the most recent config for the router: version 12.4 service timestamps debug datetime msec service timestamps log datetime service password-encryption ! hostname 3725router ! boot-start-marker boot system flash:/c3725-adventerprisek9-mz.124-21.bin boot-end-marker ! logging buffered 8192 debugging logging console informational enable secret 5 $1$BUZ8$sNjxnHHht1NP3co5Vkj2o0 ! aaa new-model ! ! aaa authentication login default local aaa authentication ppp default local aaa authorization exec default local aaa authorization network default local ! aaa session-id common clock timezone EST -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 network-clock-participate slot 1 network-clock-participate slot 2 no ip source-route ! ip traffic-export profile IDS-SNORT interface FastEthernet0/0 bidirectional mac-address 000c.2989.f93a ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 172.16.2.1 ip dhcp excluded-address 172.16.3.1 ! ip dhcp pool VLAN2clients network 172.16.2.0 255.255.255.0 default-router 172.16.2.1 option 66 ip 172.16.2.10 option 150 ip 172.16.2.10 dns-server 68.87.74.162 68.87.68.162 68.87.73.242 ! ip dhcp pool VLAN3clients network 172.16.3.0 255.255.255.0 default-router 172.16.3.1 dns-server 68.87.74.162 68.87.68.162 68.87.73.242 ! ip dhcp pool DEBIAN host 172.16.2.6 255.255.255.0 hardware-address 0004.e29c.4345 ! ! ip domain name neocipher.net ip name-server 68.87.74.162 ip name-server 68.87.68.162 ip inspect udp idle-time 900 ip inspect name SDM_LOW cuseeme ip inspect name SDM_LOW dns ip inspect name SDM_LOW ftp ip inspect name SDM_LOW h323 ip inspect name SDM_LOW https ip inspect name SDM_LOW icmp ip inspect name SDM_LOW netshow ip inspect name SDM_LOW rcmd ip inspect name SDM_LOW realaudio ip inspect name SDM_LOW rtsp ip inspect name SDM_LOW sqlnet ip inspect name SDM_LOW streamworks ip inspect name SDM_LOW tftp ip inspect name SDM_LOW tcp ip inspect name SDM_LOW udp ip inspect name SDM_LOW vdolive ip inspect name SDM_LOW imap ip inspect name SDM_LOW pop3 ip inspect name SDM_LOW esmtp ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ip ips sdf location flash://256MB.sdf ip ips notify SDEE ip ips name sdm_ips_rule vpdn enable ! ! ! crypto isakmp policy 3 encr 3des authentication pre-share group 2 ! crypto isakmp policy 10 authentication pre-share crypto isakmp key key address 2.2.2.2 no-xauth crypto isakmp key key address 10.0.0.2 no-xauth ! crypto isakmp client configuration group VPN-Users key key dns 68.87.74.162 68.87.68.162 domain neocipher.net pool VPN_POOL acl 115 include-local-lan netmask 255.255.255.0 crypto isakmp profile IKE-PROFILE match identity group VPN-Users client authentication list default isakmp authorization list default client configuration address initiate client configuration address respond virtual-template 1 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac mode transport ! crypto ipsec profile IPSEC_PROFILE1 set transform-set ESP-3DES-SHA set isakmp-profile IKE-PROFILE ! ! crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA ! ! crypto map CLIENTMAP client authentication list default crypto map CLIENTMAP isakmp authorization list default crypto map CLIENTMAP client configuration address respond crypto map CLIENTMAP 1 ipsec-isakmp set peer 2.2.2.2 set transform-set ESP-3DES-SHA set pfs group1 match address 100 crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP ! ! ! ! interface Loopback0 ip address 192.168.0.1 255.255.255.0 no ip unreachables ip virtual-reassembly ! interface Tunnel0 description HE.net no ip address ipv6 address 2001:470:1F06:3B6::2/64 ipv6 enable tunnel source 78.18.222.115 tunnel destination 209.51.161.14 tunnel mode ipv6ip ! interface Null0 no ip unreachables ! interface FastEthernet0/0 description $ETH-WAN$$FW_OUTSIDE$ ip address dhcp client-id FastEthernet0/0 hostname 3725router ip access-group 104 in no ip unreachables ip nat outside ip inspect SDM_LOW out ip ips sdm_ips_rule in ip virtual-reassembly duplex auto speed auto crypto map CLIENTMAP ! interface Serial0/0 description $FW_OUTSIDE$ ip address 10.0.0.1 255.255.240.0 ip access-group 105 in ip verify unicast reverse-path no ip unreachables ip inspect SDM_LOW out ip virtual-reassembly clock rate 2000000 crypto map CLIENTMAP ! interface FastEthernet0/1 no ip address no ip unreachables ip virtual-reassembly duplex auto speed auto ! interface FastEthernet0/1.2 description $FW_INSIDE$ encapsulation dot1Q 2 ip address 172.16.2.1 255.255.255.0 ip access-group 101 in no ip unreachables ip nat inside ip virtual-reassembly ipv6 address 2001:470:880D::1/64 ipv6 enable ! interface FastEthernet0/1.3 description $FW_INSIDE$ encapsulation dot1Q 3 ip address 172.16.3.1 255.255.255.0 ip access-group 102 in no ip unreachables ip virtual-reassembly ! interface FastEthernet0/1.10 ! interface Serial0/1 no ip address no ip unreachables shutdown clock rate 2000000 ! interface Virtual-Template1 type tunnel description $FW_INSIDE$ ip unnumbered Loopback0 ip access-group 103 in no ip unreachables ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC_PROFILE1 ! ip local pool VPN_POOL 192.168.0.100 192.168.0.105 ip forward-protocol nd ip route 172.16.10.0 255.255.255.0 10.0.0.2 ip route 172.31.12.0 255.255.255.0 74.245.61.45 ! ! ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 600 life 86400 requests 10000 ip nat translation udp-timeout 900 ip nat inside source list 150 interface FastEthernet0/0 overload ! logging trap debugging logging origin-id hostname logging 172.16.2.6 access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255 access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list 101 remark SDM_ACL Category=17 access-list 101 permit ahp any host 172.16.2.1 access-list 101 permit esp any host 172.16.2.1 access-list 101 permit udp any host 172.16.2.1 eq isakmp access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 101 deny ip 10.0.0.0 0.0.15.255 any log access-list 101 deny ip 192.168.0.0 0.0.0.255 any log access-list 101 deny ip 172.16.3.0 0.0.0.255 any log access-list 101 deny ip host 255.255.255.255 any log access-list 101 deny ip 127.0.0.0 0.255.255.255 any log access-list 101 deny tcp any any range 1 chargen log access-list 101 deny tcp any any eq whois log access-list 101 deny tcp any any eq 93 log access-list 101 deny tcp any any range 135 139 log access-list 101 deny tcp any any eq 445 log access-list 101 deny tcp any any range exec 518 log access-list 101 deny tcp any any eq uucp log access-list 101 permit ip any any access-list 102 deny ip 172.16.2.0 0.0.0.255 any log access-list 102 deny ip 10.0.0.0 0.0.15.255 any log access-list 102 deny ip 192.168.0.0 0.0.0.255 any log access-list 102 deny ip host 255.255.255.255 any log access-list 102 deny ip 127.0.0.0 0.255.255.255 any log access-list 102 permit ip any any access-list 103 deny ip 172.16.2.0 0.0.0.255 any access-list 103 deny ip 10.0.0.0 0.0.15.255 any access-list 103 deny ip 172.16.3.0 0.0.0.255 any access-list 103 deny ip host 255.255.255.255 any access-list 103 deny ip 127.0.0.0 0.255.255.255 any access-list 103 permit ip any any access-list 104 remark SDM_ACL Category=17 access-list 104 permit udp host 205.152.132.23 eq domain any access-list 104 permit udp host 205.152.144.23 eq domain any access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29 access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp access-list 104 permit ahp any any access-list 104 permit esp any any access-list 104 permit 41 any any access-list 104 permit udp any any eq isakmp access-list 104 permit udp any any eq non500-isakmp access-list 104 deny ip 10.0.0.0 0.0.15.255 any log access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 104 deny ip 172.16.2.0 0.0.0.255 any log access-list 104 deny ip 192.168.0.0 0.0.0.255 any log access-list 104 deny ip 172.16.3.0 0.0.0.255 any log access-list 104 permit udp any eq bootps any eq bootpc access-list 104 permit icmp any any echo-reply access-list 104 permit icmp any any time-exceeded access-list 104 permit icmp any any unreachable access-list 104 permit icmp any any echo access-list 104 deny icmp any any mask-request log access-list 104 deny icmp any any redirect log access-list 104 deny ip 10.0.0.0 0.255.255.255 any log access-list 104 deny ip 172.16.0.0 0.15.255.255 any log access-list 104 deny ip 192.168.0.0 0.0.255.255 any log access-list 104 deny ip 127.0.0.0 0.255.255.255 any log access-list 104 deny ip 224.0.0.0 15.255.255.255 any log access-list 104 deny ip host 255.255.255.255 any log access-list 104 deny tcp any any range 6000 6063 log access-list 104 deny tcp any any eq 6667 log access-list 104 deny tcp any any range 12345 12346 log access-list 104 deny tcp any any eq 31337 log access-list 104 deny udp any any eq 2049 log access-list 104 deny udp any any eq 31337 log access-list 104 deny udp any any range 33400 34400 log access-list 104 deny ip any any log access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1 access-list 105 permit esp host 10.0.0.2 host 10.0.0.1 access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255 access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog access-list 105 deny ip 172.16.2.0 0.0.0.255 any access-list 105 deny ip 192.168.0.0 0.0.0.255 any access-list 105 deny ip 172.16.3.0 0.0.0.255 any access-list 105 permit icmp any host 10.0.0.1 echo-reply access-list 105 permit icmp any host 10.0.0.1 time-exceeded access-list 105 permit icmp any host 10.0.0.1 unreachable access-list 105 deny ip 10.0.0.0 0.255.255.255 any access-list 105 deny ip 172.16.0.0 0.15.255.255 any access-list 105 deny ip 192.168.0.0 0.0.255.255 any access-list 105 deny ip 127.0.0.0 0.255.255.255 any access-list 105 deny ip host 255.255.255.255 any access-list 105 deny ip host 0.0.0.0 any access-list 105 deny ip any any log access-list 115 permit ip 172.16.0.0 0.0.255.255 any access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255 access-list 120 permit ip 172.16.0.0 0.0.255.255 any access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255 access-list 150 permit ip 172.16.2.0 0.0.0.255 any access-list 150 permit ip 172.16.3.0 0.0.0.255 any
	to forum · permalink · · 2008-11-13 09:57:25 ·
kubaff join:2007-06-14 kenya	reply to rsreese Ran the CLEAR CRYPTO IPSEC SA Could you display - sh crypto isakmp sa - sh crypto isakmp ipsec You could be having issues with IPSEC; - debug crypto ipsec
	to forum · permalink · · 2008-11-15 12:52:14 ·
kubaff join:2007-06-14 kenya	reply to rsreese sorry... sh crypto ipsec sa
	to forum · permalink · · 2008-11-15 13:01:52 ·
rsreese join:2004-02-17 Saint Augustine, FL	reply to rsreese It was a issue with my connection renewing the lease on the IP.
	to forum · permalink · · 2008-11-17 11:24:53 ·
thejipster join:2008-05-20	reply to rsreese FYI, I know you have solved this issue. This is mainly for other who run into this issue in the future. IPSEC router has pfs disabled by default. Problem is that Cisco IOS IPSEC router will be able to accept PFS from the peer even if PFS is disabled. But if ASA has PFS enabled, IPSEC router will fail the IPSEC negotiation since ASA will reject the IPSEC negotiation. That explains the one-directional IPSEC setup issue.
	to forum · permalink · · 2008-12-19 03:22:34 ·
rsreese join:2004-02-17 Saint Augustine, FL	Thanks for the heads up. I realized that PFS was a issue between the two devices after many hours of trouble shooting
	to forum · permalink · · 2008-12-20 14:57:33 ·


Friday, 20-Nov 20:41:58	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF