Re: [fw-wiz] asa 5505 vpn ipsec l2l problem



> If you're not seeing IPsec build the tunnel with debug crypto, I would
> guess that traffic is getting NAT'd out, and not hitting the tunnel (by the way, you probably only need debug crypto ipsec 5, not 100...)


Do you have NAT set up on the 5505? If you do, do you have a NAT exclude ACL set up that excludes "your device networks -> remote device networks"?

--
Eric


hello everyone,

first, thanks to everyone who replied to my post.
I can't establish an SA. The crypto ACL is the same on both ends, well, they tell me so. I can't see the config on the other side, but from the log that I can see on my ASA I think the problem is on my side. I really don't know; maybe the problem is the licence (10 inside hosts), but I have only 2 inside hosts (192.168.11.11 and 11.12).
I will try to apply the crypto ACL with an ip rule and see what happens.

---------------------------------
log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

debug crypto engine, ipsec 127 and ipsec 127 gave me nothing

---------------------------------
my asa:
ciscoasa# sh crypto isakmp sa
There are no isakmp sas

ciscoasa# sh crypto ipsec sa
There are no ipsec sas
---------------------------------
my asa - 22.22.22.22
other asa - 33.33.33.33
-----------------------------------------------
config on 33.33.33.33 asa:
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12

transform-set esp-3des esp-md5-hmac

isakmp key * address 22.22.22.22 netmask 255.255.255.255 no-xauth no-config-mode

this is all the information that I know

-------------------------------------------------

here is my config - 22.22.22.22 asa:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 10
ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list NoNAT
static (inside,outside) 192.168.113.11 192.168.11.11 netmask 255.255.255.255
static (inside,outside) 192.168.113.12 192.168.11.12 netmask 255.255.255.255
*I need this static NAT but not for now*
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
route outside 0.0.0.0 0.0.0.0 22.22.22.1 1

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map abcMap 1 match address ACL1
crypto map abcMap 1 set peer 33.33.33.33
crypto map abcMap 1 set transform-set ESP-3DES-MD5
crypto map abcMap 1 set security-association lifetime seconds 3600
crypto map abcMap 1 set security-association lifetime kilobytes 2560
crypto map abcMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20

ntp server 192.168.10.2
ntp server 192.168.10.3
ssl encryption des-sha1

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 10
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
pre-shared-key *

!
!
prompt hostname context
Cryptochecksum:ad3bf9e8fef81844b866e79c1b0c8e2f
: end

--

/hrvoje
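A crypto ACL has to be the exact mirror of the peer's, which is hard to eyeball when the other side's config is only reported second-hand. The script below is an added example (not from the thread or either ASA): it parses ASA access-list lines and reports entries the other end does not mirror, using the lines quoted above for 192.168.11.11 as constructed sample input; it handles host/network/any address forms and optional eq port qualifiers, but not object-groups or port ranges.

```python
from ipaddress import ip_network
# Constructed sample: the crypto ACL lines quoted in the thread for 192.168.11.11 (remote acl1 first, then the local ACL1).
REMOTE_ACL = """
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
"""
LOCAL_ACL = """
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
"""

def _addr(t, i):
    # Consume one ASA address spec ('host A', 'any', or 'A MASK'); return (cidr, next index).
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    if t[i] == "any":
        return "0.0.0.0/0", i + 1
    return str(ip_network(f"{t[i]}/{t[i + 1]}")), i + 2

def _port(t, i):
    # Consume an optional 'eq PORT' qualifier; no qualifier means any port.
    return (t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else ("any", i)

def parse_acl(text):
    """Set of (proto, src, sport, dst, dport) tuples for the ACL's permit lines."""
    entries = set()
    for t in (line.split() for line in text.splitlines()):
        if len(t) < 5 or t[0] != "access-list":
            continue
        i = 3 if t[2] == "extended" else 2  # PIX-style lines omit 'extended'
        if t[i] != "permit":  # deny lines only exclude traffic; they need no mirror
            continue
        proto = t[i + 1]
        src, i = _addr(t, i + 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        entries.add((proto, src, sport, dst, dport))
    return entries

def mirror_mismatches(local, remote):
    """(local entries the peer does not mirror, peer entries the local ACL does not mirror)."""
    lo = parse_acl(local)
    mirrored = {(p, d, dp, s, sp) for p, s, sp, d, dp in parse_acl(remote)}
    return sorted(lo - mirrored), sorted(mirrored - lo)
```

Two empty lists mean the two ends mirror each other for every permit line; anything reported is a Phase 2 proxy-ID mismatch candidate to raise with the peer's administrator.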
firewall-wizards mailing list
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


