asa 5505 vpn ipsec l2l problem


asa 5505 vpn ipsec l2l problem

by Hrvoje Popovski


hello everyone,

i have asa 5505 with Base license and 7.2.4 software.

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0


i'm trying to create l2l ipsec tunnel reading manual on
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html

and when i'm applying acl in crypto map
crypto map abcMap 1 match address acl
i'm getting this log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

i don't have any debug messages (debug crypto ipsec 100)
google it but haven't found any answer.

thank you for your answers!

acl
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: asa 5505 vpn ipsec l2l problem

by Christopher J. Wargaski


Hello--

  Is the SA established? If so, try starting with a much simpler ACL
for the crypto map match. For example:

access-list acl extended permit ip host 192.168.11.11 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.105
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.105

Make sure that the same ACL is on the other peer. If this works, begin
restricting the traffic, say starting with all TCP. Continue
restricting the ACL until it is how you want it, or it no longer
works.

cjw




Re: asa 5505 vpn ipsec l2l problem

by Paul Melson-2


> and when i'm applying acl in crypto map
> crypto map abcMap 1 match address acl
> i'm getting this log:
> Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
>
> i don't have any debug messages (debug crypto ipsec 100) google it but
> haven't found any answer.
>
> thank you for your answers!
>
> acl
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
> access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data


You can only use 'permit ip' in an access-list used for crypto map match,
and your access-list is set to use tcp.  

If you need to filter VPN traffic down to the port and protocol level, use
the access-list applied to the outside interface, not the access-list
applied to the VPN tunnel's crypto map.

PaulM



Re: asa 5505 vpn ipsec l2l problem

by Farrukh Haroon


Run these three debugs

debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127

and then see if you get any more meaningful debugs.

Regards

Farrukh Haroon
CCIE Security


Re: asa 5505 vpn ipsec l2l problem

by Eric G-4


If you're not seeing IPsec build the tunnel with debug crypto, I would guess that traffic is getting NAT'd out, and not hitting the tunnel (by the way, you probably only need debug crypto ipsec 5, not 100...)


Do you have NAT set up on the 5505? If you do, do you have a NAT exclude ACL set up that excludes "your device networks -> remote device networks"?

--
Eric




Re: asa 5505 vpn ipsec l2l problem

by Hrvoje Popovski


> If you're not seeing IPsec build the tunnel with debug crypto, I would
> guess that traffic is getting NAT'd out, and not hitting the tunnel (by
> the way, you probably only need debug crypto ipsec 5, not 100...)
>
>
> Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
> ACL setup that excludes "your device networks -> remote device networks"?
>
> --
> Eric
>

hello everyone,

first thanks to everyone who replied to my post.
I can't establish SA, crypto acl is the same on both ends, well they
tell me so. I can't see config on other side but maybe from log that i
can see on my ASA i think that problem is on my side. I really don't know,
maybe problem is in licence (10 inside hosts) but i have only 2 inside
hosts (192.168.11.11 and 11.12).
I will try to apply crypto acl with ip rule and see what happens.

---------------------------------
log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

debug crypto engine, ipsec 127 and ipsec 127 gave me nothing

---------------------------------
my asa:
ciscoasa# sh crypto isakmp sa
There are no isakmp sas

ciscoasa# sh crypto ipsec sa
There are no ipsec sas
---------------------------------
my asa - 22.22.22.22
other asa - 33.33.33.33
-----------------------------------------------
config on 33.33.33.33 asa:
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12

transform-set esp-3des esp-md5-hmac

isakmp key * address 22.22.22.22 netmask 255.255.255.255 no-xauth no-config-mode

this is all information that i know

-------------------------------------------------

here is my config - 22.22.22.22 asa:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.11.254 255.255.255.0
!
interface Vlan2
  nameif outside
  security-level 10
  ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0/0
  switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
  domain-name default.domain.invalid
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list NoNAT
static (inside,outside) 192.168.113.11 192.168.11.11 netmask 255.255.255.255
static (inside,outside) 192.168.113.12 192.168.11.12 netmask 255.255.255.255
*i need this static nat but not for now*
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
route outside 0.0.0.0 0.0.0.0 22.22.22.1 1

crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map abcMap 1 match address ACL1
crypto map abcMap 1 set peer 33.33.33.33
crypto map abcMap 1 set transform-set ESP-3DES-MD5
crypto map abcMap 1 set security-association lifetime seconds 3600
crypto map abcMap 1 set security-association lifetime kilobytes 2560
crypto map abcMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
crypto isakmp policy 2
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
crypto isakmp nat-traversal  20

ntp server 192.168.10.2
ntp server 192.168.10.3
ssl encryption des-sha1

tunnel-group DefaultL2LGroup ipsec-attributes
  isakmp keepalive threshold 120 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
  isakmp keepalive threshold 120 retry 10
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
  pre-shared-key *

!
!
prompt hostname context
Cryptochecksum:ad3bf9e8fef81844b866e79c1b0c8e2f
: end

--

/hrvoje

Re: asa 5505 vpn ipsec l2l problem

by Farrukh Haroon


I don't know if you got my older email, here it is again:
 
Run these three debugs
debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127
and then see if you get any more meaningful debugs.
 
It's better to clear both Phase 1 and Phase 2 before you run the debugs (just in case the SAs are already established).
 
Also try removing the crypto map from the interface and re-applying it!
 
Please also check the logging levels on your ASA 'show logging'
 
logging buffered 7
logging monitor 7  (save/log the telnet session after issuing the 'terminal monitor' command)
 

Regards
 
Farrukh


 

Re: asa 5505 vpn ipsec l2l problem

by Eric G-4



I think this was previously mentioned by Paul Melson... try to use IP addresses in your IPsec interesting traffic ACL... I agree with him, that having specific ports in ACL1 is the problem, as far as I know

So ACL1 is now:
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data

ACL1 should be:
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.13
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.110.250
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.11 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.13
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.105
access-list ACL1 extended permit ip host 192.168.11.12 host 10.1.100.105

At least try this config, and see if it works... worst case roll it back to what you had before.

Do a 'debug cry isa 5' and try to ping a remote host from e.g. 10.1.100.13 and see if the tunnel tries to build

--
Eric

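Paul's, Christopher's and Eric's replies converge on three checks for a crypto-map match ACL: the entries should be plain permit ip with no protocol or port qualifiers, the peer's ACL should be the mirror image (source and destination swapped), and the nat 0 exemption ACL should cover the same address pairs so the traffic is not translated before it reaches the tunnel. The Python script below is an added example, not code from the thread or from Cisco; it parses ASA access-list lines in the syntax shown in this thread (host, any, or address plus dotted netmask; eq/neq/lt/gt/range port qualifiers; object-groups are out of scope) and runs those three checks. The embedded sample input is copied from Hrvoje's posted config (NoNAT and ACL1) and from the acl1 he reported for the peer; the function names are this example's own. Its suggest_crypto_acl output is Eric's "ACL1 should be" list with the duplicated 10.1.100.105 entries collapsed to one per host.

```python
"""Static checks for an ASA site-to-site crypto ACL (added example, not code from the thread)."""
import ipaddress
from collections import namedtuple

Net = ipaddress.IPv4Network
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}
# name/action/proto as written; src/dst normalised to networks; has_ports: any port qualifier seen
AclEntry = namedtuple("AclEntry", "name action proto src dst has_ports")

# Constructed sample input, copied from the thread: NoNAT and ACL1 from the 22.22.22.22
# config, and the acl1 reported for the 33.33.33.33 peer.
SAMPLE_CONFIG = """
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12
"""


def _address(tok, i):
    """Consume 'host A', 'any' or 'A MASK' (ASA uses dotted netmasks) at tok[i]."""
    if tok[i] == "host":
        return Net(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    return Net(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _ports(tok, i):
    """Consume an optional port qualifier; 'range' takes two operands, the others one."""
    if i < len(tok) and tok[i] in PORT_OPS:
        return True, i + (3 if tok[i] == "range" else 2)
    return False, i


def parse_acl_line(line):
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC [ports] DST [ports]' line."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    i = 3 if tok[2] == "extended" else 2
    if tok[i] == "remark":
        return None
    src, j = _address(tok, i + 2)
    sp, j = _ports(tok, j)
    dst, j = _address(tok, j)
    dp, _ = _ports(tok, j)
    return AclEntry(tok[1], tok[i], tok[i + 1], src, dst, sp or dp)


def parse_acls(config):
    """Group parsed entries by ACL name, keeping configuration order."""
    acls = {}
    for e in filter(None, map(parse_acl_line, config.splitlines())):
        acls.setdefault(e.name, []).append(e)
    return acls


def permit_pairs(entries):
    return {(e.src, e.dst) for e in entries if e.action == "permit"}


def crypto_acl_issues(entries):
    """Crypto-map match entries should be plain 'permit ip' with no port qualifiers."""
    return [f"{e.name}: '{e.proto}'{' with port qualifier' if e.has_ports else ''} on "
            f"{e.src} -> {e.dst}; crypto ACL entries should be plain 'permit ip'"
            for e in entries if e.proto != "ip" or e.has_ports]


def is_mirror(local, remote):
    """The peer's crypto ACL must be ours with source and destination swapped."""
    return permit_pairs(local) == {(d, s) for s, d in permit_pairs(remote)}


def nat_exemption_gaps(crypto, nonat):
    """Crypto pairs no 'nat 0' exemption entry covers: that traffic gets translated, not tunnelled."""
    covered = [e for e in nonat if e.action == "permit" and e.proto == "ip"]
    return [(str(s), str(d)) for s, d in sorted(permit_pairs(crypto))
            if not any(s.subnet_of(e.src) and d.subnet_of(e.dst) for e in covered)]


def suggest_crypto_acl(entries):
    """Rewrite the list as deduplicated 'permit ip' entries, the form the replies recommend."""
    def fmt(n):
        return f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
    lines, seen = [], set()
    for e in entries:
        if e.action == "permit" and (e.src, e.dst) not in seen:
            seen.add((e.src, e.dst))
            lines.append(f"access-list {e.name} extended permit ip {fmt(e.src)} {fmt(e.dst)}")
    return lines


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("\n".join(crypto_acl_issues(acls["ACL1"])))
    print("peer mirrors us:", is_mirror(acls["ACL1"], acls["acl1"]))
    print("NAT exemption gaps:", nat_exemption_gaps(acls["ACL1"], acls["NoNAT"]))
    print("\n".join(suggest_crypto_acl(acls["ACL1"])))
```

Run against the posted config, every ACL1 entry is flagged (tcp with ports), the peer's acl1 is a correct mirror, and NoNAT already covers all six host pairs, so the one thing left to change is the protocol/port detail in ACL1 itself. Paste the output of show running-config access-list from both ends into SAMPLE_CONFIG to check a different tunnel.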


Re: asa 5505 vpn ipsec l2l problem

by craig.wilson


If you have tunnel interfaces set up on each end, can you ping those addresses? They should work even if you're not passing anything into the tunnel.




-----Original Message-----
From: Eric Gearhart <eric@...>
Date: Mon, 5 Oct 2009 21:45:33
To: Firewall Wizards Security Mailing List<firewall-wizards@...>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
