[c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel

Ryan West rwest at zyedge.com
Mon Oct 19 08:54:54 EDT 2009


Scott,

Try this out, wax these sections and then do a packet-tracer:

tunnel-group 75.x.x.28 general-attributes
no default-group-policy 75.x.x.28
Clear configure group-policy 75.x.x.28

packet-tracer input inside icmp 10.18.1.14 8 0 10.18.15.130 detailed

It doesn't matter if those addresses do not exist, it's the output that's important.  You may need to run the command twice, but you want output similar to this:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd7e757a0, priority=70, domain=encrypt, deny=false
       hits=24687, user_data=0x143ac44c, cs_id=0xd6efc0a8, reverse, flags=0x0, protocol=0
       src ip=10.2.3.0, mask=255.255.255.0, port=0
       dst ip=10.2.4.0, mask=255.255.255.0, port=0, dscp=0x0

I'm pretty sure the issue is on your ASA and not the PIX.  Hope that helps.

-ryan

-----Original Message-----
From: Scott Granados [mailto:gsgranados at comcast.net]
Sent: Sunday, October 18, 2009 9:15 PM
To: Ryan West; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel

Hi, thanks for the help, here are the important bits.
PIX 501

test-fw# show isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   75.x.x.28   206.x.x.232    QM_IDLE         0           0

test-fw# sh  

show ipsec sa


interface: outside
    Crypto map tag: map1, local addr. 75.x.x.28

   local  ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.18.5.0/255.255.255.0/0/0)
   current_peer: 206.x.x.232:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:

<--- More --->


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.18.3.0/255.255.255.0/0/0)
   current_peer: 206.x.x.232:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
    #send errors 0, #recv errors 0

<--- More --->

     local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
<--- More --->

   remote ident (addr/mask/prot/port): (10.18.1.0/255.255.255.0/0/0)
   current_peer: 206.x.x.232:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1748, #pkts encrypt: 1748, #pkts digest 1748
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 7631b778

     inbound esp sas:
      spi: 0x38a1f0f(59383567)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4608000/17772)
        IV size: 16 bytes
        replay detection support: Y


     inbound ah sas:
<--- More --->



     inbound pcp sas:


     outbound esp sas:
      spi: 0x7631b778(1982969720)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4607836/17718)
        IV size: 16 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.18.0.0/255.255.255.0/0/0)
<--- More --->

   current_peer: 206.x.x.232:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


<--- More --->

     outbound ah sas:


     outbound pcp sas:



CONFIG

test-fw#

write t
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname test-fw
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521

fixup protocol tftp 69
names
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0
255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0
255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.3.0
255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.5.0
255.255.255.0
access-list inside permit ip any any
access-list outside permit icmp any any
access-list outside deny ip any any
pager lines 24
icmp permit 10.18.15.128 255.255.255.240 inside
mtu outside 1500
mtu inside 1500
ip address outside 75.x.x.28 255.255.255.248
ip address inside 10.18.15.129 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 75.x.x.26-75.x.x.27 netmask 255.255.255.248
global (outside) 1 75.x.x.29 netmask 255.255.255.248
nat (inside) 0 access-list test-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 75.147.137.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.18.15.130 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address test-vpn


crypto map map1 10 set peer 206.x.x.232
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 206.x.x.232 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
dhcpd address 10.18.15.131-10.18.15.136 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd wins 10.18.1.14 10.18.1.15


dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
encrypted privilege 2
terminal width 80
[OK]

test-fw#                  
(*NOTE* the dns servers listed are opendns public servers so releasing the
IP has no risk)

ASA 5520 side


   Active SA: 10
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10

6   IKE Peer: 75.x.x.28
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
vpn# show ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 206.x.x.232

    Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232

      access-list test-vpn permit ip 10.18.0.0 255.255.255.0 10.18.15.128
255.255.255.240
      local ident (addr/mask/prot/port): (10.18.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
      current_peer: 75.x.x.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:
0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: A4D9786C

    inbound esp sas:
      spi: 0x6F906AE6 (1871735526)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4373999/27751)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA4D9786C (2765715564)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4374000/27751)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232

      access-list test-vpn permit ip 10.18.1.0 255.255.255.0 10.18.15.128
255.255.255.240
      local ident (addr/mask/prot/port): (10.18.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
      current_peer: 75.x.x.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1942, #pkts decrypt: 1942, #pkts verify: 1942
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:
0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 038A1F0F

    inbound esp sas:
      spi: 0x7631B778 (1982969720)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4373819/16564)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x038A1F0F (59383567)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4374000/16564)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232

      access-list test-vpn permit ip 10.18.3.0 255.255.255.0 10.18.15.128
255.255.255.240
      local ident (addr/mask/prot/port): (10.18.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
      current_peer: 75.x.x.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:
0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B6096032

    inbound esp sas:
      spi: 0x62DA2363 (1658463075)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4373999/27783)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xB6096032 (3054067762)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4374000/27783)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232

      access-list test-vpn permit ip 10.18.5.0 255.255.255.0 10.18.15.128
255.255.255.240
      local ident (addr/mask/prot/port): (10.18.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
      current_peer: 75.x.x.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:
0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 75F7C1A5

    inbound esp sas:
      spi: 0x01E9D9E2 (32102882)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4373999/27791)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x75F7C1A5 (1979171237)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 915, crypto-map: vpn-ra-map
         sa timing: remaining key lifetime (kB/sec): (4374000/27791)
         IV size: 16 bytes
          replay detection support: Y

vpn# write t
: Saved
:
ASA Version 7.2(4)33
!
hostname vpn
domain-name mycompany.com
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 206.x.x.232 255.255.255.224 standby 206.169.98.233
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.18.14.6 255.255.255.0 standby 10.18.14.7
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mycompany.com
object-group network mycompany-domain-controllers
 network-object host 10.18.1.14
 network-object host 10.18.1.15
access-list FWBlockIn extended permit tcp any any eq 990
access-list FWBlockIn extended deny ip any any
access-list FWAllowAnyOut extended permit ip any any
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 192.168.122.0 255.255.255.192
10.18.14.0 255.255.255.0
access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip host 216.27.189.196 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.14.0
255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 192.168.122.0 255.255.255.192
10.18.15.0 255.255.255.192
access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip host 216.27.189.196 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.15.0
255.255.255.192
access-list vprn-qa extended permit ip 10.18.14.0 255.255.255.0 10.18.8.0
255.255.255.0
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128
255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128
255.255.255.240
access-list test-vpn extended permit ip 10.18.3.0 255.255.255.0 10.18.15.128
255.255.255.240
access-list test-vpn extended permit ip 10.18.5.0 255.255.255.0 10.18.15.128
255.255.255.240
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask
255.255.255.0
ip local pool VPRN-team-vpn-pool2 10.18.14.160-10.18.14.191 mask
255.255.255.0
ip local pool vprn-is-pool 10.18.14.20-10.18.14.31 mask 255.255.255.0
ip local pool vprn-qa-pool 10.18.14.64-10.18.14.71 mask 255.255.255.0
ip local pool vprn-eng-pool 10.18.14.32-10.18.14.47 mask 255.255.255.0
ip local pool QAAugmentum-pool 10.18.14.248-10.18.14.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 206.169.98.234
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 206.169.98.225 1
route inside 10.1.192.0 255.255.255.0 10.18.14.1 1
route inside 10.18.16.0 255.255.255.0 10.18.14.1 1
route inside 10.18.13.0 255.255.255.0 10.18.14.1 1
route inside 10.18.12.0 255.255.255.0 10.18.14.1 1
route inside 10.18.11.0 255.255.255.0 10.18.14.1 1
route inside 172.30.0.0 255.255.0.0 10.18.14.1 1
route inside 192.168.255.0 255.255.255.0 10.18.14.1 1
route inside 10.32.0.0 255.240.0.0 10.18.14.1 1
route inside 157.254.0.0 255.255.0.0 10.18.14.1 1
route inside 192.168.122.0 255.255.255.192 10.18.14.1 1
route inside 141.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.10.0 255.255.255.0 10.18.14.1 1
route inside 10.18.9.0 255.255.255.0 10.18.14.1 1
route inside 10.18.8.0 255.255.255.0 10.18.14.1 1
route inside 10.18.7.0 255.255.255.0 10.18.14.1 1
route inside 10.18.6.0 255.255.255.0 10.18.14.1 1
route inside 10.18.5.0 255.255.255.0 10.18.14.1 1
route inside 10.18.4.0 255.255.255.0 10.18.14.1 1
route inside 10.18.3.0 255.255.255.0 10.18.14.1 1
route inside 10.18.2.0 255.255.255.0 10.18.14.1 1
route inside 10.18.1.0 255.255.255.0 10.18.14.1 1
route inside 10.18.0.0 255.255.255.0 10.18.14.1 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.15.0.0 255.255.0.0 10.18.14.1 1
aaa-server my_authent_grp protocol nt
aaa-server my_authent_grp (inside) host 10.18.1.14
 nt-auth-domain-controller dc04
aaa-server my_authent_grp (inside) host 10.18.1.15
 nt-auth-domain-controller dc05
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
service resetoutside
crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-transform4 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2
vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2 vpn-transform1
vpn-transform3 vpn-transform4
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 20 match address test-vpn
crypto map vpn-ra-map 20 set peer 75.x.x.28
crypto map vpn-ra-map 20 set transform-set vpn-transform2 vpn-transform1
vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal  20
crypto isakmp reload-wait
client-update enable
group-policy 75.x.x.28 internal
group-policy 75.x.x.28 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ip-comp enable
 ipsec-udp enable
 ipsec-udp-port 10000
tunnel-group 75.x.x.28 type ipsec-l2l
tunnel-group 75.x.x.28 general-attributes
 default-group-policy 75.x.x.28
tunnel-group 75.x.x.28 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!

I tried to remove all the other non related bits.

Thanks
Scott





----- Original Message -----
From: "Ryan West" <rwest at zyedge.com>
To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Saturday, October 17, 2009 5:36 PM
Subject: RE: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel


Scott,

Can you post your 'show ipsec sa' and 'show isakmp sa' output on both
firewall, as well as 'show nat' and the associated nat 0 entries?  Also
please post the contents of the 4 transforms on the ASA as well as the
transforms on the PIX.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Saturday, October 17, 2009 8:23 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel

Hi, I'm having the following problem.

I have an ASA5520 running ASA724-33-k8 and a Pix 501 running 6.3.  I have
the following on the asa

access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128
255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128
255.255.255.240
crypto map vpn-ra-map 20 match test-vpn
crypto map vpn-ra-map 20 peer 75.x.x.28
crypto map vpn-ra-map 20 transform vpn-transform1 vpn-transform2
vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 reverse-route

the transforms are simply aes and aes-256 des and 3des each with an md5 or
sha hash

isakmp policies exist and match as well

on the pix

access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0
255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0
255.255.255.0
crypto map map1 match test-vpn
crypto map map1 interface outside
crypto map map1 peer 206.x.x.232
isakmp policy 20 preshare
isakmp policy 20 group 2
isakmp policy 20 encrypt aes-256
isakmp policy 20 hash sha
isakmp policy 20 life 28800

A show isakmp sa and show crypto ipsec on both sides seems to show a tunnel
up.  With a debug crypto isakmp and debug crypto ipsec on the pix 501 I keep
getting
IKMP_NO_ERR_NO_TRANS

The 5520 side shows a tunnel active and the pix a tunnel idle.

Pings or traffic of any form can't traverse the tunnel.  What have I missed?
Any pointers would be appreciated.

Thanks
Scott


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



More information about the cisco-nsp mailing list