[c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Ryan West
rwest at zyedge.com
Mon Oct 19 08:54:54 EDT 2009
Scott,
Try this out, wax these sections and then do a packet-tracer:
tunnel-group 75.x.x.28 general-attributes
no default-group-policy 75.x.x.28
clear configure group-policy 75.x.x.28
packet-tracer input inside icmp 10.18.1.14 8 0 10.18.15.130 detailed
It doesn't matter if those addresses do not exist; it's the output that's important. You may need to run the command twice, but you want output similar to this:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7e757a0, priority=70, domain=encrypt, deny=false
hits=24687, user_data=0x143ac44c, cs_id=0xd6efc0a8, reverse, flags=0x0, protocol=0
src ip=10.2.3.0, mask=255.255.255.0, port=0
dst ip=10.2.4.0, mask=255.255.255.0, port=0, dscp=0x0
I'm pretty sure the issue is on your ASA and not the PIX. Hope that helps.
-ryan
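An added check for the ASA side, not part of the thread and not Ryan's or Scott's code: it parses the nat 0 and crypto ACLs as posted and walks a flow in the order packet-tracer does on ASA 7.x, NAT exemption first, then the crypto map against the translated packet. In the posted config the nonat list has destinations 10.18.14.0/24 and 10.18.15.0/26 but no entry for 10.18.15.128/28, so the check reports all four test-vpn entries as not exempt. The NONAT_FIX lines are an assumption derived from the crypto ACL, not something from the thread; the 206.169.98.234 global and the hosts 10.18.1.14 and 10.18.15.130 are taken from the posted configs and from Ryan's packet-tracer line.

```python
"""NAT-exemption coverage check for an ASA 7.x / PIX 6.x LAN-to-LAN tunnel.

Added example (not from the thread). On ASA 7.x a flow leaving 'inside' is
matched against NAT exemption (nat (inside) 0 access-list nonat) first; if no
nat 0 entry matches, dynamic NAT (nat (inside) 1 / global (outside) 1) rewrites
the source, and the crypto-map ACL, evaluated on the egress interface against
the translated packet, never matches, so packet-tracer shows no 'VPN encrypt'
phase. ACL text below is copied from the posted configs (nonat excerpted).
"""
import ipaddress
import re
from typing import NamedTuple


class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# Accepts ASA ("extended permit ip") and PIX 6.3 ("permit ip") syntax.
_ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)\s*$"
)

def _net(tok: str) -> ipaddress.IPv4Network:
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(config: str, name: str) -> list[Ace]:
    """Permit-ip entries of ACL `name`, in configured order."""
    out = []
    for line in config.splitlines():
        m = _ACE_RE.match(line.strip())
        if m and m.group("name") == name:
            out.append(Ace(_net(m.group("src")), _net(m.group("dst"))))
    return out

def exempted(flow: Ace, nonat: list[Ace]) -> bool:
    """True if a single nat 0 entry covers the flow on both src and dst.
    A flow covered only by the union of several entries is reported as not
    covered; conservative is what a troubleshooting check wants."""
    return any(flow.src.subnet_of(n.src) and flow.dst.subnet_of(n.dst) for n in nonat)

def uncovered(crypto: list[Ace], nonat: list[Ace]) -> list[Ace]:
    """Crypto-ACL entries whose traffic would be translated before encryption."""
    return [a for a in crypto if not exempted(a, nonat)]

def mirror_gaps(local: list[Ace], remote: list[Ace]) -> tuple[list[Ace], list[Ace]]:
    """Crypto ACLs must be mirror images; return entries missing on each side."""
    flipped = [Ace(a.dst, a.src) for a in remote]
    return ([a for a in local if a not in flipped], [a for a in flipped if a not in local])

def trace(src_ip: str, dst_ip: str, nonat: list[Ace], crypto: list[Ace],
          global_ip: str) -> dict:
    """inside -> outside in ASA order: nat 0, else dynamic NAT, then crypto ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    if any(s in n.src and d in n.dst for n in nonat):
        nat, egress_src = "exempt", s
    else:
        nat, egress_src = f"dynamic -> {global_ip}", ipaddress.IPv4Address(global_ip)
    return {"nat": nat, "encrypt": any(egress_src in a.src and d in a.dst for a in crypto)}

# From the posted ASA config; nonat excerpted to the entries for these sources.
ASA_CONFIG = """
access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.3.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.5.0 255.255.255.0 10.18.15.128 255.255.255.240
"""
# From the posted PIX config.
PIX_CONFIG = """
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.3.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.5.0 255.255.255.0
"""
# Assumed fix, not from the thread: one nat 0 entry per crypto-ACL entry.
NONAT_FIX = "\n".join(
    f"access-list nonat extended permit ip {a.src.network_address} {a.src.netmask} "
    f"{a.dst.network_address} {a.dst.netmask}"
    for a in parse_acl(ASA_CONFIG, "test-vpn"))

if __name__ == "__main__":
    nonat, crypto = parse_acl(ASA_CONFIG, "nonat"), parse_acl(ASA_CONFIG, "test-vpn")
    for a in uncovered(crypto, nonat):
        print(f"not exempt from NAT: {a.src} -> {a.dst}")
    print(trace("10.18.1.14", "10.18.15.130", nonat, crypto, "206.169.98.234"))
    print(trace("10.18.1.14", "10.18.15.130", nonat + parse_acl(NONAT_FIX, "nonat"),
                crypto, "206.169.98.234"))
```

The trace reproduces what packet-tracer shows: with the posted nonat list the 10.18.1.14 to 10.18.15.130 flow takes the dynamic NAT rule and no crypto entry matches the translated source; with a nat 0 entry covering the crypto ACL's flows it is exempt and hits the encrypt rule.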
-----Original Message-----
From: Scott Granados [mailto:gsgranados at comcast.net]
Sent: Sunday, October 18, 2009 9:15 PM
To: Ryan West; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Hi, thanks for the help; here are the important bits.
PIX 501
test-fw# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
75.x.x.28 206.x.x.232 QM_IDLE 0 0
test-fw# show ipsec sa
interface: outside
Crypto map tag: map1, local addr. 75.x.x.28
local ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.18.5.0/255.255.255.0/0/0)
current_peer: 206.x.x.232:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.18.3.0/255.255.255.0/0/0)
current_peer: 206.x.x.232:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.18.1.0/255.255.255.0/0/0)
current_peer: 206.x.x.232:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1748, #pkts encrypt: 1748, #pkts digest 1748
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
path mtu 1500, ipsec overhead 72, media mtu 1500
current outbound spi: 7631b778
inbound esp sas:
spi: 0x38a1f0f(59383567)
transform: esp-aes-256 esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4608000/17772)
IV size: 16 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7631b778(1982969720)
transform: esp-aes-256 esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: map1
sa timing: remaining key lifetime (k/sec): (4607836/17718)
IV size: 16 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.18.0.0/255.255.255.0/0/0)
current_peer: 206.x.x.232:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 75.x.x.28, remote crypto endpt.: 206.x.x.232
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
CONFIG
test-fw#
write t
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname test-fw
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.3.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.5.0 255.255.255.0
access-list inside permit ip any any
access-list outside permit icmp any any
access-list outside deny ip any any
pager lines 24
icmp permit 10.18.15.128 255.255.255.240 inside
mtu outside 1500
mtu inside 1500
ip address outside 75.x.x.28 255.255.255.248
ip address inside 10.18.15.129 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 75.x.x.26-75.x.x.27 netmask 255.255.255.248
global (outside) 1 75.x.x.29 netmask 255.255.255.248
nat (inside) 0 access-list test-vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 75.147.137.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.18.15.130 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address test-vpn
crypto map map1 10 set peer 206.x.x.232
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 206.x.x.232 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
dhcpd address 10.18.15.131-10.18.15.136 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd wins 10.18.1.14 10.18.1.15
dhcpd lease 9000
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
encrypted privilege 2
terminal width 80
[OK]
test-fw#
(*NOTE* the DNS servers listed are OpenDNS public servers, so releasing the IP has no risk)
ASA 5520 side
Active SA: 10
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10
6 IKE Peer: 75.x.x.28
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
vpn# show ipsec sa
interface: outside
Crypto map tag: dynmap, seq num: 10, local addr: 206.x.x.232
Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232
access-list test-vpn permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
local ident (addr/mask/prot/port): (10.18.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
current_peer: 75.x.x.28
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: A4D9786C
inbound esp sas:
spi: 0x6F906AE6 (1871735526)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4373999/27751)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xA4D9786C (2765715564)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4374000/27751)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232
access-list test-vpn permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
local ident (addr/mask/prot/port): (10.18.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
current_peer: 75.x.x.28
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1942, #pkts decrypt: 1942, #pkts verify: 1942
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 038A1F0F
inbound esp sas:
spi: 0x7631B778 (1982969720)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4373819/16564)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x038A1F0F (59383567)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4374000/16564)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232
access-list test-vpn permit ip 10.18.3.0 255.255.255.0 10.18.15.128 255.255.255.240
local ident (addr/mask/prot/port): (10.18.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
current_peer: 75.x.x.28
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: B6096032
inbound esp sas:
spi: 0x62DA2363 (1658463075)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4373999/27783)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB6096032 (3054067762)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4374000/27783)
IV size: 16 bytes
replay detection support: Y
Crypto map tag: vpn-ra-map, seq num: 20, local addr: 206.x.x.232
access-list test-vpn permit ip 10.18.5.0 255.255.255.0 10.18.15.128 255.255.255.240
local ident (addr/mask/prot/port): (10.18.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
current_peer: 75.x.x.28
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 206.x.x.232, remote crypto endpt.: 75.x.x.28
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 75F7C1A5
inbound esp sas:
spi: 0x01E9D9E2 (32102882)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4373999/27791)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x75F7C1A5 (1979171237)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 915, crypto-map: vpn-ra-map
sa timing: remaining key lifetime (kB/sec): (4374000/27791)
IV size: 16 bytes
replay detection support: Y
vpn# write t
: Saved
:
ASA Version 7.2(4)33
!
hostname vpn
domain-name mycompany.com
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 206.x.x.232 255.255.255.224 standby 206.169.98.233
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.18.14.6 255.255.255.0 standby 10.18.14.7
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name mycompany.com
object-group network mycompany-domain-controllers
network-object host 10.18.1.14
network-object host 10.18.1.15
access-list FWBlockIn extended permit tcp any any eq 990
access-list FWBlockIn extended deny ip any any
access-list FWAllowAnyOut extended permit ip any any
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 192.168.122.0 255.255.255.192 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip host 216.27.189.196 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.14.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 192.168.122.0 255.255.255.192 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip host 216.27.189.196 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.15.0 255.255.255.192
access-list vprn-qa extended permit ip 10.18.14.0 255.255.255.0 10.18.8.0 255.255.255.0
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.3.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.5.0 255.255.255.0 10.18.15.128 255.255.255.240
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPRN-team-vpn-pool1 10.18.14.96-10.18.14.127 mask 255.255.255.0
ip local pool VPRN-team-vpn-pool2 10.18.14.160-10.18.14.191 mask 255.255.255.0
ip local pool vprn-is-pool 10.18.14.20-10.18.14.31 mask 255.255.255.0
ip local pool vprn-qa-pool 10.18.14.64-10.18.14.71 mask 255.255.255.0
ip local pool vprn-eng-pool 10.18.14.32-10.18.14.47 mask 255.255.255.0
ip local pool QAAugmentum-pool 10.18.14.248-10.18.14.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 206.169.98.234
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 206.169.98.225 1
route inside 10.1.192.0 255.255.255.0 10.18.14.1 1
route inside 10.18.16.0 255.255.255.0 10.18.14.1 1
route inside 10.18.13.0 255.255.255.0 10.18.14.1 1
route inside 10.18.12.0 255.255.255.0 10.18.14.1 1
route inside 10.18.11.0 255.255.255.0 10.18.14.1 1
route inside 172.30.0.0 255.255.0.0 10.18.14.1 1
route inside 192.168.255.0 255.255.255.0 10.18.14.1 1
route inside 10.32.0.0 255.240.0.0 10.18.14.1 1
route inside 157.254.0.0 255.255.0.0 10.18.14.1 1
route inside 192.168.122.0 255.255.255.192 10.18.14.1 1
route inside 141.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.18.10.0 255.255.255.0 10.18.14.1 1
route inside 10.18.9.0 255.255.255.0 10.18.14.1 1
route inside 10.18.8.0 255.255.255.0 10.18.14.1 1
route inside 10.18.7.0 255.255.255.0 10.18.14.1 1
route inside 10.18.6.0 255.255.255.0 10.18.14.1 1
route inside 10.18.5.0 255.255.255.0 10.18.14.1 1
route inside 10.18.4.0 255.255.255.0 10.18.14.1 1
route inside 10.18.3.0 255.255.255.0 10.18.14.1 1
route inside 10.18.2.0 255.255.255.0 10.18.14.1 1
route inside 10.18.1.0 255.255.255.0 10.18.14.1 1
route inside 10.18.0.0 255.255.255.0 10.18.14.1 1
route inside 10.66.0.0 255.255.0.0 10.18.14.1 1
route inside 10.11.0.0 255.255.0.0 10.18.14.1 1
route inside 10.64.0.0 255.255.0.0 10.18.14.1 1
route inside 10.1.0.0 255.255.0.0 10.18.14.1 1
route inside 10.15.0.0 255.255.0.0 10.18.14.1 1
aaa-server my_authent_grp protocol nt
aaa-server my_authent_grp (inside) host 10.18.1.14
nt-auth-domain-controller dc04
aaa-server my_authent_grp (inside) host 10.18.1.15
nt-auth-domain-controller dc05
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
service resetoutside
crypto ipsec transform-set ny-trans esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-transform4 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2 vpn-transform1 vpn-transform3 vpn-transform4
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 20 match address test-vpn
crypto map vpn-ra-map 20 set peer 75.x.x.28
crypto map vpn-ra-map 20 set transform-set vpn-transform2 vpn-transform1 vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 28800
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 20
crypto isakmp reload-wait
client-update enable
group-policy 75.x.x.28 internal
group-policy 75.x.x.28 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
ip-comp enable
ipsec-udp enable
ipsec-udp-port 10000
tunnel-group 75.x.x.28 type ipsec-l2l
tunnel-group 75.x.x.28 general-attributes
default-group-policy 75.x.x.28
tunnel-group 75.x.x.28 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
I tried to remove all the other non-related bits.
Thanks
Scott
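An added example, not part of the thread and not code from either poster: a script that cross-checks the two `show ipsec sa` outputs posted above. It pairs each SA with the peer's SA whose local/remote proxy identities are mirrored, confirms that the PIX's outbound SPI 0x7631b778 is the ASA's inbound SPI and vice versa, and reads the encaps/decaps counters to say which direction carries traffic. On the posted output the PIX shows 1748 encaps and the ASA 1942 decaps for the 10.18.1.0/24 flow while the ASA's encaps stays at 0, and for the 10.18.5.0/24 flow the ASA holds SAs that the PIX does not list. The sample text is trimmed from the posted output; test-fw and vpn are the prompts shown in the post.

```python
"""Cross-check 'show ipsec sa' from both ends of a LAN-to-LAN tunnel.

Added example (not from the thread). Each SA on one peer is paired with the SA
on the other peer whose local/remote proxy identities are swapped; the SPIs must
line up (our outbound SPI is their inbound SPI) and the encaps/decaps counters
show which direction actually carries traffic. Sample text is trimmed from the
PIX 501 (test-fw) and ASA 5520 (vpn) output posted above.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Sa:
    name: str                 # firewall the output came from
    local: str = ""           # local proxy identity, addr/mask
    remote: str = ""
    encaps: int = 0
    decaps: int = 0
    in_spis: list[int] = field(default_factory=list)
    out_spis: list[int] = field(default_factory=list)

_IDENT = re.compile(r"^(local|remote) ident .*?: \(([\d.]+/[\d.]+)/")
_PKTS = re.compile(r"^#pkts (encaps|decaps): (\d+)")
_SPI = re.compile(r"^spi: 0x([0-9A-Fa-f]+)")   # 'current outbound spi' does not match
_SECTION = {"inbound esp sas:": "in_spis", "outbound esp sas:": "out_spis",
            "inbound ah sas:": None, "inbound pcp sas:": None,
            "outbound ah sas:": None, "outbound pcp sas:": None}

def parse_show_ipsec_sa(name: str, text: str) -> list[Sa]:
    """One Sa per 'local ident' block; SPIs bucketed by the ESP section they sit in."""
    sas, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _IDENT.match(line):
            if m.group(1) == "local":
                cur, section = Sa(name), None
                sas.append(cur)
            if cur is not None:
                setattr(cur, m.group(1), m.group(2))
        elif cur is None:
            continue
        elif m := _PKTS.match(line):
            setattr(cur, m.group(1), int(m.group(2)))
        elif line in _SECTION:
            section = _SECTION[line]
        elif section and (m := _SPI.match(line)):
            getattr(cur, section).append(int(m.group(1), 16))
    return sas

def pair_and_diagnose(side_a: list[Sa], side_b: list[Sa]) -> dict[str, list[str]]:
    """Findings per flow seen from side A, keyed 'local -> remote'."""
    by_ident = {(b.remote, b.local): b for b in side_b}
    findings = {}
    for a in side_a:
        key = f"{a.local} -> {a.remote}"
        b = by_ident.get((a.local, a.remote))
        if b is None:
            findings[key] = ["no SA with mirrored proxy identities on the other peer"]
            continue
        notes = []
        if set(a.out_spis) != set(b.in_spis) or set(a.in_spis) != set(b.out_spis):
            notes.append("SPIs disagree: the peers do not hold the same SAs")
        for src, dst in ((a, b), (b, a)):
            if src.encaps == 0:
                notes.append(f"{src.name} has encrypted nothing toward {dst.name}")
            elif dst.decaps == 0:
                notes.append(f"{src.name} encrypts but {dst.name} decrypts nothing")
        findings[key] = notes or ["both directions carry traffic and SPIs match"]
    return findings

# Trimmed from the posted output. PIX 6.3 writes '#pkts digest N', ASA 7.x 'digest: N'.
PIX_SHOW = """
local ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.18.1.0/255.255.255.0/0/0)
#pkts encaps: 1748, #pkts encrypt: 1748, #pkts digest 1748
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 7631b778
inbound esp sas:
spi: 0x38a1f0f(59383567)
inbound ah sas:
outbound esp sas:
spi: 0x7631b778(1982969720)
local ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.18.5.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""
ASA_SHOW = """
local ident (addr/mask/prot/port): (10.18.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1942, #pkts decrypt: 1942, #pkts verify: 1942
inbound esp sas:
spi: 0x7631B778 (1982969720)
outbound esp sas:
spi: 0x038A1F0F (59383567)
local ident (addr/mask/prot/port): (10.18.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.18.15.128/255.255.255.240/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
inbound esp sas:
spi: 0x01E9D9E2 (32102882)
outbound esp sas:
spi: 0x75F7C1A5 (1979171237)
"""

if __name__ == "__main__":
    for flow, notes in pair_and_diagnose(parse_show_ipsec_sa("test-fw", PIX_SHOW),
                                         parse_show_ipsec_sa("vpn", ASA_SHOW)).items():
        print(flow, "\n  " + "\n  ".join(notes))
```

Counters on the two sides are read at different moments and are not expected to be equal; what matters is a zero on one side while the opposite direction is non-zero, which points at the peer whose crypto map never sees the traffic.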
----- Original Message -----
From: "Ryan West" <rwest at zyedge.com>
To: "Scott Granados" <gsgranados at comcast.net>; <cisco-nsp at puck.nether.net>
Sent: Saturday, October 17, 2009 5:36 PM
Subject: RE: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Scott,
Can you post your 'show ipsec sa' and 'show isakmp sa' output on both firewalls, as well as 'show nat' and the associated nat 0 entries? Also please post the contents of the 4 transforms on the ASA as well as the transforms on the PIX.
-ryan
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Saturday, October 17, 2009 8:23 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 > Pix 501, NO_ERR_NO_TRANS error on VPN tunnel
Hi, I'm having the following problem.
I have an ASA5520 running ASA724-33-k8 and a Pix 501 running 6.3. I have the following on the ASA:
access-list test-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.128 255.255.255.240
access-list test-vpn extended permit ip 10.18.1.0 255.255.255.0 10.18.15.128 255.255.255.240
crypto map vpn-ra-map 20 match test-vpn
crypto map vpn-ra-map 20 peer 75.x.x.28
crypto map vpn-ra-map 20 transform vpn-transform1 vpn-transform2 vpn-transform3 vpn-transform4
crypto map vpn-ra-map 20 reverse-route
The transforms are simply aes and aes-256, des and 3des, each with an md5 or sha hash.
ISAKMP policies exist and match as well.
on the pix
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.0.0 255.255.255.0
access-list test-vpn permit ip 10.18.15.128 255.255.255.240 10.18.1.0 255.255.255.0
crypto map map1 match test-vpn
crypto map map1 interface outside
crypto map map1 peer 206.x.x.232
isakmp policy 20 preshare
isakmp policy 20 group 2
isakmp policy 20 encrypt aes-256
isakmp policy 20 hash sha
isakmp policy 20 life 28800
A show isakmp sa and show crypto ipsec on both sides seem to show a tunnel up. With a debug crypto isakmp and debug crypto ipsec on the PIX 501 I keep getting
IKMP_NO_ERR_NO_TRANS
The 5520 side shows a tunnel active and the PIX a tunnel idle.
Pings or traffic of any form can't traverse the tunnel. What have I missed?
Any pointers would be appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/