[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Ryan West rwest at zyedge.com
Wed Sep 2 14:50:45 EDT 2009


Scott,

Ideally, you'll want to use a new ACE for each phase2 tunnel and even though you have a single crypto map L2L interesting traffic ACL, I would still separate them out.  For example, have an ACL called vpn_ny and ACL called inside_nonat, then as you add new partners, you'll have a new interesting ACL and a new addition to your nonat ACL.

As for versions, if the PIX is a 515, that is a scary upgrade and will most likely require someone onsite to upgrade it from the bootloader.  If it's a 515E, the upgrade can be completed with a lot less risk.  Either option requires a minimum memory upgrade to 64 Meg.  We have a lot of luck with 7.2.4(33) interim release.

-ryan

-----Original Message-----
From: Scott Granados [mailto:gsgranados at comcast.net] 
Sent: Wednesday, September 02, 2009 1:44 PM
To: Michael K. Smith - Adhost; Ryan West; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Hi Mike, to follow up on this, I do have existing clients working now.  For 
the nonat rule would I create a separate ACL for each target or would a 
basic acl like I use for the split tunneling do the trick?

either
access-list ny-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
or would
access-list nonat standard permit 10.18.0.0 255.255.255.0

I have several different targets so how would one define that or is the 
standard ACL enough?

Thanks for the pointers!
Scott

----- Original Message ----- 
From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
To: "Scott Granados" <gsgranados at comcast.net>; "Ryan West" 
<rwest at zyedge.com>; <cisco-nsp at puck.nether.net>
Sent: Wednesday, September 02, 2009 10:33 AM
Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel


Hello Ryan:

Without the no-nat on the ASA side it will try to NAT the traffic before
putting it down the tunnel.  So, your remote side is looking for the
10. addresses, but it's going to see traffic coming from the static
outside, NAT'd address.  Thus, the tunnel won't come up because your
proposals don't match.

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Wednesday, September 02, 2009 9:45 AM
To: Ryan West; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Hi, so right now my Pix in the field is pointing at a VPN 3000 so I can't
take that path down until after hours but I will to capture the debug data.

A show ver on the asa shows device manager V5.0.7

The field pix shows V6.3
I have access to both ends so updating the firmware is definitely an option.
Any suggested version?

On the ASA side I do not have a no nat statement at all.  I never configured
NAT because this device isn't being used for any features other than a VPN
access device with split tunneling enabled for the clients.
On the NY pix side the nat config and acl are as follows.

global (outside) 1 208.x.x.100-208.x.x.115 netmask 255.255.255.224
global (outside) 1 208.x.x.99 netmask 255.255.255.224
nat (inside) 0 access-list vpn-1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0

Thanks
Scott

----- Original Message ----- 
From: "Ryan West" <rwest at zyedge.com>
To: "Scott Granados" <gsgranados at comcast.net>;
<cisco-nsp at puck.nether.net>
Sent: Wednesday, September 02, 2009 6:15 AM
Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel


Scott,

Can you provide debugs from the ASA, code versions on both devices and your
associated no-nat ACLs?

Assuming you have nothing else logging to monitor, you can enable 'logging
class vpn monitor debug' and throw up a term mon to gather inbound messages
to the ASA from the PIX side.  You can gather the information on the PIX
with a debug cry isa 2 and then initiate interesting traffic from the ASA
using the following, the more valuable information will be on the receiving
end.  It really doesn't matter which side you enable as the receiver, but I
try to stay away from pre 7.x code on the PIXes.

packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed

Phase: 10 or 11 should be subtype encrypt.  If it fails the first time, run
it again, the negotiation process causes the first packet to fail as the
tunnel is being brought.  This type of traffic will also give you your debug
information and help you figure out where the failure is.

-ryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Tuesday, September 01, 2009 8:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Hi, I have a Pix out in the field and an ASA5520 that I'm trying to
configure to pass L2L traffic.  I keep getting an error that says
IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
ip=a.b.c.d unable to remove peer table entry

What am I doing wrong?

Here are the important config bits

asa-5520
crypto map
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside

ISAKMP

isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp nat-traversal  20
isakmp reload-wait

and the acl
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192

TUNNEL GROUP

tunnel-group 208.37.161.98 type ipsec-l2l
tunnel-group 208.37.161.98 general-attributes
tunnel-group 208.37.161.98 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

PIX

CRYPTO MAP and ISAKMP

crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address vpn-1
crypto map map1 10 set peer vpnc
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key * address vpnc netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

ACL
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0

(note on the ASA I use individual /24's and shortened the ACL for ease of
reading.  I do this to exclude 10.18.14.0/24 from the tunnels since that
houses the ASA's inside interface and client access)

Any pointers would be appreciated.

Thanks
Scott

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
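
Added example (not part of the original thread): a Python check of whether the two ends share an ISAKMP phase 1 policy, run over the policy lines posted above. The function names are made up for this example, and lifetime is left out of the comparison.

```python
import re

# Constructed input: ISAKMP policy lines copied from the two configs in the
# thread. Lifetime lines are omitted; only the four parameters that must be
# identical on both peers are compared. "aes" with no suffix is 128-bit AES.
ASA_CFG = """\
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
"""
PIX_CFG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
FIELDS = ("authentication", "encryption", "hash", "group")
LINE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$", re.M)

def proposals(cfg):
    """Return {priority: (authentication, encryption, hash, group)}."""
    raw = {}
    for prio, key, value in LINE.findall(cfg):
        if key in FIELDS:
            raw.setdefault(int(prio), {})[key] = value
    return {p: tuple(v.get(f) for f in FIELDS) for p, v in raw.items()}

def common_proposals(cfg_a, cfg_b):
    """Pairs of policy priorities whose four parameters are identical."""
    a, b = proposals(cfg_a), proposals(cfg_b)
    return sorted((pa, pb) for pa in a for pb in b if a[pa] == b[pb])

if __name__ == "__main__":
    print("common phase 1 proposals:", common_proposals(ASA_CFG, PIX_CFG))
```

An empty result means neither side offers a policy the other can accept, so the check is worth running before looking at phase 2.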
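
Added example (not part of the original thread): a Python check that the two crypto ACLs posted above are exact mirrors of each other, since the phase 2 proxy identities are taken from them. The function names are made up for this example; the ACL lines are copied from the thread with wrapped lines rejoined.

```python
import ipaddress

# Constructed input: crypto ACL lines from the thread, wrapped lines rejoined.
ASA_ACL = """\
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
"""
PIX_ACL = """\
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
"""

def selectors(acl):
    """Parse 'permit ip <src> <mask> <dst> <mask>' lines into (src, dst) networks."""
    out = set()
    for line in acl.splitlines():
        words = line.split()
        if "permit" not in words:
            continue
        src, smask, dst, dmask = words[words.index("ip") + 1:][:4]
        out.add((ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
    return out

def _fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)

def mirror_diff(local_acl, remote_acl):
    """Local entries the remote does not mirror, and remote entries (shown
    with src/dst swapped into local orientation) that the local side lacks."""
    local = selectors(local_acl)
    mirrored = {(dst, src) for src, dst in selectors(remote_acl)}
    return _fmt(local - mirrored), _fmt(mirrored - local)

if __name__ == "__main__":
    print(mirror_diff(ASA_ACL, PIX_ACL))
```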
