firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: asa 5505 vpn ipsec l2l problem (Hrvoje Popovski)
----------------------------------------------------------------------
Message: 1
Date: Sat, 03 Oct 2009 14:38:47 +0200
From: Hrvoje Popovski <hrvoje@srce.hr>
Subject: Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4AC745D7.2030605@srce.hr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> If you're not seeing IPsec build the tunnel with debug crypto, I would
> guess that traffic is getting NAT'd out, and not hitting the tunnel (by
> the way, you probably only need debug crypto ipsec 5, not 100...)
>
>
> Do you have NAT setup on the 5505? If you do, do you have a NAT exclude
> ACL setup that excludes "your device networks -> remote device networks"?
>
> --
> Eric
>
Hello everyone,
First, thanks to everyone who replied to my post.
I can't establish an SA; the crypto ACL is the same on both ends, well, they
tell me so. I can't see the config on the other side, but maybe from the log
that I can see on my ASA I think the problem is on my side. I really don't know;
maybe the problem is in the licence (10 inside hosts), but I have only 2 inside
hosts (192.168.11.11 and 11.12).
I will try to apply the crypto ACL with an ip rule and see what happens.
---------------------------------
log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
debug crypto engine, ipsec 127 and ipsec 127 gave me nothing
---------------------------------
my asa:
ciscoasa# sh crypto isakmp sa
There are no isakmp sas
ciscoasa# sh crypto ipsec sa
There are no ipsec sas
---------------------------------
my asa - 22.22.22.22
other asa - 33.33.33.33
-----------------------------------------------
config on 33.33.33.33 asa:
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12
transform-set esp-3des esp-md5-hmac
isakmp key * address 22.22.22.22 netmask 255.255.255.255 no-xauth no-config-mode
This is all the information that I know.
-------------------------------------------------
Here is my config - 22.22.22.22 ASA:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.11.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 10
ip address 22.22.22.22 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.11 host 10.1.110.250
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.13
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.100.105
access-list NoNAT extended permit ip host 192.168.11.12 host 10.1.110.250
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list NoNAT
static (inside,outside) 192.168.113.11 192.168.11.11 netmask 255.255.255.255
static (inside,outside) 192.168.113.12 192.168.11.12 netmask 255.255.255.255
*I need this static NAT, but not for now*
route inside 192.168.10.0 255.255.255.0 192.168.11.1 1
route outside 0.0.0.0 0.0.0.0 22.22.22.1 1
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map abcMap 1 match address ACL1
crypto map abcMap 1 set peer 33.33.33.33
crypto map abcMap 1 set transform-set ESP-3DES-MD5
crypto map abcMap 1 set security-association lifetime seconds 3600
crypto map abcMap 1 set security-association lifetime kilobytes 2560
crypto map abcMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
ntp server 192.168.10.2
ntp server 192.168.10.3
ssl encryption des-sha1
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 10
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:ad3bf9e8fef81844b866e79c1b0c8e2f
: end
--
/hrvoje
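Both messages above turn on whether the crypto ACLs on the two peers are exact mirrors of each other, which Hrvoje can only take the far side's word for. As an added example that is not part of the original thread, the Python script below parses the host-to-host ACEs quoted above (it assumes only the `host ... [eq port]` forms seen on this page) and reports any entry whose mirror is missing on the other side; for the lines as posted it finds none.

```python
"""Check that two ASA crypto ACLs mirror each other (added example, not from the post).
The ACE lines below are copied from the thread: ACL1 on 22.22.22.22, acl1 on 33.33.33.33."""
import re
# Host-to-host permit ACEs with an optional "eq <port>" on either side; the
# "extended" keyword is optional (ASA 7.x prints it, the older syntax omits it).
_ACE = re.compile(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+(?P<proto>\S+)\s+"
                  r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
                  r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$")

def parse_aces(text):
    """Return a set of (proto, src, sport, dst, dport); a missing port is None."""
    aces = set()
    for line in text.strip().splitlines():
        m = _ACE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line!r}")
        aces.add((m["proto"], m["src"], m["sport"], m["dst"], m["dport"]))
    return aces

def mirror(ace):
    """The ACE the peer must carry: source and destination (with their ports) swapped."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def unmirrored(local, remote):
    """ACEs on each side that have no mirrored counterpart on the other side."""
    return ({a for a in local if mirror(a) not in remote},
            {a for a in remote if mirror(a) not in local})

LOCAL_ACL1 = """access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list ACL1 extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data"""
REMOTE_ACL1 = """access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.11 eq ftp
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.11
access-list acl1 permit tcp host 10.1.100.13 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.110.250 eq 4000 host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp host 192.168.11.12
access-list acl1 permit tcp host 10.1.100.105 eq ftp-data host 192.168.11.12"""

if __name__ == "__main__":
    local_only, remote_only = unmirrored(parse_aces(LOCAL_ACL1), parse_aces(REMOTE_ACL1))
    print("22.22.22.22 only:", sorted(local_only, key=str))
    print("33.33.33.33 only:", sorted(remote_only, key=str))
```

An empty result only says the ACLs agree; it does not explain why no ISAKMP SA is ever built, so the NAT path Eric asks about still has to be checked separately.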
------------------------------
End of firewall-wizards Digest, Vol 42, Issue 5