[Config] Two IPSEC tunnels, one Crypto-map...

batsona (Member, Ellicott City, MD, joined 2004-04-17):

Greetings;

I've got an ASA 5505 on my hands, with the enterprise license. In the example above, VPN "22" tunnel is up & passes traffic just fine. VPN "11" won't come up. I think I'm missing something. Is it related to the two lines at the bottom?

crypto map MyVPN 11 match address toVPN-A
crypto map MyVPN 11 set pfs
crypto map MyVPN 11 set peer VPN-A_Peer
crypto map MyVPN 11 set transform-set ESP-3DES-MD5
-----------------------------------------------
crypto map MyVPN 22 match address toVPN-B
crypto map MyVPN 22 set pfs
crypto map MyVPN 22 set peer VPN-B_Peer
crypto map MyVPN 22 set transform-set ESP-DES-MD5
crypto map MyVPN interface outside

crypto isakmp policy 22

crypto isakmp nat-traversal 22

HELLFIRE (MVM, joined 2009-11-25):

Can we have the full config -- minus passwords / sensitive information -- to review?

Regards

batsona (Member):

Here is the sanitized config...

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.05 14:00:23 =~=~=~=~=~=~=~=~=~=~=~=

DASS-VPN#

DASS-VPN# show run
: Saved
:
ASA Version 8.2(1)
!
hostname DASS-VPN
domain-name dass
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.115 Forestville_FTP1
name 192.168.6.116 Forestville_FTP2
name 192.168.4.160 Forestville-FTP
name 15.16.17.18 Forestville_PEER
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.28.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.189.157 255.255.254.0
!
interface Vlan3
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 192.168.1.2 255.255.255.0
!
interface Vlan4
nameif LEO-GEO
security-level 80
ip address 192.168.29.1 255.255.255.0
!
interface Vlan5
nameif EXT-FTP
security-level 70
ip address 192.168.27.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!

interface Ethernet0/4
switchport access vlan 4
!
interface Ethernet0/5
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/6
switchport access vlan 5
!
interface Ethernet0/7
!
banner login ....................
banner login ................
banner login ...............
!
banner motd ...............
banner motd ...............
banner motd ...............
ftp mode passive
dns server-group DefaultDNS
domain-name dass
access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0

access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list toForestville extended permit ip host 182.168.28.74 host Forestville-FTP
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data
access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo
access-list Forestville_vpn_filter extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 eq ftp host 192.168.28.72
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 eq ftp host 192.168.28.72
access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)
access-list outside_access_in extended permit tcp any host 172.16.189.157 eq https log
access-list DMZ_access_in remark Allows traffic inbound from frame-relay
access-list DMZ_access_in extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any

access-list inside_access_in remark Allows traffic into ASA from Inside
access-list inside_access_in extended permit tcp host 192.168.28.74 host Forestville-FTP eq ftp
access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list FTP-test remark For testing FTP packets
access-list FTP-test extended permit tcp host 192.168.28.72 host Forestville-FTP
access-list NEO-GEO-in remark allows traffic out of NEO-GEO net
access-list NEO-GEO-in extended permit udp any host 172.16.244.173 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.50.17 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.10.134 eq domain
access-list NEO-GEO-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended deny ip any 192.168.28.0 255.255.255.0
access-list NEO-GEO-in extended permit ip any any
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
access-list EXT-FTP-in extended permit ip any any
access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
pager lines 24
logging enable
logging timestamp

logging monitor debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 172.16.195.171
logging host outside 172.16.167.138
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu LEO-GEO 1500
mtu EXT-FTP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exclude_from_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (LEO-GEO) 0 access-list LUT-no-nat
nat (LEO-GEO) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.28.72 https netmask 255.255.255.255 dns

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group NEO-GEO-in in interface LEO-GEO
access-group EXT-FTP-in in interface EXT-FTP
route outside 0.0.0.0 0.0.0.0 172.16.188.1 1
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 65000
http 192.168.28.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map DassVPN 500 match address toForestville
crypto map DassVPN 500 set pfs
crypto map DassVPN 500 set peer Forestville_PEER
crypto map DassVPN 500 set transform-set ESP-3DES-MD5
crypto map DassVPN 1000 match address toTSI
crypto map DassVPN 1000 set pfs
crypto map DassVPN 1000 set peer 12.13.14.15
crypto map DassVPN 1000 set transform-set ESP-DES-MD5
crypto map DassVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1000
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 1000
telnet timeout 60
ssh 192.168.28.0 255.255.255.0 inside

ssh Comcast-IP 255.255.255.255 outside
ssh 172.16.166.209 255.255.255.255 outside
ssh 172.16.167.110 255.255.255.255 outside
ssh timeout 60
console timeout 60
dhcpd ping_timeout 750
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.28.50 source inside prefer
tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt
webvpn
group-policy ForestvillePolicy internal
group-policy ForestvillePolicy attributes
vpn-filter value Forestville_vpn_filter
vpn-tunnel-protocol IPSec
group-policy TSIPolicy internal
group-policy TSIPolicy attributes
vpn-filter value tsi_policy
vpn-tunnel-protocol IPSec
username admin password .ti4neGRW24q84lH encrypted privilege 15

tunnel-group 12.13.14.15 type ipsec-l2l
tunnel-group 12.13.14.15 general-attributes
default-group-policy TSIPolicy
tunnel-group 12.13.14.15 ipsec-attributes
pre-shared-key ********
tunnel-group Forestville_PEER type ipsec-l2l
tunnel-group Forestville_PEER general-attributes
default-group-policy ForestvillePolicy
tunnel-group Forestville_PEER ipsec-attributes
pre-shared-key ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8ac13d60ba239ace8a3653930959ed8
: end

DASS-VPN#

HELLFIRE (MVM) to batsona:

Don't seem to see crypto map MyVPN 11 or 22 in your sanitized config... or am I missing something?
Or is it in actuality your crypto map DassVPN I should be looking at?

Regards

batsona (Member):

Yep, "DassVPN" is the crypto map. The entry for priority 1000 is working OK, and the one for 500 isn't working.

Paulg (Premium Member, Neenah, WI, joined 2004-03-15):

'debug crypto ipsec 200' should give you some good troubleshooting information.

Also - 'sh crypto isakmp sa' will tell you what state the phase 1 connection is in.

batsona (Member):

Output of show crypto isakmp sa:

DASS-VPN# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 12.13.14.15
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
DASS-VPN#

=====output from debug crypto isakmp 200============

The only output I saw on IKE, was keepalives back and forth, involving the TSI VPN remote peer, 12.13.14.15. I didn't see any entries for the Forestville VPN peer, 15.16.17.18 at all.

=================================

Paulg (Premium Member):

Are you generating interesting traffic that matches the ACL and the NAT exemption ACL?

batsona (Member):

The config line:
crypto map DassVPN 500 match address toForestville

refers to an ACL, "toForestville", which allows traffic from the inside network to pass into the IPSEC tunnel. Now the next complication: apparently static routes 'trump' this ACL, because I have a static route that's directing the traffic over a frame-relay connection that's connected on interface "DMZ" right now, and I know it's working. SO.... It looks like the static route is grabbing the traffic. So, one thing at a time -- let's see if we can get the tunnel to come up. Shall I just temporarily delete the static route in order for traffic to be 'sucked into' the tunnel by virtue of the "toForestville" ACL?
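A quick consistency check for Paulg's question above (does the traffic match both the crypto ACL and the NAT exemption ACL?) and for the static-route concern in this post, written as an added example that is not from the thread or from Cisco: it parses the host-to-host lines of the posted config excerpt (network/mask ACL lines are skipped, a simplification) and reports crypto-ACL pairs that have no nat 0 exemption or that a static host route sends out an interface other than the crypto map's. On the excerpt it flags the 182.168.28.74 entry in toForestville and the DMZ route for Forestville-FTP.

```python
import re
from collections import defaultdict

HOST_PAIR = re.compile(r"permit ip host (\S+) host (\S+)$")
# Constructed excerpt of the sanitized config posted above; aliases come from its "name" lines.
CONFIG = """\
name 192.168.6.115 Forestville_FTP1
name 192.168.4.160 Forestville-FTP
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list toForestville extended permit ip host 182.168.28.74 host Forestville-FTP
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP1
nat (inside) 0 access-list exclude_from_nat
crypto map DassVPN 500 match address toForestville
crypto map DassVPN interface outside
route outside 0.0.0.0 0.0.0.0 172.16.188.1 1
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1
"""

def parse(cfg):
    """Collect what a crypto map entry depends on; only host-to-host ACL lines are handled."""
    names, acls, nat0, maps, map_if, routes = {}, defaultdict(list), set(), {}, {}, []
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        if t[0] == "name":                       # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "access-list" and (m := HOST_PAIR.search(line)):
            acls[t[1]].append(tuple(names.get(x, x) for x in m.groups()))
        elif t[0] == "nat" and t[2] == "0":      # nat (<iface>) 0 access-list <acl>
            nat0.add(t[4])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            map_if[t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            maps[(t[2], t[3])] = t[6]
        elif t[0] == "route":                    # route <iface> <dst> <mask> <gw> [metric]
            routes.append((t[1], names.get(t[2], t[2])))
    return acls, nat0, maps, map_if, routes

def check(cfg):
    """One finding per crypto-ACL pair that lacks a nat 0 exemption or is shadowed by a static route."""
    acls, nat0, maps, map_if, routes = parse(cfg)
    exempt = {pair for acl in nat0 for pair in acls[acl]}
    findings = []
    for (cmap, seq), acl in maps.items():
        for src, dst in acls[acl]:
            if (src, dst) not in exempt:
                findings.append(f"{cmap} {seq}: {src}->{dst} ({acl}) has no nat 0 exemption")
            for iface, target in routes:
                if target == dst and iface != map_if.get(cmap):
                    findings.append(f"{cmap} {seq}: static route sends {dst} out {iface}, not {map_if.get(cmap)}")
    return findings
```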

Paulg (Premium Member):

Are you trying to set this up as a secondary connection to the frame relay?

batsona (Member):

Actually I'm trying to do it the other way 'round. I'd like the IPSEC tunnel to be the primary path, and the frame-relay to be the secondary path. But: the order in which I'm testing these paths doesn't have any bearing on the order of precedence in which they'll be used. Can I set a different cost on a static route that causes it to be considered 'after' the ACL that sucks traffic into the IPSEC tunnel?

batsona (Member) to Paulg:

Right now I'm having difficulty deciding on what syntax to use to route packets into the IPSEC tunnel. When using a regular routing statement, do I use the remote PEER for ISAKMP as the next-hop gateway, or use the Outside interface's next-hop gateway? (The IPSEC tunnel is terminated on the Outside interface...)

batsona (Member) to Paulg:

Now the big question... if I route traffic into the IPSEC tunnel by sending it to the 172.16.188.1 gateway (on the Outside Interface), will this static route be deleted from the routing table when the tunnel goes down?

I need the ASA to detect a failure of the IPSEC tunnel, then use the higher-cost route over the frame-relay. In other words, I need it to act like a router --- when a path goes away, delete the route for it, until that path returns....

markysharkey (Premium Member, united kingd, joined 2012-12-20):

In my limited but recent experience of VTI tunnels, when the tunnel goes down the route disappears from the routing table. This was repeatable on 1841, 887 and 2901 series routers with current IOS versions.

Paulg (Premium Member) to batsona:

I'm not confident an ASA will behave the same way. It is not a router by any stretch of the imagination.

batsona (Member):

OP here: I've got the same thread going over on the Cisco Forums website, and an expert there said that a static route that points traffic into the tunnel will NOT go away when the tunnel goes down (boooo!!!!!) The tunnel itself is not a 'named interface' (like it is in Juniper JunOS), so I can't reference the tunnel itself, in routing statements. They said the only way to dynamically determine when to route traffic over the IPSEC tunnel or not, is to set up a 'tracked object', and associate it with a static route. --when the tracked object goes away, the route will go away too.