batsonaMaryland join:2004-04-17 Ellicott City, MD |
[Config] Two IPSEC tunnels, one Crypto-map...Greetings;
I've got an ASA 5505 on my hands, with the enterprise license. In the example above, VPN "22" tunnel is up & passes traffic just fine. VPN "11" won't come up. I think I'm missing something. Is it related to the two lines at the bottom?
crypto map MyVPN 11 match address toVPN-A
crypto map MyVPN 11 set pfs
crypto map MyVPN 11 set peer VPN-A_Peer
crypto map MyVPN 11 set transform-set ESP-3DES-MD5
-----------------------------------------------
crypto map MyVPN 22 match address toVPN-B
crypto map MyVPN 22 set pfs
crypto map MyVPN 22 set peer VPN-B_Peer
crypto map MyVPN 22 set transform-set ESP-DES-MD5
crypto map MyVPN interface outside
crypto isakmp policy 22
crypto isakmp nat-traversal 22 |
|
|
Can we have the full config -- minus passwords / sensitive information -- to review?
Regards |
|
batsonaMaryland join:2004-04-17 Ellicott City, MD |
Here is the sanitized config...
PuTTY log 2013.11.05 14:00:23
DASS-VPN#
DASS-VPN# show run
: Saved
:
ASA Version 8.2(1)
!
hostname DASS-VPN
domain-name dass
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.115 Forestville_FTP1
name 192.168.6.116 Forestville_FTP2
name 192.168.4.160 Forestville-FTP
name 15.16.17.18 Forestville_PEER
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.28.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.189.157 255.255.254.0
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan4
 nameif LEO-GEO
 security-level 80
 ip address 192.168.29.1 255.255.255.0
!
interface Vlan5
 nameif EXT-FTP
 security-level 70
 ip address 192.168.27.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
!
banner login ....................
banner login ................
banner login ...............
!
banner motd ...............
banner motd ...............
banner motd ...............
ftp mode passive
dns server-group DefaultDNS
 domain-name dass
access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list toForestville extended permit ip host 182.168.28.74 host Forestville-FTP
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data
access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo
access-list Forestville_vpn_filter extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 eq ftp host 192.168.28.72
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 eq ftp host 192.168.28.72
access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)
access-list outside_access_in extended permit tcp any host 172.16.189.157 eq https log
access-list DMZ_access_in remark Allows traffic inbound from frame-relay
access-list DMZ_access_in extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in remark Allows traffic into ASA from Inside
access-list inside_access_in extended permit tcp host 192.168.28.74 host Forestville-FTP eq ftp
access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list FTP-test remark For testing FTP packets
access-list FTP-test extended permit tcp host 192.168.28.72 host Forestville-FTP
access-list NEO-GEO-in remark allows traffic out of NEO-GEO net
access-list NEO-GEO-in extended permit udp any host 172.16.244.173 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.50.17 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.10.134 eq domain
access-list NEO-GEO-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended deny ip any 192.168.28.0 255.255.255.0
access-list NEO-GEO-in extended permit ip any any
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
access-list EXT-FTP-in extended permit ip any any
access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 172.16.195.171
logging host outside 172.16.167.138
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu LEO-GEO 1500
mtu EXT-FTP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exclude_from_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (LEO-GEO) 0 access-list LUT-no-nat
nat (LEO-GEO) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.28.72 https netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group NEO-GEO-in in interface LEO-GEO
access-group EXT-FTP-in in interface EXT-FTP
route outside 0.0.0.0 0.0.0.0 172.16.188.1 1
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 65000
http 192.168.28.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map DassVPN 500 match address toForestville
crypto map DassVPN 500 set pfs
crypto map DassVPN 500 set peer Forestville_PEER
crypto map DassVPN 500 set transform-set ESP-3DES-MD5
crypto map DassVPN 1000 match address toTSI
crypto map DassVPN 1000 set pfs
crypto map DassVPN 1000 set peer 12.13.14.15
crypto map DassVPN 1000 set transform-set ESP-DES-MD5
crypto map DassVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1000
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1000
telnet timeout 60
ssh 192.168.28.0 255.255.255.0 inside
ssh Comcast-IP 255.255.255.255 outside
ssh 172.16.166.209 255.255.255.255 outside
ssh 172.16.167.110 255.255.255.255 outside
ssh timeout 60
console timeout 60
dhcpd ping_timeout 750
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.28.50 source inside prefer
tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt
webvpn
group-policy ForestvillePolicy internal
group-policy ForestvillePolicy attributes
 vpn-filter value Forestville_vpn_filter
 vpn-tunnel-protocol IPSec
group-policy TSIPolicy internal
group-policy TSIPolicy attributes
 vpn-filter value tsi_policy
 vpn-tunnel-protocol IPSec
username admin password .ti4neGRW24q84lH encrypted privilege 15
tunnel-group 12.13.14.15 type ipsec-l2l
tunnel-group 12.13.14.15 general-attributes
 default-group-policy TSIPolicy
tunnel-group 12.13.14.15 ipsec-attributes
 pre-shared-key ********
tunnel-group Forestville_PEER type ipsec-l2l
tunnel-group Forestville_PEER general-attributes
 default-group-policy ForestvillePolicy
tunnel-group Forestville_PEER ipsec-attributes
 pre-shared-key ********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8ac13d60ba239ace8a3653930959ed8
: end
DASS-VPN# |
|
|
to batsona
Don't seem to see crypto map MyVPN 11 or 22 in your sanitized config... or am I missing something? Or is it in actuality your crypto map DassVPN I should be looking at?
Regards |
|
|
batsonaMaryland join:2004-04-17 Ellicott City, MD |
Yep, "DassVPN" is the crypto map. The entries for priority 1000 are working OK, and the one for 500 isn't working. |
|
PaulgDisplaced Yooper Premium Member join:2004-03-15 Neenah, WI |
2013-Nov-7 4:50 pm
'debug crypto ipsec 200' should give you some good troubleshooting information.
Also - 'sh crypto isakmp sa' will tell you what state the phase 1 connection is in. |
|
batsonaMaryland join:2004-04-17 Ellicott City, MD |
Output of show crypto isakmp sa:
DASS-VPN# show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 12.13.14.15
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
DASS-VPN#
=====output from debug crypto isakmp 200============
The only output I saw on IKE, was keepalives back and forth, involving the TSI VPN remote peer, 12.13.14.15. I didn't see any entries for the Forestville VPN peer, 15.16.17.18 at all.
================================= |
|
PaulgDisplaced Yooper Premium Member join:2004-03-15 Neenah, WI |
2013-Nov-8 11:10 am
Are you generating interesting traffic that matches the ACL and the NAT exemption ACL? |
|
batsonaMaryland join:2004-04-17 Ellicott City, MD |
The config line: crypto map DassVPN 500 match address toForestville
refers to an ACL, "toForestville", which allows traffic from the inside network to pass into the IPSEC tunnel. Now the next complication.. Apparently static routes 'trump' this ACL, because I have a static route that's directing the traffic over a frame-relay connection that's connected on interface "DMZ" right now, and I know it's working. SO.... It looks like the static route is grabbing the traffic. So, one thing at a time -- let's see if we can get the tunnel to come up. --shall I just temporarily delete the static route in order for traffic to be 'sucked into' the tunnel by virtue of the "toForestville" ACL? |
|
PaulgDisplaced Yooper Premium Member join:2004-03-15 Neenah, WI |
2013-Nov-8 1:01 pm
Are you trying to set this up as a secondary connection to the frame relay? |
|
batsonaMaryland join:2004-04-17 Ellicott City, MD |
Actually I'm trying to do it the other way 'round. I'd like the IPSEC tunnel to be the primary path, and the frame-relay to be the secondary path. But: the order in which I'm testing these paths doesn't have any bearing on the order of precedence in which they'll be used. Can I set a different cost on a static route that causes it to be considered 'after' the ACL that sucks traffic into the IPSEC tunnel? |
|
batsona |
to Paulg
Right now I'm having difficulty deciding on what syntax to use to route packets into the IPSEC tunnel. When using a regular routing statement, do I use the remote PEER for ISAKMP as the next-hop gateway, or use the Outside interface's next-hop gateway? (IPSEC tunnel is terminated on the Outside interface...) |
|
batsona |
to Paulg
Now the big question... if I route traffic into the IPSEC tunnel by sending it to the 172.16.188.1 gateway (on the Outside Interface), will this static route be deleted from the routing table when the tunnel goes down?
I need the ASA to detect a failure of the IPSEC tunnel, then use the higher-cost route over the frame-relay. In other words, I need it to act like a router --- when a path goes away, delete the route for it, until that path returns.... |
|
|
In my limited but recent experience of VTI tunnels, when the tunnel goes down the route disappears from the routing table. This was repeatable on 1841, 887 and 2901 series routers with current IOS versions. |
|
PaulgDisplaced Yooper Premium Member join:2004-03-15 Neenah, WI |
to batsona
I'm not confident an ASA will behave the same way. It is not a router by any stretch of the imagination. |
|
batsonaMaryland join:2004-04-17 Ellicott City, MD |
OP here: I've got the same thread going over on the Cisco Forums website, and an expert there said that a static route that points traffic into the tunnel will NOT go away when the tunnel goes down (boooo!!!!!) The tunnel itself is not a 'named interface' (like it is in Juniper JunOS), so I can't reference the tunnel itself, in routing statements. They said the only way to dynamically determine when to route traffic over the IPSEC tunnel or not, is to set up a 'tracked object', and associate it with a static route. --when the tracked object goes away, the route will go away too. |
|
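As an added example (not from any of the posters or the Cisco forum expert), this is how the "tracked object tied to a static route" idea from the last post, and the primary-IPsec / secondary-frame-relay requirement from earlier in the thread, is expressed in ASA 8.x syntax: an SLA probe pings a host on the far side of the tunnel, a track object follows the probe's reachability, and the tunnel-facing route is installed only while the track is up, so the higher-metric frame-relay route takes over when it goes down. The host, interface names and gateways reuse the sanitized values from the posted config; the SLA id (10), track id (1), timers and metrics are arbitrary choices.

```cisco
! Added example: tracked static route on ASA 8.2 (not from the thread).
! Probe Forestville_FTP1 (192.168.6.115), which sits behind the IPsec peer,
! from the outside interface every 5 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.6.115 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object 1 is "up" while the probe receives replies.
track 1 rtr 10 reachability
!
! Primary path: send the far-side host toward the outside gateway, where the
! crypto map (match address toForestville) picks it up, but only while
! track 1 is up. When the probe fails the route is withdrawn automatically.
route outside 192.168.6.115 255.255.255.255 172.16.188.1 1 track 1
!
! Backup path: same destination over the frame-relay circuit on DMZ with a
! worse metric, so it is used only when the tracked route is absent.
route DMZ 192.168.6.115 255.255.255.255 192.168.1.1 254
```

The probe only reflects tunnel health if the remote peer will answer it: the ASA sources the echo from its outside address, so that source/destination pair has to be covered by the crypto ACL on both ends (the posted toForestville ACL covers inside hosts only), otherwise the probe fails even while the tunnel is fine. Verify with `show track 1` and `show route` that the tracked route appears and disappears as expected before relying on it.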