I am having trouble setting up a second VPN tunnel from my Cisco ASA 5510. When I run the packet tracer I don't see the packet going through a NAT exempt stage nor a VPN lookup stage. The first tunnel is up and running fine with a Watchguard on one end. This second tunnel is to a PIX (unknown model or version).
Any ideas you guys have would be appreciated.
Here is my network schema:
Local side: inside network 10.10.10.0/24, inside if 10.10.10.1, outside if 8.8.8.8
First VPN tunnel: inside network 10.0.40.0/24, inside if 10.0.40.1, outside if 74.128.54.15
Second VPN tunnel: inside network 10.1.0.160/27, inside if unknown, outside if 63.74.224.5
Here is my running-config:
: Saved
:
ASA Version 7.2(1)
!
hostname asa1
domain-name domain.com
enable password xxxxxxxxxx encrypted
names
name 10.10.10.52 sub1
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.224 standby 8.8.8.9
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Ethernet0/2
description LAN Failover Interface
!
interface Ethernet0/3
description STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
management-only
!
passwd xxxxxxxxxxxxx encrypted
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
banner motd This is a private system. If you are not
banner motd authorized to access this system,
banner motd LOG OFF NOW!
banner motd ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name domain.com
object-group service httpANDhttps tcp
description Both port 80 and 443
port-object eq https
port-object eq www
object-group service PASVports tcp
description ports 50000-51000
port-object range 50000 50100
--cut-- other access-list items here
access-list inside_access_in extended permit ip any any
access-list watchguard extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 10.1.0.160 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging trap emergencies
logging asdm informational
logging from-address CiscoASA@domain.com
logging recipient-address brad@domain.com level alerts
logging host inside int-logging 6/1470
logging class vpn trap emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface LANfailover Ethernet0/2
failover key *****
failover replication http
failover mac address Ethernet0/0 xxxx.abcd.xxx1 xxxx.abcd.xxx2
failover mac address Ethernet0/1 xxxx.abcd.xxx3 xxxx.abcd.xxx4
failover link Statefailover Ethernet0/3
failover interface ip LANfailover 192.168.1.25 255.255.255.252 standby 192.168.1.26
failover interface ip Statefailover 192.168.1.49 255.255.255.252 standby 192.168.1.50
no monitor-interface management
icmp permit 10.10.10.0 255.255.255.0 inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list watchguard
nat (inside) 101 0.0.0.0 0.0.0.0
--cut-- -- static nats here --
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 8.8.8.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
--cut-- snmp entries here
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set firebox esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Client-3DES-MD5 esp-3des esp-md5-hmac
crypto map watchguardmap 1 match address outside_cryptomap_1
crypto map watchguardmap 1 set peer 63.74.224.5
crypto map watchguardmap 1 set transform-set Client-3DES-MD5
crypto map watchguardmap 1 set security-association lifetime seconds 86400
crypto map watchguardmap 10 match address watchguard
crypto map watchguardmap 10 set pfs
crypto map watchguardmap 10 set peer 74.128.54.15
crypto map watchguardmap 10 set transform-set firebox
crypto map watchguardmap 10 set security-association lifetime seconds 2592000
crypto map watchguardmap 10 set security-association lifetime kilobytes 2147483647
crypto map watchguardmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2592000
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 74.128.54.15 type ipsec-l2l
tunnel-group 74.128.54.15 ipsec-attributes
pre-shared-key *
tunnel-group 63.74.224.5 type ipsec-l2l
tunnel-group 63.74.224.5 ipsec-attributes
pre-shared-key *
no tunnel-group-map enable ou
telnet int-vpn 255.255.255.255 inside
telnet timeout 5
ssh int-vpn 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.20-192.168.1.25 management
dhcpd enable management
!
!
!
ntp server 206.246.118.250 source outside
smtp-server 10.10.10.50
prompt hostname context
Cryptochecksum:19372
: end
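The NAT-exemption fix for a two-tunnel setup like the one posted, as an added example (this is not the original poster's config and not a reply from the thread). On ASA 7.2 the `nat (inside) 0 access-list` command takes exactly one ACL, and the posted config binds it to `watchguard` only; traffic for 10.1.0.160/27 therefore falls through to `nat (inside) 101` and gets PAT'd, so it never matches crypto map entry 1 and `packet-tracer` shows no NAT-EXEMPT or VPN phase. The ACL names, networks and peers below are taken from the posted config; the `packet-tracer` source 10.10.10.52 (`sub1`) and destination 10.1.0.170 are assumed test hosts.

```cisco
! Added example: merge both tunnels' identity-NAT rules into ONE ACL.
! The posted "inside_nat0_outbound" already contains the 10.1.0.160/27 entry,
! so only the Watchguard network has to be added to it.
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.0.40.0 255.255.255.0
!
! Point NAT exemption at the merged list. This replaces the existing
! "nat (inside) 0 access-list watchguard" line (only one ACL is accepted).
nat (inside) 0 access-list inside_nat0_outbound
!
! Existing translations built before the change still hold the old PAT
! mapping; clear them so new flows are re-evaluated against nat 0.
clear xlate
!
! The crypto map entries need no change: entry 1 matches outside_cryptomap_1
! (10.10.10.0/24 <-> 10.1.0.160/27, peer 63.74.224.5) and entry 10 matches
! "watchguard" (10.10.10.0/24 <-> 10.0.40.0/24, peer 74.128.54.15).
!
! Verification (assumed hosts: sub1 = 10.10.10.52, 10.1.0.170 in the remote /27).
! The trace should now list a NAT-EXEMPT phase followed by a VPN phase.
packet-tracer input inside tcp 10.10.10.52 1234 10.1.0.170 80 detailed
show crypto isakmp sa
show crypto ipsec sa peer 63.74.224.5
```

Two smaller points visible in the same config: `outside_30_cryptomap` duplicates `outside_cryptomap_1` and is referenced by no crypto map entry, so it can be removed to avoid confusion, and the PIX side must offer 3DES/MD5 for both phases (ISAKMP policy 30 and transform-set `Client-3DES-MD5`) for entry 1 to negotiate once traffic actually reaches the crypto map.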