Announcement

Collapse
No announcement yet.

Cisco site-to-site & Remote Access VPN on ASA / PIX

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Cisco site-to-site & Remote Access VPN on ASA / PIX

    Hi all,

    I would really appreciate any help on trying to solve this!

    I am have got some site to site VPNs running properly between a Cisco ASA 5520 and 857 routers, but have come unstuck when trying to add remote-access functionality onto the same ASA. The Cisco VPN Dialler connects to the ASA, both phases 1 and 2 complete, but the device can't access anything on the inside LAN.

    Due to the site to site VPN's being in production I have managed to replicate the same problems on an old PIX 515e with similar configuration.

    The message I appear to be getting from syslogging is:

    %PIX-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 10.0.100.2, Dst: 10.0.85.1

    I have googled this message, and tried various solutions (one found on this site) but to no avail. I even followed the Cisco guide to adding further site-to-site or remote accss VPN's to existing firewalls already configured with site-to-site VPN's.

    I have attached the config below from the demo PIX, I have been going round in circles with this one and just can't suss out whats wrong. I am guessing there will be something obvious I have overlooked!

    FYI - inside LAN is 10.0.100.0/23, outside LAN is 10.0.90.0/24, IP LOCAL POOL is: 10.0.85.0/24

    CONFIG:

    *********************

    !
    hostname pixfirewall
    enable password IzEj8ss2X5XVdHWh encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 10.0.90.1 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.0.100.68 255.255.254.0
    !
    boot system flash:/pix804.bin
    ftp mode passive
    object-group network SITE_TO_SITE_VPNS
    network-object 10.0.78.0 255.255.255.0
    network-object 10.0.79.0 255.255.255.0
    network-object 10.0.80.0 255.255.255.0
    network-object 10.0.85.0 255.255.255.0
    object-group network INSIDE_LAN
    description Inside Network Hosts
    network-object 10.0.100.0 255.255.254.0
    access-list INSIDE_ACCESS_TO_HW extended permit ip object-group INSIDE_LAN object-group SITE_TO_SITE_VPNS
    access-list INSIDE_ACCESS_OUT extended permit ip object-group INSIDE_LAN any
    access-list OUTSIDE_ACCESS_IN extended permit ip 10.1.1.0 255.255.255.0 object-group INSIDE_LAN
    access-list remote_access_split_tunnel standard permit 10.0.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging trap debugging
    logging host inside 10.0.100.104
    mtu outside 1500
    mtu inside 1500
    ip local pool DHCP_SCOPE 10.0.85.1-10.0.85.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list INSIDE_ACCESS_TO_HW
    nat (inside) 1 10.0.100.0 255.255.254.0
    access-group OUTSIDE_ACCESS_IN in interface outside
    route outside 0.0.0.0 0.0.0.0 10.0.90.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set STS_TRANS_SET esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set RA_TRAMSFORM esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 43200
    crypto ipsec security-association lifetime kilobytes 46080000
    crypto dynamic-map outside_dyn_map 20 set transform-set RA_TRAMSFORM
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 43200
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 46080000
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map HOMEWORKERS 10 match address INSIDE_ACCESS_TO_HW
    crypto map HOMEWORKERS 10 set peer 123.123.123.123 122.122.122.122 121.121.121.121
    crypto map HOMEWORKERS 10 set transform-set STS_TRANS_SET
    crypto map HOMEWORKERS 10 set security-association lifetime seconds 28800
    crypto map HOMEWORKERS 10 set security-association lifetime kilobytes 4608000
    crypto map HOMEWORKERS 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map HOMEWORKERS interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy ravpn internal
    group-policy ravpn attributes
    dns-server value 10.0.100.1
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value remote_access_split_tunnel
    username bob123 password Ar/YOfOkJfPnyZYM encrypted
    tunnel-group 121.121.121.121 type ipsec-l2l
    tunnel-group 121.121.121.121 ipsec-attributes
    pre-shared-key *
    tunnel-group 122.122.122.122 type ipsec-l2l
    tunnel-group 122.122.122.122 ipsec-attributes
    pre-shared-key *
    tunnel-group 123.123.123.123 type ipsec-l2l
    tunnel-group 123.123.123.123 ipsec-attributes
    pre-shared-key *
    tunnel-group ravpn type remote-access
    tunnel-group ravpn general-attributes
    address-pool DHCP_SCOPE
    default-group-policy ravpn
    tunnel-group ravpn ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d8034e23e7d413a1b5d08dc301697c58
    : end

    ************

    Again, any help really appreciated!!!

  • #2
    Re: Cisco site-to-site & Remote Access VPN on ASA / PIX

    Either NATing or encryption isn't configured right if VPN connects but no traffic flows.

    The NAT looks okay at first glance. I would guess the VPN client connection is somehow trying to use the encryption settings for the site-to-site VPN. I'll have to compare this config to some others I have before I can say anything more specific.

    Comment


    • #3
      Re: Cisco site-to-site & Remote Access VPN on ASA / PIX

      Your VPN IP pool (10.0.85.x) is included in SITE_TO_SITE_VPNS, so it is therefore included in INSIDE_ACCESS_TO_HW. So your remote access VPN is using this crypto map instead of the dynamic map.

      Code:
      crypto map HOMEWORKERS 10 match address INSIDE_ACCESS_TO_HW

      Comment

      Working...
      X