SSH is not working. I am seeing the following message in the output.
R1#ssh -l ipexpert 10.5.5.55
*Dec 30 01:06:41.675: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of
Informational mode failed with peer at 10.5.5.55
R1#
R1#
R1#ssh -l ipexpert 192.1.49.55
R1#
First of all, why is R1 not pinging ASA1? Secondly, if R1 is able to
ping ASA2, then why did the SSH connection not establish (as seen in the
above output)?
Attaching the sh crypto output and pings from R1, which suggest that the peer
relationship with both ASAs is established but the tunnel is still not
formed.
Appreciate any help.
-Anshul
________________________________
From: [EMAIL PROTECTED] On Behalf Of Joshua Walton
Sent: Saturday, December 29, 2007 10:21 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 18, Issue 13
verify by SSH'ing to ASA1 and ASA2 from R1
R1# ssh -l ipexpert 192.1.49.55
R1# ssh -l ipexpert 10.5.5.55
Best Regards,
- Joshua R. Walton
Senior Network Engineer
CCNP, CCSP, CCVP, INFOSEC
> From: [EMAIL PROTECTED]
> Subject: CCIE_Security Digest, Vol 18, Issue 13
> To: [email protected]
> Date: Sat, 29 Dec 2007 12:00:03 -0500
>
> Message: 1
> Date: Fri, 28 Dec 2007 20:22:21 -0800
> From: "Anshul Arora (akarora)" <[EMAIL PROTECTED]>
> Subject: [OSL | CCIE_Security] Section 15 Task 7.6 (a): Management VPN
> To: <[email protected]>
>
> Hi All,
>
> I have R1 and ASA1 configured for secure communication through an IPsec
> tunnel. The basic problem is that ASA1 can't ping R1's public IP
> 192.1.12.15 and vice versa, although R4 can ping R1.
> Where do I enable ping from ASA1 to R1 so as to bring up the tunnel?
>
> The same setup is working for R1 and ASA2 tunnel communication (Task b),
> verifying that the configuration on R1 and ASA is configured correctly.
>
> Attaching R1, R4 and ASA2 configs.
>
> Appreciate any input.
> -Anshul
>
R1#sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: MYMAP, local addr 10.2.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.1.49.55/255.255.255.255/0/0)
current_peer 192.1.49.55 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 10.2.2.1, remote crypto endpt.: 192.1.49.55
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.5.5.55/255.255.255.255/0/0)
current_peer 10.5.5.55 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.5.5.55
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
R1#sh crypto isak
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R1#
R1#ping 10.5.5.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms
R1#ping 192.1.24.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R1#ping 192.1.49.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.49.55, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA2# sh run
: Saved
:
ASA Version 7.2(2)
!
firewall transparent
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list allow extended permit eigrp any any
access-list allow extended permit icmp any any echo
access-list allow extended permit icmp any any echo-reply
access-list L2L extended permit ip host 10.5.5.55 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.5.5.55 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
access-group allow in interface outside
access-group allow out interface inside
route outside 0.0.0.0 0.0.0.0 10.5.5.5 1
username ipexpert password yZj422lmSITORjHo encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYTRANS esp-3des esp-sha-hmac
crypto map MYMAP 10 match address L2L
crypto map MYMAP 10 set connection-type answer-only
crypto map MYMAP 10 set peer 10.2.2.1
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 10.2.2.1 type ipsec-l2l
tunnel-group 10.2.2.1 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
mac-address-table static inside 001a.a29e.6fd0
mac-address-table static outside 001a.e254.5130
: end
ASA2#
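As an added example (not part of the thread), a small Python triage of the `show crypto ipsec sa` output posted above: it pulls each crypto-map entry's peer, outbound SPI and packet counters and classifies why no tunnel exists. A zero outbound SPI with zero encaps but non-zero send errors is exactly the pattern in R1's output: interesting traffic matched the crypto ACL and was dropped for lack of an SA, consistent with the empty `show crypto isakmp sa`. The sample input is constructed from the posted counters, and the state labels are my own.

```python
import re

# Constructed sample: the two MYMAP entries from the thread, trimmed to the
# lines this script reads (peer, counters and SPI copied from the posted output).
SAMPLE = """\
protected vrf: (none)
current_peer 192.1.49.55 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 4, #recv errors 0
current outbound spi: 0x0(0)
protected vrf: (none)
current_peer 10.5.5.55 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 4, #recv errors 0
current outbound spi: 0x0(0)
"""

FIELDS = {  # field name -> (regex with one capture group, converter)
    "peer": (r"current_peer (\S+)", str),
    "encaps": (r"#pkts encaps: (\d+)", int),
    "decaps": (r"#pkts decaps: (\d+)", int),
    "send_errors": (r"#send errors (\d+)", int),
    "spi": (r"current outbound spi: 0x([0-9A-Fa-f]+)", lambda h: int(h, 16)),
}

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry; a 'protected vrf' line opens each."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("protected vrf"):
            entries.append({})
        elif entries:
            for name, (pat, conv) in FIELDS.items():
                m = re.match(pat, line)
                if m:
                    entries[-1][name] = conv(m.group(1))
    return entries

def diagnose(e):
    """Classify one entry from its outbound SPI and packet counters."""
    if e.get("spi", 0) == 0 and e.get("encaps", 0) == 0:
        if e.get("send_errors", 0) > 0:
            # Traffic hit the crypto ACL but was dropped with no SA: IKE was
            # triggered and never completed (phase 1 or phase 2 failed).
            return "no SA, IKE never completed"
        return "no SA, no interesting traffic yet"
    if e.get("decaps", 0) == 0:
        return "SA up but nothing decrypted from peer"
    return "SA up, bidirectional"
```

Run `diagnose(e)` over `parse_ipsec_sa(SAMPLE)`; both MYMAP entries report "no SA, IKE never completed", so the next step is IKE debugging rather than the IPsec ACLs.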