Hi,
 
Thanks for your responses. I was able to fix half of the problem, wherein
R1 and ASA-1 are communicating through an IPsec tunnel. Verified using ssh -l
ipexpert 192.1.49.55
 
The problem that still exists is that the R1 to ASA-2 tunnel does not come
up. There are no routing issues, since ping is working from R1 to ASA2 and
vice versa.
 
Configs and outputs are attached.
 
Appreciate your help,
-Anshul
 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anshul Arora (akarora)
Sent: Saturday, December 29, 2007 6:36 PM
To: Joshua Walton; [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 18, Issue 13


Ok, let's ignore encryption...
 
- Tested that there is ping connectivity between R1 and ASA2. No routing
issue, therefore the tunnel should come up.
 
- For R1 and ASA1 communication, I need static translation on PIX for R1
(10.2.2.1 --> 192.1.12.1.5) and ACL (permit ip any any on outside
interface) on PIX. Plus statics on R1 and ASA1.
 
  What else is needed?

________________________________

From: Joshua Walton [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 29, 2007 5:42 PM
To: Anshul Arora (akarora); [email protected]
Subject: RE: [OSL | CCIE_Security] CCIE_Security Digest, Vol 18, Issue 13


Before adding encryption it is a good idea to test basic routing, so you
will know where to troubleshoot if needed.


Best Regards,
 
- Joshua R. Walton
  Senior Network Engineer 
  CCNP, CCSP, CCVP, INFOSEC



________________________________

        Subject: RE: [OSL | CCIE_Security] CCIE_Security Digest, Vol 18, Issue 13
        Date: Sat, 29 Dec 2007 17:34:25 -0800
        From: [EMAIL PROTECTED]
        To: [EMAIL PROTECTED]; [email protected]
        
        
        SSH is not working. Seeing the following message in the output.
         
        R1#ssh -l ipexpert 10.5.5.55
         
        *Dec 30 01:06:41.675: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.5.5.55
        R1#
        R1#
        
        R1#ssh -l ipexpert 192.1.49.55
         
        R1#
         
        First of all, why is R1 not pinging ASA1? Secondly, if R1 is
able to ping ASA2, then why did the SSH connection not establish (as seen in
the above output)?
         
        Attaching sh crypto output and pings from R1, suggesting that the
peer relationship with both ASAs is established but the tunnel is still not
formed.
         
        Appreciate any help.
        -Anshul
        
        
________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Walton
        Sent: Saturday, December 29, 2007 10:21 AM
        To: [email protected]
        Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 18, Issue 13
        
        
        Verify by SSHing to ASA1 and ASA2 from R1
         
        R1# ssh -l ipexpert 192.1.49.55 
         
         
        R1# ssh -l ipexpert 10.5.5.55
        
        
        
        Best Regards,
         
        - Joshua R. Walton
          Senior Network Engineer 
          CCNP, CCSP, CCVP, INFOSEC


        > From: [EMAIL PROTECTED]
        > Subject: CCIE_Security Digest, Vol 18, Issue 13
        > To: [email protected]
        > Date: Sat, 29 Dec 2007 12:00:03 -0500
        > 
        > Today's Topics:
        > 
        > 1. Section 15 Task 7.6 (a): Management VPN (Anshul Arora (akarora))
        > 
        > 
        >
----------------------------------------------------------------------
        > 
        > Message: 1
        > Date: Fri, 28 Dec 2007 20:22:21 -0800
        > From: "Anshul Arora (akarora)" <[EMAIL PROTECTED]>
        > Subject: [OSL | CCIE_Security] Section 15 Task 7.6 (a): Management VPN
        > To: <[email protected]>
        > Message-ID: <[EMAIL PROTECTED]>
        > Content-Type: text/plain; charset="us-ascii"
        > 
        > Hi All,
        > 
        > I've R1 and ASA1 configured for secured communication through an IPsec
        > tunnel. The basic problem is that ASA1 can't ping R1's public IP
        > 192.1.12.15 and vice versa, although R4 can ping R1.
        > Where do I enable ping from ASA1 to R1 so as to bring up the tunnel?
        > 
        > The same setup is working for R1 and ASA2 tunnel communication (Task b),
        > verifying that R1 and the ASA are configured correctly.
        > 
        > Attaching R1, R4 and ASA2 configs.
        > 
        > Appreciate any input.
        > -Anshul
        > 
        

ASA2# sh run
: Saved
:
ASA Version 7.2(2) 
!
firewall transparent
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
access-list allow extended permit eigrp any any 
access-list allow extended permit icmp any any echo 
access-list allow extended permit icmp any any echo-reply 
access-list L2L extended permit ip host 10.5.5.55 10.1.1.0 255.255.255.0 

ip address 10.5.5.55 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp outside 10.5.5.5 001a.e254.5130 
arp inside 10.5.5.100 001a.a29e.6fd0 
arp timeout 14400
access-group allow in interface outside
access-group allow in interface inside
route outside 0.0.0.0 0.0.0.0 10.5.5.5 1

username ipexpert password yZj422lmSITORjHo encrypted
aaa authentication ssh console LOCAL 

crypto ipsec transform-set MYTRANS esp-3des esp-sha-hmac 
crypto map MYMAP 10 match address L2L
crypto map MYMAP 10 set connection-type answer-only
crypto map MYMAP 10 set peer 10.2.2.1 
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.2.2.1 type ipsec-l2l
tunnel-group 10.2.2.1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
!
service-policy global_policy global
mac-address-table static inside 001a.a29e.6fd0
mac-address-table static outside 001a.e254.5130
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
prompt hostname context 
Cryptochecksum:10fe1c7f10501142ece241cbe5675f4f
: end
ASA2#
PIX Version 7.2(2) 
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.1.12.10 255.255.255.0 
!
interface Ethernet0.55
 vlan 55
 nameif DMZ55
 security-level 50
 ip address 192.168.5.10 255.255.255.0 
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.2.2.10 255.255.255.0 
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list outsideacl extended permit tcp host 4.4.4.4 host 192.1.12.100 eq tacacs 
access-list outsideacl extended permit tcp host 192.1.12.2 host 192.1.12.100 eq tacacs 
access-list outsideacl extended permit tcp host 192.1.6.20 host 192.1.12.100 eq tacacs 
access-list outsideacl extended permit udp host 192.1.25.5 eq isakmp host 192.1.12.5 eq isakmp 
access-list outsideacl extended permit udp host 192.1.25.5 host 192.1.12.5 eq 4500 
access-list outsideacl extended permit esp host 192.1.25.5 host 192.1.12.5 
access-list outsideacl extended permit esp any host 192.1.12.5 
access-list outsideacl extended permit udp any eq isakmp host 192.1.12.5 eq isakmp 
access-list outsideacl extended permit esp host 192.1.49.55 host 192.1.12.15 
access-list outsideacl extended permit udp host 192.1.49.55 eq isakmp host 192.1.12.15 eq isakmp 
access-list dmzacl extended permit icmp any any echo 
access-list dmzacl extended permit icmp any any echo-reply 
access-list dmzacl extended permit esp host 192.168.5.5 host 192.1.25.5 
access-list dmzacl extended permit udp host 192.168.5.5 host 192.1.25.5 eq isakmp 
access-list dmzacl extended permit esp host 192.168.5.5 any 
access-list dmzacl extended permit udp host 192.168.5.5 eq isakmp any 
access-list R4l2l extended permit ip 10.2.2.0 255.255.255.0 192.168.104.0 255.255.255.0 
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 192.168.104.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu DMZ55 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any DMZ55
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ55) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.1.12.100 10.1.1.100 netmask 255.255.255.255 
static (inside,outside) 192.1.12.15 10.2.2.1 netmask 255.255.255.255 
static (DMZ55,outside) 192.1.12.5 192.168.5.5 netmask 255.255.255.255 
access-group outsideacl in interface outside
access-group dmzacl in interface DMZ55
route outside 192.168.104.0 255.255.255.0 192.1.12.2 1
route inside 10.1.1.0 255.255.255.0 10.2.2.1 1
route inside 1.0.0.0 255.255.255.0 10.2.2.1 1
!
router ospf 1
 network 192.1.12.0 255.255.255.0 area 0
 log-adj-changes
!
aaa-server TAC protocol tacacs+
aaa-server TAC host 10.1.1.100
 key pixkey
url-server (inside) vendor websense host 10.2.2.52 timeout 30 protocol TCP version 1 connections 5
aaa authentication include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TAC 
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYTRANS esp-des esp-md5-hmac 
crypto map MYMAP 10 match address R4l2l
crypto map MYMAP 10 set peer 192.1.24.4 
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 192.1.24.4 type ipsec-l2l
tunnel-group 192.1.24.4 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:c246a43b892e4604a9a230bec17f26da
: end
pixfirewall#
R1#sh run
Building configuration...

Current configuration : 2403 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
!
!
ip cef
!
!         
no ip domain lookup
ip domain name ipexpert.com
ip ssh source-interface FastEthernet1
!
!
!
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ccie address 192.1.49.55
crypto isakmp key ccie address 10.5.5.55
!
!
crypto ipsec transform-set ASA esp-3des esp-sha-hmac 
!
crypto map MYMAP 10 ipsec-isakmp 
 set peer 192.1.49.55
 set transform-set ASA 
 match address ASA1
crypto map MYMAP 20 ipsec-isakmp 
 set peer 10.5.5.55
 set transform-set ASA 
 match address ASA2
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface Loopback16
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 10.2.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!         
interface FastEthernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
ip route 10.5.5.0 255.255.255.0 10.2.2.5
ip route 192.168.5.0 255.255.255.0 10.2.2.10
ip route 192.168.104.0 255.255.255.0 10.2.2.10
!
!
ip http server
no ip http secure-server
ip nat inside source static udp 10.1.1.100 1645 10.2.2.99 1812 extendable
ip nat inside source static udp 10.1.1.100 1646 10.2.2.99 1813 extendable
!
ip access-list extended ASA1
 permit ip 10.1.1.0 0.0.0.255 host 192.1.49.55
ip access-list extended ASA2
 permit ip 10.1.1.0 0.0.0.255 host 10.5.5.55
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login local
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

R1#
R1#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: MYMAP, local addr 10.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.1.49.55/255.255.255.255/0/0)
   current_peer 192.1.49.55 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 192.1.49.55
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
          
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.5.5.55/255.255.255.255/0/0)
   current_peer 10.5.5.55 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 10, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.5.5.55
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x585986E2(1482262242)

     inbound esp sas:
      spi: 0xBD42B232(3175264818)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Motorola SEC 2.0:3, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4567320/2651)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x585986E2(1482262242)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Motorola SEC 2.0:4, crypto map: MYMAP
        sa timing: remaining key lifetime (k/sec): (4567319/2651)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#



ASA2# sh crypto ipsec sa
interface: outside
    Crypto map tag: MYMAP, seq num: 10, local addr: 10.5.5.55

      access-list L2L permit ip host 10.5.5.55 10.1.1.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.5.5.55/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 10.2.2.1

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.5.5.55, remote crypto endpt.: 10.2.2.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: BD42B232

    inbound esp sas:
      spi: 0x585986E2 (1482262242)
         transform: esp-3des esp-sha-hmac none 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: MYMAP
         sa timing: remaining key lifetime (kB/sec): (4274999/2592)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xBD42B232 (3175264818)
         transform: esp-3des esp-sha-hmac none 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: MYMAP
         sa timing: remaining key lifetime (kB/sec): (4274999/2591)
         IV size: 8 bytes
         replay detection support: Y

ASA2# 
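As an added example (not part of the thread or of any Cisco tool), a small Python parser for the `sh crypto ipsec sa` output posted above: it extracts each peer's encaps/decaps counters, send errors and outbound SPI and turns them into a troubleshooting verdict, so the asymmetry in R1's output (no SA at all toward 192.1.49.55; packets encrypted toward 10.5.5.55 but none ever decrypted) is visible at a glance. The embedded sample is a constructed abbreviation of the R1 output, and the patterns also accept the slightly different ASA formatting shown in the ASA2 output.

```python
import re

# Constructed abbreviation of the R1 `sh crypto ipsec sa` output from the thread:
# only the lines the check below reads are kept.
R1_SA_OUTPUT = """\
   current_peer 192.1.49.55 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)

   current_peer 10.5.5.55 port 500
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 10, #recv errors 0
     current outbound spi: 0x585986E2(1482262242)
"""

# Patterns accept both the IOS form ("#send errors 0", "spi: 0x0(0)") and the
# ASA form ("#send errors: 0", "spi: BD42B232") seen in the two outputs above.
FIELDS = {
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors:?\s+(\d+)",
    "spi": r"current outbound spi:\s*((?:0x)?[0-9A-Fa-f]+)",
}

def parse_ipsec_sa(text):
    """Return one dict per crypto peer found in `show crypto ipsec sa` output."""
    peers, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*current_peer:?\s+(\S+)", line)
        if m:  # a new peer block starts; counters default to "nothing seen"
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "spi": "0x0"}
            peers.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in FIELDS.items():
            m = re.search(pat, line)
            if m:
                cur[key] = m.group(1) if key == "spi" else int(m.group(1))
    return peers

def diagnose(peer):
    """Map a peer's SA state to the next thing to check."""
    if int(peer["spi"], 16) == 0:
        return "no-sa"        # phase 2 never completed: check IKE and mirrored crypto ACLs
    if peer["encaps"] > 0 and peer["decaps"] == 0:
        return "one-way"      # we encrypt, nothing comes back: return path or remote side
    if peer["send_errors"] > 0:
        return "send-errors"  # SA exists but local sends fail
    return "ok"
```

Run it against a full `show crypto ipsec sa` capture from either box; a peer reported as `no-sa` points at IKE, a peer reported as `one-way` points at the return direction.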
