Re: vpn on asa - no matching crypto map entry problem
- From: anonymous <no@xxxxxxxx>
- Date: Fri, 28 Apr 2006 10:20:55 -0400
I figured out what the problem was. My crypto map dynamic access lists were backwards:
access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0 255.255.255.0 any
should be:
access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0
anonymous wrote:
Hello,
I'm setting up a vpn on an ASA 5510 7.0(4)12 but it doesn't seem to be getting past completion of phase I. I'm getting this message in my logs (take a look at the line I marked with "***"):
LOGS
========================================================================
6|Apr 28 2006 12:21:41|713172: Group = my-Group, IP = 192.168.10.10, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
6|Apr 28 2006 12:21:53|113012: AAA user authentication Successful : local database : user = testuser
6|Apr 28 2006 12:21:53|113003: AAA group policy for user testuser is being set to my-Group
6|Apr 28 2006 12:21:53|113011: AAA retrieved user specific group policy (my-Group) for user = testuser
6|Apr 28 2006 12:21:53|113009: AAA retrieved default group policy (my-Group) for user = testuser
6|Apr 28 2006 12:21:53|113008: AAA transaction status ACCEPT : user = testuser
5|Apr 28 2006 12:21:53|713130: Group = my-Group, Username = testuser, IP = 192.168.10.10, Received unsupported transaction mode attribute: 5
5|Apr 28 2006 12:21:53|713131: Group = my-Group, Username = testuser, IP = 192.168.10.10, Received unknown transaction mode attribute: 28683
6|Apr 28 2006 12:21:53|713184: Group = my-Group, Username = testuser, IP = 192.168.10.10, Client Type: WinNT Client Application Version: 4.6.00.0045
6|Apr 28 2006 12:21:53|713228: Group = my-Group, Username = testuser, IP = 192.168.10.10, Assigned private IP address 10.10.10.20 to remote user
3|Apr 28 2006 12:21:53|713119: Group = my-Group, Username = testuser, IP = 192.168.10.10, PHASE 1 COMPLETED
*****************
***3|Apr 28 2006 12:21:53|713061: Group = my-Group, Username = testuser, IP = 192.168.10.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.10.20/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
*****************
3|Apr 28 2006 12:21:53|713902: Group = my-Group, Username = testuser, IP = 192.168.10.10, QM FSM error (P2 struct &0x388d2b0, mess id 0x71fb8a55)!
3|Apr 28 2006 12:21:53|713902: Group = my-Group, Username = testuser, IP = 192.168.10.10, Removing peer from correlator table failed, no match!
4|Apr 28 2006 12:21:53|113019: Group = my-Group, Username = testuser, IP = 192.168.10.10, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Apr 28 2006 12:21:53|713904: IP = 192.168.10.10, Received encrypted packet with no matching SA, dropping
========================================================================
I noticed this on Cisco's site:
CISCO's EXPLANATION
========================================================================
Error Message %PIX|ASA-3-713061: Tunnel rejected: Crypto Map Policy not found for Src:source_address, Dst: dest_address!
Explanation This message indicates that the Cisco ASA was not able to find security policy information for the private networks or hosts indicated in the message. These networks or hosts were sent by the initiator and do not match any crypto ACLs at the Cisco ASA. This is most likely a misconfiguration.
Recommended Action Check the protected network configuration in the crypto ACLs on both sides and make sure that the local net on the initiator is the remote net on the responder and vice-versa. Pay special attention to wildcard masks, host addresses versus network addresses, etc. Non-Cisco implementations may have the private addresses labeled as proxy addresses or red networks.
========================================================================
AFAIK, I've done this. Is there something I'm missing here?
ASA CONFIG
========================================================================
ciscoasa# show run
: Saved
:
ASA Version 7.0(4)12
!
hostname ciscoasa
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 172.16.1.37 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.5 255.255.255.0
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 any
access-list my-Group_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 extended permit udp 10.10.10.0 255.255.255.0 eq isakmp any
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool pac-vpn-ip-pool 10.10.10.20-10.10.10.100 mask 255.255.255.0
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.1.33 1
group-policy my-Group internal
group-policy my-Group attributes
wins-server value 10.10.10.58
dns-server value 10.10.10.82
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-Group_splitTunnelAcl
client-firewall none
webvpn
username testuser password XXXXXXX encrypted privilege 1
username testuser attributes
vpn-group-policy my-Group
webvpn
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca certificate map 10
subject-name attr ip eq 172.16.1.37
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group my-Group type ipsec-ra
tunnel-group my-Group general-attributes
address-pool pac-vpn-ip-pool
authentication-server-group none
default-group-policy my-Group
tunnel-group my-Group ipsec-attributes
pre-shared-key *
tunnel-group-map default-group my-Group
tunnel-group-map 10 my-Group
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
client-update enable
: end
========================================================================
Thanks,
STU
----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
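As an added illustration (not code from either post), here is a small Python model of why the original dynamic crypto map ACL failed and the reversed one works: it pulls the local and remote proxy IDs out of the 713061 log line above and checks them against the two ACL forms. The match rule used, that the local proxy must lie within the ACE's source network and the remote proxy within its destination network, is my assumption of the ASA's behaviour for this responder scenario.

```python
import ipaddress
import re

# Constructed from the 713061 line in the quoted post.
LOG_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            "10.10.10.20/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")

# The ACE as originally configured (backwards) and as corrected in the reply.
ACL_BEFORE = ["access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0 255.255.255.0 any"]
ACL_AFTER = ["access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0"]


def parse_proxies(line):
    """Return (local_net, remote_net) from an ASA 713061 message (addr/mask/proto/port)."""
    m = re.search(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+", line)
    if not m:
        raise ValueError("no proxy IDs found in log line")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote


def _take_net(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Return [(src_net, dst_net)] for 'permit ip' ACEs; on the ASA, source = local side, destination = remote side."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue  # port/protocol-specific ACEs (like the udp isakmp line) are outside this model
        src, rest = _take_net(t[5:])
        dst, _ = _take_net(rest)
        entries.append((src, dst))
    return entries


def matching_entry(acl_entries, local, remote):
    """Assumed ASA rule: an ACE matches when local proxy is within its source net and remote proxy within its destination net."""
    for src, dst in acl_entries:
        if local.subnet_of(src) and remote.subnet_of(dst):
            return src, dst
    return None  # -> 713061 "no matching crypto map entry"


if __name__ == "__main__":
    local, remote = parse_proxies(LOG_LINE)
    print("before:", matching_entry(parse_acl(ACL_BEFORE), local, remote))  # None
    print("after: ", matching_entry(parse_acl(ACL_AFTER), local, remote))   # (0.0.0.0/0, 10.10.10.0/24)
```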