2.7 LAN-to-LAN tunnel between IOS routers

Hi all,

This simple task drives me crazy. I am posting the config for ASA1, R1 and R2. Simple IPSec between the Lo0 interfaces is not working.

R1:

Rack1R1#sh run
Building configuration...

Current configuration : 1435 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 CISCO address 136.1.122.2
!
!
crypto ipsec transform-set 3DESMD5 ah-md5-hmac esp-3des
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 136.1.122.2
 set transform-set 3DESMD5
 match address LO1-TO-LO2
!
!
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 136.1.121.1 255.255.255.0
 speed auto
 crypto map MYMAP
!
interface Serial0/0
 no ip address
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial1/0
 no ip address
 shutdown
!
router rip
 version 2
 network 136.1.0.0
 network 150.1.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip access-list extended LO1-TO-LO2
 permit ip 150.1.1.0 0.0.0.255 150.1.2.0 0.0.0.255
!
access-list 100 permit icmp any any
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
end

R2:

sh run
Building configuration...

Current configuration : 1370 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip multicast-routing
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 CISCO address 136.1.121.1
!
!
crypto ipsec transform-set 3DESMD5 ah-md5-hmac esp-3des
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 136.1.121.1
 set transform-set 3DESMD5
 match address LO2-TO-LO1
!
!
!
interface Loopback0
 ip address 150.1.2.2 255.255.255.0
 ip pim sparse-mode
!
interface FastEthernet0
 ip address 136.1.122.2 255.255.255.0
 ip pim sparse-mode
 speed auto
 crypto map MYMAP
!
interface Serial0
 no ip address
 shutdown
!
router rip
 version 2
 network 136.1.0.0
 network 150.1.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip pim rp-address 150.1.2.2
!
ip access-list extended LO2-TO-LO1
 permit ip 150.1.2.0 0.0.0.255 150.1.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
end

Rack1R2#

ASA1:

sh run
: Saved
:
ASA Version 8.0(4)39
!
hostname Rack1ASA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 136.1.122.12 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 136.1.121.12 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.0.12 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
access-list OUTSIDE-IN extended permit esp host 136.1.122.2 host 136.1.121.1
access-list OUTSIDE-IN extended permit udp any any eq isakmp
access-list OUTSIDE-IN extended permit icmp any any echo
access-list OUTSIDE-IN extended permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE-IN in interface outside
!
router rip
 network 10.0.0.0
 network 136.1.0.0
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a328c15378f71ad66707694512c9f84f
: end

Rack1ASA1#

Comments

  • Hi,

    I'm not confident on ASAs, but maybe you need:

    policy-map global_policy
      class inspection_default
        inspect ipsec-pass-thru

    The configuration on the routers looks absolutely fine. Once you enable that, check the ACL on the firewall for hit counts to make sure it's going through the ASA.

    EDIT: No wonder there's so many firewall questions. I'm in the CCIE Security section lol. I thought I was in CCIE R&S technical.

  • Hi,

    Why are you using AH instead of ESP? If I recall correctly this task requires the use of ESP instead of AH.

    crypto ipsec transform-set 3DESMD5 ah-md5-hmac esp-3des 

    Is phase-1 completing?

    You may also want to take a look at the following debugs that may provide more info what the problem is:

    debug cry isakmp

    debug cry ipsec

    HTH

    Good luck!

  • Dear all,

    Really appreciate your help. When running "debug cry isa" on both routers it shows nothing. When running "logging con 7" and "logging on" on the ASA it shows that IP 51 is denied from 136.1.122.1 to 136.1.121.1 even if it is enabled by the OUTSIDE-IN ACL on the ASA.

    regards
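The denial the previous post reports, and the earlier question about AH versus ESP, both come down to one check a defender can automate: does the firewall policy permit every protocol the transform set actually puts on the wire? An IOS transform set that combines an ah-* and an esp-* transform applies both headers, so the tunnel needs IP protocol 51 (AH) and 50 (ESP) through the ASA, while the posted OUTSIDE-IN ACL only permits ESP and IKE. The following Python script is an added example, not code from the thread or from Cisco; it models a first-match ASA extended ACL with an implicit deny, takes the transform-set and access-list lines posted above as constructed input, and ignores ICMP types, source ports and NAT-T (no NAT appears in these configs). The function names `required_protocols`, `acl_verdict` and `tunnel_gaps` are my own.

```python
"""Cross-check an ASA interface ACL against what an IOS transform set
actually puts on the wire.  Added example, not the thread's own config;
the input lines at the bottom are constructed from the excerpts posted above."""

import ipaddress

# IANA protocol numbers and the ASA ACL keywords that stand for them.
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
PORT_NAMES = {"isakmp": 500}


def required_protocols(transform_set_line):
    """IP protocols an IOS 'crypto ipsec transform-set' line emits on the wire.

    Combining an ah-* and an esp-* transform applies both headers, so
    'ah-md5-hmac esp-3des' needs protocol 51 *and* 50 through the firewall.
    """
    tokens = transform_set_line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line: " + transform_set_line)
    needed = set()
    for transform in tokens[4:]:          # tokens[3] is the set name
        if transform.startswith("ah-"):
            needed.add(PROTO_NAMES["ah"])
        elif transform.startswith("esp-"):
            needed.add(PROTO_NAMES["esp"])
    return needed


def _take_address(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]


def parse_acl_line(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'.

    Simplified model: ICMP type keywords, source ports and port ranges are ignored.
    """
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    proto = PROTO_NAMES[tokens[4]] if tokens[4] in PROTO_NAMES else int(tokens[4])
    src, rest = _take_address(tokens[5:])
    dst, rest = _take_address(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return {"name": tokens[1], "action": tokens[3], "proto": proto,
            "src": src, "dst": dst, "port": port}


def _addr_matches(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == ip
    network = ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    return ipaddress.ip_address(ip) in network


def acl_verdict(acl_lines, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for entry in filter(None, map(parse_acl_line, acl_lines)):
        if entry["proto"] is not None and entry["proto"] != proto:
            continue
        if not (_addr_matches(entry["src"], src) and _addr_matches(entry["dst"], dst)):
            continue
        if entry["port"] is not None and entry["port"] != dport:
            continue
        return entry["action"]
    return "deny"


def tunnel_gaps(transform_set_line, acl_lines, outside_peer, inside_peer):
    """Flows the tunnel needs inbound on the outside interface that the ACL drops.

    Checks IKE (UDP/500) plus one flow per IPsec header the transform set uses.
    NAT-T (UDP/4500) is not considered because no NAT is configured in the thread.
    """
    flows = [(PROTO_NAMES["udp"], outside_peer, inside_peer, PORT_NAMES["isakmp"])]
    flows += [(p, outside_peer, inside_peer, None)
              for p in sorted(required_protocols(transform_set_line))]
    return [f for f in flows if acl_verdict(acl_lines, *f) == "deny"]


# Constructed from the thread: R1's transform set and the ASA's OUTSIDE-IN ACL.
TRANSFORM_SET = "crypto ipsec transform-set 3DESMD5 ah-md5-hmac esp-3des"
OUTSIDE_IN = [
    "access-list OUTSIDE-IN extended permit esp host 136.1.122.2 host 136.1.121.1",
    "access-list OUTSIDE-IN extended permit udp any any eq isakmp",
    "access-list OUTSIDE-IN extended permit icmp any any echo",
    "access-list OUTSIDE-IN extended permit icmp any any echo-reply",
]
# Two ways to close the gap: permit AH on the firewall, or drop AH from the transform set.
OUTSIDE_IN_WITH_AH = OUTSIDE_IN + [
    "access-list OUTSIDE-IN extended permit ah host 136.1.122.2 host 136.1.121.1"]
ESP_ONLY_SET = "crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac"

if __name__ == "__main__":
    peers = ("136.1.122.2", "136.1.121.1")          # R2 (outside) -> R1 (inside)
    print("gaps as posted:      ", tunnel_gaps(TRANSFORM_SET, OUTSIDE_IN, *peers))
    print("gaps with AH allowed:", tunnel_gaps(TRANSFORM_SET, OUTSIDE_IN_WITH_AH, *peers))
    print("gaps with ESP-only:  ", tunnel_gaps(ESP_ONLY_SET, OUTSIDE_IN, *peers))
```

Run as posted, the only gap reported is protocol 51 from R2 to R1, which is exactly the drop the ASA syslog shows; either permitting AH inbound on the outside interface or switching to an ESP-only transform set on both routers makes the gap list empty. Because R1 sits on the higher security-level inside interface, only the outside-to-inside direction needs an explicit permit, which is why the check models just that direction.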

  • Hi all,

    Could it be a bug in the IOS code? Does it require an upgrade?

    regards
