Task 4.4 ASA is sourcing its ISAKMP from wrong IP

Hi!

For two hours I've been trying to find the error here in my configuration, but without success. Perhaps you have an idea. I configured the IPSEC for Task 4.4. First I had problems that the ISAKMP did not come through. After a while I gave up and opened the VPN-Concentrator outbound for everything. Then I saw the problem on the PIX - interestingly, the source address of the ASA's ISAKMP is *not* the IP of the outside interface (183.1.100.12), which would have worked. Instead the ASA uses its internal address (192.10.1.12). I see it in the logs of the ASA and now also on the PIX in between, which of course denies this traffic. WHY on heaven's earth is the ASA using its internal address, although the crypto map is applied on the outside? This is not the way I would expect it, and also not the way it's configured in iexperts' solution guide.

First I thought that the static NAT from Task 2.2 was to blame. But even after removing this static (and even rebooting) the problem remained. Please, if you can point me to the issue, I will really appreciate it!

My current configuration of the ASA:

 Code:

: Saved
:
ASA Version 7.2(4)
!
hostname Rack1ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 183.1.100.12 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.10.1.12 255.255.255.0
!
interface Ethernet0/2
description LAN/STATE Failover Interface
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa724-k8.bin
ftp mode passive
object-group icmp-type UNIX-TRACEROUTE
icmp-object information-reply
icmp-object traceroute
icmp-object unreachable
icmp-object echo-reply
icmp-object time-exceeded
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any any eq telnet
access-list OUTSIDE extended permit udp any any range 33434 33464
access-list OUTSIDE extended permit icmp any any object-group UNIX-TRACEROUTE
access-list ICMP extended permit icmp any any
access-list VLAN808-TO-VLAN805 extended permit ip 10.8.8.0 255.255.255.0 10.5.5.0 255.255.255.0
!
tcp-map PERMIT-OPTION19
tcp-options range 19 19 allow
!
pager lines 24
logging console debugging
logging mail critical
logging from-address [email protected]
logging recipient-address [email protected] level critical
mtu OUTSIDE 1500
mtu INSIDE 1500
failover
failover lan unit primary
failover lan interface FAILOVER-IF Ethernet0/2
failover polltime interface msec 500 holdtime 5
failover link FAILOVER-IF Ethernet0/2
failover interface ip FAILOVER-IF 100.100.100.1 255.255.255.252 standby 100.100.100.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
no asdm history enable
arp timeout 14400
static (INSIDE,OUTSIDE) 183.1.100.128 192.10.1.0 netmask 255.255.255.128
access-group OUTSIDE in interface OUTSIDE
route OUTSIDE 10.5.5.0 255.255.255.0 183.1.100.11 1
!
router ospf 1
router-id 150.1.12.12
network 183.1.100.12 255.255.255.255 area 51
network 192.10.1.12 255.255.255.255 area 51
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
snmp-server host OUTSIDE 183.1.119.100 trap community CISCO
no snmp-server location
no snmp-server contact
snmp-server community CISCO
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
service resetoutside
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto map CRYPTOMAP 10 match address VLAN808-TO-VLAN805
crypto map CRYPTOMAP 10 set peer 183.1.119.5
crypto map CRYPTOMAP 10 set transform-set ESP-3DES
crypto map CRYPTOMAP interface OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 183.1.119.5 type ipsec-l2l
tunnel-group 183.1.119.5 ipsec-attributes
pre-shared-key *
!
class-map UDP
match port udp range 1 65535
class-map TCP
match port tcp range 1 65535
class-map ICMP
match access-list ICMP
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class TCP
set connection conn-max 5000 per-client-max 1000
set connection advanced-options PERMIT-OPTION19
class UDP
set connection conn-max 1000 per-client-max 500
policy-map OUTSIDE-POLICY
class ICMP
police input 56000
!
service-policy global_policy global
service-policy OUTSIDE-POLICY interface OUTSIDE
smtp-server 10.0.0.100
prompt hostname context
Cryptochecksum:daf7e2ae14e7a89bc10833e838e8628c
: end


Some debug output, which shows that the ASA is using its internal address for ISAKMP:

 Code:

%ASA-7-715046: IP = 183.1.119.5, constructing ISAKMP SA payload
%ASA-7-715046: IP = 183.1.119.5, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 183.1.119.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host OUTSIDE:183.1.119.5
%ASA-6-302015: Built outbound UDP connection 17 for OUTSIDE:183.1.119.5/500 (183.1.119.5/500) to NP Identity Ifc:192.10.1.12/1024 (192.10.1.12/1024)


Thanks a lot,
airflow

Comments

  • I found it: I did not enable ISAKMP outside. I didn't know that ISAKMP was enabled inside by default and that the ASA would build the connections towards outside sourcing from the inside...

    greez,
    airflow
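
An added example, not part of the original thread or of any Cisco tooling: a small Python lint that catches the configuration state described above. It parses the posted config for interfaces that carry a crypto map but have no matching `crypto isakmp enable <nameif>` line (the fix the comment describes; the command form is assumed from ASA 7.x syntax), and it checks the %ASA-6-302015 line quoted above for a UDP/500 connection whose local identity address is not the address of the interface on which the peer was reached. The sample config and log line are constructed from the lines quoted in the thread; the function names are this example's own.

```python
import re

# Constructed sample input: the crypto-relevant lines of the ASA config posted
# in this thread.  A crypto map is applied to OUTSIDE, but there is no
# "crypto isakmp enable OUTSIDE" line.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 183.1.100.12 255.255.255.0
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 192.10.1.12 255.255.255.0
!
crypto map CRYPTOMAP 10 set peer 183.1.119.5
crypto map CRYPTOMAP interface OUTSIDE
crypto isakmp policy 10
"""

# Constructed sample log line, copied from the thread: the ISAKMP (UDP/500)
# connection to the peer is built with the INSIDE address as local identity.
SAMPLE_LOG = ("%ASA-6-302015: Built outbound UDP connection 17 for "
              "OUTSIDE:183.1.119.5/500 (183.1.119.5/500) to "
              "NP Identity Ifc:192.10.1.12/1024 (192.10.1.12/1024)")

RE_NAMEIF = re.compile(r"^\s*nameif (\S+)$")
RE_IPADDR = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ")
RE_MAP_IFC = re.compile(r"^\s*crypto map (\S+) interface (\S+)$")
RE_ISAKMP_ENABLE = re.compile(r"^\s*crypto isakmp enable (\S+)$")
# Interface names in 302015 may contain spaces ("NP Identity Ifc"), so match up to the colon.
RE_302015 = re.compile(
    r"%ASA-6-302015: Built \w+ UDP connection \d+ for "
    r"(?P<peer_ifc>[^:]+):(?P<peer_ip>\S+)/(?P<peer_port>\d+) \([^)]*\) to "
    r"(?P<local_ifc>[^:]+):(?P<local_ip>\S+)/(?P<local_port>\d+) \([^)]*\)")


def interface_addresses(config):
    """Return {nameif: ip} by walking interface stanzas (nameif precedes ip address)."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = RE_NAMEIF.match(line)
        if m:
            current = m.group(1)
            continue
        m = RE_IPADDR.match(line)
        if m and current:
            addrs[current] = m.group(1)
    return addrs


def lint_isakmp(config):
    """One finding per interface that carries a crypto map but has no ISAKMP enabled on it."""
    lines = config.splitlines()
    maps = {m.group(2): m.group(1)
            for m in (RE_MAP_IFC.match(ln) for ln in lines) if m}
    enabled = {m.group(1)
               for m in (RE_ISAKMP_ENABLE.match(ln) for ln in lines) if m}
    return [f"crypto map {name} is applied to {ifc} but ISAKMP is not enabled there "
            f"(missing 'crypto isakmp enable {ifc}')"
            for ifc, name in maps.items() if ifc not in enabled]


def isakmp_source_mismatch(log_line, config):
    """Return (peer_ifc, local_ip, expected_ip) when a UDP/500 connection to a peer
    is built with a local identity address that differs from the address of the
    interface the peer was reached on; None if the line is not ISAKMP or is fine."""
    m = RE_302015.search(log_line)
    if not m or m.group("peer_port") != "500":
        return None
    expected = interface_addresses(config).get(m.group("peer_ifc"))
    local = m.group("local_ip")
    if expected and local != expected:
        return m.group("peer_ifc"), local, expected
    return None


if __name__ == "__main__":
    for finding in lint_isakmp(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    mismatch = isakmp_source_mismatch(SAMPLE_LOG, SAMPLE_CONFIG)
    if mismatch:
        print("LOG: ISAKMP to peer on %s sourced from %s, expected %s" % mismatch)
```

Run against the posted config the lint reports the missing `crypto isakmp enable OUTSIDE`, and the log check flags the 302015 line because the local identity 192.10.1.12 is the INSIDE address while the peer was reached via OUTSIDE (183.1.100.12). Appending the enable line to the config makes the lint finding disappear.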