Task 4.4 ASA is sourcing its ISAKMP from wrong IP


For two hours I've been trying to find the error in my configuration, but without success. Perhaps you have an idea. I configured the IPsec for Task 4.4. First I had problems that the ISAKMP did not come through. After a while I gave up and opened the VPN-Concentrator outbound for everything. Then I saw the problem on the PIX - interestingly, the source address of the ASA's ISAKMP is *not* the IP of the outside interface (, which would have worked. Instead the ASA uses its internal address ( I see it in the logs of the ASA and now also on the PIX in between, which of course denies this traffic. WHY on heaven's earth is the ASA using its internal address, although the crypto map is applied on the outside? This is not the way I would expect it, and also not the way it's configured in iexperts' solution guide.

First I thought that the static NAT from Task 2.2 was to blame. But even after removing this static (and even rebooting) the problem remained. Please, if you can point me to the issue, I will really appreciate it!

My current configuration of the ASA:


: Saved
ASA Version 7.2(4)
hostname Rack1ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address
interface Ethernet0/2
description LAN/STATE Failover Interface
interface Ethernet0/3
no nameif
no security-level
no ip address
interface Management0/0
no nameif
no security-level
no ip address
boot system disk0:/asa724-k8.bin
ftp mode passive
object-group icmp-type UNIX-TRACEROUTE
icmp-object information-reply
icmp-object traceroute
icmp-object unreachable
icmp-object echo-reply
icmp-object time-exceeded
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any any eq telnet
access-list OUTSIDE extended permit udp any any range 33434 33464
access-list OUTSIDE extended permit icmp any any object-group UNIX-TRACEROUTE
access-list ICMP extended permit icmp any any
access-list VLAN808-TO-VLAN805 extended permit ip
tcp-options range 19 19 allow
pager lines 24
logging console debugging
logging mail critical
logging from-address [email protected]
logging recipient-address [email protected] level critical
mtu OUTSIDE 1500
mtu INSIDE 1500
failover lan unit primary
failover lan interface FAILOVER-IF Ethernet0/2
failover polltime interface msec 500 holdtime 5
failover link FAILOVER-IF Ethernet0/2
failover interface ip FAILOVER-IF standby
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
no asdm history enable
arp timeout 14400
static (INSIDE,OUTSIDE) netmask
access-group OUTSIDE in interface OUTSIDE
route OUTSIDE 1
router ospf 1
network area 51
network area 51
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
snmp-server host OUTSIDE trap community CISCO
no snmp-server location
no snmp-server contact
snmp-server community CISCO
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
service resetoutside
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto map CRYPTOMAP 10 match address VLAN808-TO-VLAN805
crypto map CRYPTOMAP 10 set peer
crypto map CRYPTOMAP 10 set transform-set ESP-3DES
crypto map CRYPTOMAP interface OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
class-map UDP
match port udp range 1 65535
class-map TCP
match port tcp range 1 65535
class-map ICMP
match access-list ICMP
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class TCP
set connection conn-max 5000 per-client-max 1000
set connection advanced-options PERMIT-OPTION19
class UDP
set connection conn-max 1000 per-client-max 500
class ICMP
police input 56000
service-policy global_policy global
service-policy OUTSIDE-POLICY interface OUTSIDE
prompt hostname context
: end

Some debug output, which shows that the ASA is using its internal address for ISAKMP:


%ASA-7-715046: IP =, constructing ISAKMP SA payload
%ASA-7-715046: IP =, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP =, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-609001: Built local-host OUTSIDE:
%ASA-6-302015: Built outbound UDP connection 17 for OUTSIDE: ( to NP Identity Ifc: (

Thanks a lot,


  • I found it, I did not enable ISAKMP outside. I didn't know that ISAKMP was enabled inside by default and that the ASA would build the connections towards outside sourcing from the inside...
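The %ASA-6-302015 line in the debug output above is the quickest place to spot this problem without a debug session: for traffic the ASA itself originates, the "to NP Identity Ifc:" side carries the address the firewall chose as its source, and it should be the address of the interface named on the "for" side. The following script is an added example and not part of the original post or of any Cisco tool; it parses constructed 302015 lines (RFC 5737 documentation addresses, chosen for this example) and flags IKE connections (UDP/500 and UDP/4500) whose local address does not belong to the egress interface. The INTERFACE_ADDRS map is a hypothetical interface-to-address table for the firewall being checked.

```python
import re

# Constructed sample syslog lines in ASA 302015 format; the addresses are
# RFC 5737 documentation ranges picked for this example, not values from
# the thread.  Connection 17 is the misconfigured case: it leaves OUTSIDE
# but is sourced from the INSIDE address.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 17 for OUTSIDE:203.0.113.2/500 (203.0.113.2/500) to NP Identity Ifc:192.0.2.1/500 (192.0.2.1/500)
%ASA-6-302015: Built outbound UDP connection 18 for OUTSIDE:203.0.113.2/500 (203.0.113.2/500) to NP Identity Ifc:198.51.100.1/500 (198.51.100.1/500)
%ASA-6-302015: Built outbound UDP connection 19 for OUTSIDE:203.0.113.9/53 (203.0.113.9/53) to NP Identity Ifc:198.51.100.1/1025 (198.51.100.1/1025)
%ASA-6-302015: Built inbound UDP connection 20 for OUTSIDE:203.0.113.7/4500 (203.0.113.7/4500) to NP Identity Ifc:198.51.100.1/4500 (198.51.100.1/4500)
"""

# Hypothetical interface-to-address table for the firewall under review.
INTERFACE_ADDRS = {
    "OUTSIDE": "198.51.100.1",
    "INSIDE": "192.0.2.1",
}

# ISAKMP/IKE and NAT-T ports.
IKE_PORTS = {500, 4500}

# "NP Identity Ifc" is the pseudo-interface the ASA reports for connections
# that terminate on or originate from the firewall itself.
SELF_IFC = "NP Identity Ifc"

CONN_RE = re.compile(
    r"%ASA-6-302015: Built (?P<direction>inbound|outbound) UDP connection "
    r"(?P<conn_id>\d+) "
    r"for (?P<peer_if>[^:]+):(?P<peer_ip>[\d.]+)/(?P<peer_port>\d+) \([^)]*\) "
    r"to (?P<local_if>[^:]+):(?P<local_ip>[\d.]+)/(?P<local_port>\d+) \([^)]*\)"
)


def parse_connection(line):
    """Return the fields of one 302015 UDP connection line, or None."""
    m = CONN_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("conn_id", "peer_port", "local_port"):
        fields[key] = int(fields[key])
    return fields


def find_missourced_ike(log_text, interface_addrs=INTERFACE_ADDRS):
    """Flag IKE connections whose local address is not the egress interface's.

    Only lines where the firewall itself is the local endpoint (SELF_IFC) are
    judged; the expected source address is the one configured on the
    interface named on the "for" side, i.e. the interface the packet uses.
    """
    findings = []
    for line in log_text.splitlines():
        conn = parse_connection(line)
        if conn is None or conn["local_if"] != SELF_IFC:
            continue  # transit traffic or an unrelated message
        if conn["local_port"] not in IKE_PORTS:
            continue  # not ISAKMP / NAT-T
        expected = interface_addrs.get(conn["peer_if"])
        if expected is None:
            continue  # interface not in our table; cannot judge
        if conn["local_ip"] != expected:
            findings.append({
                "conn_id": conn["conn_id"],
                "egress_if": conn["peer_if"],
                "peer_ip": conn["peer_ip"],
                "local_ip": conn["local_ip"],
                "expected_ip": expected,
            })
    return findings


def describe(finding):
    """Human-readable one-liner for a finding."""
    return (
        f"conn {finding['conn_id']}: IKE to {finding['peer_ip']} via "
        f"{finding['egress_if']} sourced from {finding['local_ip']}, "
        f"expected {finding['expected_ip']} (ISAKMP not enabled on that interface?)"
    )


if __name__ == "__main__":
    for f in find_missourced_ike(SAMPLE_LOG):
        print(describe(f))
```

On the sample above only connection 17 is reported; connection 18 is the same peer sourced correctly, 19 is not IKE, and 20 is a NAT-T session that already uses the OUTSIDE address. When the check fires, the thing to verify on the firewall is the one the poster found: ISAKMP has to be enabled on the interface the crypto map is bound to (on this software train, `crypto isakmp enable OUTSIDE`), otherwise the ASA builds the IKE session from whichever interface ISAKMP is active on.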
