VPN Site to Site Phase 2 issue


    ITLondon
    #166068

    Hi,

    Site-to-site IPsec: phase 2 is not connecting.
    Is there anything obvious we are missing in the following config of our IPsec tunnel? Phase 1 connects fine. This is using crypto map Londonsite. Could it be related to the filter access-lists we have?

    Thanks for your help

    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login VPN_CLIENT_LOGIN local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network VPN_CLIENT_GROUP local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    clock timezone EST -5 0
    clock summer-time EDT recurring
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    !
    ip cef
    no ip domain lookup

    ip name-server 10.75.139.18
    ip name-server 10.88.10.48
    login on-failure log
    login on-success log
    !
    multilink bundle-name authenticated
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-1879604112
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879604112
    revocation-check none
    !
    !
    crypto pki certificate chain TP-self-signed-1879604112
    certificate self-signed 01

    !

    !
    redundancy
    !
    !
    ip ftp username xxxx
    ip ftp password cisco1111
    ip ssh source-interface FastEthernet0/1
    ip ssh logging events
    ip ssh version 2
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    !
    crypto isakmp policy 12
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key cisco address xxxx (peer IP address)
    !
    crypto isakmp client configuration group VPN_CLIENTS
    key vpnkey
    dns 41.160.0.36
    pool VPN_CLIENT_POOL
    acl 110
    !
    !
    crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set Londonvpn esp-3des esp-sha-hmac
    !
    crypto dynamic-map EXT_DYNAMIC_MAP 10
    set transform-set TRANS_3DES_SHA
    !
    !
    crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
    crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map EXT_MAP client configuration address respond
    crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
    !
    crypto map Londonsite 1 ipsec-isakmp
    set peer xxx (Public IP)
    set security-association lifetime seconds 86400
    set transform-set Londonvpn
    set pfs group2
    match address 102
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 10.88.48.1 255.255.252.0
    ip access-group OUTBOUND_FILTER in
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description To Internet
    ip address xxxx (Public ip)
    ip access-group INBOUND_FILTER in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map Londonsite
    !
    interface Serial0/0/0
    no ip address
    shutdown
    clock rate 2000000
    !
    interface FastEthernet0/1/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    ip local pool VPN_CLIENT_POOL 192.168.255.20 192.168.255.50
    no ip forward-protocol nd
    no ip http server
    ip http secure-server
    !
    !
    ip nat inside source list 101 interface FastEthernet0/1 overload
    ip nat inside source static tcp 10.88.49.59 21 interface FastEthernet0/1 21
    ip route 0.0.0.0 0.0.0.0 xxxx (public IP of next hop)
    !
    ip access-list standard SNMP-ACL
    permit 10.75.139.90
    deny any log
    ip access-list standard SSH-ACL
    permit xxx public IP
    !
    ip access-list extended INBOUND_FILTER
    permit udp any eq domain any
    permit tcp any eq domain any
    permit tcp any eq www any
    permit tcp any eq 563 any
    permit udp any eq 563 any
    permit tcp any eq 443 any
    permit udp any eq 443 any
    permit tcp any any eq 1723
    permit tcp any eq ftp any
    permit gre any any
    permit tcp any eq 3389 any
    permit tcp any eq ftp-data any
    permit udp any eq isakmp any
    permit udp any eq non500-isakmp any
    permit esp any any
    permit tcp any any range 1023 65535
    permit icmp any any
    permit tcp any eq 1723 any
    permit tcp any eq smtp any
    permit tcp any eq pop3 any
    permit tcp any host Public IP
    permit tcp any host public IP
    permit tcp host public IP host 192.168.51.250 eq 22
    permit udp any host 192.168.51.250 eq isakmp
    permit udp any host 192.168.51.250 eq non500-isakmp
    permit esp any host 192.168.51.250
    permit ahp any host 192.168.51.250
    permit tcp host public IP host public IP eq 22
    permit udp any host public IP eq isakmp
    permit udp any host public IP eq non500-isakmp
    permit esp any host public IP
    permit ahp any host public IP
    ip access-list extended OUTBOUND_FILTER
    permit tcp 10.88.48.0 0.0.0.255 any eq smtp
    permit tcp 10.88.49.0 0.0.0.255 any eq smtp
    permit tcp 10.88.50.0 0.0.0.255 any eq smtp
    deny tcp 10.88.48.0 0.0.0.255 any eq smtp
    permit ip any any
    permit icmp any any
    !
    logging esm config
    access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255
    access-list 101 deny ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255
    access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.51.0 0.0.0.255
    access-list 101 deny ip 10.88.48.0 0.0.0.255 192.168.51.0 0.0.0.255
    access-list 101 permit ip 10.88.0.0 0.0.255.255 any
    access-list 102 permit ip 10.88.0.0 0.0.0.255 192.168.51.0 0.0.0.255
    access-list 110 permit ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255
    access-list 110 permit ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255
    !
    !
    !
    snmp-server community Stanley RO SNMP-ACL
    snmp-server ifindex persist
    snmp-server enable traps tty
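
Phase 2 only comes up when the interesting-traffic definition on both peers agrees (mirror-image proxy IDs) and when that traffic actually reaches the crypto map untranslated. The script below is an added example, not part of the post above: it takes the posted inside interface line, the crypto ACL behind "match address 102" and NAT list 101, converts the IOS wildcards to networks, and reports where they disagree. The function names and the finding strings are my own; it assumes contiguous wildcard masks, which is all this config uses.

```python
import ipaddress
import re

# Constructed from the configuration posted above: the inside interface line,
# the crypto ACL referenced by "match address 102" and the NAT ACL (list 101).
INSIDE_IFACE = "ip address 10.88.48.1 255.255.252.0"
CRYPTO_ACL = ["access-list 102 permit ip 10.88.0.0 0.0.0.255 192.168.51.0 0.0.0.255"]
NAT_ACL = [
    "access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255",
    "access-list 101 deny ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255",
    "access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.51.0 0.0.0.255",
    "access-list 101 deny ip 10.88.48.0 0.0.0.255 192.168.51.0 0.0.0.255",
    "access-list 101 permit ip 10.88.0.0 0.0.255.255 any",
]

def wildcard_to_net(addr, wildcard):
    """IOS address + wildcard (e.g. 0.0.0.255) -> network; contiguous wildcards only."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ace(line):
    """'access-list N permit|deny ip SRC WC DST WC' -> (action, src, dst); 'any' = 0.0.0.0/0."""
    f = re.sub(r"\bany\b", "0.0.0.0 255.255.255.255", line).split()
    return f[2], wildcard_to_net(f[4], f[5]), wildcard_to_net(f[6], f[7])

def expected_remote_ace(line):
    """Mirror image of a crypto ACE: what the peer's crypto ACL must permit for phase 2."""
    _, src, dst = parse_ace(line)
    return f"permit ip {dst.network_address} {dst.hostmask} {src.network_address} {src.hostmask}"

def check_phase2_acls(inside_line, crypto_acl, nat_acl):
    """Findings where the crypto ACL, the inside subnet and the NAT ACL disagree."""
    _, _, addr, mask = inside_line.split()
    inside = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    findings = []
    for action, src, dst in (a for a in map(parse_ace, crypto_acl) if a[0] == "permit"):
        # Inside hosts only select the tunnel if their subnet lies within the ACL source.
        if not inside.subnet_of(src):
            findings.append(f"crypto ACL source {src} does not cover inside subnet {inside}")
        # First-match NAT ACE: a 'permit' means the traffic is translated before the
        # crypto map is evaluated and no longer matches the interesting-traffic ACL.
        for nat_action, s, d in map(parse_ace, nat_acl):
            if s.overlaps(src) and d.overlaps(dst):
                if nat_action == "permit":
                    findings.append(f"{src} -> {dst} is not exempted from NAT")
                break
    return findings

if __name__ == "__main__":
    print(expected_remote_ace(CRYPTO_ACL[0]))
    print(check_phase2_acls(INSIDE_IFACE, CRYPTO_ACL, NAT_ACL))
```

The same check is worth running against the remote peer's crypto ACL and NAT configuration, since a mismatch on either side shows up as the same phase 2 failure.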

