Re: site-to-site vpn

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Wed, 20 Oct 2010 14:13:40 +0100

Hi,

Seems to me that the problem is your NAT is dis-locating your "interesting
traffic"! Look carefully through this and work it out:

name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external

object-group network Tmobile_SMPP_Networks
 network-object 66.94.3.71 255.255.255.255

object-group service SMPP tcp
 port-object eq 9071

static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255

access-list outside_SMPP extended permit tcp host SMPP-internal host
66.94.3.71 object-group SMPP

nat (inside) 0 access-list outside_SMPP

crypto map outside_map 1 match address outside_SMPP

This just tells me that by the time your static NAT is done with the
packets, they won't be hitting the crypto ACL. Did I get that right?

Hope that helps a bit.

Sadiq

On Wed, Oct 20, 2010 at 1:57 AM, Ryan West <rwest_at_zyedge.com> wrote:

> Are you sure Tmobile is expecting your private addressing? They usually
> like to peer with other globally unique addresses.
>
> With the way your ACL is currently written, you're the initiator connecting
> to them on port 9071. The receiving end of the tunnel will have more valuable
> debug information, but you can still run 'packet-tracer input inside tcp
> 10.15.10.45 1025 66.94.3.71 9071 det' to gather information.
>
> Everything else seems fine, assuming that your tunnel end point and
> interesting traffic are the same host, i.e. they are doing a PAT off their
> external address.
>
> -ryan
>
> From: Cisco Fanatic [mailto:ebay_products_at_hotmail.com]
> Sent: Tuesday, October 19, 2010 8:49 PM
> To: jpoplawski_at_starkinvestments.com; marcelo_at_academiacisco.com.br; Ryan
> West
> Cc: ccielab_at_groupstudy.com
> Subject: RE: site-to-site vpn
>
> This is the final config. Phase I is up, but Phase II is not coming up.
>
> name 10.15.10.45 SMPP-internal
> name 38.105.120.78 SMPP-external
>
> static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
>
> object-group network Tmobile_SMPP_Networks
> network-object 66.94.3.71 255.255.255.255
>
> object-group service SMPP tcp
> port-object eq 9071
>
> crypto isakmp enable outside
>
> crypto isakmp policy 1
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
>
>
> access-list outside_SMPP extended permit tcp host SMPP-internal host
> 66.94.3.71 object-group SMPP
>
> nat (inside) 0 access-list outside_SMPP
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>
> crypto map outside_map 1 match address outside_SMPP
> crypto map outside_map 1 set peer 66.94.3.71
> crypto map outside_map 1 set transform-set ESP-3DES-SHA
> crypto map outside_map 1 set security-association lifetime seconds 3600
>
> crypto map outside_map interface outside
>
>
> tunnel-group 66.94.3.71 type ipsec-l2l
> tunnel-group 66.94.3.71 ipsec-attributes
> pre-shared-key *
>
>
>
> > From: jpoplawski_at_starkinvestments.com
> > To: marcelo_at_academiacisco.com.br; rwest_at_zyedge.com
> > CC: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> > Date: Tue, 19 Oct 2010 19:38:26 -0500
> > Subject: RE: site-to-site vpn
> >
> > Missing a NAT0 command
> > Not sure I saw outside_map_1 acl defined.
> >
> > Call me a slacker but typically I use ASDM to configure the Site-to-Site,
> then use CLI to check ACLs, phase 1 (show crypto isakmp sa) phase 2 (show
> crypto ipsec sa).
> >
> > Are you trying to do a static NAT translation to the outside world too?
> >
> > I always run into problems with PSK. Other end doesn't support it
> typically.
> >
> > HTH,
> > JB
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcelo Pinheiro
> > Sent: Tuesday, October 19, 2010 6:42 PM
> > To: Ryan West
> > Cc: Cisco Fanatic; ccielab_at_groupstudy.com
> > Subject: Re: site-to-site vpn
> >
> > Hi Yuri,
> >
> > Make sure that:
> > - the crypto map ACL is mirrored. This can cause weird behaviors (packet
> > loss, lose vpn connection, etc).
> > - psk is OK
> > - transform-set is OK
> >
> > If possible, try to debug (ipsec, isakmp).
> >
> > HTH.
> > Marcelo Pinheiro
> >
> > On Tue, Oct 19, 2010 at 8:32 PM, Ryan West <rwest_at_zyedge.com> wrote:
> >
> > > Probably want to avoid port selectors when configuring a site to site
> > > tunnel, it will affect performance. Your interesting traffic ACL should
> > > read 'access-list permit ip host <your host> host <their host>'. If you
> > > want to limit what comes across the tunnel, turn off sysopt permit-vpn
> > > and filter on your outside ACL.
> > >
> > > -ryan
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
> > > Sent: Tuesday, October 19, 2010 7:25 PM
> > > To: ccielab_at_groupstudy.com
> > > Subject: site-to-site vpn
> > >
> > > I am trying to configure site-to-site vpn on an ASA. I don't have access
> > > to the other side of the equipment so can't really, but the person has
> > > been generous to share the parameters which I need to configure on my end
> > > to make it work. I just have a couple of hrs to get it working so that I
> > > can checklist on my things to do from my CCIE standpoint :(-.
> > >
> > > Appreciate any help.
> > >
> > > What I am trying to do is that there is a remote server - 66.94.3.71 and
> > > I have a local server 10.15.10.45 which should be seen by the outside
> > > world as 38.105.120.78.
> > >
> > > [Local] ---38.105.120.66 --- INTERNET --- 97.65.105.5 -- [Remote] ---
> > > 66.94.3.71
> > > !
> > > !
> > > 38.105.120.78
> > > !
> > > [10.15.10.45]
> > >
> > > Config
> > > ++++
> > >
> > > name 10.15.10.45 SM-internal
> > > name 38.105.120.78 SM-external
> > >
> > > static (inside,outside) SM-external SM-internal netmask 255.255.255.255
> > >
> > > object-group network mob_SM_Networks
> > > network-object 66.94.3.71 255.255.255.255
> > >
> > > object-group service SM tcp
> > > port-object eq 9071
> > >
> > > crypto isakmp enable outside
> > >
> > > crypto isakmp policy 1
> > > authentication pre-share
> > > encryption 3des
> > > hash sha
> > > group 2
> > > lifetime 86400
> > >
> > >
> > > access-list outside_SM extended permit tcp host SM-internal host 66.94.3.71 object-group SM
> > >
> > >
> > > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> > >
> > > crypto map outside_map 1 match address outside_SM
> > > crypto map outside_map 1 set peer 66.94.3.71
> > > crypto map outside_map 1 set transform-set ESP-3DES-SHA
> > > crypto map outside_map 1 set security-association lifetime seconds 3600
> > >
> > >
> > > tunnel-group 66.94.3.71 type ipsec-l2l
> > > tunnel-group 66.94.3.71 ipsec-attributes
> > > pre-shared-key *
> > >
> > > Thanks,
> > > -Yuri
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
>

-- 
CCIEx2 (R&S|Sec) #19963
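The two ways of lining up the NAT with the crypto ACL that the thread circles around, written out as an added example. This is not Yuri's posted config and not anything T-Mobile supplied; the addresses, names and port are the ones from the thread, the ACL names outside_SMPP_pub and outside_SMPP_priv are made up for the example, and which address the peer expects as your proxy ID is the assumption you have to confirm with the other side before picking a variant.

```cisco
! Added example (ASA 8.2-style syntax), built from the addresses in the thread.
! Two facts drive it: on the ASA, NAT is applied before the crypto map ACL is
! evaluated for outbound traffic, so the crypto ACL must match addresses as they
! look AFTER translation; and NAT exemption (nat 0 access-list) is matched
! before static NAT, so an exemption that covers the flow stops the static from
! ever firing for it. Whichever rule wins decides the local proxy ID in phase 2.

name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external

! --- Variant A: peer expects the PUBLIC address 38.105.120.78 ---------------
! Keep the static, remove the exemption for this flow, and write the crypto ACL
! on the translated address. No port selector (Ryan's point about performance).
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
no nat (inside) 0 access-list outside_SMPP
access-list outside_SMPP_pub extended permit ip host SMPP-external host 66.94.3.71
crypto map outside_map 1 match address outside_SMPP_pub
! phase 2 local/remote ident presented: 38.105.120.78/32 <-> 66.94.3.71/32

! --- Variant B: peer expects the PRIVATE address 10.15.10.45 ----------------
! Exempt the flow from NAT so the static never applies to it, and write the
! crypto ACL on the real address. The static keeps serving non-VPN traffic.
access-list outside_SMPP_priv extended permit ip host SMPP-internal host 66.94.3.71
nat (inside) 0 access-list outside_SMPP_priv
crypto map outside_map 1 match address outside_SMPP_priv
! phase 2 local/remote ident presented: 10.15.10.45/32 <-> 66.94.3.71/32

! --- Checks, either variant -------------------------------------------------
! 1. Which translation (if any) the packet gets and whether it reaches the
!    crypto map: the trace output shows the NAT phase and the VPN phase.
packet-tracer input inside tcp 10.15.10.45 1025 66.94.3.71 9071 detailed
! 2. After sending traffic, compare the local/remote ident lines against what
!    the peer has configured; a mismatch there is the usual phase 2 failure.
show crypto isakmp sa
show crypto ipsec sa
```

If you keep a port selector in the crypto ACL anyway, the peer's ACL has to mirror it exactly (Marcelo's point), otherwise phase 2 fails on the proxy IDs just as surely as a wrong address does. And note that with sysopt connection permit-vpn on (the ASA default), traffic arriving through the tunnel bypasses the outside interface ACL; turn it off and filter on the outside ACL if you want to restrict what the peer can reach, as Ryan suggests.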
Received on Wed Oct 20 2010 - 14:13:40 ART

This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART