Solved

ASA5510: LAN-LAN IPSec not working

Posted on 2006-11-15
Last Modified: 2008-02-01
Hi, I am unable to get this to work. I'm new to ASA (I'm just beginning to understand PIX :P)

ASA5510(Site 1) <----->Cisco1841<--64kbps (serial point to point)-->Cisco1841<---->ASA5510(Site 2)

Site 1: ASA 5510
--------------------
ASA Version 7.1(2)
!
hostname site1asa5510
names
!
interface Ethernet0/0
 description Outside Interface to Cisco 1841
 speed 100
 nameif outside
 security-level 0
 ip address 172.10.10.253 255.255.255.252
!
interface Ethernet0/1
 description Inside interface to LAN
 speed 100
 nameif inside
 security-level 100
 ip address 10.143.25.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit ip any 10.143.25.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any any
access-list VPN-Site2 extended permit ip 10.143.25.0 255.255.255.0 10.143.4.0 255.255.255.0
pager lines 24
logging enable
logging history errors
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.143.25.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 172.10.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map VPNMAP 10 match address VPN-Site2
crypto map VPNMAP 10 set peer 172.20.10.253
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
tunnel-group 172.20.10.253 type ipsec-l2l
tunnel-group 172.20.10.253 ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:68cc72230d1f35ba9cfa466cc6318453
: end
Site1asa5510#

 Site 2: ASA 5510
--------------------

hostname Site2asa5510
enable password *
names
interface Ethernet0/0
 description Outside Interface to Cisco 1841
 speed 100
 nameif outside
 security-level 0
 ip address 172.20.10.253 255.255.255.252

interface Ethernet0/1
 description Inside interface to LAN
 speed 100
 nameif inside
 security-level 100
 ip address 10.143.4.66 255.255.255.0

interface Ethernet0/2
 shutdown
 no nameif      
 no security-level
 no ip address

interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only

ftp mode passive
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit ip any 10.143.4.0 255.255.255.0
access-list OUTSIDE-IN extended permit icmp any any
access-list VPN-Site1 extended permit ip 10.143.4.0 255.255.255.0 10.143.25.0 255.255.255.0
pager lines 24
logging enable
logging history errors
logging asdm informational
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400          
global (outside) 1 interface
nat (inside) 1 10.143.4.0 255.255.255.0
access-group OUTSIDE-IN in interface outside
route outside 10.143.25.0 255.255.255.0 172.20.10.254 1
route outside 0.0.0.0 0.0.0.0 172.20.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map VPNMAP 10 match address VPN-Site1
crypto map VPNMAP 10 set peer 172.10.10.253
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2            
isakmp policy 10 lifetime 28800
tunnel-group 172.10.10.253 type ipsec-l2l
tunnel-group 172.10.10.253 ipsec-attributes
 pre-shared-key *
telnet 10.143.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh              
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
Cryptochecksum:f4da380c7981d38bfd17a0009698b6fe
: end
Site2asa5510(config)#


The router config is straightforward, with static routes only:
Site 1:
ip route 0 0 172.20.10.254

Site 2:
ip route 0 0 172.10.10.254
Question by:titanax

Author Comment

by:titanax
ID: 17945844
The tunnel group for Site 1 is a mistake:

crypto map VPNMAP 10 set peer 172.20.10.253

tunnel-group 172.20.10.253 type ipsec-l2l
tunnel-group 172.20.10.253 general-attributes
tunnel-group 172.20.10.253 ipsec-attributes
 pre-shared-key *
0
 

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17946368
Did you use the ASDM GUI VPN Wizard?

You need to add nat 0 controls:

Site 1
 access-list NO_NAT permit ip 10.143.25.0 255.255.255.0 10.143.4.0 255.255.255.0
 nat (inside) 0 access-list NO_NAT

Site 2 is mirror image
 access-list NO_NAT extended permit ip 10.143.4.0 255.255.255.0 10.143.25.0 255.255.255.0
 nat (inside) 0 access-list NO_NAT

Add those entries, then post result of "show cry is sa"
QM_IDLE = good sign
0
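Why the `nat 0` lines in the accepted answer matter, as an added example (not part of the original thread, and not a Cisco tool): on these configs the dynamic `nat (inside) 1` rule translates inside sources before the crypto map ACL is consulted, so site-to-site traffic no longer matches `VPN-Site2`. The script below is a hypothetical audit helper that flags crypto ACL entries with no covering `nat 0` exemption. It assumes the ASA 7.x syntax seen above and only handles `permit ip <net> <mask> <net> <mask>` entries.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the Site 1 config from the question.
SITE1 = """\
access-list VPN-Site2 extended permit ip 10.143.25.0 255.255.255.0 10.143.4.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.143.25.0 255.255.255.0
crypto map VPNMAP 10 match address VPN-Site2
"""
# The two lines the accepted answer adds for Site 1.
FIX = """\
access-list NO_NAT permit ip 10.143.25.0 255.255.255.0 10.143.4.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
"""

ACL = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
DYN = re.compile(r"^nat \(\S+\) [1-9]\d* (\S+) (\S+)$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def unexempted_vpn_flows(config):
    """Return crypto-ACL (name, src, dst) entries whose source is dynamically
    translated and that no nat 0 access-list entry covers."""
    acls, crypto, exempt, dynamic = {}, [], [], []
    for line in map(str.strip, config.splitlines()):
        if m := ACL.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := CRYPTO.match(line):
            crypto.append(m[1])
        elif m := NAT0.match(line):
            exempt.append(m[1])
        elif m := DYN.match(line):
            dynamic.append(net(m[1], m[2]))
    no_nat = [pair for name in exempt for pair in acls.get(name, [])]
    findings = []
    for name in crypto:
        for src, dst in acls.get(name, []):
            translated = any(src.overlaps(d) for d in dynamic)
            covered = any(src.subnet_of(s) and dst.subnet_of(d) for s, d in no_nat)
            if translated and not covered:
                findings.append((name, str(src), str(dst)))
    return findings

if __name__ == "__main__":
    print("before:", unexempted_vpn_flows(SITE1))
    print("after: ", unexempted_vpn_flows(SITE1 + FIX))
```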
 

Author Comment

by:titanax
ID: 17956321
Thanks lrmoore, it works!

Qn: I have set the following, but can't access ssh / telnet from outside
ssh 0 0 outside
ssh 0 0 inside

telnet 0 0 outside
telnet 0 0 inside

Works fine on PIX, but it doesn't here. Telnet just opens a black window without prompts & PuTTY says "Fatal server error"... real bizarre...
0

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 17959835
You can't telnet to the outside IP. Ever.
You should be able to SSH to it, though...
0
 

Author Comment

by:titanax
ID: 17976428
That's the problem, ssh doesn't work either. My PuTTY responds with a "Server fatal error".

Is there anything else I should try, any additional access-lists? Shouldn't this suffice?

ssh 0 0 outside
ssh 0 0 inside
0
 

Author Comment

by:titanax
ID: 18026916
anybody?? I know SSH is pretty easy to configure but I'm still having this issue
0
 

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 18027164
That's all I've ever had to do with over 100 PIX installations.
Unless there is something out in front preventing connections through port 22
Are you trying to ssh to the inside IP of the remote ASA through the VPN tunnel, or are you trying to ssh to the ASA's outside interface IP from outside somewhere?

You might be able to add:
  management-access inside

Now you should be able to ssh/telnet to the inside IP of the remote ASA through the VPN tunnel

0
 

Author Comment

by:titanax
ID: 18033958
Thanks lrmoore, will give it a shot & update you - but the mgmt port is shut down because I'm not using it. But it's worth a shot
0
 

Expert Comment

by:lrmoore
ID: 18035180
It's OK that the management port is shutdown. This is simply to allow access to the inside interface over the vpn tunnel.
0
 

Author Comment

by:titanax
ID: 18058458
Thanks lrmoore - ssh is still not working but I will close this case - it was primarily a VPN issue.
0
