Solved

ASA 5505 site to site VPN not connecting

Posted on 2008-10-02
Last Modified: 2012-05-05
Hi,
I have installed an ASA 5505 at each of two sites and am having trouble getting the site-to-site VPN to work. The remote access VPN connection to Site A is working with the Cisco VPN Client.
Here's the layout:
Site A
Network: 192.168.10.0 255.255.255.0
Inside interface = 192.168.10.1
Outside interface = x.x.x.189 255.255.255.252

Site B
Network: 192.168.0.0 255.255.0.0
Inside interface = 192.168.1.50
Outside interface = x.x.x.179 255.255.255.248

Site A - Show Config

Result of the command: "show config"

: Saved
: Written by enable_15 at 05:29:40.102 UTC Thu Oct 2 2008
!
ASA Version 7.2(4)
!
hostname SFBASA
domain-name xxx.com
enable password Dr0KI7S5C7dIwyPV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.189 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.71.226
 name-server 68.87.73.242
 domain-name seaboardbox.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 description Terminal Services
 port-object eq 3389
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any object-group RDP
access-list inside_nat_static extended permit tcp host 192.168.10.10 eq smtp any
access-list inside_nat_static_1 extended permit tcp host 192.168.10.10 eq 3389 any
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list TunnelUsers_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool TunnelPool 192.168.10.100-192.168.10.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.10 255.255.255.255
static (inside,outside) tcp interface smtp access-list inside_nat_static
static (inside,outside) tcp interface 3389 access-list inside_nat_static_1
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.179
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

webvpn
 port 444
 enable outside
group-policy TunnelUsers internal
group-policy TunnelUsers attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelUsers_splitTunnelAcl
username RIUser password SBczTtM5X/lZ7NBM encrypted
username RIUser attributes
 vpn-group-policy TunnelUsers
username jwescott password fOSs9WfLkygSApes encrypted privilege 0
username jwescott attributes
 vpn-group-policy TunnelUsers
username nadines password PO7M4e1iD3ZFQv.5 encrypted
username nadines attributes
 vpn-group-policy TunnelUsers
tunnel-group TunnelUsers type ipsec-ra
tunnel-group TunnelUsers general-attributes
 address-pool TunnelPool
 default-group-policy TunnelUsers
tunnel-group TunnelUsers ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.179 type ipsec-l2l
tunnel-group x.x.x.179 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3185467c4f8640e19a82d9b78ee2cee9

___________________________________

Site B - Show Config

Result of the command: "show config"

: Saved
: Written by enable_15 at 13:00:49.531 UTC Wed Oct 1 2008
!
ASA Version 7.2(4)
!
hostname RI5505
domain-name xxx.com
enable password Dr0KI7S5C7dIwyPV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.50 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.179 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name seaboardbox.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 host x.x.x.189
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.189
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

tunnel-group x.x.x.189 type ipsec-l2l
tunnel-group x.x.x.189 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:32c47dab9c5cc832280a93883d34e8ac


Thanks for taking a look

Question by: VNI-Joe

4 Comments

Expert Comment

by:arnold
ID: 22624542
Your problem is that you have overlapping IPs.
Site A has 192.168.10.0 255.255.255.0
Site B has 192.168.0.0 255.255.0.0

192.168.10.0 255.255.255.0 is included in the 192.168.0.0 255.255.0.0.

Additionally you have a policy mismatch. Site A has pfs group1; Site B only has pfs.


Author Comment

by:VNI-Joe
ID: 22624684
I fixed the pfs so that they both are group 1.
Will the overlapping networks keep the vpn from connecting? What could I do to work around this?

Accepted Solution

by: lrmoore (earned 250 total points)
ID: 22624906
I would change the mask at the site with the 255.255.0.0 mask. With a little bitty 5505 I'm sure you're not trying to support that many hosts... 65,000+.
Besides, using a class B mask on a class C range constitutes a supernet, not a true subnet, and many older TCP/IP stacks can't deal with supernet masks. For the most part it works, but it is non-standard. Standards are set for a reason, and bucking them just makes life more difficult somewhere else.

Else, you could nat both ways to some other address space... makes it even uglier and difficult to troubleshoot for the next guy, but it will work.


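An added check, not part of this thread and not a Cisco tool, that parses excerpts of the two posted configs and flags the two issues arnold raises (Site B's /16 inside network swallowing Site A's /24, and the PFS group mismatch), then shows that lrmoore's mask change together with the pfs fix clears both. The excerpts are constructed from the configs above; the ASA default of group2 for a bare `set pfs` is assumed from Cisco's documentation.

```python
import ipaddress
import re

# Constructed excerpts of the two posted ASA 7.2(4) configs: only the
# inside interface and the static crypto map entry matter for this check.
SITE_A = """
interface Vlan1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
crypto map outside_map 1 set pfs group1
"""
SITE_B = """
interface Vlan1
 nameif inside
 ip address 192.168.1.50 255.255.0.0
crypto map outside_map 1 set pfs
"""
# Site B after the suggested fix: /24 inside mask and an explicit group1.
SITE_B_FIXED = SITE_B.replace("255.255.0.0", "255.255.255.0") \
                     .replace("set pfs\n", "set pfs group1\n")

def inside_network(config):
    """Return the network of the interface whose nameif is 'inside'."""
    current = None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\S+) (\S+)", line)  # skips 'no ip address'
        if m and current == "inside":
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    raise ValueError("no inside interface address found")

def pfs_group(config):
    """PFS DH group on the static crypto map entry; a bare 'set pfs'
    is assumed to mean the documented ASA default, group2."""
    m = re.search(r"crypto map \S+ \d+ set pfs(?: (group\d+))?", config)
    return None if not m else (m.group(1) or "group2")

def check_tunnel(cfg_a, cfg_b):
    """List the reasons the L2L tunnel between these two configs will not form."""
    problems = []
    net_a, net_b = inside_network(cfg_a), inside_network(cfg_b)
    if net_a.overlaps(net_b):
        problems.append(f"overlapping networks: {net_a} and {net_b}")
    pfs_a, pfs_b = pfs_group(cfg_a), pfs_group(cfg_b)
    if pfs_a != pfs_b:
        problems.append(f"pfs mismatch: {pfs_a} vs {pfs_b}")
    return problems
```

`check_tunnel(SITE_A, SITE_B)` reports both problems; `check_tunnel(SITE_A, SITE_B_FIXED)` returns an empty list.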

Author Closing Comment

by:VNI-Joe
ID: 31502388
Thanks for your assistance. I knew going into this that the IP address scheme was going to be a problem. I am putting this on hold until we do something about IP addressing. Thanks.
