Solved

Problem ASA 5510 VPN Site to Site

Posted on 2008-10-20
Last Modified: 2012-05-05
After using the ASDM wizard to set up the tunnel between two ASA 5510s, I still cannot communicate between the local inside network and the remote inside network. More information: on ASA 1 I have an SSL VPN config. Can anyone help me?

ASA 1 # sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description IP Address - IP Public
 nameif outside
 security-level 0
 ip address 202.57.xxx.xxx 255.255.xxx.xxx
 ospf cost 10
!
interface Ethernet0/1
 description IP Private Network - 5.15
 nameif inside
 security-level 100
 ip address 10.40.5.xx 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown    
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone JAVT 7
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 202.57.xxx.xxx
 name-server 202.57.xxx.xxx
 domain-name id.seapro.ad.crs.org
access-list inside_access_in extended permit ip 10.40.5.0 255.255.255.0 any
access-list csc_out extended permit tcp 10.40.5.0 255.255.255.0 any eq ftp
access-list csc_out extended permit tcp 10.40.5.0 255.255.255.0 any eq www
access-list csc_out extended permit tcp 10.40.5.0 255.255.255.0 any eq pop3
access-list crs_splitTunnelAcl standard permit 10.40.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.40.5.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.40.5.0 255.255.255.0 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool mypool 10.40.5.220-10.40.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.40.5.0 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 202.57.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.40.5.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 202.182.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.40.5.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map csc_outbound_class
 match access-list csc_out
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-open
!
service-policy global_policy global
service-policy csc_out_policy interface inside
webvpn
 enable outside
group-policy crs internal
group-policy crs attributes
 dns-server value 10.40.5.xxx 10.40.5.xxx
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value crs_splitTunnelAcl
 default-domain value id.seapro.ad.crs.org
username admin password EaTY.0bmn5wmoGTZ encrypted privilege 15
username erwin password En0mzgF9BHVTmBlk encrypted privilege 15
username erwin attributes
 vpn-group-policy crs
tunnel-group crs type remote-access
tunnel-group crs general-attributes
 address-pool mypool
 default-group-policy crs
tunnel-group crs webvpn-attributes
 hic-fail-group-policy crs
tunnel-group crs ipsec-attributes
 pre-shared-key *
tunnel-group 202.182.xxx.xxx type ipsec-l2l
tunnel-group 202.182.xxx.xxx ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:ae24eeda05da1f61bfc2aef9ba61f75c
: end




ASA 2# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA 2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 description To Outside
 nameif Outside
 security-level 0
 ip address 202.182.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.123.xxx 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit ip any any
access-list Outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.40.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.40.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu Outside 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,Outside) 202.182.xxx.xxx 172.16.22.201 netmask 255.255.255.255
static (inside,Outside) 202.182.xxx.xxx 172.16.25.25 netmask 255.255.255.255
static (inside,Outside) 202.182.xxx.xxx 172.16.22.22 netmask 255.255.255.255
static (inside,Outside) 202.182.xxx.xxx 172.16.200.200 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 202.182.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 202.57.xxx.xxx
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group 202.57.xxx.xxx type ipsec-l2l
tunnel-group 202.57.xxx.xxx ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:6accb411326d19e41d3a718f2f91b440
: end



Question by:Jovart
10 Comments
 
LVL 7

Expert Comment

by:knightfox
ID: 22764959
Please have a read through the following Cisco article...

Firstly we need to determine if the tunnel is coming up....

Please open a terminal session to the device. You can also verify the formation of tunnels using the CLI. Issue the show crypto isakmp sa command to check the formation of tunnels, and issue the show crypto ipsec sa command to observe the number of packets encapsulated, encrypted, and so forth. You should see something like:

ASA(config)#show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr: 10.10.10.1

     access-list outside_cryptomap_20 permit ip 172.22.1.0
       255.255.255.0 172.16.1.0 255.255.255.0
     local ident (addr/mask/prot/port): (172.22.1.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
     current_peer: 10.20.20.1

      #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.20.20.1

      path mtu 1500, ipsec overhead 76, media mtu 1500
      current outbound spi: 44532974

    inbound esp sas:
      spi: 0xA87AD6FA (2826622714)
         transform: esp-aes-256 esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824998/28246)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x44532974 (1146300788)
         transform: esp-aes-256 esp-sha-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824998/28245)
         IV size: 16 bytes
         replay detection support: Y

Please post back your output

/Fox

0
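The counters in the output above are the first thing to read when a tunnel "is up but nothing gets through": the encaps/decaps pair tells you whether traffic is leaving in one direction only, and the "There are no ipsec sas" message (the symptom reported in this question) means no phase-2 SA was ever negotiated. The following parser and verdict logic is an added example, not part of this thread or of Cisco's tooling; the sample output is constructed in the shape quoted above with documentation-range addresses, and the verdict strings are my own wording.

```python
import re

# Constructed sample in the shape of the "show crypto ipsec sa" output quoted above
# (documentation-range addresses). Encaps counters are non-zero but decaps are zero:
# this side encrypts toward the peer, but nothing ever comes back.
SAMPLE_ONE_WAY = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.1

      access-list outside_1_cryptomap permit ip 10.40.5.0 255.255.255.0 172.16.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.40.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# What the ASA prints when no phase-2 SA exists at all (the symptom in the question).
SAMPLE_NONE = "There are no ipsec sas\n"

ENTRY_RE = re.compile(r"Crypto map tag: ([^,]+), seq num: (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry found in 'show crypto ipsec sa' output."""
    entries = []
    # Split at every "Crypto map tag:" header; the first chunk is the interface preamble.
    for chunk in re.split(r"(?=Crypto map tag:)", text)[1:]:
        m = ENTRY_RE.search(chunk)
        entry = {"map": m.group(1), "seq": int(m.group(2)), "counters": {}, "ident": {}}
        peer = PEER_RE.search(chunk)
        entry["peer"] = peer.group(1) if peer else None
        for side, ident in IDENT_RE.findall(chunk):
            entry["ident"][side] = ident
        for name, value in COUNTER_RE.findall(chunk):
            entry["counters"][name] = int(value)
        entries.append(entry)
    return entries


def diagnose(text):
    """Turn the output into (entry tag, verdict) pairs a troubleshooter can act on."""
    entries = parse_ipsec_sa(text)
    if not entries:
        return [("none", "no IPsec SA exists: phase 1/2 never completed, or no traffic "
                         "matching the crypto ACL has been sent to trigger negotiation")]
    verdicts = []
    for e in entries:
        c = e["counters"]
        enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
        tag = f"{e['map']}:{e['seq']} -> {e['peer']}"
        if c.get("send errors", 0) or c.get("recv errors", 0):
            v = "errors on the SA: check MTU/fragmentation and transform-set agreement"
        elif enc and not dec:
            v = ("one-way: we encrypt toward the peer but receive nothing back; check the "
                 "peer's crypto ACL, NAT exemption and return route")
        elif dec and not enc:
            v = "one-way: the peer sends but we never encrypt; check our crypto ACL and NAT exemption"
        elif not enc and not dec:
            v = "SA up but idle: no traffic has matched the crypto ACL yet"
        else:
            v = "healthy: traffic flows in both directions"
        verdicts.append((tag, v))
    return verdicts


if __name__ == "__main__":
    for tag, verdict in diagnose(SAMPLE_ONE_WAY) + diagnose(SAMPLE_NONE):
        print(f"{tag}: {verdict}")
```

Paste real output into `diagnose()` in place of the constructed sample; an entry with encaps rising and decaps stuck at zero is the classic signature of a crypto ACL or NAT-exemption mismatch on the far side, which is exactly what the accepted answer in this thread ends up finding.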
 
LVL 7

Expert Comment

by:knightfox
ID: 22764963
The Cisco website has a couple of very good configuration examples

ASA side
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml
0
 
LVL 2

Expert Comment

by:inrouted
ID: 22764989
Ok. Please forgive me if I have misunderstood your problem, but why exactly are you worried about SSL VPN when you have two ASA devices? This should be a site-to-site VPN, and not an SSL VPN. SSL VPN is typically relegated to client access connections, not to a terminator-to-terminator device implementation. If I have misread your request, please flame away.

aloha
-route

0
 

Author Comment

by:Jovart
ID: 22769364
to : knightfox

Before I posted this question, I had tried the commands show crypto ipsec sa and sh crypto isakmp sa; the result is "There are no isakmp sas" or "There are no ipsec sas". I hope you can check my configuration and find the error?

or

Can anyone help me?
0
 
LVL 2

Expert Comment

by:inrouted
ID: 22819979
Did you determine if you wanted a site-to-site VPN? If you have two ASAs, it should be. If you can post or email the output of a sh run crypto on both ASA devices, then a sh run tunnel-group and finally a sh run access-list, this should give us all the information we need to determine if the configuration is correct.

Just for a reference in setup..

1. create isakmp policy
2. assign policy to interface
3. create access-list
4. create tunnel-group
5. create crypto map
 5a. create transform-set
 5b. assign access list to it
 5c. assign peer ip
 5d. assign transform-set
 5e. (optional) create nonat access-list if required
6. add ip to ingress interface (if applicable)


0

Author Comment

by:Jovart
ID: 22828626
ASA 1

sh run crypto


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 202.137.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30

sh run tunnel-group

tunnel-group 202.137.xxx.xxx type ipsec-l2l
tunnel-group 202.137.xxx.xxx ipsec-attributes
 pre-shared-key *

sh run access-list

ciscoasa# sh run access-list                                    
access-list outside_access_in extended permit ip any host 202.182.xxx.xxx
access-list outside_access_in extended permit ip any host 202.182.xxx.xxx
access-list outside_access_in extended permit ip any host 202.182.xxx.xxx
access-list outside_access_in extended permit ip any host 202.182.xxx.xxx
access-list outside_access_in extended permit ip any host 202.182.xxx.xxx
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 10.1.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.1.50.0 255.255.255.0

ASA 2

sh run crypto

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Interface_Outside_map 1 match address Interface_Outside_1_cryptomap
crypto map Interface_Outside_map 1 set peer 202.182.62.196
crypto map Interface_Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Interface_Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Interface_Outside_map interface Interface_Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto isakmp enable Interface_Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30

sh run tunnel-group

tunnel-group maxima type remote-access
tunnel-group maxima general-attributes
 address-pool tes
 default-group-policy maxima
tunnel-group maxima ipsec-attributes
 pre-shared-key *
tunnel-group 202.182.xxx.xxx type ipsec-l2l
tunnel-group 202.182.xxx.xxx ipsec-attributes
 pre-shared-key *

sh run access-list

access-list Interface_Outside_access_in extended permit ip any any
access-list Interface_inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_nat0_outbound extended permit ip host 10.1.50.250 10.1.50.248 255.255.255.248
access-list testing_splitTunnelAcl standard permit 10.1.50.0 255.255.255.0
access-list Interface_inside_nat0_outbound extended permit ip 10.1.50.0 255.255.255.0 10.1.50.248 255.255.255.248
access-list Interface_inside_nat0_outbound extended permit ip any 10.1.50.248 255.255.255.248
access-list Interface_inside_nat0_outbound extended permit ip 10.1.50.0 255.255.255.0 host 172.16.0.0
access-list cisco_splitTunnelAcl standard permit 10.1.50.0 255.255.255.0
access-list maxima_splitTunnelAcl standard permit 10.1.50.0 255.255.255.0
access-list testing_splitTunnelAcl_1 standard permit any
access-list cisco_splitTunnelAcl_1 standard permit any
access-list testing_splitTunnelAcl_2 standard permit 10.1.50.0 255.255.255.0
access-list cisco_splitTunnelAcl_2 standard permit 10.1.50.0 255.255.255.0
access-list Interface_Outside_1_cryptomap extended permit ip 10.1.50.0 255.255.255.0 172.16.0.0 255.255.255.0



0
 
LVL 2

Accepted Solution

by: inrouted (earned 500 total points)
ID: 22840787
The line:

access-list Interface_Outside_1_cryptomap extended permit ip 10.1.50.0 255.255.255.0 172.16.0.0 255.255.255.0

Doesn't match the encryption domain on ASA1. On ASA 1 you have 172.16.0.0 255.255.0.0; on ASA 2 you have 255.255.255.0.

Try and make it match, then see if the tunnel works.

-route

0
 

Expert Comment

by:Citadelny
ID: 22881981
I had the same problem: the simple config works if you have absolutely no access lists or complex options. I called TAC and they simply added this command

crypto isakmp nat-traversal  30
on both sides
and the tunnel came up.
I know this command, but I have NEVER seen it applied in any of the sample configs I've seen on the entire interweb.
I also see you have it explicitly disabled in your config.
0
 

Expert Comment

by:Citadelny
ID: 22882010
Sorry, I see it was added later; I was looking at the old config.
0
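The checklist inrouted gave earlier (isakmp policy, crypto ACL, tunnel-group, crypto map, nonat ACL), the accepted answer (the two crypto ACLs must be exact mirror images) and the nat-traversal remark just above are all things that can be verified mechanically from two `show run` outputs before anyone calls TAC. The linter below is an added example written for this thread, not a Cisco tool and not code from any poster; it parses a constructed pair of minimal ASA 8.0-style config fragments (documentation-range addresses, built by a helper so the two sides differ only in the details being checked) and reports the same class of mismatch found here. It deliberately does not assume a default for NAT traversal and only flags the explicit `no crypto isakmp nat-traversal` form seen in the first config posted.

```python
import ipaddress
from collections import defaultdict


def _sample(iface, peer, local, remote, nat_t_line):
    """Constructed minimal ASA config for one side (test data, not a real device's config)."""
    return f"""\
access-list {iface}_1_cryptomap extended permit ip {local} {remote}
access-list inside_nat0_outbound extended permit ip {local} {remote}
nat (inside) 0 access-list inside_nat0_outbound
crypto map {iface}_map 1 match address {iface}_1_cryptomap
crypto map {iface}_map 1 set peer {peer}
crypto map {iface}_map interface {iface}
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
{nat_t_line}
"""


# Side A names 172.16.0.0/24 while side B names 172.16.0.0/16 (the mismatch the accepted
# answer found); side A also has NAT traversal explicitly turned off, like the first config posted.
SIDE_A = _sample("outside", "198.51.100.1", "10.40.5.0 255.255.255.0",
                 "172.16.0.0 255.255.255.0", "no crypto isakmp nat-traversal")
SIDE_B = _sample("Outside", "192.0.2.1", "172.16.0.0 255.255.0.0",
                 "10.40.5.0 255.255.255.0", "crypto isakmp nat-traversal 30")


def _net(t, i):
    """Parse one ACL operand ('any', 'host X' or 'X MASK') at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_asa(text):
    """Extract the parts of an ASA 8.0-style config that a site-to-site tunnel depends on."""
    cfg = {"acls": defaultdict(list), "maps": defaultdict(dict), "policies": {},
           "nat0": None, "nat_t": None}  # nat_t stays None unless the config says either way
    policy = None  # isakmp policy dict that the following indented lines belong to
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):
            policy = None
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(t, 5)
            cfg["acls"][t[1]].append((src, _net(t, i)[0]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["maps"][(t[2], t[3])]["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cfg["maps"][(t[2], t[3])]["peer"] = t[6]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["policies"].setdefault(t[3], {})
        elif policy is not None and t[0] in ("authentication", "encryption", "hash", "group"):
            policy[t[0]] = t[1]
        elif t[:4] == ["no", "crypto", "isakmp", "nat-traversal"]:
            cfg["nat_t"] = False
        elif t[:3] == ["crypto", "isakmp", "nat-traversal"]:
            cfg["nat_t"] = True
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]
    return cfg


def check_pair(a, b, la="ASA 1", lb="ASA 2"):
    """Compare the two parsed sides; returns a list of findings (empty means consistent)."""
    findings = []
    pairs = lambda cfg, acl: set(cfg["acls"].get(acl, []))
    fmt = lambda ps: sorted(f"{s}->{d}" for s, d in ps)
    for cfg, lab in ((a, la), (b, lb)):
        if cfg["nat_t"] is False:
            findings.append(f"{lab}: NAT traversal is explicitly disabled")
    # Phase 1: at least one isakmp policy must agree on every parameter.
    pol = lambda cfg: {tuple(sorted(p.items())) for p in cfg["policies"].values()}
    if not pol(a) & pol(b):
        findings.append("no isakmp policy with identical parameters exists on both sides")
    # Phase 2: the static crypto-map entry (the one with 'match address') on each side.
    ea = next(e for e in a["maps"].values() if "acl" in e)
    eb = next(e for e in b["maps"].values() if "acl" in e)
    have, want = pairs(a, ea["acl"]), {(d, s) for (s, d) in pairs(b, eb["acl"])}
    if have != want:  # the remote encryption domain must be the exact mirror of the local one
        findings.append(f"crypto ACLs are not mirror images: {la} {fmt(have)} vs mirrored {lb} {fmt(want)}")
    for cfg, e, lab in ((a, ea, la), (b, eb, lb)):
        if not pairs(cfg, e["acl"]) <= pairs(cfg, cfg["nat0"]):
            findings.append(f"{lab}: nat 0 ACL does not exempt all crypto-ACL traffic")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_asa(SIDE_A), parse_asa(SIDE_B)):
        print(f)
```

Run it against the two `show run` captures instead of the constructed fragments: an empty list means the isakmp policy, the encryption domains and the NAT exemption all line up, and what remains is sending interesting traffic so the SAs actually get negotiated, which is what the author reports in the closing comment.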
 

Author Closing Comment

by:Jovart
ID: 31508168
Sorry, I posted the wrong config; this config is from before I fixed it. I have fixed the problem and added crypto isakmp nat-traversal 30. The problem: if I show crypto ipsec sa or sh crypto isakmp sa, the result is "there are no isakmp sas" or "There are no ipsec sas", and now I know the problem: I must trigger the tunnel by pinging a segment on ASA 2 for the tunnel to show.

Thx for all helping me.

And I have a new problem with LDAP on the ASA; I will open a question.
0