salesandservice

asked:

Cisco ASA 5505 VPN configuration for Site-to-Site

Please review site1 and site2 configs.  The site-to-site VPN tunnel will not come up.


Both site ASAs return:

# sho crypto isakmp sa

There are no isakmp sas


Thanks

site2config.txt
site1config.txt
salesandservice

ASKER

I've also gone through the ASDM configuration already, following http://www.petenetlive.com/Tech/Firewalls/Cisco/s2svpn.htm

What requirements are needed for the tunnel to come up?  I currently do not have any switching equipment plugged into either side; does this make a difference?

Thank you for your help.
Here's the configs after completing the ASDM VPN wizard again.

There are plans for a third site in this as well as remote client VPN access to SITE1, but for now I'm just trying to get SITE1 and SITE2 to connect.
SITE1# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname SITE1
domain-name test
enable password 2KFasdfdI.2KYOU encrypted
passwd 2KFasdfIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.221 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.146 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.100.50 172.168.100.0 255.255.255.248
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 172.168.100.1-172.168.100.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.190
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer YYY.YYY.YYY.85
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.100.222-192.168.100.254 inside
!
 
username mickey password Ges0mGy3asdfW9t5P encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnclient
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.190 type ipsec-l2l
tunnel-group XXX.XXX.XXX.190 ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.85 type ipsec-l2l
tunnel-group YYY.YYY.YYY.85 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:91ba443ec42eb0fa0f44dddf8386348c
: end
SITE1#
 
 
====
 
SITE2# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname SITE2
domain-name test2
enable password 8Rya2YajIyasdfat7RRXU24 encrypted
passwd 2KFQnbasdfNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.221 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.190 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test2
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.146
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer YYY.YYY.YYY.85
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.101.222-192.168.101.254 inside
!
 
username hola password Gaes0maGyasdf3OQzaW9t5P encrypted privilege 15
tunnel-group XXX.XXX.XXX.146 type ipsec-l2l
tunnel-group XXX.XXX.XXX.146 ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.85 type ipsec-l2l
tunnel-group YYY.YYY.YYY.85 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3a1c2927b9241009eff6033c58ad84
: end
SITE2#


Les Moore
Try adding this to both sides:

  isakmp identity address
Thanks for the comment, still no go.  Any other ideas?  Thanks again.


SITE2(config)# isakmp identity address
SITE2(config)# exit
SITE2# show crypto isakmp sa

There are no isakmp sas
SITE2#

======================================
SITE1(config)# isakmp identity address
SITE1(config)# exit
SITE1# sho crypto isakmp sa

There are no isakmp sas
SITE1#
Post result of sho crypto ipsec sa
Look for error packets
Wouldn't phase 1 need to come up first?  Either way, here's the output of the show crypto ipsec sa....


===

SITE1# sho crypto ipsec sa

There are no ipsec sas
SITE1#

========
SITE2# sho crypto ipsec sa

There are no ipsec sas
SITE2#
Are these setup in a lab environment?
I can't see anything in the configs that jumps out at me.
Probably need to debug crypto isakmp to see why phase1 is not completing.
I'm not seeing anything in the 'debug crypto isakmp' output in either ASA, which I would think is from the lack of user traffic at the moment.  If I debug anything else like ARP, entries start flooding to the session as soon as I 'clear arp'.

I attached a 'show crypto isakmp' for SITE1, SITE2 shows zeroes for all isakmp stats.

These devices are set to replace older PIX firewalls; I also tried the 'debug crypto isakmp' statement on the working PIX and no logs came up.

I don't remember this much trouble setting up the PIX firewalls and I would think ASAs would work just the same.

Is there a way to get some interesting isakmp info from the 'debug crypto isakmp' command?  Thanks.
SITE1# sho crypto isakmp
 
There are no isakmp sas
 
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 2
In Octets: 4056
In Packets: 12
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 2
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 1888
Out Packets: 16
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 2
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0


At this time, I think this problem still may be to lack of traffic on the inside interfaces.  

Questions:

Will this connection come up if I plug a laptop into one of the ASAs and try to ping the remote inside network?

Will I need to write the config to start-up and reload?

---

I get the feeling that the configs are correct, but I'm going to have issues with the tunnels until I go live with real traffic.  Again, at this time both ASAs are just connected to their WAN connections.
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
Problem solved; initial suspicions were correct, but it was nice to have an expert confirm it with a solid answer.  Thanks Irmoore.

Final Fix:  Once laptops were put into place on both sides, they were able to ping across the tunnel to each other; this brought up the tunnel and confirmed connectivity over it.

Confirmed working:

SITE1# sho crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: X.X.X.190
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
SITE1#


Such a simple fix for a simple situation.  Lesson learned.  Thanks again.