Solved

Cisco ASA 5505 VPN configuration for Site-to-Site

Posted on 2008-10-28
13
1,315 Views
Last Modified: 2011-10-19
Please review site1 and site2 configs. The site-to-site VPN tunnel will not come up.


Both site ASAs return:

# sho crypto isakmp sa

There are no isakmp sas


Thanks

site2config.txt
site1config.txt
0
Question by:salesandservice
13 Comments
 
LVL 1

Author Comment

by:salesandservice
ID: 22826077
I've also gone through the ASDM configuration already, following http://www.petenetlive.com/Tech/Firewalls/Cisco/s2svpn.htm

What requirements are needed for the tunnel to come up? I currently do not have any switching equipment plugged into either side; does this make a difference?

Thank you for your help.
0
 
LVL 1

Author Comment

by:salesandservice
ID: 22826824
Here are the configs after completing the ASDM VPN wizard again.

There are plans for a third site in this as well as remote client VPN access to SITE1, but for now I'm just trying to get SITE1 and SITE2 to connect.
SITE1# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname SITE1
domain-name test
enable password 2KFasdfdI.2KYOU encrypted
passwd 2KFasdfIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.221 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.146 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.100.50 172.168.100.0 255.255.255.248
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 172.168.100.1-172.168.100.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.190
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer YYY.YYY.YYY.85
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.100.222-192.168.100.254 inside
!
 
username mickey password Ges0mGy3asdfW9t5P encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnclient
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.190 type ipsec-l2l
tunnel-group XXX.XXX.XXX.190 ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.85 type ipsec-l2l
tunnel-group YYY.YYY.YYY.85 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:91ba443ec42eb0fa0f44dddf8386348c
: end
SITE1#
 
 
====
 
SITE2# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname SITE2
domain-name test2
enable password 8Rya2YajIyasdfat7RRXU24 encrypted
passwd 2KFQnbasdfNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.221 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.190 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test2
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.146
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer YYY.YYY.YYY.85
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.101.222-192.168.101.254 inside
!
 
username hola password Gaes0maGyasdf3OQzaW9t5P encrypted privilege 15
tunnel-group XXX.XXX.XXX.146 type ipsec-l2l
tunnel-group XXX.XXX.XXX.146 ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.85 type ipsec-l2l
tunnel-group YYY.YYY.YYY.85 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3a1c2927b9241009eff6033c58ad84
: end
SITE2#


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22827240
Try adding this to both sides:

  isakmp identity address
0
 
LVL 1

Author Comment

by:salesandservice
ID: 22827461
Thanks for the comment, still no go. Any other ideas? Thanks again.


SITE2(config)# isakmp identity address
SITE2(config)# exit
SITE2# show crypto isakmp sa

There are no isakmp sas
SITE2#

======================================
SITE1(config)# isakmp identity address
SITE1(config)# exit
SITE1# sho crypto isakmp sa

There are no isakmp sas
SITE1#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22827635
Post result of sho crypto ipsec sa
Look for error packets
0
 
LVL 1

Author Comment

by:salesandservice
ID: 22827746
Wouldn't phase 1 need to come up first? Either way, here's the output of show crypto ipsec sa:


===

SITE1# sho crypto ipsec sa

There are no ipsec sas
SITE1#

========
SITE2# sho crypto ipsec sa

There are no ipsec sas
SITE2#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22827938
Are these setup in a lab environment?
I can't see anything in the configs that jumps out at me.
Probably need to debug crypto isakmp to see why phase1 is not completing.
0
 
LVL 1

Author Comment

by:salesandservice
ID: 22829329
I'm not seeing anything in the 'debug crypto isakmp' output on either ASA, which I would think is from the lack of user traffic at the moment. If I debug anything else, like ARP, entries start flooding to the session as soon as I 'clear arp'.

I attached a 'show crypto isakmp' for SITE1, SITE2 shows zeroes for all isakmp stats.

These devices are set to replace older PIX firewalls. I also tried the 'debug crypto isakmp' statement on the working PIX and no logs came up.

I don't remember this much trouble setting up the PIX firewalls and I would think ASAs would work just the same.

Is there a way to get some interesting isakmp info from the 'debug crypto isakmp' command? Thanks.
SITE1# sho crypto isakmp
 
There are no isakmp sas
 
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 2
In Octets: 4056
In Packets: 12
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 2
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 1888
Out Packets: 16
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 2
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0


0
 
LVL 1

Author Comment

by:salesandservice
ID: 22829473
At this time, I think this problem may still be due to lack of traffic on the inside interfaces.

Questions:

Will this connection come up if I plug a laptop into one of the ASAs and try to ping the remote inside network?

Will I need to write the config to start-up and reload?

---

I get the feeling that the configs are correct, but I'm going to have issues with the tunnels until I go live with real traffic. Again, at this time both ASAs are just connected to their WAN connections.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22830510
Yes. These tunnels are dynamic and only establish if and when there is traffic matching the criteria. No traffic, no tunnel.
You do not need to reload, but you should save the configs because they do look correct.

0
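To do by script what lrmoore did by eye (check that the two sides are mirror images that can agree on phase 1 and phase 2) and to show which flows count as the "traffic matching the criteria" in the accepted answer, here is an added Python example. It is not code from the thread or a Cisco tool; it assumes ASA 7.x syntax, handles only the subset of lines these configs use (static ipsec-l2l crypto map entries, not the dynamic map), and works on constructed excerpts that use 198.51.100.x documentation addresses in place of the masked XXX.XXX.XXX peers.

```python
"""Added example (not code from the thread or from Cisco): an offline consistency check for
a pair of ASA 7.x site-to-site configs, plus a lookup of which flows match the crypto ACL."""
import ipaddress

# Constructed excerpts modelled on the SITE1/SITE2 configs posted above; the 198.51.100.x
# outside addresses are documentation-range stand-ins for the masked XXX.XXX.XXX addresses.
SITE1 = """\
hostname SITE1
interface Vlan2
 nameif outside
 ip address 198.51.100.146 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.190
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 198.51.100.190 type ipsec-l2l
"""
# SITE2 is the mirror image: hostname, outside/peer addresses and ACL direction swapped.
SITE2 = (SITE1.replace("SITE1", "SITE2").replace("198.51.100.146", "TMP")
         .replace("198.51.100.190", "198.51.100.146").replace("TMP", "198.51.100.190")
         .replace("192.168.100.0 255.255.255.0 192.168.101.0",
                  "192.168.101.0 255.255.255.0 192.168.100.0"))

def _net(w, i):
    """ACL address term at w[i], either 'host A' or 'A MASK'; returns (network, next index)."""
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2

def parse_asa(text):
    """Pull out the parts of a running-config that an L2L tunnel depends on."""
    cfg = {"name": None, "outside": None, "acls": {}, "cmap": {}, "xforms": {},
           "policies": [], "tg": set()}
    block = None  # sub-commands of the current interface / isakmp policy land here
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if line[0] == " " and block is not None:
            block[w[0]] = " ".join(w[1:])
            if block.get("nameif") == "outside" and "ip" in block:
                cfg["outside"] = block["ip"].split()[1]  # "address A MASK" -> A
            continue
        block = None
        if w[0] == "hostname":
            cfg["name"] = w[1]
        elif w[0] == "interface" or w[:3] == ["crypto", "isakmp", "policy"]:
            block = {}
            if w[0] == "crypto":
                cfg["policies"].append(block)
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(w, 5)
            cfg["acls"].setdefault(w[1], []).append((src, _net(w, i)[0]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and w[4] != "mode":
            cfg["xforms"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit() and w[4] in ("match", "set"):
            cfg["cmap"].setdefault(int(w[3]), {})[w[5]] = w[6]  # address / peer / transform-set
        elif w[0] == "tunnel-group" and w[2:4] == ["type", "ipsec-l2l"]:
            cfg["tg"].add(w[1])
    return cfg

def check_pair(a, b):
    """Findings that would stop the a<->b tunnel negotiating; [] means the sides agree."""
    ea = next((e for e in a["cmap"].values() if e.get("peer") == b["outside"]), None)
    eb = next((e for e in b["cmap"].values() if e.get("peer") == a["outside"]), None)
    if ea is None or eb is None:
        return [f"{c['name']}: no crypto map entry with peer {p['outside']}"
                for c, p, e in ((a, b, ea), (b, a, eb)) if e is None]
    out = [f"{c['name']}: no ipsec-l2l tunnel-group for {p['outside']}"
           for c, p in ((a, b), (b, a)) if p["outside"] not in c["tg"]]
    # phase 1 needs at least one isakmp policy that is identical on both sides
    keys = ("authentication", "encryption", "hash", "group")
    pa, pb = ({tuple(p.get(k) for k in keys) for p in c["policies"]} for c in (a, b))
    if not pa & pb:
        out.append("phase 1: no isakmp policy common to both peers")
    # phase 2 needs matching transform-sets and mirror-image crypto ACLs
    if a["xforms"].get(ea.get("transform-set")) != b["xforms"].get(eb.get("transform-set")):
        out.append("phase 2: transform-sets differ")
    fa = set(a["acls"].get(ea.get("address"), []))
    fb = {(d, s) for s, d in b["acls"].get(eb.get("address"), [])}
    if fa != fb:
        out.append("phase 2: crypto ACLs are not mirror images: "
                   + ", ".join(f"{s}->{d}" for s, d in sorted(fa ^ fb)))
    return out

def interesting_traffic(cfg, src, dst):
    """Peer address whose crypto map entry a src->dst flow would trigger, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(cfg["cmap"]):
        ent = cfg["cmap"][seq]
        if any(src in s and dst in d for s, d in cfg["acls"].get(ent.get("address"), [])):
            return ent.get("peer")
    return None
```

Feed the two running-configs to parse_asa and call check_pair on the results: an empty list means the isakmp policy, transform-set, crypto ACL and tunnel-group all line up, which is the state the configs in this thread were in. interesting_traffic then answers the author's question directly: a flow from an inside host at SITE1 to the SITE2 inside network returns the SITE2 peer, meaning that flow (the laptop ping) is what starts the negotiation, while a flow to the Internet returns None and leaves the tunnel down.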
 
LVL 1

Author Comment

by:salesandservice
ID: 22832876
Problem solved, initial suspicions were correct - but it was nice to have an expert confirm it with a solid answer. Thanks lrmoore.

Final Fix: Once laptops were put into place on both sides, they were able to ping across the tunnel to each other; this brought up the tunnel and confirmed connectivity over it.

Confirmed working:

SITE1# sho crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: X.X.X.190
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
SITE1#


0
 
LVL 1

Author Closing Comment

by:salesandservice
ID: 31510661
Such a simple fix for a simple situation. Lesson learned. Thanks again.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 32644781
0
