Solved

Cisco ASA 5505 VPN configuration for Site-to-Site

Posted on 2008-10-28
Last Modified: 2011-10-19
Please review site1 and site2 configs.  The site-to-site VPN tunnel will not come up.


Both site ASAs return:

# sho crypto isakmp sa

There are no isakmp sas


Thanks

site2config.txt
site1config.txt
Question by:salesandservice
13 Comments
 
LVL 1

Author Comment

by:salesandservice
I've also gone through the ASDM configuration already, following http://www.petenetlive.com/Tech/Firewalls/Cisco/s2svpn.htm

What requirements are needed for the tunnel to come up?  I currently do not have any switching equipment plugged into either side, does this make a difference?

Thank you for your help.
LVL 1

Author Comment

by:salesandservice
Here are the configs after completing the ASDM VPN wizard again.

There are plans for a third site in this as well as remote client VPN access to SITE1, but for now I'm just trying to get SITE1 and SITE2 to connect.
SITE1# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname SITE1
domain-name test
enable password 2KFasdfdI.2KYOU encrypted
passwd 2KFasdfIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.221 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.146 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.100.50 172.168.100.0 255.255.255.248
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 172.168.100.1-172.168.100.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.190
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer YYY.YYY.YYY.85
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.100.222-192.168.100.254 inside
!
username mickey password Ges0mGy3asdfW9t5P encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnclient
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.190 type ipsec-l2l
tunnel-group XXX.XXX.XXX.190 ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.85 type ipsec-l2l
tunnel-group YYY.YYY.YYY.85 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:91ba443ec42eb0fa0f44dddf8386348c
: end
SITE1#

====

SITE2# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname SITE2
domain-name test2
enable password 8Rya2YajIyasdfat7RRXU24 encrypted
passwd 2KFQnbasdfNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.221 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.190 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name test2
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.146
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer YYY.YYY.YYY.85
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.101.222-192.168.101.254 inside
!
username hola password Gaes0maGyasdf3OQzaW9t5P encrypted privilege 15
tunnel-group XXX.XXX.XXX.146 type ipsec-l2l
tunnel-group XXX.XXX.XXX.146 ipsec-attributes
 pre-shared-key *
tunnel-group YYY.YYY.YYY.85 type ipsec-l2l
tunnel-group YYY.YYY.YYY.85 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3a1c2927b9241009eff6033c58ad84
: end
SITE2#

LVL 79

Expert Comment

by:lrmoore
Try adding this to both sides:

  isakmp identity address
LVL 1

Author Comment

by:salesandservice
Thanks for the comment, still no go. Any other ideas? Thanks again.


SITE2(config)# isakmp identity address
SITE2(config)# exit
SITE2# show crypto isakmp sa

There are no isakmp sas
SITE2#

======================================
SITE1(config)# isakmp identity address
SITE1(config)# exit
SITE1# sho crypto isakmp sa

There are no isakmp sas
SITE1#
LVL 79

Expert Comment

by:lrmoore
Post result of sho crypto ipsec sa
Look for error packets
LVL 1

Author Comment

by:salesandservice
Wouldn't phase 1 need to come up first? Either way, here's the output of show crypto ipsec sa:


===

SITE1# sho crypto ipsec sa

There are no ipsec sas
SITE1#

========
SITE2# sho crypto ipsec sa

There are no ipsec sas
SITE2#
LVL 79

Expert Comment

by:lrmoore
Are these setup in a lab environment?
I can't see anything in the configs that jump out at me.
Probably need to debug crypto isakmp to see why phase1 is not completing.
LVL 1

Author Comment

by:salesandservice
I'm not seeing anything in the 'debug crypto isakmp' output on either ASA, which I would think is from the lack of user traffic at the moment. If I debug anything else, like ARP, entries start flooding the session as soon as I 'clear arp'.

I attached a 'show crypto isakmp' for SITE1; SITE2 shows zeroes for all isakmp stats.

These devices are set to replace older PIXes. I also tried the 'debug crypto isakmp' statement on the working PIX and no logs came up.

I don't remember this much trouble setting up the PIX firewalls and I would think ASAs would work just the same.

Is there a way to get some interesting isakmp info from the 'debug crypto isakmp' command? Thanks.
SITE1# sho crypto isakmp

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 2
In Octets: 4056
In Packets: 12
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 2
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 1888
Out Packets: 16
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 2
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
LVL 1

Author Comment

by:salesandservice
At this time, I think this problem may still be due to lack of traffic on the inside interfaces.

Questions:

Will this connection come up if I plug a laptop into one of the ASAs and try to ping the remote inside network?

Will I need to write the config to startup and reload?

---

I get the feeling that the configs are correct, but I'm going to have issues with the tunnels until I go live with real traffic. Again, at this time both ASAs are just connected to their WAN connections.
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
Yes. These tunnels are dynamic and only establish if and when there is traffic matching the criteria. No traffic, no tunnel.
You do not need to reload, but you should save the configs because they do look correct.

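As an added illustration of lrmoore's two points (the two configs must mirror each other, and IKE phase 1 only starts when a packet matches the crypto ACL), the following Python checker is not from the thread or from Cisco. It parses a constructed excerpt shaped like the two "sho run" outputs above, with the public peer addresses left redacted as posted, reports the mismatches that would keep an L2L tunnel down, and tells whether a given packet counts as interesting traffic. The subset of ASA syntax it understands (nameif/ip address, crypto ACL in subnet/mask form, crypto map match/peer, tunnel-group ipsec-l2l) is an assumption of the example, not the full ASA grammar.

```python
import ipaddress

# Constructed config excerpt in the shape of the thread's two "sho run" outputs; only the lines
# that decide whether an L2L tunnel can form are kept, and the public IPs stay redacted as posted.
def site_cfg(outside, peer, local, remote):
    return f"""interface Vlan2
 nameif outside
 ip address {outside} 255.255.255.0
access-list outside_1_cryptomap extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer {peer}
tunnel-group {peer} type ipsec-l2l
"""

SITE1 = site_cfg("XXX.XXX.XXX.146", "XXX.XXX.XXX.190", "192.168.100.0", "192.168.101.0")
SITE2 = site_cfg("XXX.XXX.XXX.190", "XXX.XXX.XXX.146", "192.168.101.0", "192.168.100.0")

def parse(cfg):
    """Outside IP, crypto ACLs (subnet/mask form only), crypto map entries and L2L tunnel-groups."""
    site, on_outside = {"outside": None, "acls": {}, "maps": {}, "l2l": set()}, False
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["nameif", "outside"]:
            on_outside = True
        elif t[:2] == ["ip", "address"] and on_outside:
            site["outside"], on_outside = t[2], False
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and "host" not in t[5:]:
            site["acls"].setdefault(t[1], []).append(
                (ipaddress.ip_network(f"{t[5]}/{t[6]}"), ipaddress.ip_network(f"{t[7]}/{t[8]}")))
        elif t[:2] == ["crypto", "map"]:
            key = {"match address": "acl", "set peer": "peer"}.get(" ".join(t[4:6]))
            if key:  # skips 'set pfs', 'set transform-set' and 'interface outside' lines
                site["maps"].setdefault((t[2], t[3]), {})[key] = t[6]
        elif t[:1] == ["tunnel-group"] and t[2:4] == ["type", "ipsec-l2l"]:
            site["l2l"].add(t[1])
    return site

def check_pair(a, b):
    """Mismatches that stop a tunnel between sides a and b, seen from a's point of view."""
    mine = [e for e in a["maps"].values() if e.get("peer") == b["outside"]]
    theirs = [e for e in b["maps"].values() if e.get("peer") == a["outside"]]
    local = {(s, d) for e in mine for s, d in a["acls"].get(e.get("acl"), [])}
    remote = {(d, s) for e in theirs for s, d in b["acls"].get(e.get("acl"), [])}  # mirrored view
    return [msg for bad, msg in (
        (not mine or not theirs, "a crypto map entry pointing at the other side's outside address is missing"),
        (b["outside"] not in a["l2l"], f"no 'tunnel-group {b['outside']} type ipsec-l2l' on {a['outside']}"),
        (local != remote, "crypto ACLs are not mirror images (phase 2 proxy identities would not match)")) if bad]

def interesting(site, src, dst):  # would a src->dst packet start IKE? no matching traffic, no tunnel
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for e in site["maps"].values() for s, d in site["acls"].get(e.get("acl"), []))
```

Run on the thread's own configs this reports nothing, which matches lrmoore's reading; the tunnel was only waiting for a packet that `interesting` would accept.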
LVL 1

Author Comment

by:salesandservice
Problem solved, initial suspicions were correct - but it was nice to have an expert confirm it with a solid answer. Thanks lrmoore.

Final Fix: Once laptops were put into place on both sides, they were able to ping across the tunnel to each other; this brought up the tunnel and confirmed connectivity over it.

Confirmed working:

SITE1# sho crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: X.X.X.190
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
SITE1#


LVL 1

Author Closing Comment

by:salesandservice
Such a simple fix for a simple situation.  Lesson learned.  Thanks again.