Status: Solved

Establishing a VPN connection between two ASA 5505s

I can't seem to get this VPN connection up and running...can someone tell me what I'm missing?  I'm sure it's something quick.  ASA 1's network is 192.168.1.0/24 and ASA 2's network is 192.168.3.0/24.  Thanks!

ASA 1:
...
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
...
nat (inside) 0 access-list inside_nat0_outbound
...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <peer_ip>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
...
tunnel-group <peer_ip> type ipsec-l2l
tunnel-group <peer_ip> ipsec-attributes
 pre-shared-key *

ASA 2:
...
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
...
nat (inside) 0 access-list inside_nat0_outbound
...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <peer_ip>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
...
tunnel-group <peer_ip> type ipsec-l2l
tunnel-group <peer_ip> ipsec-attributes
 pre-shared-key *
Asked by: brianunc

1 Solution
JFrederick29 commented:
Make sure there isn't routing to the inside for the 192.168.3.0 on ASA1 or the 192.168.1.0 on ASA2.  If you only have a default route, routing is fine.

Try to ping 192.168.3.x from a 192.168.1.x host and post the output from the following commands on the ASA's.

show cry isa sa
show cry ipsec sa
brianunc (Author) commented:
The default route is the only one entered...

Pings to both networks time out

ASA 1:
Active SA: 1
Rekey SA: 0
Total IKE SA: 1

1 IKE Peer: peer_ip
Type: user  Role: initiator
Rekey: no  State: MM_WAIT_MSG2

There are no ipsec sas

ASA 2:
There are no isakmp sas
There are no ipsec sas
JFrederick29 commented:
Looks like there is no communication between ASA1 and ASA2 on the outside.  Is this in a lab or is the Internet between these ASAs?  Enable ICMP on the ASAs and make sure you can ping the other ASA outside interface IP address (the peer IP).

conf t
icmp permit any outside
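The `show cry isa sa` output posted above (ASA1 stuck in MM_WAIT_MSG2, ASA2 with no ISAKMP SA at all) is the whole diagnosis in two lines. As an added example, not code from the thread or from Cisco, the Python below parses that output, explains what each IKEv1 main-mode state implies, and correlates both ends the way the answer does. The state table is the editor's summary of the usual troubleshooting meanings; the sample output is constructed to mirror the thread, with a documentation address (203.0.113.10) in place of the peer_ip placeholder.

```python
"""Parse `show crypto isakmp sa` output from an ASA 7.x and say what the IKEv1
main-mode state implies for troubleshooting, then correlate both ends as the
thread does (ASA1 stuck in MM_WAIT_MSG2, ASA2 showing no ISAKMP SA at all).
Example added by the editor; sample output is constructed, not captured."""
import re

# What a stuck IKEv1 main-mode state usually means on an ASA. MM1..MM6 are the six
# main-mode messages; MM_WAIT_MSGn means this side is waiting for message n.
# (Editor's summary of common troubleshooting interpretation, not Cisco text.)
IKEV1_STATES = {
    "MM_WAIT_MSG2": "sent MM1, no reply: peer unreachable on UDP/500 (routing, upstream filtering), "
                    "ISAKMP not enabled on the peer's outside interface, or no matching ISAKMP policy there",
    "MM_WAIT_MSG3": "answered MM1 with MM2 but MM3 never arrived: the reply is not getting back to the initiator",
    "MM_WAIT_MSG4": "sent MM3, waiting for the peer's key exchange: look at the peer's IKE debug",
    "MM_WAIT_MSG5": "sent MM4, waiting for the initiator's identity/hash",
    "MM_WAIT_MSG6": "sent MM5, no MM6: the peer could not authenticate it, usually a pre-shared key mismatch",
    "MM_ACTIVE": "phase 1 is up; if `show crypto ipsec sa` is empty the problem is phase 2 "
                 "(crypto ACL mirror image, transform set, NAT exemption)",
}

# Constructed sample output in the ASA 7.x layout, mirroring the thread's post.
ASA1_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
ASA2_OUTPUT = "There are no isakmp sas\n"


def parse_isakmp_sa(text):
    """One dict per IKE SA entry; [] when the ASA reports no ISAKMP SAs."""
    pat = re.compile(r"IKE Peer:\s*(\S+).*?Role\s*:\s*(\w+).*?State\s*:\s*(\w+)", re.S)
    return [{"peer": p, "role": r, "state": s} for p, r, s in pat.findall(text)]


def explain(entries):
    """Human-readable diagnosis for each SA entry (or for the absence of any)."""
    if not entries:
        return ["no ISAKMP SA: this ASA has neither sent MM1 (no traffic matched its crypto "
                "ACL, or ISAKMP is not enabled) nor received one from the peer"]
    return [f"peer {e['peer']} as {e['role']} in {e['state']}: "
            f"{IKEV1_STATES.get(e['state'], 'state not in table')}" for e in entries]


def correlate(initiator_out, responder_out):
    """Combine both ends' output into a single conclusion, as the thread did."""
    ini, rsp = parse_isakmp_sa(initiator_out), parse_isakmp_sa(responder_out)
    stuck_msg2 = any(e["state"] == "MM_WAIT_MSG2" for e in ini)
    if stuck_msg2 and not rsp:
        return ("initiator is transmitting MM1 but the responder never created an SA: "
                "UDP/500 from the initiator is not reaching the responder's outside interface, "
                "so check the path between the two outside IPs (ping the peer, default routes, "
                "upstream ACLs) before touching the crypto config")
    if stuck_msg2 and any(e["state"] == "MM_WAIT_MSG3" for e in rsp):
        return ("responder sees MM1 and answers, but MM2 is not making it back: "
                "asymmetric path or filtering toward the initiator")
    if any(e["state"] == "MM_ACTIVE" for e in ini):
        return "phase 1 is complete on the initiator; troubleshoot phase 2 next"
    return "no single explanation; compare the per-entry diagnoses from explain()"


if __name__ == "__main__":
    for label, out in (("ASA1", ASA1_OUTPUT), ("ASA2", ASA2_OUTPUT)):
        for line in explain(parse_isakmp_sa(out)):
            print(f"{label}: {line}")
    print("conclusion:", correlate(ASA1_OUTPUT, ASA2_OUTPUT))
```

Run it as-is and the conclusion matches the answer in the thread: ASA1 is sending IKE message 1 and nothing is coming back, while ASA2 never even sees it, which points at reachability between the two outside addresses rather than at the crypto configuration.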
brianunc (Author) commented:
It's in production - internet connection between them.  Clients behind both firewalls can access the internet, and inbound services work fine per the respective ACLs.  Not getting any ping response though, which is odd (from anything outside).
JFrederick29 commented:
So, you enabled ICMP for the outside and you can't ping the other ASA outside?
brianunc (Author) commented:
Here are the full configs...

ASA 1:
: Saved
:
ASA Version 7.2(4)
!

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <host_ip> 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS

access-list outside-coming-in extended permit tcp any host <host_ip> eq smtp
access-list outside-coming-in extended permit tcp any host <host_ip> eq imap4
access-list outside-coming-in extended permit tcp any host <host_ip> eq pop3
access-list outside-coming-in extended permit tcp any host <host_ip> eq 3389
access-list outside-coming-in extended permit tcp any host <host_ip> eq https
access-list outside-coming-in extended permit tcp any host <host_ip> eq lotusnotes
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.20 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.20 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.9 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.20 https netmask 255.255.255.255
static (inside,outside) tcp interface lotusnotes 192.168.1.20 lotusnotes netmask 255.255.255.255
access-group outside-coming-in in interface outside
route outside 0.0.0.0 0.0.0.0 <route_ip> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <peer_ip>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

tunnel-group <peer_ip> type ipsec-l2l
tunnel-group <peer_ip> ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context


ASA 2:
: Saved
:
ASA Version 7.2(4)
!

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address <host_ip> 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 <route_ip> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <peer_ip>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
dhcpd address 192.168.3.12-192.168.3.250 inside
dhcpd enable inside
!

tunnel-group <peer_ip> type ipsec-l2l
tunnel-group <peer_ip> ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
JFrederick29 commented:
The configs look good assuming the peer IPs are correct (the other ASA outside interface IP address).

With that config, you should be able to ping ASA2's outside interface IP address from ASA1 and vice versa.  If that isn't working, something upstream is wrong.
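"The configs look good assuming the peer IPs are correct" is exactly the kind of check worth automating before staring at a tunnel. As an added example (not code from the thread), the Python below parses two ASA 7.x configs in the shape posted above and cross-checks the things that keep a site-to-site tunnel down: each side's `set peer` equals the other side's outside interface address, a matching `tunnel-group`, mirrored crypto ACLs, NAT exemption covering the crypto ACL, identical transform sets and ISAKMP policy, ISAKMP enabled and the crypto map bound on outside, and, since that was the actual fault here, a default route whose next hop really lies on the outside subnet. The two configs are constructed to mirror the thread's, with documentation addresses in place of the `<host_ip>`, `<peer_ip>` and `<route_ip>` placeholders; the `_cfg` builder, `parse_asa` and `check_pair` are the editor's names.

```python
"""Cross-check two ASA 7.x site-to-site IPsec configs for the mismatches that keep
an L2L tunnel down. Example added by the editor; the configs are constructed to
mirror the thread's, with documentation addresses replacing the placeholders."""
import ipaddress
import re


def _cfg(outside_ip, local, remote, peer, next_hop):
    # Builder for the constructed sample configs (same shape as the thread's).
    return f"""\
interface Vlan2
 nameif outside
 security-level 0
 ip address {outside_ip} 255.255.255.248
access-list outside_1_cryptomap extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
access-list inside_nat0_outbound extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 {next_hop} 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer {peer}
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group {peer} type ipsec-l2l
"""


ASA1 = _cfg("203.0.113.10", "192.168.1.0", "192.168.3.0", "198.51.100.20", "203.0.113.9")
ASA2 = _cfg("198.51.100.20", "192.168.3.0", "192.168.1.0", "203.0.113.10", "198.51.100.17")
# Same as ASA2 but with the default route pointing off the outside subnet.
ASA2_BAD_ROUTE = _cfg("198.51.100.20", "192.168.3.0", "192.168.1.0", "203.0.113.10", "198.51.100.1")


def parse_asa(cfg):
    """Pull the fields the checks need out of a running-config text (one ISAKMP policy assumed)."""
    def one(pat):
        r = re.search(pat, cfg)
        return r.group(1) if r else None
    out = re.search(r"nameif outside(?:\n [^\n]*)*?\n ip address (\S+) (\S+)", cfg)
    acls = {}
    for name, *entry in re.findall(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg):
        acls.setdefault(name, set()).add(tuple(entry))  # (src, smask, dst, dmask)
    return {
        "outside_ip": out.group(1), "outside_mask": out.group(2), "acls": acls,
        "crypto_acl": one(r"crypto map \S+ \d+ match address (\S+)"),
        "peer": one(r"crypto map \S+ \d+ set peer (\S+)"),
        "ts_name": one(r"set transform-set (\S+)"),
        "transform_sets": dict(re.findall(r"crypto ipsec transform-set (\S+) (.+)", cfg)),
        "nat0_acl": one(r"nat \(inside\) 0 access-list (\S+)"),
        "policy": dict(re.findall(r"\n (authentication|encryption|hash|group|lifetime) (\S+)", cfg)),
        "isakmp_outside": "crypto isakmp enable outside" in cfg,
        "map_bound": bool(re.search(r"crypto map \S+ interface outside", cfg)),
        "tunnel_groups": set(re.findall(r"tunnel-group (\S+) type ipsec-l2l", cfg)),
        "default_nh": one(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)"),
    }


def check_pair(cfg_a, cfg_b, names=("ASA1", "ASA2")):
    """Return a list of findings; an empty list means the two sides are consistent."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    findings = []
    for me, other, side in ((a, b, names[0]), (b, a, names[1])):
        if me["peer"] != other["outside_ip"]:
            findings.append(f"{side}: set peer {me['peer']} is not the peer's outside IP {other['outside_ip']}")
        if me["peer"] not in me["tunnel_groups"]:
            findings.append(f"{side}: no ipsec-l2l tunnel-group named {me['peer']}")
        mine = me["acls"].get(me["crypto_acl"], set())
        theirs = other["acls"].get(other["crypto_acl"], set())
        if mine != {(d, dm, s, sm) for s, sm, d, dm in theirs}:  # must be the mirror image
            findings.append(f"{side}: crypto ACL is not the mirror image of the peer's")
        if not mine <= me["acls"].get(me["nat0_acl"], set()):
            findings.append(f"{side}: NAT exemption (nat 0) does not cover every crypto ACL entry")
        if not (me["isakmp_outside"] and me["map_bound"]):
            findings.append(f"{side}: ISAKMP not enabled on outside or crypto map not applied there")
        net = ipaddress.ip_network(f"{me['outside_ip']}/{me['outside_mask']}", strict=False)
        if me["default_nh"] is None or ipaddress.ip_address(me["default_nh"]) not in net:
            findings.append(f"{side}: default route next hop {me['default_nh']} is not on the outside subnet {net}")
    if a["transform_sets"].get(a["ts_name"]) != b["transform_sets"].get(b["ts_name"]):
        findings.append("transform sets differ between the two sides")
    if a["policy"] != b["policy"]:
        findings.append(f"ISAKMP policy differs: {a['policy']} vs {b['policy']}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("consistent pair", ASA2), ("ASA2 with off-subnet default route", ASA2_BAD_ROUTE)):
        print(label, "->", check_pair(ASA1, cfg) or ["no findings"])
```

On the consistent pair the checker reports nothing, which is the answer's conclusion: the crypto configuration is fine and the fault is in the path. Feeding it the copy whose default route points outside the interface's /29 produces one finding on ASA2, the class of error the poster eventually fixed.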
brianunc (Author) commented:
Thanks, it was an error with the default route.  I appreciate the help!