  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4447

Having a problem with ASA 5505 L2L VPN setup

Hi Experts,

I have a problem getting my L2L VPN working and am not sure which parts of the configuration I did wrong. Please review the config file attached. I also put some syslog output in the Code area. Thank you for your help!!


LJ

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxx encrypted
passwd yyyyyyyy encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 x.x.x.x 255.255.255.248
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 x.x.x.x 255.255.255.248
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 host x.x.x.x
access-list nonat extended permit ip host x.x.x.x any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0 dns
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set xxxxxxxxxxxxxxxxx
crypto dynamic-map outside_map 1 set pfs group1
crypto dynamic-map outside_map 1 set transform-set xxxxxxxxxx
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set xxxxxxxxxxx
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy xx
 authentication xxx
 encryption xxx
 hash xxx
 group x
 lifetime xxxxxx
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username magedmina@att.net password ********* store-local
dhcp-client update dns server both
dhcpd dns x.x.x.x y.y.y.y
dhcpd auto_config outside
!
dhcpd address x.x.x.x-y.y.y.y inside
dhcpd dns x.x.x.x y.y.y.y interface inside
dhcpd enable inside
!

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e84f4ccb9f35bd4d631c07f04bdd7e29
: end

Code removed for privacy reasons.

modguy
2010-05-27


0
Asked by JJLuo
1 Solution
 
JFrederick29Commented:
Can we see the other side of the tunnel config?
0
 
JJLuoAuthor Commented:
No, I don't have the other side's config file. But here is the requirement from the other side. That's all I got.

Thanks, LJ

Please provide these VPN Parameters to clinic IT to configure tunnel:

Gateway to Gateway
----------------------------------------------------

Our endpoint is: x.x.x.x Our network is: x.x.x.x (255.255.255.0)

clinic will need to make ACL from x.x.x.x/x to network x.x.x.x/x
clinic will need to NAT interesting traffic to x.x.x.x 255.255.255.0

Phase 1
Authentication: xxxx
Encryption: xxx
Hash: xxx
DH: x
Lifetime: xxx sec
Pre-shared Key: xxxxxxxxxxxx

Phase2
ESP encryption xxx
ESP authentication
Lifetime xxxx

0
 
JFrederick29Commented:
This to me conflicts.

clinic will need to make ACL from x.x.x.x/x to network x.x.x.x/x
clinic will need to NAT interesting traffic to x.x.x.x 255.255.255.0

Do they want you to NAT to x.x.x.x or y.y.y.y? The ACL should be from the NAT traffic to x.x.x.x. You'll need to get them to clarify this.
0
 
JJLuoAuthor Commented:
I assume yes. But I am very confused by the requirements. I was lucky to get someone who has this kind of requirement for the same kind of application...

Configuration Information:

End point x.x.x.x
Internal network x.x.x.x 255.255.255.0
Pre-shared key: xxxxxxxxxxxxx
xxxx
xxxx
Group x
Lifetime xxxx
The internal network: 192.168.x.x 255.255.255.0

You will need to make an ACL from 192.168.x.x to host 192.168.x.x and 192.168.x.x

Step 1) Configure your side of connection with the above information
Step 2) Attempt to access http://192.168.x.x/index.html from the database server
Step 3) Attempt to access http://192.168.x.x/index.html from a workstation

Additional info...
I have set up the tunnel with a SonicWall TZ150 but cannot ping from an inside host; the app requires pinging the host 192.168.50.83 from the SonicWall inside network.

On my side the endpoint is x.x.x.x/255.255.255.248 and the gateway is x.x.x.x/255.255.255.248.

I am very new to the Cisco ASA 5505 and don't know what the syslog says. Did you get anything from the syslog output file?

Thanks, LJ
0
 
DonbooCommented:
You should also remove "crypto map outside_map 1 set pfs " as it isn't a requirement for the tunnel as far as I can see. However the requirements are somewhat confusing you should try and get it clarified.
0
 
JJLuoAuthor Commented:
If the requirements are like the following, can anyone help me verify the configuration? Thanks, LJ

Our endpoint is: x.x.x.x
Our network is: 192.168.x.x (255.255.255.0)
Phase x
Authentication: xxxx
Encryption: xxx
Hash: xxx
DH: x
Lifetime: xxxx sec
Pre-shared Key: xxxxxxxxxxxx

Phase2
ESP encryption xxx
ESP authentication
Lifetime xxxx

0
 
DonbooCommented:
Phase 2 is the confusing part as you have 2 options there: xxxxxxxx or xxxxxxxx.

My guess is they want you to use xxxxxxx as you do now, which makes me believe that if you remove "no crypto map outside_map 1 set pfs" it would work.
0
 
JJLuoAuthor Commented:
Hi Donboo,

I removed 'no crypto map outside_map 1 pfs' but still no luck. The VPN still doesn't come up... Here is the syslog output when I am trying to ping one of the remote hosts. Can you find anything wrong regarding the configuration? Thanks, LJ

IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer x.x.x.x local Proxy Address 10.0.0.0, remote Proxy Address 192.168.x.x, Crypto map (outside_map)
Built outbound UDP connection 115 for outside:x.x.x.x/x (x.x.x.x/x) to NP Identity Ifc:x.x.x.x/x (x.x.x.x/x)
Group = x.x.x.x, IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Teardown UDP connection 0 for outside:x.x.x.x/x to NP Identity Ifc:x.x.x.x/x duration 0:02:01 bytes 1204
Group = x.x.x.x, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
Group = x.x.x.x, IP = x.x.x.x, P1 Retransmit msg dispatched to xxxx
Group = x.x.x.x, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
Group = x.x.x.x, IP = x.x.x.x, P1 Retransmit msg dispatched to xxxx
Group = x.x.x.x, IP = x.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
Group = x.x.x.x, IP = x.x.x.x, P1 Retransmit msg dispatched to xxxx
Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!
Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Teardown UDP connection 1 for inside:0.0.0.0/68 to NP Identity Ifc:255.255.255.255/x duration 0:02:01 bytes 623
Teardown UDP connection 2 for inside:255.255.255.255/x to NP Identity Ifc:10.0.0.1/x duration 0:02:01 bytes 627
IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer x.x.x.x local Proxy Address 10.0.0.0, remote Proxy Address 192.168.x.x, Crypto map (outside_map)
0
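Added example, not part of the thread and not Cisco's or any poster's code: a small triage script for the two things the ASA gives you when Phase 1 will not come up, the IKE syslog lines quoted just above and the `show crypto isakmp sa` table that later posts in this thread paste (MM_NO_STATE on the PIX 501, the redacted state on the 5505). The sample log and SA output are constructed to match the shape of what was posted; 203.0.113.10 stands in for the redacted peer, "MM FSM" fills the redacted retransmit target, and the state-to-cause table is this editor's summary of common IKEv1 main mode causes, not something the thread or Cisco states verbatim.

```python
"""Triage IKEv1 Phase 1 from ASA IKE syslog lines and 'show crypto isakmp sa'."""
import re

# Constructed sample, shaped like the ASA 7.2 syslog excerpt posted in the
# thread; 203.0.113.10 stands in for the redacted peer address.
SAMPLE_LOG = """\
IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 10.0.0.0, remote Proxy Address 192.168.50.0, Crypto map (outside_map)
Group = 203.0.113.10, IP = 203.0.113.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Group = 203.0.113.10, IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Group = 203.0.113.10, IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Group = 203.0.113.10, IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Group = 203.0.113.10, IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Group = 203.0.113.10, IP = 203.0.113.10, Duplicate Phase 1 packet detected. Retransmitting last packet.
Group = 203.0.113.10, IP = 203.0.113.10, P1 Retransmit msg dispatched to MM FSM
Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from peer table failed, no match!
Group = 203.0.113.10, IP = 203.0.113.10, Error: Unable to remove PeerTblEntry
"""

# Constructed sample in the shape of "show crypto isakmp sa" on ASA 7.x.
SAMPLE_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

PEER_RE = re.compile(r"IKE Peer (\d+(?:\.\d+){3})")
SA_RE = re.compile(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", re.S)

# Main-mode states and the cause to check first. Editor's summary of common
# IKEv1 troubleshooting experience (an assumption, not a Cisco table);
# confirm with "debug crypto isakmp" before acting on it.
STATE_HINTS = {
    "MM_WAIT_MSG2": "we sent MSG1 and got nothing back: wrong peer address, "
                    "UDP/500 filtered, or the peer is not configured for our public IP",
    "MM_WAIT_MSG4": "peer answered MSG1 but not our MSG3: check the Phase 1 policy "
                    "(DH group) and anything filtering between the peers",
    "MM_WAIT_MSG6": "peer would not confirm our identity: pre-shared key or "
                    "isakmp identity mismatch is the usual cause",
    "MM_ACTIVE":    "Phase 1 is up; if traffic still fails look at Phase 2 "
                    "(show crypto ipsec sa) and the crypto ACL / NAT",
    "MM_NO_STATE":  "SA object exists but never progressed (PIX 6.x wording): "
                    "same checks as MM_WAIT_MSG2",
}


def triage_log(text):
    """Pull the Phase 1 story out of ASA IKE syslog lines."""
    lines = text.splitlines()
    peers = sorted({m.group(1) for m in map(PEER_RE.search, lines) if m})
    initiator = any("IKE Initiator: New Phase 1" in l for l in lines)
    retransmits = sum("P1 Retransmit msg dispatched" in l for l in lines)
    gave_up = any("Unable to remove PeerTblEntry" in l for l in lines)
    rejected = any("proposals found unacceptable" in l for l in lines)

    if rejected:
        verdict = "policy mismatch: the peer rejected our ISAKMP/IPsec proposal"
    elif initiator and retransmits and gave_up:
        verdict = ("no response from peer: MSG1 was retransmitted %d times and the "
                   "SA was torn down; check the peer address, UDP/500 (or the "
                   "ipsec-over-tcp port) end to end, and that the peer has our "
                   "public IP on file" % retransmits)
    elif initiator and retransmits:
        verdict = "peer silent so far (%d retransmits, not yet torn down)" % retransmits
    else:
        verdict = "no Phase 1 failure signature in these lines"
    return {"peers": peers, "initiator": initiator, "retransmits": retransmits,
            "gave_up": gave_up, "verdict": verdict}


def triage_sa(text):
    """Return (peer, state, hint) for each entry of 'show crypto isakmp sa'."""
    return [(peer, state, STATE_HINTS.get(state, "unrecognised state; check the docs"))
            for peer, state in SA_RE.findall(text)]


if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG)["verdict"])
    for peer, state, hint in triage_sa(SAMPLE_SA):
        print("%s %s: %s" % (peer, state, hint))
```

Run against the excerpt above it reports the "no response from peer" case: the 5505 initiates from the inside interface, retransmits MSG1, then tears the SA down without ever logging a packet from the peer. That signature says nothing about policy or pre-shared key, because the peer never answered; the things to check are the ones the thread itself later turns up (a peer that had the wrong public IP on file) plus reachability of UDP/500, or of TCP/10000 given the `ipsec-over-tcp` line in the posted config.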
 
bhrenyoCommented:
Below shows the basic configuration of a Cisco ASA 5505 VPN router that has a VPN connection established with the e-MDs Datacenter. This example uses 192.168.1.0/x as the client's LAN, x.x.x.x/x as the NAT'd VPN traffic. It also uses the IP Address of 192.168.1.x as the IIS Server that hosts the Surescripts and Patient Portal software.

I took 99% of this config from another post by batry_boy that was missing one piece in the ACL. I have this config up and running. I've done this configuration with a different router (Fortigate), but this was my first Cisco. I'm still a little confused about the results of the 'show nat' command. Maybe someone can help me decipher this to make sure that there are no side effects.

-- Begin Configuration Segment

object-group network remote-vpn-hosts
network-object host 192.168.x.x
network-object host 192.168.x.x
network-object host 192.168.x.x
access-list cryptomap_acl permit ip host x.x.x.x object-group remote-vpn-hosts
access-list cryptomap_acl permit ip host 192.168.1.x object-group remote-vpn-hosts
global (outside) 10 x.x.x.x
nat (inside) 10 access-list cryptomap_acl
crypto ipsec transform-set xxxxxx yyyyyyy
crypto map outside_map 20 match address cryptomap_acl
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set xxxxxx
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy x
authentication xxx
encryption xxx
hash xxx
group 1
lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key [enter assigned preshare key from e-mds without brackets]




0
 
bhrenyoCommented:
Here are the results of my 'show nat' command. I've trimmed out some of the extra non-relevant entries.
The entries that have a dynamic translation pool set are the correct ones ... I think. Are the others a result of my configuration? Or are they expected when listing the different interface pairs, i.e. inside/inside, inside/dmz, etc ...?

ciscoasa# show nat

NAT policies on Interface inside:
match ip inside host 192.168.x.x inside host 192.168.x.x
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
...
0
 
JJLuoAuthor Commented:
Hi bhrenyo,
I noticed that you built the VPN directly to the xxx hosts, instead of to the xxx subnetwork, right? Please verify this and confirm... since the requirement parameters I got are not directly to the hosts. Thanks, LJ
0
 
bhrenyoCommented:
LJ,

The hosts are .x and .y for sureScripts. .z is used for the PatientPortal.

The Phase 1 is setup as a Site-to-Site (tunnel-group x.x.x.x type xxxx
) and the ACLs are specific to the host.

I'm very familiar with the e-MDs setup, so once the VPN is created for access to these hosts ... you are ready to roll.

When talking with the xxx side, make sure you tell them:
1. You are setup for site-to-site with ACL's controlling host access
2. Dead Peer detection is turned off
3. PFS is turned off.

Let me know how things go.

Chuck.
0
 
JJLuoAuthor Commented:
Hi Chuck,
Thank you! You let me see the light ahead... but here are some additional questions. Do I need to set up the specific hosts on my end? Such as the IIS and e-MDs database server for the SureScripts? Second, what is 'Dead Peer Detection turned off'? Is the setting on the Cisco ASA 5505 side? And last, is PFS turned off for phase 1 or 2? Thanks, LJ
0
 
JJLuoAuthor Commented:
bhrenyo,
I just studied your post from before, and I have additional questions...

x.x.x.x/x as the NAT'd VPN traffic. WHAT IS THIS NETWORK?

Thanks, LJ
0
 
bhrenyoCommented:
LJ,

e-MDs asked us to NAT interesting traffic as x.x.xx/x.

So in the example I listed, our internal IIS server was 192.168.x.x and e-MDs wanted us to NAT this address to x.x.x.x.

Does that make sense?

Chuck.
0
 
JJLuoAuthor Commented:
Chuck,

I was given as this from e-MDs...

clinic will need to make ACL from x.x.x.x/x to network 192.168.x.x/x -- HOW DO YOU INTERPRET THIS??

clinic will need to NAT interesting traffic to x.x.x.x 255.255.255.0 -- BUT I DON'T HAVE A SPECIFIC IP...

Thanks, LJ
0
 
bhrenyoCommented:
LJ,

Didn't see your earlier post ...

1.  Hosts on e-MDs.  No, you do not need to configure this anywhere.  The Surescripts stuff installs as a WebService on your IIS server and the configuration of IP Address is done automatically.  You will go through a registration process that will build the link between the e-MDs side and your side ... from the application perspective.  This is pretty easy to do.

2.  Dead Peer Detection and PFS are disabled by default.  If you do a 'show running' and do not see these active, then you can assume that they are not turned on.

Chuck.
0
 
bhrenyoCommented:
LJ,

You are getting real close. What is the IP Address of the machine that has IIS installed on it. Lets say that your internal network is x.x.x.x/x and your IIS server is x.x.x.x. e-MDs asked you to NAT x.x.x.x/x. So, basically you want to NAT x.x.x.x to x.x.x.x.

Here is how your config should look using the scenario above. Just substitute the final number of the IP for the .xxx in the code below.

object-group network remote-vpn-hosts
network-object host 192.168.x.x
network-object host 192.168.x.x
network-object host 192.168.x.x
access-list cryptomap_acl permit ip host x.x.x.x object-group remote-vpn-hosts
access-list cryptomap_acl permit ip host x.x.x.x object-group remote-vpn-hosts
global (outside) 10 x.x.x.x
nat (inside) 10 access-list cryptomap_acl
crypto ipsec transform-set xxxxx xxxxxxx
crypto map outside_map 20 match address cryptomap_acl
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set xxxxxxx
crypto map outside_map 20 set security-association lifetime seconds xxxx
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication xxxx
encryption xxx
hash xxx
group x
lifetime xxxx
tunnel-group x.x.x.x type xxxx
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key [enter assigned preshare key from e-mds without brackets]


0
 
JJLuoAuthor Commented:
Hi Chuch,

I am getting a little confused here by what you said...

So in the example I listed, our internal IIS server was 192.168.x.x and e-MDs wanted us to NAT this address to x.x.x.x. SO YOU DO NEED TO DEFINE A HOST ON YOUR SIDE, RIGHT?

1. Hosts on e-MDs. No, you do not need to configure this anywhere. The Surescripts stuff installs as a WebService on your IIS server and the configuration of IP Address is done automatically. You will go through a registration process that will build the link between the e-MDs side and your side ... from the application perspective. This is pretty easy to do. -- ON HERE, I AM READING THAT I DO NEED TO HAVE A SPECIFIC IP FOR MY IIS SERVER TO NAT TRAFFIC TO x.x.x.x/x (IN MY CASE), RIGHT?

0
 
bhrenyoCommented:
LJ,

I think I get what you are saying. You need to define the IP address of the IIS server running on your clients network. This is the ONLY machine that will communicate across the VPN tunnel. You should have specified this IP address when you filled out the SureScripts registration sheet.

You are correct on your NAT comments. You need to NAT the traffic going to the e-MDs hosts as x.x.x.x.???.

Chuck.
0
 
JJLuoAuthor Commented:
Hi Chuck,
one more question for your last second post...

Since the network IPs you used really confuse me, can you please confirm this? If I use my internal network as 10.0.0.0/x and your IIS server is 10.0.0.x, and e-MDs asked you to NAT x.x.x.x/x, then basically you want to NAT 10.0.0.x to x.x.x.x? Thanks, LJ
0
 
bhrenyoCommented:
LJ,

Yes, you are correct.  I apologize for making the posts confusing.  I thought I was using IP addresses that you specified.

Your example is cleaner and simpler to understand.

Chuck.
0
 
JJLuoAuthor Commented:
Thank you, Chuck!! I will give it a try tonight... and let you know how that goes. One more last question about the verification of VPN tunnel completion... Open an Internet browser to access http://192.168.x.x/index.html
Can you please confirm this? By the way, do you know what the index.html page looks like? If you can help by putting up a screen print of the page, that will be great! Again, thank you! I'll keep you posted on my progress... LJ
0
 
bhrenyoCommented:
LJ,

A couple of things to look at:
1. On your cisco, type "show isakmp sa". You should see your Phase 1 up and running.
2. On your cisco, type "show ipsec sa". You should see your Phase 2 up and running.

If both of those show as active ...

3. From your IIS Server, try pinging 192.168.x.x, 192.168.x.x and 192.168.x.x.

If all of these pass, you are done with the transport side.

Using your method ...


Thank you for installing the e-MDs Surescripts.

If this page is displaying then you have a secure tunnel with e-MDs.



©2007 e-
0
 
JJLuoAuthor Commented:
Hi Chuck,
Why did I lose my Internet connection when the VPN tunnel came up? Or I should say, I cannot go to yahoo.com any more? Thanks, LJ
0
 
Unix58Commented:
LJ

I am very interested in finding out if Chuck's solution was able to get you going. We too are working on the same setup with e-MDs Surescripts. We are using a Cisco 501. Please let me know if you were able to get things working.

Thanks

Chris
0
 
JJLuoAuthor Commented:
Hi Chuck,
Any hints about why I am losing my Internet connection when the VPN tunnel is up? Thanks, LJ
0
 
Unix58Commented:
Thanks Chuck

I had asked a support contact at e-MDs for a sample config and we had actually looked at the sample config posted in another question related to Surescripts (probably the same post from batry_boy). We will be trying that config here shortly. Fortunately, they have no other VPN connections to worry about. We'll substitute the information they gave us in the config you provided and see how it goes. If it works, I'll be sure to let you know. We've got another site who will be going through this same setup.

Chris
0
 
bhrenyoCommented:
Chris,

Yes ... that line allows the traffic from the local LAN to access the VPN hosts. I still have some questions about the results of the 'show nat' command. I have some extra pairings that I really don't want, but it does not affect anything. I'm going to play with the config a bit more as this is my first VPN setup using the Cisco products. I'm familiar with IOS, just not the crypto setup.

LJ, can you post your entire config and maybe we can troubleshoot it together?  Just to confirm, the VPN tunnel comes up ... but you can no longer access other non e-MDs related sites?  Can you ping the e-MDs hosts?

Thanks.
Chuck.
0
 
Unix58Commented:
Chuck

We've made a little progress here. The syntax is a bit different on the 501. At this point we can reach their endpoint, but when I am running the show crypto isakmp sa command, I'm seeing a state of MM_NO_STATE. Thus, something is most likely wrong with the phase one config somewhere. Maybe you can see something I don't.

Chris

Code deleted for privacy reasons.

modguy
2010-05-27


0
 
Unix58Commented:
FYI

We had a faulty 501 PIX and ended up upgrading to an ASA router. Using the base config Chuck provided we were able to get a connection to the Surescripts endpoint.
0
 
bhrenyoCommented:
Chris,

I've had an issue pop up when trying to complete the SS install. My ASA config is identical to the one posted, except for the pertinent IP address changes. I am able to ping their hosts ... but their hosts cannot ping mine. Were there any tweaks to the ACL that you did?

Also, is your installation 100% complete?  I may have jumped the gun in declaring victory on my side ...

Thanks.
Chuck.
0
 
Unix58Commented:
Chuck

Interesting you mention that because we too are going through the same issues. I am in the middle of another project, but I'll have to revisit this issue tomorrow or Wednesday. We can ping them, but they don't see us. I'm trying to remember what their network engineer stated to me (don't have my notes in front of me right now). I know that the issue had to do with them being able to access the entire subnet they gave you (they must have it set up on their side that way), like x.x.x.x/x instead of x.x.x.x. I'll post when I get it worked out. If you do so before me, let me know.

Chris
0
 
bouncyfiresCommented:
Chris and Chuck,

I've used the base config provided by Chuck on an ASA 5505, and currently cannot ping their hosts, nor can they ping mine. The connection is not passing phase 1 and show crypto isa sa gives the following:
1 IKE Peer: x.x.x.x
Type : xxxx : initiator
Rekey : no State : xxxxx

Any help would be appreciated.

Thanks,
Dylan
0
 
Unix58Commented:
Dylan

By no means am I a Cisco expert. At this point, I'm pretty much limping along, but I'll take a peek if you post some of the config (don't post any info you don't want public).

Chris
0
 
bouncyfiresCommented:
Chris

Turns out they had my public IP wrong. I can now ping their hosts, however, I'm not sure if they can ping mine. Did you ever solve that problem?

Cheers,
Dylan
0
 
bouncyfiresCommented:
Chris and Chuck,

The problem with their hosts not being able to ping yours is caused by the NAT policy being dynamic rather than static. Here would be the commands you would need to enter with the server address being x.x.x.x NAT'd to x.x.x.x.

no global (outside) 10 x.x.x.x
no nat (inside) 10 access-list cryptomap_acl

access-list static-vpn1 permit ip host x.x.x.x object-group remote-vpn-hosts
static (inside,outside) x.x.x.x access-list static-vpn1
0
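Added example, not part of the thread and not Cisco's or any poster's code: a small model of the ASA translation (xlate) table that shows why the dynamic `nat (inside) 10 access-list ...` / `global (outside) 10 ...` pair from the earlier config lets the clinic reach e-MDs but not the reverse, and why the `static (inside,outside) ... access-list static-vpn1` form above fixes it. The addresses (10.0.0.50 for the IIS server, 198.51.100.7 for the address the remote side asked for, the 192.168.50.x hosts for object-group remote-vpn-hosts) are placeholders chosen for the example; the model ignores xlate timeouts and PAT and only reproduces the behaviour this thread turns on.

```python
"""Dynamic vs static policy NAT over an L2L tunnel, as a tiny xlate-table model."""
from dataclasses import dataclass, field

# Assumed addresses for the example (placeholders, not from the thread).
INSIDE_HOST = "10.0.0.50"                   # the clinic's IIS server
NATTED_AS = "198.51.100.7"                  # address e-MDs asked to see it as
REMOTE_HOSTS = {"192.168.50.83", "192.168.50.84", "192.168.50.85"}  # remote-vpn-hosts


@dataclass
class Asa:
    """Just enough of the ASA NAT engine to show the two behaviours."""
    mode: str                                    # "dynamic" or "static"
    xlates: dict = field(default_factory=dict)   # inside addr -> translated addr

    def __post_init__(self):
        if self.mode == "static":
            # static (inside,outside) NATTED_AS access-list static-vpn1
            # installs a permanent two-way mapping at configuration time.
            self.xlates[INSIDE_HOST] = NATTED_AS

    @staticmethod
    def interesting(src, dst):
        # The policy ACL: host INSIDE_HOST to object-group remote-vpn-hosts.
        return src == INSIDE_HOST and dst in REMOTE_HOSTS

    def outbound(self, src, dst):
        """Inside -> tunnel. Returns the (src, dst) sent, or None if not interesting."""
        if not self.interesting(src, dst):
            return None
        if src not in self.xlates:
            # nat (inside) 10 access-list ... / global (outside) 10 NATTED_AS:
            # the translation only comes into existence on the first outbound hit.
            self.xlates[src] = NATTED_AS
        return (self.xlates[src], dst)

    def inbound(self, src, dst):
        """Tunnel -> inside. Returns the (src, dst) delivered, or None if dropped."""
        if src not in REMOTE_HOSTS:
            return None
        for inside, translated in self.xlates.items():
            if translated == dst:
                return (src, inside)
        # Nothing to untranslate dst to: with dynamic NAT this is exactly the
        # "we can ping them but they cannot ping us" symptom from the thread.
        return None


def remote_initiates(mode):
    """A remote host hits the NAT'd address before any local traffic has flowed."""
    return Asa(mode).inbound("192.168.50.83", NATTED_AS)


def inside_initiates(mode):
    """The IIS server talks first; the reply comes back over the tunnel."""
    asa = Asa(mode)
    sent = asa.outbound(INSIDE_HOST, "192.168.50.83")
    reply = asa.inbound("192.168.50.83", sent[0]) if sent else None
    return sent, reply


if __name__ == "__main__":
    for mode in ("dynamic", "static"):
        print(mode, "remote-first:", remote_initiates(mode),
              "local-first:", inside_initiates(mode))
```

With `dynamic`, `remote_initiates` returns None (dropped) while `inside_initiates` works both ways, which is what both Chuck and Chris reported; with `static` both succeed. On a real ASA the dynamic case is slightly worse than the model: the xlate also ages out (`timeout xlate 3:00:00` in the posted config), so even a previously working inbound path stops once the IIS server has been quiet for a while.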
 
Unix58Commented:
Bouncyfires

That did the trick.  Appreciate the help.  
0
 
JJLuoAuthor Commented:
I lost track of what is going on.
0
