rauljimenez
asked on
VPN lan-to-lan cisco 5505
Good evening,
I created a vpn lan-to-lan. VPN only works when I launch a ping from inside the firewall to outside (the other net) . If I throw a ping from outside the firewall to inside, the VPN is not up.
Normally I have one active connection IKE and one IPSEC. When I throw a ping and active the vpn, another connection IPSEC is created.
The vpn only is up when y make a ping.
In the other firewall (draytek 2910), I always have one active connection, Synamic Cliente. When the vpn is active y haver other normal vpn connection.
thanks!!
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 84.XXX.XXX.194 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list INSIDE_ACL_OUT extended permit ip any any
access-list 100 extended permit tcp any any eq 3389
access-list inside_access_in extended permit ip any any
access-list inbound extended permit tcp any interface outside eq 3389
access-list RDP extended permit tcp any interface outside eq 3389 log
access-list RDP extended permit tcp interface outside interface inside eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.10.70-192.168.10.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 84.XXX.XXX.195-84.XXX.XXX.206 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp 84.XXX.XXX.197 3389 192.168.10.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 84.XXX.XXX.198 3389 192.168.10.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 84.XXX.XXX.199 3389 192.168.10.24 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 84.XXX.XXX.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http 84.XXX.XXX.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-NOAUT esp-3des esp-none
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 89.XXX.XXX.96
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.90-192.168.10.100 inside
dhcpd dns 154.15.255.134 154.15.255.130 interface inside
dhcpd enable inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool pool1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
tunnel-group 89.XXX.XXX.96 type ipsec-l2l
tunnel-group 89.XXX.XXX.96 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
chain
isakmp keepalive threshold 30 retry 2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:11fe5f3da03be9830fa5839c999b7b3b
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
ASKER
Thanks bignewf!!
The problem isn´t keepalives, the problem is that the vpn only starts when I send a ping or when I generate traffic between the two lan´s of the vpn. The vpn can´t star without a ping.
I have other firewall who´s can start and keepalives the vpn without send ping or something similar...
ASKER
Up!
someone knows how to always keep up a vpn ??
thanks!
someone knows how to always keep up a vpn ??
thanks!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks
you want to check ISAKMP keepalives, since tunnels can drop due to periods of inactivity. For the keepalives to work, both VPN endpoints must support them.
try this for starters
i.e for tunnel group 192.168.1.1:
asa5505(config)#tunnel-gro
asa5505(config-tunnel-ipse
also, make sure your ISAKMP lifetime matches on both tunnel enpoints---
86,400 is the default (24 hrs)
you might want to run a steady ping from hosts behind each peer network to keep data flowing, or a batchfile copying data continuously to a host behind each peer