Solved

VPN lan-to-lan cisco 5505

Posted on 2009-07-09
Last Modified: 2013-11-16
     
Good evening,

I created a VPN lan-to-lan. The VPN only works when I launch a ping from inside the firewall to outside (the other net). If I send a ping from outside the firewall to inside, the VPN does not come up.
Normally I have one active IKE connection and one IPSEC. When I send a ping and activate the VPN, another IPSEC connection is created.

The VPN is only up when I make a ping.


In the other firewall (DrayTek 2910), I always have one active connection, Dynamic Client. When the VPN is active I have another normal VPN connection.


thanks!!
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 84.XXX.XXX.194 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.12.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list INSIDE_ACL_OUT extended permit ip any any
access-list 100 extended permit tcp any any eq 3389
access-list inside_access_in extended permit ip any any
access-list inbound extended permit tcp any interface outside eq 3389
access-list RDP extended permit tcp any interface outside eq 3389 log
access-list RDP extended permit tcp interface outside interface inside eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.10.70-192.168.10.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 84.XXX.XXX.195-84.XXX.XXX.206 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp 84.XXX.XXX.197 3389 192.168.10.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 84.XXX.XXX.198 3389 192.168.10.22 3389 netmask 255.255.255.255
static (inside,outside) tcp 84.XXX.XXX.199 3389 192.168.10.24 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 84.XXX.XXX.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http 84.XXX.XXX.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-NOAUT esp-3des esp-none
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 89.XXX.XXX.96
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.90-192.168.10.100 inside
dhcpd dns 154.15.255.134 154.15.255.130 interface inside
dhcpd enable inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool pool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group 89.XXX.XXX.96 type ipsec-l2l
tunnel-group 89.XXX.XXX.96 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 chain
 isakmp keepalive threshold 30 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:11fe5f3da03be9830fa5839c999b7b3b
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Question by:rauljimenez
5 Comments
 
LVL 15

Expert Comment

by:bignewf
ID: 24819806
From what you are describing, without sending a ping the tunnel collapses --
you want to check ISAKMP keepalives, since tunnels can drop due to periods of inactivity. For the keepalives to work, both VPN endpoints must support them.

Try this for starters,

i.e. for tunnel group 192.168.1.1:
asa5505(config)#tunnel-group 192.168.1.1 ipsec-attributes
asa5505(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

Also, make sure your ISAKMP lifetime matches on both tunnel endpoints ---
86,400 is the default (24 hrs).

You might want to run a steady ping from hosts behind each peer network to keep data flowing, or a batch file copying data continuously to a host behind each peer.


 

Author Comment

by:rauljimenez
ID: 24821292

Thanks bignewf!!

The problem isn't keepalives; the problem is that the VPN only starts when I send a ping or when I generate traffic between the two LANs of the VPN. The VPN can't start without a ping.

I have another firewall which can start and keep the VPN alive without sending a ping or anything similar...
 

Author Comment

by:rauljimenez
ID: 24849519
Up!

Does anyone know how to always keep a VPN up??

thanks!
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 25011798
It's quite normal that some VPN devices build up tunnels only on demand. That behaviour is often intended. Other devices, more in the cheaper department, tend to bring up all VPN connections they are able to establish immediately after reboot.
I don't know whether you can change that behaviour on a general or per-tunnel basis on Cisco. You could try whether Dead Peer Detection helps - it often forces the tunnel to be established and stay active.
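An added check, not from the thread or from Cisco: a Python script that parses the crypto map and tunnel-group lines of the configuration posted above (embedded as a constructed excerpt, with the addresses masked as in the post) and reports, per crypto map entry, who may bring the tunnel up and whether ISAKMP keepalives (DPD) are configured. On the ASA, `set connection-type originate-only` means this side initiates the tunnel but does not answer IKE negotiations started by the peer, which is the kind of setting worth confirming when only one direction of traffic brings a tunnel up.

```python
import re

# Constructed excerpt of the ASA 7.2(4) configuration posted above (addresses masked as in the post).
ASA_CONFIG = """\
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 89.XXX.XXX.96
crypto isakmp policy 10
 lifetime none
tunnel-group 89.XXX.XXX.96 type ipsec-l2l
tunnel-group 89.XXX.XXX.96 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
"""

def parse_crypto_maps(config):
    """(map name, sequence) -> {setting: value} for every 'crypto map ... set' line."""
    maps = {}
    for line in config.splitlines():
        m = re.match(r"^crypto map (\S+) (\d+) set (\S+) (.+)$", line.strip())
        if m:
            name, seq, key, value = m.groups()
            maps.setdefault((name, int(seq)), {})[key] = value.strip()
    return maps

def parse_tunnel_groups(config):
    """peer name -> list of attribute lines under its 'ipsec-attributes' block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())  # indented line belongs to the open block
        else:
            current = None  # any other top-level line closes the block
    return groups

def audit_l2l(config):
    """Per crypto map entry: who may initiate the tunnel, and is DPD configured?"""
    findings, groups = [], parse_tunnel_groups(config)
    for (name, seq), s in sorted(parse_crypto_maps(config).items()):
        peer = s.get("peer", "?")
        # ASA default is bidirectional; originate-only means this ASA starts the tunnel itself
        # but does not answer an IKE negotiation started by the peer.
        if s.get("connection-type", "bidirectional") == "originate-only":
            findings.append(f"{name} {seq}: originate-only; peer {peer} cannot bring the tunnel up")
        if not any(a.startswith("isakmp keepalive") for a in groups.get(peer, [])):
            findings.append(f"{name} {seq}: no isakmp keepalive (DPD) configured for peer {peer}")
    return findings
```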
 

Author Closing Comment

by:rauljimenez
ID: 31601683
thanks
