Link to home
Start Free TrialLog in
Avatar of rauljimenez
rauljimenezFlag for Spain

asked on

VPN lan-to-lan cisco 5505

     
Good evening,

I created a vpn lan-to-lan. VPN only works when I launch a ping from inside the firewall to outside (the other net) . If I throw a ping from outside the firewall to inside, the VPN is not up.
Normally I have one active connection IKE and one IPSEC. When I throw a ping and active the vpn, another connection IPSEC is created.

The vpn only is up when y make a ping.


In the other firewall (draytek 2910), I always have one active connection, Synamic Cliente. When the vpn is active y haver other normal vpn connection.


thanks!!
: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable 
passwd 
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 84.XXX.XXX.194 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.12.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list INSIDE_ACL_OUT extended permit ip any any 
access-list 100 extended permit tcp any any eq 3389 
access-list inside_access_in extended permit ip any any 
access-list inbound extended permit tcp any interface outside eq 3389 
access-list RDP extended permit tcp any interface outside eq 3389 log 
access-list RDP extended permit tcp interface outside interface inside eq 3389 
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.10.70-192.168.10.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 84.XXX.XXX.195-84.XXX.XXX.206 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp 84.XXX.XXX.197 3389 192.168.10.10 3389 netmask 255.255.255.255 
static (inside,outside) tcp 84.XXX.XXX.198 3389 192.168.10.22 3389 netmask 255.255.255.255 
static (inside,outside) tcp 84.XXX.XXX.199 3389 192.168.10.24 3389 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 84.XXX.XXX.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http 84.XXX.XXX.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-NOAUT esp-3des esp-none 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 89.XXX.XXX.96 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.90-192.168.10.100 inside
dhcpd dns 154.15.255.134 154.15.255.130 interface inside
dhcpd enable inside
!
 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool pool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group 89.XXX.XXX.96 type ipsec-l2l
tunnel-group 89.XXX.XXX.96 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 chain
 isakmp keepalive threshold 30 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:11fe5f3da03be9830fa5839c999b7b3b
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Open in new window

Avatar of bignewf
bignewf
Flag of United States of America image
from what you are describing, without sending a ping, the tunnel collapses --
you want to check ISAKMP keepalives, since tunnels can drop due to periods of inactivity. For the keepalives to work, both VPN endpoints must support them.

try this for starters

i.e for tunnel group 192.168.1.1:
asa5505(config)#tunnel-group  192.168.1.1  ipsec-attributes
asa5505(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

also, make sure your ISAKMP lifetime matches on both tunnel enpoints---
86,400 is the default (24 hrs)

you might want to run a steady ping from hosts behind each peer network to keep data flowing, or a batchfile copying data continuously to a host behind each peer


Avatar of rauljimenez
rauljimenez
Flag of Spain image

ASKER


Thanks bignewf!!

The problem isn´t keepalives, the problem is that the vpn only starts when I send a ping or when I generate traffic between the two lan´s of the vpn. The vpn can´t star without a ping.

I have other firewall who´s can start and keepalives the vpn without send ping or something similar...
Avatar of rauljimenez
rauljimenez
Flag of Spain image

ASKER

Up!

someone knows how to always keep up a vpn ??

thanks!
ASKER CERTIFIED SOLUTION
Avatar of Qlemo
Qlemo
Flag of Germany image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of rauljimenez
rauljimenez
Flag of Spain image

ASKER

thanks