Solved

VPN lan-to-lan cisco 5505

Posted on 2009-07-09
5
670 Views
Last Modified: 2013-11-16
     
Good evening,

I created a vpn lan-to-lan. VPN only works when I launch a ping from inside the firewall to outside (the other net) . If I throw a ping from outside the firewall to inside, the VPN is not up.
Normally I have one active connection IKE and one IPSEC. When I throw a ping and active the vpn, another connection IPSEC is created.

The vpn only is up when y make a ping.


In the other firewall (draytek 2910), I always have one active connection, Synamic Cliente. When the vpn is active y haver other normal vpn connection.


thanks!!
: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable 
passwd 
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 84.XXX.XXX.194 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.12.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list INSIDE_ACL_OUT extended permit ip any any 
access-list 100 extended permit tcp any any eq 3389 
access-list inside_access_in extended permit ip any any 
access-list inbound extended permit tcp any interface outside eq 3389 
access-list RDP extended permit tcp any interface outside eq 3389 log 
access-list RDP extended permit tcp interface outside interface inside eq 3389 
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.1.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool pool1 192.168.10.70-192.168.10.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 84.XXX.XXX.195-84.XXX.XXX.206 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
static (inside,outside) tcp 84.XXX.XXX.197 3389 192.168.10.10 3389 netmask 255.255.255.255 
static (inside,outside) tcp 84.XXX.XXX.198 3389 192.168.10.22 3389 netmask 255.255.255.255 
static (inside,outside) tcp 84.XXX.XXX.199 3389 192.168.10.24 3389 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 84.XXX.XXX.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http 84.XXX.XXX.194 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-NOAUT esp-3des esp-none 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 89.XXX.XXX.96 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.90-192.168.10.100 inside
dhcpd dns 154.15.255.134 154.15.255.130 interface inside
dhcpd enable inside
!
 
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec 
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool pool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
tunnel-group 89.XXX.XXX.96 type ipsec-l2l
tunnel-group 89.XXX.XXX.96 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 chain
 isakmp keepalive threshold 30 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:11fe5f3da03be9830fa5839c999b7b3b
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Open in new window

0
Comment
Question by:rauljimenez
  • 3
5 Comments
 
LVL 15

Expert Comment

by:bignewf
ID: 24819806
from what you are describing, without sending a ping, the tunnel collapses --
you want to check ISAKMP keepalives, since tunnels can drop due to periods of inactivity. For the keepalives to work, both VPN endpoints must support them.

try this for starters

i.e for tunnel group 192.168.1.1:
asa5505(config)#tunnel-group  192.168.1.1  ipsec-attributes
asa5505(config-tunnel-ipsec)#isakmp keepalive threshold 15 retry 10

also, make sure your ISAKMP lifetime matches on both tunnel enpoints---
86,400 is the default (24 hrs)

you might want to run a steady ping from hosts behind each peer network to keep data flowing, or a batchfile copying data continuously to a host behind each peer


0
 

Author Comment

by:rauljimenez
ID: 24821292

Thanks bignewf!!

The problem isn´t keepalives, the problem is that the vpn only starts when I send a ping or when I generate traffic between the two lan´s of the vpn. The vpn can´t star without a ping.

I have other firewall who´s can start and keepalives the vpn without send ping or something similar...
0
 

Author Comment

by:rauljimenez
ID: 24849519
Up!

someone knows how to always keep up a vpn ??

thanks!
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 25011798
It's quite normal that some VPN devices build up tunnels only on demand. That behaviour is often intended. Other devices, more in the cheaper department, tend to use all VPN connections they are able to establish immediately after reboot.
I don't know whether you can change that behaviour on a general or by-tunnel base on Cisco. You could try if Dead Peer Detection helps - it often forces the tunnel to be established and stay active.
0
 

Author Closing Comment

by:rauljimenez
ID: 31601683
thanks
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

774 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question