Cisco ASA site to site VPN Help

Axis52401
I am trying to set up a VPN between two Cisco ASAs. I followed the wizard in the ASDM on both but cannot get them to connect. I have pasted the configs of both below; where am I going wrong?

ASA A
hostname axisieasa
domain-name axisie
enable password bh.FA1Do8rU5EiE3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.123.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.199.233.30 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name axisie
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark Terminal server access
access-list outside_access_in extended permit ip any host 192.168.123.6
access-list outside_access_in remark Mail
access-list outside_access_in extended permit ip any host 192.168.123.5
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any any eq www
access-list acl-out extended permit tcp any any eq 3389
access-list acl-out extended permit tcp any any eq smtp
access-list acl-out extended permit tcp any any eq 3396
access-list acl-out extended permit tcp any any eq pop3
access-list acl-out extended permit tcp any any eq https
access-list inside_access_in extended permit ip any any
access-list dmz_nat0_outbound extended permit ip host 64.199.233.30 host 72.50.230.17
access-list outside_1_cryptomap extended permit ip host 64.199.233.30 host 72.50.230.17
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 64.199.233.30 255.255.255.255 outside
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) tcp interface 3389 192.168.123.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.123.5 smtp netmask 255.255.255.255
static (outside,inside) tcp 192.168.123.5 smtp 64.199.233.30 smtp netmask 255.255.255.255
static (outside,inside) tcp 192.168.123.5 www 64.199.233.30 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.123.5 pop3 netmask 255.255.255.255
static (outside,inside) tcp 192.168.123.5 pop3 64.199.233.30 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.123.5 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.123.5 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.199.233.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.123.111 255.255.255.255 inside
http 192.168.123.170 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.123.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.50.230.17
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.123.0 255.255.255.255 inside
telnet 192.168.123.170 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns 209.253.113.19 208.67.222.222 interface inside
!

!
!
prompt hostname context
Cryptochecksum:f883fd8c7fe42881cb12d33aa79a219d
: end
asdm image disk0:/asdm-524.bin
no asdm history enable


ASA B

enable password MKZEAAvAsvlaKcpO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.222.11 AB1
name 192.168.222.21 AB1R
name 192.168.222.15 AB5R
name 192.168.222.31 msabts
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.222.1 255.255.255.0
!
interface Ethernet0/1
description outside
nameif outside
security-level 0
ip address 72.50.230.17 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service mail tcp
description mail server
port-object eq pop3
port-object eq imap4
port-object eq smtp
port-object range 3389 3389
port-object eq www
port-object eq https
port-object eq 587
object-group service backup tcp
description backup server
port-object eq www
port-object range 3389 3389
port-object eq https
object-group service AB1 tcp
description AB1
port-object eq 3389
port-object eq www
port-object eq https
object-group service AB1R tcp
description Ab1R
port-object eq 3389
port-object eq www
port-object eq https
object-group service AB5R tcp
description Ab5R
port-object eq 3389
port-object eq www
port-object eq https
object-group service msabts tcp
description msabts
port-object eq 3389
port-object eq www
port-object eq https
object-group service AB6 tcp
port-object eq 3389
port-object eq https
port-object eq www
object-group service MTS tcp
description Management Terminal Server
port-object eq www
port-object range 3389 3389
port-object eq https
port-object eq smtp
object-group service TS2 tcp
description TS2
port-object eq www
port-object range 3389 3389
port-object eq https
object-group service ts3 tcp
description ts3
port-object eq www
port-object range 3389 3389
port-object eq https
object-group service ts4 tcp
description ts4
port-object eq www
port-object eq https
object-group service ts5 tcp
description ts5
port-object eq www
port-object range 3389 3389
port-object eq https
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit udp any any eq snmp
access-list outside extended permit tcp any host 72.50.230.18 object-group AB1
access-list outside extended permit tcp any host 72.50.230.25 object-group AB1R
access-list outside remark mail.iens.net
access-list outside extended permit tcp any host 147.202.24.230 object-group mail
access-list outside remark ns2.iens.net
access-list outside extended permit tcp any host 72.50.230.22 object-group msabts
access-list outside extended permit tcp any host 72.50.230.19 object-group AB6
access-list outside remark ts2
access-list outside extended permit tcp any host 72.50.230.50 object-group TS2
access-list outside remark ts3
access-list outside extended permit tcp any host 72.50.230.51 object-group ts3
access-list outside remark ts4
access-list outside extended permit tcp any host 72.50.230.52 object-group ts4
access-list outside remark ts5
access-list outside extended permit tcp any host 72.50.230.53 object-group ts5
access-list outside remark mts 2
access-list outside extended permit tcp any host 72.50.230.23 object-group MTS
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list nonat extended permit ip any 192.168.222.128 255.255.255.192
access-list nonat extended permit ip any host 192.168.123.0
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 host 192.168.123.0
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.222.128 255.255.255.192
access-list inside_access_in extended permit ip 192.168.222.0 255.255.255.0 any
access-list outside_cryptomap_80 extended permit ip 192.168.222.0 255.255.255.0 host 192.168.123.0
access-list outside_cryptomap_20 extended permit ip 192.168.222.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip any host 192.168.123.0
pager lines 24
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool VPNIP 192.168.222.150-192.168.222.170 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
static (inside,outside) 72.50.230.18 AB1 netmask 255.255.255.255
static (inside,outside) 72.50.230.25 AB1R netmask 255.255.255.255
static (inside,outside) 72.50.230.22 msabts netmask 255.255.255.255
static (inside,outside) 72.50.230.21 AB5R netmask 255.255.255.255
static (inside,outside) 72.50.230.19 192.168.222.16 netmask 255.255.255.255
static (inside,outside) 72.50.230.50 192.168.222.50 netmask 255.255.255.255
static (inside,outside) 72.50.230.51 192.168.222.51 netmask 255.255.255.255
static (inside,outside) 72.50.230.52 192.168.222.52 netmask 255.255.255.255
static (inside,outside) 72.50.230.53 192.168.222.53 netmask 255.255.255.255
static (inside,outside) 72.50.230.23 192.168.222.20 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 72.50.230.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list MTS "MTS" http://192.168.222.20
url-list MTS "mts" cifs://192.168.222.20
aaa-server abts2 protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy ABTSPolicy internal
group-policy ABTSPolicy attributes
vpn-tunnel-protocol webvpn
webvpn
  functions url-entry file-access file-entry file-browsing mapi
  url-list none
group-policy Axis internal
group-policy VPN internal
username administrator password Q2rjdzPRGdI5M3bC encrypted privilege 0
username administrator attributes
vpn-group-policy VPN
webvpn
username Axis password jhcosmTlBrSDVQIF encrypted privilege 0
username Axis attributes
vpn-group-policy Axis
webvpn
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.222.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http redirect outside 80
snmp-server host outside 64.199.233.20 poll community iepriv
snmp-server location Covault
snmp-server contact Jason Komendat
snmp-server community iepriv
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set peer 64.199.233.30
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 64.199.230.30
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 80 set security-association lifetime seconds 28800
crypto map outside_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 64.199.233.30
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
tunnel-group Axis type ipsec-l2l
tunnel-group Axis ipsec-attributes
pre-shared-key *
vpn-sessiondb max-session-limit 10
telnet msabts 255.255.255.255 inside
telnet timeout 5
ssh 192.168.222.0 255.255.255.0 inside
ssh 64.199.233.16 255.255.255.240 outside
ssh 12.152.199.0 255.255.255.128 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 66.250.45.2 source outside
ntp server 66.36.239.127 source outside
ntp server 155.101.3.114 source outside
ntp server 69.31.13.210 source outside
webvpn
enable outside
smtp-server 192.168.111.102
Cryptochecksum:c75fe6d0cb514bfbd9ecbf6e83c05104
: end
Start by removing (from the console) anything to do with the VPNs - they are totally broken. On ASA A you have a VPN set up to only encrypt traffic from the outside of A to the outside of B (nothing for the internal to internal traffic you need) and on ASA B you have 3 different crypto maps that are trying to do roughly the same thing but only 20 has the correct ACL (the ASA B subnet to the ASA A subnet). I would also name your interfaces and networks in the firewall tab of ASDM or using the name command on the CLI as it will make troubleshooting and configuring much easier.

The ASDM wizard usually works really well for this - as long as you don't have anything else already configured that would conflict; otherwise it has a bit of a hissy fit and won't do it properly.

Starting over with them is the best bet. If that doesn't do it then let me know and I will write the config for you to put straight into the CLI.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

It seems that you have not defined a tunnel group for the IP address, and have not defined a key...

And on site B you defined the crypto twice; please remove the following:

crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 64.199.233.30
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000

And please use mirrored ACLs on both sides.

Please refer to these how-to guides:
http://www.petenetlive.com/KB/Article/0000072.htm
http://www.petenetlive.com/KB/Article/0000050.htm
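Both answers above come down to the same check: each side's crypto ACL must describe the LAN-to-LAN traffic (not the two outside addresses), and the peer's ACL must be its exact mirror. The script below is an added example, not from the thread, Cisco or the linked guides; it parses the pre-8.3 style crypto-map lines used in the posted configs and reports entries that are not mirrored. The sample inputs are constructed from the crypto-relevant lines of the configs in this thread, and the only assumption passed in is each ASA's outside address as posted.

```python
"""Mirror check for the crypto-map ACLs of two ASA site-to-site peers (added example).

Parses pre-8.3 style 'access-list NAME extended permit ip SRC DST' and
'crypto map MAP SEQ match address NAME' / 'set peer IP' lines, then flags entries
whose peer is wrong, whose ACL only covers the two outside addresses, or whose
ACEs have no swapped-around twin on the other ASA.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip (?P<rest>.+)$")
MATCH_RE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) match address (?P<acl>\S+)$")
PEER_RE = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) set peer (?P<peer>\S+)$")


def _take_addr(tokens, ifaces):
    """Consume one ACL address spec; return an ip_network, or None if unresolvable."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "interface":  # the ASA's own address on that interface
        ip = ifaces.get(tokens.pop(0))
        return ipaddress.ip_network(ip + "/32") if ip else None
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)  # NET MASK form


def parse_asa(config_text, ifaces):
    """Return [(map, seq, peer, [(src, dst), ...])] for crypto map entries with an ACL and a peer."""
    acls, cmaps = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            toks = m.group("rest").split()
            src, dst = _take_addr(toks, ifaces), _take_addr(toks, ifaces)
            acls.setdefault(m.group("name"), []).append((src, dst))
            continue
        m = MATCH_RE.match(line) or PEER_RE.match(line)
        if m:  # whichever regex matched has exactly one of the 'acl' / 'peer' groups
            key = "acl" if "acl" in m.groupdict() else "peer"
            cmaps.setdefault((m.group("map"), m.group("seq")), {})[key] = m.group(key)
    return [(name, seq, e["peer"], acls.get(e["acl"], []))
            for (name, seq), e in cmaps.items() if "acl" in e and "peer" in e]


def find_problems(local_text, local_ifaces, remote_text, remote_ifaces):
    """Findings for the local ASA's static crypto map entries, checked against the remote config."""
    local_out = ipaddress.ip_network(local_ifaces["outside"] + "/32")
    remote_out = ipaddress.ip_network(remote_ifaces["outside"] + "/32")
    remote_aces = set()  # every ACE the remote side would encrypt towards us
    for _, _, peer, aces in parse_asa(remote_text, remote_ifaces):
        if peer == local_ifaces["outside"]:
            remote_aces.update(aces)
    problems = []
    for name, seq, peer, aces in parse_asa(local_text, local_ifaces):
        tag = f"{name} {seq}"
        if peer != remote_ifaces["outside"]:
            problems.append(f"{tag}: peer {peer} is not the remote outside address {remote_ifaces['outside']}")
            continue
        for src, dst in aces:
            if src is None or dst is None:
                problems.append(f"{tag}: ACE names an interface with no known address")
            elif src == local_out and dst == remote_out:
                problems.append(f"{tag}: ACE only covers firewall-to-firewall traffic, not the inside LANs")
            elif (dst, src) not in remote_aces:
                problems.append(f"{tag}: {src} -> {dst} has no mirror ({dst} -> {src}) on the remote peer")
    return problems


# Constructed samples: the crypto-relevant lines of the two configs posted in this thread.
A_IFACES = {"outside": "64.199.233.30"}
B_IFACES = {"outside": "72.50.230.17"}
ASA_A_AS_POSTED = """
access-list outside_1_cryptomap extended permit ip interface outside host 72.50.230.17
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.50.230.17
"""
ASA_B_AS_POSTED = """
access-list outside_cryptomap_80 extended permit ip 192.168.222.0 255.255.255.0 host 192.168.123.0
access-list outside_cryptomap_100 extended permit ip any host 192.168.123.0
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 64.199.230.30
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 64.199.233.30
"""
# Constructed: one mirrored LAN-to-LAN entry per side, as the answers recommend.
ASA_A_FIXED = """
access-list outside_1_cryptomap extended permit ip 192.168.123.0 255.255.255.0 192.168.222.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.50.230.17
"""
ASA_B_FIXED = """
access-list outside_cryptomap_20 extended permit ip 192.168.222.0 255.255.255.0 192.168.123.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.199.233.30
"""
```

Run `find_problems` in both directions; the as-posted pair reports the firewall-to-firewall ACL on A and the wrong peer plus unmirrored ACE on B, while the fixed pair reports nothing.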
Axis52401, Security Analyst

Author

Commented:
I can't seem to remove the following lines from ASA B. I run the no etc command and I don't get any errors but they remain. Most of these lines were from a previous attempt to set up a VPN to a different router. They were made from the ASDM wizard but I don't see an option there to remove them.


crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 80 set security-association lifetime seconds 28800
crypto map outside_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
What is the interesting traffic of the VPN?
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
no crypto ipsec security-association lifetime seconds 28800
no crypto ipsec security-association lifetime kilobytes 4608000
no crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
no crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
no crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
no crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
no crypto map outside_map 20 set security-association lifetime seconds 28800
no crypto map outside_map 20 set security-association lifetime kilobytes 4608000
no crypto map outside_map 40 set security-association lifetime seconds 28800
no crypto map outside_map 40 set security-association lifetime kilobytes 4608000
no crypto map outside_map 60 set security-association lifetime seconds 28800
no crypto map outside_map 60 set security-association lifetime kilobytes 4608000
no crypto map outside_map 80 set security-association lifetime seconds 28800
no crypto map outside_map 80 set security-association lifetime kilobytes 4608000
no crypto map outside_map 100 set security-association lifetime seconds 28800
no crypto map outside_map 100 set security-association lifetime kilobytes 4608000
no crypto map outside_map 65535 set security-association lifetime seconds 28800
no crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
Remove the lines from the config, copy it back to the ASA to a different file name - such as novpn - then do a copy novpn start and reload.
Axis52401, Security Analyst

Author

Commented:
ikalmar:

I've tried the no commands. It says command successfully sent to device. Yet when I do a sho run they are still there. It's only happening on the ASA 5510. The ASA 5505 let me remove the wrong ones I had.
Axis52401, Security Analyst

Author

Commented:
I just tried doing it from the telnet interface to see if it would make a difference if I bypassed the ASDM and they still won't remove.
Axis52401, Security Analyst

Author

Commented:
I'm not sure what you are asking here.

ikalmar:
What is the interesting traffic of the VPN?

Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Please reload the ASA... and do only CLI, not ASDM.
Axis52401, Security Analyst

Author

Commented:
The ASA is in production in a data center; I can't take it offline. Is there any way of adding the new VPN configuration and leaving those lines there?
Axis52401, Security Analyst

Author

Commented:
I was able to remove those configurations. Apparently with those lines you don't use
no crypto ipsec security-association lifetime seconds 28800

you use clear config crypto ipsec security-association lifetime seconds 28800

So I'm back to the starting point. I didn't have great luck with the ASDM last time; can anyone help me with the configs to get these 2 sites connected?

My site A ASA 5505 IP external 64.199.233.30 and internal network 192.168.123.x
Site B ASA 5510 External 72.50.230.17 and internal 192.168.222.x

I'd appreciate any help I can get.
Axis52401, Security Analyst

Author

Commented:
I tried setting the VPN up again with no success. This is what I have in the configs, using the ASDM:

ASA A

passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.123.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.199.233.30 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name axisie
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in remark Terminal server access
access-list outside_access_in extended permit ip any host 192.168.123.6
access-list outside_access_in remark Mail
access-list outside_access_in extended permit ip any host 192.168.123.5
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any any eq www
access-list acl-out extended permit tcp any any eq 3389
access-list acl-out extended permit tcp any any eq smtp
access-list acl-out extended permit tcp any any eq 3396
access-list acl-out extended permit tcp any any eq pop3
access-list acl-out extended permit tcp any any eq https
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip interface outside host 72.50.230.17
access-list inside_nat0_outbound extended permit ip interface outside host 72.50.230.17
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 64.199.233.30 255.255.255.255 outside
static (inside,outside) tcp interface 3389 192.168.123.6 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.123.5 smtp netmask 255.255.255.255
static (outside,inside) tcp 192.168.123.5 smtp 64.199.233.30 smtp netmask 255.255.255.255
static (outside,inside) tcp 192.168.123.5 www 64.199.233.30 www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.123.5 pop3 netmask 255.255.255.255
static (outside,inside) tcp 192.168.123.5 pop3 64.199.233.30 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.123.5 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.123.5 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.199.233.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.123.111 255.255.255.255 inside
http 192.168.123.170 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.123.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 72.50.230.17
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.123.0 255.255.255.255 inside
telnet 192.168.123.170 255.255.255.255 inside
telnet 192.168.123.6 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns 209.253.113.19 208.67.222.222 interface inside
!
tunnel-group 72.50.230.17 type ipsec-l2l
tunnel-group 72.50.230.17 ipsec-attributes
 pre-shared-key *



ASA B
asdm location 147.202.24.230 255.255.255.255 outside
asdm location 192.168.222.16 255.255.255.255 inside
asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name axisbu.com
enable password MKZEAAvAsvlaKcpO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.222.11 AB1
name 192.168.222.21 AB1R
name 192.168.222.15 AB5R
name 192.168.222.31 msabts
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0
!
interface Ethernet0/1
 description outside
 nameif outside
 security-level 0
 ip address 72.50.230.17 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service mail tcp
 description mail server
 port-object eq pop3
 port-object eq imap4
 port-object eq smtp
 port-object range 3389 3389
 port-object eq www
 port-object eq https
 port-object eq 587
object-group service backup tcp
 description backup server
 port-object eq www
 port-object range 3389 3389
 port-object eq https
object-group service AB1 tcp
 description AB1
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service AB1R tcp
 description Ab1R
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service AB5R tcp
 description Ab5R
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service msabts tcp
 description msabts
 port-object eq 3389
 port-object eq www
 port-object eq https
object-group service AB6 tcp
 port-object eq 3389
 port-object eq https
 port-object eq www
object-group service MTS tcp
 description Management Terminal Server
 port-object eq www
 port-object range 3389 3389
 port-object eq https
 port-object eq smtp
object-group service TS2 tcp
 description TS2
 port-object eq www
 port-object range 3389 3389
 port-object eq https
object-group service ts3 tcp
 description ts3
 port-object eq www
 port-object range 3389 3389
 port-object eq https
object-group service ts4 tcp
 description ts4
 port-object eq www
 port-object eq https
object-group service ts5 tcp
 description ts5
 port-object eq www
 port-object range 3389 3389
 port-object eq https
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit udp any any eq snmp
access-list outside extended permit tcp any host 72.50.230.18 object-group AB1
access-list outside extended permit tcp any host 72.50.230.25 object-group AB1R
access-list outside remark mail.iens.net
access-list outside extended permit tcp any host 147.202.24.230 object-group mail
access-list outside remark ns2.iens.net
access-list outside extended permit tcp any host 72.50.230.22 object-group msabts
access-list outside extended permit tcp any host 72.50.230.19 object-group AB6
access-list outside remark ts2
access-list outside extended permit tcp any host 72.50.230.50 object-group TS2
access-list outside remark ts3
access-list outside extended permit tcp any host 72.50.230.51 object-group ts3
access-list outside remark ts4
access-list outside extended permit tcp any host 72.50.230.52 object-group ts4
access-list outside remark ts5
access-list outside extended permit tcp any host 72.50.230.53 object-group ts5
access-list outside remark mts 2
access-list outside extended permit tcp any host 72.50.230.23 object-group MTS
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.222.0 255.255.255.0
access-list nonat extended permit ip any 192.168.222.128 255.255.255.192
access-list nonat extended permit ip any host 192.168.123.0
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 host 192.168.123.0
access-list nonat extended permit ip 192.168.222.0 255.255.255.0 192.168.222.128 255.255.255.192
access-list inside_access_in extended permit ip 192.168.222.0 255.255.255.0 any
access-list outside_nat0_inbound extended permit ip interface outside host 64.199.233.30
access-list outside_cryptomap_20 extended permit ip interface outside host 64.199.233.30
pager lines 24
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool VPNIP 192.168.222.150-192.168.222.170 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
nat (outside) 0 access-list outside_nat0_inbound outside
static (inside,outside) 72.50.230.18 AB1 netmask 255.255.255.255
static (inside,outside) 72.50.230.25 AB1R netmask 255.255.255.255
static (inside,outside) 72.50.230.22 msabts netmask 255.255.255.255
static (inside,outside) 72.50.230.21 AB5R netmask 255.255.255.255
static (inside,outside) 72.50.230.19 192.168.222.16 netmask 255.255.255.255
static (inside,outside) 72.50.230.50 192.168.222.50 netmask 255.255.255.255
static (inside,outside) 72.50.230.51 192.168.222.51 netmask 255.255.255.255
static (inside,outside) 72.50.230.52 192.168.222.52 netmask 255.255.255.255
static (inside,outside) 72.50.230.53 192.168.222.53 netmask 255.255.255.255
static (inside,outside) 72.50.230.23 192.168.222.20 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 72.50.230.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list MTS "MTS" http://192.168.222.20
url-list MTS "mts" cifs://192.168.222.20
aaa-server abts2 protocol radius
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy ABTSPolicy internal
group-policy ABTSPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi
  url-list none
username administrator password Q2rjdzPRGdI5M3bC encrypted privilege 0
username administrator attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.222.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http redirect outside 80
snmp-server host outside 64.199.233.20 poll community iepriv
snmp-server location Covault
snmp-server contact Jason Komendat
snmp-server community iepriv
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.199.230.30
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 64.199.230.30 type ipsec-l2l
tunnel-group 64.199.230.30 ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 10
telnet msabts 255.255.255.255 inside
telnet timeout 5
ssh 192.168.222.0 255.255.255.0 inside
ssh 64.199.233.16 255.255.255.240 outside
ssh 12.152.199.0 255.255.255.128 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 66.250.45.2 source outside
ntp server 66.36.239.127 source outside
ntp server 155.101.3.114 source outside
ntp server 69.31.13.210 source outside
webvpn
 enable outside
smtp-server 192.168.111.102
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi, the following is needed on SITE A:
no nat (outside) 0 64.199.233.30 255.255.255.255 outside

no access-list inside_nat0_outbound extended permit ip interface outside host 72.50.230.17
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.222.0 255.255.255.0

access-list VPN_to_B extended permit ip 192.168.123.0 255.255.255.0 192.168.222.0 255.255.255.0

crypto ipsec transform-set myset esp-3des esp-md5-hma

tunnel-group 72.50.230.17 type ipsec-l2l
tunnel-group 72.50.230.17 ipsec-attributes
 pre-shared-key *

crypto map mymap 30 match address VPN_to_B  
crypto map mymap 30 set peer 72.50.230.17
crypto map mymap 30 set transform-set myset
crypto map mymap 30 set security-association lifetime seconds 28800
crypto map mymap 30 set security-association lifetime kilobytes 4608000
clear xlate


Axis52401, Security Analyst
Author
Commented:
I got the following errors when entering these commands. The rest of the commands entered successfully.


Result of the command: "crypto ipsec transform-set myset esp-3des esp-md5-hma"

usage: crypto ipsec transform-set <trans-name> transform1 transform2
transform..[ esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-3des|esp-null ]
or         [ esp-md5-hmac|esp-sha-hmac|esp-none ]
       crypto ipsec transform-set <trans-name> mode transport

Result of the command: "tunnel-group 72.50.230.17 type ipsec-l2l"

tunnel-group 72.50.230.17 type ipsec-l2l
                          ^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "pre-shared-key *"

pre-shared-key *
   ^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "crypto map mymap 30 set transform-set myset"

ERROR: transform set with tag "myset" does not exist.
Axis52401, Security Analyst
Author
Commented:
I got all of the commands to run successfully except
pre-shared-key *

Am I supposed to type in the Preshared key itself and not the *
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Yes, * means the password.

pre-shared-key dfsdfg5ew/=%!(=!%(%/78
Axis52401, Security Analyst
Author
Commented:
I'm a little confused on the syntax for this one, and this is probably why it won't connect, so would it be

pre-shared-key password

where password is the preshared key on both?
Axis52401, Security Analyst
Author
Commented:
How do I enter this command?

I'm trying pre-shared-key password

and it gives me
pre-shared-key PASSWORD
                      ^
ERROR: % Invalid input detected at '^' marker.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
tunnel-group 72.50.230.17 type ipsec-l2l
pre-shared-key PASSWORD
Axis52401, Security Analyst
Author
Commented:
I get this with the first line   tunnel-group 72.50.230.17 type ipsec-l2l



axisieasa(config)# tunnel-group 72.50.230.17 type ipsec-l2l
                                             ^
ERROR: % Invalid input detected at '^' marker.
Axis52401, Security Analyst
Author
Commented:
I looked in Both ASDM's for each side and they both have the same Preshared key
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
tunnel-group 72.50.230.17 type ipsec-l2l
tunnel-group 72.50.230.17 ipsec-attributes
 pre-shared-key *
Axis52401, Security Analyst
Author
Commented:
It took the commands that time. I'm trying to ping an IP address on the site B side with no luck and the VPN light on the ASA 5505 on this side is still off. Is there something else that has to be done to initiate the connection.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Please send interesting traffic from a PC, because the VPN is not built up until the interesting traffic is flowing....
Axis52401, Security Analyst
Author
Commented:
How do I send interesting traffic from a PC? I just googled it and found some listings for access lists.
Security Analyst
Commented:
I haven't been able to find any information on how to do this interesting traffic that you mentioned.
Interesting traffic is just from a PC on the inside lan on one side to a PC on the inside lan on the other side.
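An added worked example covering the two expert posts above (the Site A crypto configuration and the "interesting traffic" explanation); it is not from the thread, and it is Python rather than ASA CLI because it is meant to be run against saved configs before touching the boxes. It parses the L2L-relevant lines from each side and checks the things that most often keep a wizard-built tunnel down: each side's `set peer` must equal the other side's outside address (in the Site B config above the peer is 64.199.230.30 while Site A's outside interface is 64.199.233.30), the transform sets must match (the suggested `myset` uses esp-md5-hmac while Site B's ESP-3DES-SHA uses esp-sha-hmac), a `tunnel-group <peer> type ipsec-l2l` must exist for the peer, and the crypto ACLs must be mirror images of LAN prefixes (Site B's `outside_cryptomap_20` matches `interface outside host 64.199.233.30`, the two firewalls' own public addresses, so LAN traffic never matches it). `is_interesting` answers the last question in the thread: a packet is interesting exactly when it matches the crypto ACL, which for a correct L2L config means a PC on one inside LAN talking to an address on the other inside LAN. The sample configs are constructed; Site B's outside address 72.50.230.17 is an assumption (it is the peer address the expert used) because that interface stanza is not on the page.

```python
import ipaddress

# Constructed samples (not the thread's full configs). SITE_A: the expert's fix
# with the mask completed to 255.255.255.0, plus Site A's outside address from
# the posted config. SITE_B_POSTED: the crypto lines of the Site B config above;
# its outside address 72.50.230.17 is an ASSUMPTION (the peer address the expert
# used). SITE_B_FIXED: Site B rewritten as the mirror image of SITE_A.
SITE_A = """
 nameif outside
 ip address 64.199.233.30 255.255.255.240
access-list VPN_to_B extended permit ip 192.168.123.0 255.255.255.0 192.168.222.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 30 match address VPN_to_B
crypto map mymap 30 set peer 72.50.230.17
crypto map mymap 30 set transform-set myset
tunnel-group 72.50.230.17 type ipsec-l2l
"""
SITE_B_POSTED = """
 nameif outside
 ip address 72.50.230.17 255.255.255.0
access-list outside_cryptomap_20 extended permit ip interface outside host 64.199.233.30
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.199.230.30
crypto map outside_map 20 set transform-set ESP-3DES-SHA
tunnel-group 64.199.230.30 type ipsec-l2l
"""
SITE_B_FIXED = """
 nameif outside
 ip address 72.50.230.17 255.255.255.0
access-list VPN_to_A extended permit ip 192.168.222.0 255.255.255.0 192.168.123.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map outside_map 20 match address VPN_to_A
crypto map outside_map 20 set peer 64.199.233.30
crypto map outside_map 20 set transform-set myset
tunnel-group 64.199.233.30 type ipsec-l2l
"""


def _operand(tok, i):
    """One ACL address operand at tok[i] -> (value, next index). 'interface X'
    is kept as a tag: it is the ASA's own address, so no LAN prefix mirrors it."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "interface":
        return "interface:" + tok[i + 1], i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2


def parse_site(config):
    """Pull the L2L-relevant settings out of an ASA config snippet."""
    site = {"outside": None, "peer": None, "acl": None, "aces": [],
            "ts": frozenset(), "tunnel_groups": set()}
    ts_defs, nameif = {}, None
    lines = [ln.split() for ln in config.splitlines() if ln.strip()]
    for tok in lines:
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif == "outside":
            site["outside"] = ipaddress.ip_address(tok[2])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            ts_defs[tok[3]] = frozenset(tok[4:])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            site["acl"] = tok[6]
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["set", "peer"]:
            site["peer"] = ipaddress.ip_address(tok[6])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["set", "transform-set"]:
            site["ts"] = ts_defs.get(tok[6], frozenset())
        elif tok[0] == "tunnel-group" and tok[2:4] == ["type", "ipsec-l2l"]:
            site["tunnel_groups"].add(tok[1])
    for tok in lines:  # second pass: the crypto ACL's entries, now that its name is known
        if tok[0] == "access-list" and tok[1] == site["acl"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(tok, 5)
            dst, _ = _operand(tok, i)
            site["aces"].append((src, dst))
    return site


def check_pair(a, b):
    """Mismatches that keep two ASAs from building the L2L tunnel between them."""
    problems = []
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["outside"]:
            problems.append(f"{name} peers with {me['peer']}, far side's outside is {other['outside']}")
        if str(me["peer"]) not in me["tunnel_groups"]:
            problems.append(f"{name} has no ipsec-l2l tunnel-group for {me['peer']}")
    if a["ts"] != b["ts"]:
        problems.append(f"transform sets differ: {sorted(a['ts'])} vs {sorted(b['ts'])}")
    if set(a["aces"]) != {(d, s) for s, d in b["aces"]}:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems


def is_interesting(site, src, dst):
    """Does src->dst match the crypto ACL, i.e. would it make this ASA start IKE?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(isinstance(s, ipaddress.IPv4Network) and isinstance(d, ipaddress.IPv4Network)
               and src in s and dst in d for s, d in site["aces"])
```

Paste the two real configs into the strings and call `check_pair(parse_site(SITE_A), parse_site(SITE_B_FIXED))`; an empty list means the static settings agree. That is not the same as the tunnel being up: it still has to be triggered, so send the interesting traffic (for example a ping from a 192.168.123.x host to a 192.168.222.x host) and confirm on the ASA with `show crypto isakmp sa` and `show crypto ipsec sa`. The check also ignores the pre-shared key, which `show running-config` prints as `*`; it has to be typed identically under `tunnel-group <peer> ipsec-attributes` on both sides.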
