Vpn tunnel ASA5505 help

Posted on 2010-09-17
Last Modified: 2012-08-14
Below is the configuration for the remote site's VPN. They are using an ASA5510 and we are using an ASA5505. Their syntax is slightly different and I'm not familiar with it. After looking at their config, what would my settings have to be on the ASA5505 to successfully connect?

ASA5510 config:

access-list MWPH_PSS extended permit ip 128.1.0.0 255.255.0.0  192.168.109.0 255.255.255.0
access-list MWPH_PSS extended permit ip 192.168.109.0 255.255.255.0 128.1.0.0 255.255.0.0
crypto ipsec transform-set PSS esp-3des esp-sha-hmac
crypto map PSSmap  interface outside
crypto map PSSmap 1 match address MWPH_PSS
crypto map PSSmap 1 set peer 12.176.xxx.xxx
crypto map PSSmap 1 set transform-set PSS
 
 crypto isakmp policy 25
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
 
tunnel-group 12.176.xxx.xxx type ipsec-l2l
tunnel-group 12.176.xxx.xxx ipsec-attributes
 pre-shared-key xxxxxx
Question by:schmad01
 
LVL 5

Expert Comment

by:shirkan
ID: 33704751
Hi, it's basically a mirror with some minor changes:

this "MWPH_PSS" is just the name, it can be anything, or leave it as it is


access-list MWPH_PSS extended permit ip 128.1.0.0 255.255.0.0 192.168.109.0 255.255.255.0
access-list MWPH_PSS extended permit ip 192.168.109.0 255.255.255.0 128.1.0.0 255.255.0.0

one of the access-lists is not needed
their access-list is THEIR LAN IP 2 YOUR LAN IP
YOUR access-list is YOUR_LAN_IP 2 THEIR_LAN_IP

PSS is just another name that you can leave too or change it - it just has to match on the last line of the crypto map
crypto ipsec transform-set PSS esp-3des esp-sha-hmac
crypto map PSSmap  interface outside
crypto map PSSmap 1 match address MWPH_PSS
crypto map PSSmap 1 set peer 12.176.xxx.xxx   <<<here you need to put their peer IP
crypto map PSSmap 1 set transform-set PSS   <<<<<<see comment above
 
 crypto isakmp policy 25
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
 
this is THEIR tunnel group to YOU
tunnel-group 12.176.xxx.xxx type ipsec-l2l
tunnel-group 12.176.xxx.xxx ipsec-attributes
 pre-shared-key xxxxxx

you need

tunnel-group THEIR_PEER_IP type ipsec-l2l
tunnel-group THEIR_PEER_IP ipsec-attributes
 pre-shared-key AND_OF_COURSE_THE_SAME_KEY

also

you should have a NAT (inside) 0 access-l NONAT

or something similar - if not then e.g.


access-list NONAT extended permit ip 192.168.109.0 255.255.255.0 128.1.0.0 255.255.0.0 <<<<< I am assuming 192.168.109.0 is YOUR network, if not just switch the IPs around
NAT (inside) 0 access-l NONAT

"inside" is the default name for the, well, inside or LAN interface; if you named it something different then of course it is

NAT (YOUR_INTERFACE) 0 access-l NONAT (WHILE NONAT again is just what i named it)

also if you have an access-list for the traffic from the LAN outgoing, you should permit that traffic too, otherwise traffic won't be passed

I hope I cleared it up a bit, if not you have to post your config so I can see what you already have

 
LVL 5

Expert Comment

by:shirkan
ID: 33704760
ALMOST forgot

you have to, of course match the name of your crypto map

crypto map PSSmap

if yours is not that name, you need to change it to that (PSSmap - is their name - yours can of course be the same unless you already have other tunnels then you need to use your existing name)
 

Author Comment

by:schmad01
ID: 33704807
I will post my config soon as I can, but also, I don't have this option in my ASA : crypto ipsec transform-set PSS esp-3des esp-sha-hmac

at least the hmac part.
 
LVL 5

Expert Comment

by:shirkan
ID: 33705026
that hmac part is only in shell configs I believe; if you use the web interface it's not visible/choosable
 

Author Comment

by:schmad01
ID: 33713903
I'm not sure what you mean by shell config. Let's forget everything in the beginning. Forget the names. Let's say we are starting from scratch. The home site has an ASA5505, the remote an ASA5510. The home peer is 12.176.xxx.xxx. The remote peer is 65.210.xxx.xxx. The home internal subnet is 192.168.109.0. The remote internal subnet is 128.1.0.0. Now what commands do I need to set up a successful site-to-site VPN connection for both sides and allow both internal subnets to see each other?
 

Author Comment

by:schmad01
ID: 33717273
Anyone?
 
LVL 5

Expert Comment

by:shirkan
ID: 33717509
Are you using the ASDM (web) or the console/serial/ssh/telnet? (shell)
 
LVL 5

Expert Comment

by:shirkan
ID: 33717590
access-list MYVPNLIST permit ip 192.168.109.0 255.255.255.0 128.1.0.0 255.255.0.0
access-list NONATLIST permit ip 192.168.109.0 255.255.255.0 128.1.0.0 255.255.0.0

nat (inside) 0 access-list NONATLIST

crypto ipsec transform-set MYCRYPT esp-3des esp-sha-hmac
crypto map outside_map 100 match address MYVPNLIST
crypto map outside_map 100 set peer 65.210.xxx.xxx
crypto map outside_map 100 set transform-set MYCRYPT
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside


THIS SHOULD BE DEFAULT - SO IT'S ALREADY CONFIGURED
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2

 
LVL 5

Expert Comment

by:shirkan
ID: 33717616
nat (inside) 0 access-list NONATLIST

the name "inside" is the name of the interface your LAN is on, so if you called it something else, you have to replace the "inside" with whatever you called it (it's that "nameif xxxxxxx" line on VLAN 1 (usually))
 
LVL 5

Expert Comment

by:shirkan
ID: 33717637
for the other side, just switch the IPs in that access-list and change the peer

e.g.
access-list MYVPNLIST permit ip  128.1.0.0 255.255.0.0 192.168.109.0 255.255.255.0
access-list NONATLIST permit ip 128.1.0.0 255.255.0.0 192.168.109.0 255.255.255.0

nat (inside) 0 access-list NONATLIST

crypto ipsec transform-set MYCRYPT esp-3des esp-sha-hmac
crypto map outside_map 100 match address MYVPNLIST
crypto map outside_map 100 set peer 12.176.xxx.xxx
crypto map outside_map 100 set transform-set MYCRYPT
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
 
LVL 5

Accepted Solution

by:
shirkan earned 500 total points
ID: 33717704
if you use ASDM, there is a setting that says something like "permit vpn to bypass access-lists"
if that one is set, there is nothing else you need to do (in shell it's "sysopt connection permit-vpn")
if it is not checked, you need to allow the vpn traffic in your incoming access-list on your outside interface, the one where you allow traffic from the internet to go inside. You basically need
access-list INCOMING permit ip  128.1.0.0 255.255.0.0 192.168.109.0 255.255.255.0
INCOMING of course to be replaced by whatever name you use
 
LVL 5

Expert Comment

by:shirkan
ID: 33718064
and of course the tunnel groups for your peers
tunnel-group 12.176.xxx.xxx type ipsec-l2l
tunnel-group 12.176.xxx.xxx ipsec-attributes
 pre-shared-key xxxxxx

always the other peer, of course, not yourself
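The mirroring rules shirkan lays out above (crypto ACL reversed on the far end, peer and tunnel-group named after the other side's address, same transform-set, same pre-shared key) can be checked mechanically before bringing the tunnel up. This is an added example, not code from the thread: the two sample configs are constructed with placeholder peer addresses, and `check_pair` returns the mismatches found in both directions.

```python
# Constructed sample configs in the thread's layout; peer IPs are placeholders, not the asker's.
HOME = """
access-list MYVPNLIST permit ip 192.168.109.0 255.255.255.0 128.1.0.0 255.255.0.0
crypto ipsec transform-set MYCRYPT esp-3des esp-sha-hmac
crypto map outside_map 100 match address MYVPNLIST
crypto map outside_map 100 set peer 198.51.100.2
crypto map outside_map 100 set transform-set MYCRYPT
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key s3cret"""
REMOTE = """
access-list MWPH_PSS extended permit ip 128.1.0.0 255.255.0.0 192.168.109.0 255.255.255.0
crypto ipsec transform-set PSS esp-3des esp-sha-hmac
crypto map PSSmap 1 match address MWPH_PSS
crypto map PSSmap 1 set peer 203.0.113.1
crypto map PSSmap 1 set transform-set PSS
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key s3cret"""
def parse(cfg):
    side, group = {"acl": {}, "ts": {}, "map": {}, "psk": {}}, None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "access-list":                           # last 4 tokens: src mask dst mask
            side["acl"].setdefault(t[1], []).append(tuple(t[-4:]))
        elif t[1:3] == ["ipsec", "transform-set"]:
            side["ts"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            side["map"].setdefault(t[3], {})[t[5]] = t[6]     # address / peer / transform-set
        elif t[0] == "tunnel-group":
            group = t[1]
        elif t[0] == "pre-shared-key":
            side["psk"][group] = t[1]
    return side

def mirror_issues(a, b):
    """Mismatches seen from side a; an empty list means a mirrors b as the thread describes."""
    out = []
    for e in a["map"].values():
        peer, acl, ts = e.get("peer"), e.get("address"), e.get("transform-set")
        key = a["psk"].get(peer)                            # tunnel-group is named after the far peer
        if key is None or key not in b["psk"].values():
            out.append(f"no tunnel-group for peer {peer} or its pre-shared-key differs")
        far = {l for m in b["map"].values() for l in b["acl"].get(m.get("address"), [])}
        for s, sm, d, dm in a["acl"].get(acl, []):          # far end must list the reverse flow
            if (d, dm, s, sm) not in far:
                out.append(f"{s} {sm} -> {d} {dm} is not mirrored on the far end")
        if a["ts"].get(ts) not in {b["ts"].get(m.get("transform-set")) for m in b["map"].values()}:
            out.append(f"transform-set {ts} has no matching proposal on the far end")
    return out

def check_pair(home, remote):                               # run in both directions
    return mirror_issues(parse(home), parse(remote)) + mirror_issues(parse(remote), parse(home))
```

Feed it both running configs (only the crypto ACL, transform-set, crypto map and tunnel-group lines matter) and an empty list means the two ends agree on everything the thread says has to match.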
 

Author Closing Comment

by:schmad01
ID: 33800839
The tunnel is up. Thank you.