Solved

CISCO ASA 5505 site to site vpn setup issues

Posted on 2010-11-08
11
704 Views
Last Modified: 2012-05-10
I am trying to setup a site to site vpn between two CISCO ASA 5505s and I followed the guide provided by CISCO (link below) for doing this through ASDM

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html

But when I try to access a shared folder that I have set up on 192.168.2.2 from 192.168.1.2 it doesn't work and the ASDM log says 710003 TCP access denied by the ACL from 71.x.x.195/1050 to outside 64.x.x.123/22

If I try it in the reverse I get the following.

4  Nov 08 2010  13:27:48  113019  Group = 64.x.x.123, Username = 64.x.x.123, IP = 64.x.x.123, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found


Clearly I'm missing the crypto map policy and possibly others. I am not quite sure why the CISCO guide does not create this. Any help would be greatly appreciated.

FYI

Network A - ASA 5505 public IP 71.x.x.195 / LAN 192.168.1.1
Computer with shared folder is 192.168.1.2

Network B - ASA 5505 public IP 64.x.x.123 / LAN 192.168.2.1
Computer with shared folder is 192.168.2.2

Thank you very much.
Question by:cfgchiran
11 Comments
 
LVL 2

Assisted Solution

by:ksaiki
ksaiki earned 150 total points
ID: 34092488
Did you set NAT exception for 192.168.1.0 network?

kazu
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34095564
You may be missing some of the crypto policy setups. Could we see the sanitized config from both ASA's please.
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 34097585
Hi All - thank you for your responses. I have tried a few of your suggestions but not really having any success.

Attached are the two configs from both ASAs. Please let me know if any of you can figure out what I am doing wrong, and/or why Cisco's guidelines for using the ASDM to set this up did not work for me.
Network-A.txt
Network-B.txt
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 34097598

Network A

: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password Jejn9BpdYqCvmzQ6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.195 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 71.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 64.x.x.123 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

username hiran password uiV54of9icybz9Ci encrypted privilege 15
tunnel-group 64.x.x.123 type ipsec-l2l
tunnel-group 64.x.x.123 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:798f2e592e96ccc66520d16efca368f4
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

0
 
LVL 1

Author Comment

by:cfgchiran
ID: 34097601

Network B


: Saved
:
ASA Version 7.2(3) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password Jejn9BpdYqCvmzQ6 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.x.x.123 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 71.x.x.195 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
username hiran password uiV54of9icybz9Ci encrypted privilege 15
tunnel-group 71.x.x.195 type ipsec-l2l
tunnel-group 71.x.x.195 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:27be7fd4b65f507aad7e6b28525efaa5
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

0
 
LVL 2

Expert Comment

by:ksaiki
ID: 34101003
Config looks OK.
Can you get some VPN info?

sh crypto isakmp sa
sh crypto ipsec sa
debug crypto isakmp

on one of the ASA devices.

0
 
LVL 1

Author Comment

by:cfgchiran
ID: 34105619
This is from Network B. I am guessing there is a major problem here. :)


ciscoasa> enable
Password:
Invalid password
Password:
Invalid password
Password: *******
ciscoasa# sh crypto isakmp sa

There are no isakmp sas
ciscoasa# sh crypto ipsec sa

There are no ipsec sas
ciscoasa# debug crypto isakmp
ciscoasa#
0
 
LVL 33

Accepted Solution

by:MikeKane
MikeKane earned 350 total points
ID: 34106624
You see no SAs because there is no tunnel built.

This message >> "ASDM log says 710003 TCP access denied by the ACL from 71.x.x.195/1050 to outside 64.x.x.123/22"

Can you try the connection then copy and paste the log including a little before and a little after...

That looks to me like the nonat is not catching the traffic for the crypto map and is instead forwarding it out the interface.
This should happen if from the 192.168.1.x network you are trying to access port 22 on 64.x.x.123 instead of 192.168.2.x. You should be able to telnet, ssh, http, whatever to any address on 192.168.2.x and have the tunnel build.

0
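To make the point in the two answers above concrete (ksaiki's NAT-exemption question and MikeKane's explanation that the nonat/crypto ACL is not catching the traffic), here is an added example that is not part of the original thread: a small Python model of how the ASA 7.x decides whether a flow from the inside network is "interesting" for the L2L crypto map and exempt from NAT, run against the crypto and NAT lines from the two posted configs. Because the public addresses on this page are sanitized (71.x.x.195 and 64.x.x.123), the example substitutes RFC 5737 documentation addresses for them (198.51.100.195 for site A, 203.0.113.123 for site B); those stand-ins, and the three result labels, are assumptions of the example, not anything the ASA itself prints.

```python
"""Added example (not from the thread): model the ASA 7.x 'interesting traffic'
decision for an IPsec L2L crypto map.

The ASA only starts IKE when a packet matches the crypto map's ACL, and that
same flow must be exempted from NAT (nat 0 access-list) so the private source
address reaches the peer unchanged.  Any flow that misses the crypto ACL falls
through to 'nat (inside) 1' PAT and is forwarded in the clear out the outside
interface, which is what syslog 710003 in the question reports.
"""
import ipaddress
import re

# Crypto/NAT lines copied from the two posted configs.  The page's public IPs
# are sanitized, so RFC 5737 addresses stand in: 198.51.100.195 = site A
# (71.x.x.195 on the page), 203.0.113.123 = site B (64.x.x.123 on the page).
NETWORK_A = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.123
"""

NETWORK_B = """
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.195
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse(config):
    """Return (acls, nat0_acl_name, crypto_acl_names) from the relevant lines.
    acls maps an ACL name to a list of (src_network, dst_network) entries."""
    acls, nat0, crypto = {}, None, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := MATCH_RE.match(line):
            crypto.append(m.group(1))
    return acls, nat0, crypto


def _hits(entries, src, dst):
    return any(src in s_net and dst in d_net for s_net, d_net in entries)


def classify(config, src, dst):
    """'tunnel'      : matches the crypto ACL and is NAT-exempt, so IKE is triggered
       'nat-mangled' : matches the crypto ACL but is PATed first (wrong proxy identity)
       'clear-pat'   : no crypto match; PATed to the outside address and sent in the clear"""
    acls, nat0, crypto = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_crypto = any(_hits(acls.get(name, []), src, dst) for name in crypto)
    in_nat0 = nat0 is not None and _hits(acls.get(nat0, []), src, dst)
    if in_crypto and in_nat0:
        return "tunnel"
    if in_crypto:
        return "nat-mangled"
    return "clear-pat"


def mirror_mismatches(config_a, config_b):
    """Every crypto ACL entry on one peer must appear reversed (dst<->src) on the
    other; returns the entries that are missing so proxy-ID mismatches stand out."""
    acls_a, _, crypto_a = parse(config_a)
    acls_b, _, crypto_b = parse(config_b)
    entries_a = {e for n in crypto_a for e in acls_a.get(n, [])}
    entries_b = {e for n in crypto_b for e in acls_b.get(n, [])}
    missing = [("B lacks", s, d) for s, d in entries_a if (d, s) not in entries_b]
    missing += [("A lacks", s, d) for s, d in entries_b if (d, s) not in entries_a]
    return missing


if __name__ == "__main__":
    # The two attempts from the question: the share by its private IP versus
    # the peer firewall's public IP (the flow that produced syslog 710003).
    print(classify(NETWORK_A, "192.168.1.2", "192.168.2.2"))    # tunnel
    print(classify(NETWORK_A, "192.168.1.2", "203.0.113.123"))  # clear-pat
    print(mirror_mismatches(NETWORK_A, NETWORK_B))              # []
```

The model only reproduces the ordering the thread relies on (crypto ACL match, then NAT exemption, then default PAT); on the box itself the equivalent check is the ASA's own `packet-tracer` command, for example `packet-tracer input inside tcp 192.168.1.2 1050 192.168.2.2 445`, whose output shows whether the VPN and NAT phases claim the packet or it is dropped or PATed out the outside interface.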
 
LVL 2

Expert Comment

by:ksaiki
ID: 34112456
This site tells you everything you need.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
 
Please make sure there is IP reachability between the ASA and nothing blocked.  

 

0
 
LVL 1

Author Closing Comment

by:cfgchiran
ID: 34138012
Hi All - thank you for your responses. Your comments pointed me in the right direction. The problem was that I was trying to access a network share, but using the public IP of router B instead of the IP address of the computer that actually had the share. The comment about "NAT" and no SAs until the tunnel was built really pointed me on the correct path.
0
