Solved

Cisco ASA 5505 site-to-site VPN setup issues

Posted on 2010-11-08
670 Views
Last Modified: 2012-05-10
I am trying to set up a site-to-site VPN between two Cisco ASA 5505s, and I followed the guide provided by Cisco (link below) for doing this through ASDM.

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html

But when I try to access a shared folder that I have set up on 192.168.2.2 from 192.168.1.2 it doesn't work, and the ASDM log says: 710003 TCP access denied by the ACL from 71.x.x.195/1050 to outside 64.x.x.123/22

If I try it in the reverse I get the following.

4 | Nov 08 2010 | 13:27:48 | 113019 | Group = 64.x.x.123, Username = 64.x.x.123, IP = 64.x.x.123, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found


Clearly I'm missing the crypto map policy and possibly others. I am not quite sure why the Cisco guide does not create this. Any help would be greatly appreciated.

FYI

Network A - ASA 5505 public IP 71.x.x.195 / LAN 192.168.1.1
Computer with shared folder is 192.168.1.2

Network B - ASA 5505 public IP 64.x.x.123 / LAN 192.168.2.1
Computer with shared folder is 192.168.2.2

Thank you very much.
Question by:cfgchiran
11 Comments
 
LVL 16

Expert Comment

by:memo_tnt
ID: 34088590
 
LVL 2

Assisted Solution

by:ksaiki
ksaiki earned 150 total points
ID: 34092488
Did you set NAT exception for 192.168.1.0 network?

kazu
 
LVL 33

Expert Comment

by:MikeKane
ID: 34095564
You may be missing some of the crypto policy setup. Could we see the sanitized config from both ASAs, please?
 
LVL 1

Author Comment

by:cfgchiran
ID: 34097585
Hi All - thank you for your responses. I have tried a few of your suggestions but am not really having any success.

Attached are the configs from both ASAs. Please let me know if any of you can figure out what I am doing wrong, and/or why Cisco's guidelines for using the ASDM to set this up did not work for me.
Network-A.txt
Network-B.txt
 
LVL 1

Author Comment

by:cfgchiran
ID: 34097598

Network A

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password Jejn9BpdYqCvmzQ6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.195 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 71.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 64.x.x.123
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
username hiran password uiV54of9icybz9Ci encrypted privilege 15
tunnel-group 64.x.x.123 type ipsec-l2l
tunnel-group 64.x.x.123 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:798f2e592e96ccc66520d16efca368f4
: end
 
LVL 1

Author Comment

by:cfgchiran
ID: 34097601

Network B

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password Jejn9BpdYqCvmzQ6 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.x.x.123 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 71.x.x.195
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username hiran password uiV54of9icybz9Ci encrypted privilege 15
tunnel-group 71.x.x.195 type ipsec-l2l
tunnel-group 71.x.x.195 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:27be7fd4b65f507aad7e6b28525efaa5
: end
 
LVL 2

Expert Comment

by:ksaiki
ID: 34101003
Config looks ok.
Can you get some VPN info?

sh crypto isakmp sa
sh crypto ipsec sa
debug crypto isakmp

on one of the ASA devices.
 
LVL 1

Author Comment

by:cfgchiran
ID: 34105619
This is from Network B. I am guessing there is a major problem here. :)


ciscoasa> enable
Password:
Invalid password
Password:
Invalid password
Password: *******
ciscoasa# sh crypto isakmp sa

There are no isakmp sas
ciscoasa# sh crypto ipsec sa

There are no ipsec sas
ciscoasa# debug crypto isakmp
ciscoasa#
 
LVL 33

Accepted Solution

by:MikeKane
MikeKane earned 350 total points
ID: 34106624
You see no SAs because there is no tunnel built.

This message >> "ASDM log says 710003 TCP access denied by the ACL from 71.x.x.195/1050 to outside 64.x.x.123/22"

Can you try the connection, then copy and paste the log, including a little before and a little after....

That looks to me like the nonat is not catching the traffic for the crypto map and is instead forwarding it out the interface.
This should happen if from the 192.168.1.x network you are trying to access port 22 on 64.x.x.123 instead of 192.168.2.x. You should be able to telnet, ssh, http, whatever to any address on 192.168.2.x and have the tunnel build.
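The point ksaiki and MikeKane are making (the nat 0 exemption and the crypto-map ACL have to cover the flow, and a flow aimed at the peer's public address never does) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the two `access-list ... extended permit ip` lines that Network A's posted config actually contains and classifies an inside-to-outside flow the way the ASA does, nat 0 first, then dynamic PAT, crypto map only for traffic the crypto ACL permits. It goes one step beyond the thread by also reporting the general case where the crypto ACL matches but the exemption ACL does not. The public IPs are sanitized on the page, so `71.x.x.195` and `64.x.x.123` are taken as `71.0.0.195` and `64.0.0.123`; those octets are an assumption made only so the addresses parse.

```python
"""
Added example: decide whether a flow is "interesting traffic" for the L2L
tunnel in this thread, the way the ASA does it with the crypto-map ACL and
the nat 0 (NAT-exemption) ACL. Not Cisco code and not from the original post.
Only the 'extended permit|deny ip <net> <mask> <net> <mask>' ACE form is
handled, which is the only form present in either posted config.
The 'x' octets of the sanitized public IPs are an assumption
(71.x.x.195 -> 71.0.0.195, 64.x.x.123 -> 64.0.0.123) so the addresses parse.
"""
import ipaddress
import re

# The two ACLs from Network A's posted config, verbatim.
NETWORK_A_ACLS = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def parse_acls(config_text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        # The ASA writes dotted netmasks; ip_network accepts "net/mask".
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], []).append((m["action"], src, dst))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """First matching ACE wins, as on the ASA; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def classify_flow(acls, src_ip, dst_ip):
    """What Network A's ASA does with an inside -> outside packet.

    nat 0 is evaluated before the dynamic PAT in 'nat (inside) 1'. A flow the
    exemption ACL does not cover has its source rewritten to the outside
    interface address and leaves in the clear. The crypto map is consulted for
    the (post-NAT) packet, so it only fires for traffic outside_1_cryptomap
    permits with the original source intact.
    """
    interesting = acl_permits(acls["outside_1_cryptomap"], src_ip, dst_ip)
    exempt = acl_permits(acls["inside_nat0_outbound"], src_ip, dst_ip)
    if interesting and exempt:
        return "tunnel"        # crypto map matched, source kept, IKE starts
    if interesting:
        return "nat-mismatch"  # PAT rewrites the source, post-NAT packet no longer matches
    return "clear"             # ordinary PAT out the outside interface, no tunnel


if __name__ == "__main__":
    acls = parse_acls(NETWORK_A_ACLS)
    # 192.168.2.2 is the share on Network B; 64.0.0.123 stands in for the
    # peer's public address that the original poster was actually hitting.
    for dst in ("192.168.2.2", "64.0.0.123"):
        print(f"192.168.1.2 -> {dst}: {classify_flow(acls, '192.168.1.2', dst)}")
```

Run as-is it prints `tunnel` for the share's LAN address and `clear` for the peer's public address, which is exactly the difference between the working case and the 710003 / "crypto map policy not found" case in the thread: a packet to 64.x.x.123 is never interesting traffic, so it is PAT'ed out the outside interface and no IKE SA is ever attempted.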
 
LVL 2

Expert Comment

by:ksaiki
ID: 34112456
This site tells you everything you need.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Please make sure there is IP reachability between the ASAs and nothing is blocked.
 
LVL 1

Author Closing Comment

by:cfgchiran
ID: 34138012
Hi All - thank you for your responses. Your comments pointed me in the right direction. The problem was that I was trying to access a network share, but using the public IP of router B instead of the IP address of the computer that actually had the share. The comment about "NAT" and no SAs until the tunnel was built really pointed me on the correct path.
