Solved

Cisco ASA 5505 Site-to-Site VPN won't come up

Posted on 2011-03-12
Last Modified: 2012-05-11
I am working on setting up a site-to-site VPN on two Cisco ASA 5505's. Internet connections for users behind both firewalls work fine. The issue I am having is with the site-to-site VPN.

I am a Cisco newbie, so I mainly use the ASDM for configuration. In this case I have used the site-to-site VPN wizard.

The two sites are almost identical, with static IP. The only difference is in the second site the ASA 5505 also serves as DHCP server.

Site 1 - Regina
WAN: XX.XX.XX.80          
LAN: 192.168.162.0  / 255.255.255.0

Site 2 - Hallstrom
WAN: YY.YY.YY.100
LAN:  192.168.63.0 / 255.255.255.0

My problem, as you might have guessed, is that the tunnel does not come up.

I attach the configuration of both firewalls. As I said, although I have some general network understanding I am a newbie on Cisco, so there might be something very basic missing here. Very grateful for help anyway.


SITE 1 - REGINA


: Saved
: Written by enable_15 at 00:21:44.439 UTC Sun Mar 13 2011
!
ASA Version 8.3(1) 
!
hostname reginaB2
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.162.2 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.80 255.255.255.192 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network HallstromNV 
 subnet 192.168.63.0 255.255.255.0
object network ReginaNV 
 subnet 192.168.162.0 255.255.255.0
access-list outside_cryptomap extended permit ip object ReginaNV object HallstromNV 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.162.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer YY.YY.YY.100 
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.162.181-192.168.162.200 inside
dhcpd dns X.Y.Z.200 X.Y.Z.204 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group YY.YY.YY.100 type ipsec-l2l
tunnel-group YY.YY.YY.100 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context 
Cryptochecksum:5a6c3ce7be2888c2c609d58dffe06eda


SITE 2 - Hallstrom


: Saved
: Written by enable_15 at 17:17:43.059 UTC Sat Mar 12 2011
!
ASA Version 8.3(1) 
!
hostname hallstrom
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.63.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address YY.YY.YY.100 255.255.255.128 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network HallstromNV 
 subnet 192.168.63.0 255.255.255.0
object network ReginaNV 
 subnet 192.168.162.0 255.255.255.0
access-list outside_cryptomap extended permit ip object HallstromNV object ReginaNV 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 YY.YY.YY.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.63.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer XX.XX.XX.80 
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.63.101-192.168.63.130 inside
dhcpd dns A.B.C.10 A.B.C.20 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group XX.XX.XX.80 type ipsec-l2l
tunnel-group XX.XX.XX.80 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context 
Cryptochecksum:cb53039b9fa30f28565e27387c0439a8


Question by:WaldenWoods

25 Comments
 

Accepted Solution

by:
lrmoore earned 350 total points
ID: 35119375
Looks like you're missing a couple of nat statements

object network NETWORK_OBJ_THEIR_LAN
 subnet 192.168.63.0 255.255.255.0
object network NETWORK_OBJ_MY_LAN
 subnet 192.168.162.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_MY_LAN NETWORK_OBJ_MY_LAN  destination static NETWORK_OBJ_THEIR_LAN NETWORK_OBJ_THEIR_LAN

Reverse it for the other side


Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 50 total points
ID: 35120144
After you configured the nonat statement you need: "clear xlate"

Author Comment

by:WaldenWoods
ID: 35120926
lrmoore, thanks for spotting this. Strange that the nat statement is missing - before posting the question I tried the whole wizard procedure several times, and I know that the nat statement was sometimes actually there. But in the configuration above it was certainly missing, so I have now added it.

On SITE 1 Regina:
nat (inside,outside) source static ReginaNV ReginaNV destination static HallstromNV HallstromNV

On SITE 2 Hallstrom:
nat (inside,outside) source static HallstromNV HallstromNV destination static ReginaNV ReginaNV

Still, the tunnel does not work.

I agree that the added statements above are needed in order to make the connection actually work (for example ping across the tunnel). However, even without those statements, shouldn't the devices have reported having 1 IKE/IPsec tunnel up? I get 0 as the number of active tunnels.

ikalmar, thanks for pointing this out. Several entries were deleted according to the response to this command. However, doesn't seem to do the full trick.

Very grateful for further suggestion on what is wrong (or what it is that I am not understanding, that could certainly be the case as well).

Expert Comment

by:Ernie Beek
ID: 35121960
Did you check the logs on the ASA's to see what happens when trying to set up the VPN?

Author Comment

by:WaldenWoods
ID: 35122727
I have tried disabling and again enabling the VPN, and I see absolutely nothing in the logs when I do that.

When I try to ping the other network, I see the outgoing requests in the log, but they look exactly the same as for any other IP address (outside the VPN scope).

Expert Comment

by:Herbein
ID: 35123234
I am experiencing the same problem with a nearly identical configuration and setup. I would really like to know what the problem is.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35126643
Well, that was not quite what I meant (if I read it correctly).

With the VPN setup enabled, when you try to ping an address which should be reached through the VPN tunnel, there should always be something in the (ASDM) log, whether the tunnel is established or not.

Expert Comment

by:Herbein
ID: 35129880
In my case, when I try to ping from a laptop on one side of the VPN tunnel to a laptop on the other side, the ASA Log shows, "Failed to locate egress interface for ICMP from rdg_inside:192.168.253.10/1 to 192.168.231.10/0". To me, this would make sense since the VPN tunnel does not appear to be up. When I use the command, "show crypto isakmp sa" it returns with the messages, "There are no IKEv1 SAs, There are no IKEv2 SAs". I have the Logging level set to debugging, but there still doesn't seem to be enough info to be able to tell why the tunnel is not coming up. Is there a way to get more info about why the tunnel is failing to come up ?

Author Comment

by:WaldenWoods
ID: 35133968
Erniebeek - what you ask for is what I tried to tell in my second paragraph, but I probably was not clear enough; sorry about that. When I try from Site 1 to ping an address in Site 2, e.g., from 192.168.162.27 to 192.168.63.104 (which is an active machine, responding to ping if done locally within Site 2), I get the following in the log:

6      Mar 14 2011      22:35:27      302021      192.168.63.104      0      192.168.162.27      512      Teardown ICMP connection for faddr 192.168.63.104/0 gaddr XX.XX.XX.80/2119 laddr 192.168.162.27/512
6      Mar 14 2011      22:35:25      302020      192.168.162.27      512      192.168.63.104      0      Built outbound ICMP connection for faddr 192.168.63.104/0 gaddr XX.XX.XX.80/2119 laddr 192.168.162.27/512

If I do a similar ping from the same machine to a bogus IP number that does not exist, 192.168.99.99, I get the following in the logs:

6      Mar 14 2011      22:39:49      302020      192.168.162.27      512      192.168.99.99      0      Built outbound ICMP connection for faddr 192.168.99.99/0 gaddr XX.XX.XX.80/52562 laddr 192.168.162.27/512
6      Mar 14 2011      22:39:51      302021      192.168.99.99      0      192.168.162.27      512      Teardown ICMP connection for faddr 192.168.99.99/0 gaddr XX.XX.XX.80/52562 laddr 192.168.162.27/512

To me, this looks rather identical to the entry above (although I do not understand every single number). Thus, it seems like the ASA is treating the ping request to the other site just like any other external IP number, not even trying to find the tunnel. Or do I misunderstand anything?

I attach the current running config of Site 1.

Cryptochecksum: 94b556eb a6fcbae1 632d2217 48e25632 
: Saved
: Written by enable_15 at 22:45:59.876 UTC Mon Mar 14 2011
!
ASA Version 8.3(1) 
!
hostname reginaB2
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.162.2 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.80 255.255.255.192 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network HallstromNV 
 subnet 192.168.63.0 255.255.255.0
object network ReginaNV 
 subnet 192.168.162.0 255.255.255.0
access-list outside_cryptomap extended permit ip object ReginaNV object HallstromNV 
access-list outside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ReginaNV ReginaNV destination static HallstromNV HallstromNV
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.162.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer YY.YY.YY.100
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.162.181-192.168.162.200 inside
dhcpd dns 195.54.122.200 195.54.122.204 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group YY.YY.YY.100 type ipsec-l2l
tunnel-group YY.YY.YY.100 ipsec-attributes
 pre-shared-key ***
!
!
prompt hostname context 
Cryptochecksum:94b556eba6fcbae1632d221748e25632
: end


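The two log pairs in the comment above already carry the diagnosis, once you know which column to read. In the 302020 "Built outbound ICMP connection" line for 192.168.63.104, gaddr (the translated address) is the outside interface address XX.XX.XX.80 rather than the inside host, which is exactly what the line for the bogus 192.168.99.99 shows: the ASA applied PAT to the packet. The crypto map ACL on 8.3 is evaluated after NAT, so a PATed packet can never match "object ReginaNV object HallstromNV", no IKE is ever initiated, and no 713xxx (IKE) message appears in either log. The following triage script is an added example, not code from the thread: it reads ASDM-style log rows, picks out the Built ICMP connections between the two LANs, flags those where gaddr differs from laddr, and counts IKE messages. It only understands the faddr/gaddr/laddr form used by the ICMP messages 302020/302021, not the TCP/UDP connection messages. The sample rows are constructed after the posted ones, with 203.0.113.80 standing in for XX.XX.XX.80.

```python
"""Triage of ASDM-style ASA connection logs for an L2L tunnel that never starts.

Added example, not code from the thread.  For each ICMP flow from the local LAN
to the remote LAN it reports whether the ASA translated it (gaddr differs from
laddr, so the crypto ACL can never match it) and whether any IKE message (the
713xxx series) was logged at all.
"""
import re
from ipaddress import ip_address, ip_network

# severity  "Mon DD YYYY"  HH:MM:SS  msgid  src  sport  dst  dport  text
ROW_RE = re.compile(r"^(\d)\s+(\w{3} \d{1,2} \d{4})\s+(\d\d:\d\d:\d\d)\s+(\d{6})\s+"
                    r"(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.*)$")
# Only the ICMP connection messages (302020/302021) use this faddr/gaddr/laddr form.
ICMP_RE = re.compile(r"(Built|Teardown) (?:outbound |inbound )?ICMP connection for "
                     r"faddr ([\d.]+)/\d+ gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+")


def parse_row(line):
    """Split one ASDM log row into its columns; None if it is not a log row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    sev, date, time, msgid, src, sport, dst, dport, text = m.groups()
    return {"severity": int(sev), "when": f"{date} {time}", "id": int(msgid),
            "src": src, "dst": dst, "text": text}


def triage(lines, local_lan, remote_lan):
    """Classify the rows and say what to check next."""
    local, remote = ip_network(local_lan), ip_network(remote_lan)
    rows = [r for r in map(parse_row, lines) if r]
    ike = [r for r in rows if 713000 <= r["id"] <= 713999]   # ASA IKE/IPsec messages
    flows = []
    for r in rows:
        m = ICMP_RE.match(r["text"])
        if not m or m.group(1) != "Built":
            continue
        faddr, gaddr, laddr = map(ip_address, m.group(2, 3, 4))
        if laddr in local and faddr in remote:
            # gaddr is the post-NAT source: identity NAT would leave it equal to laddr
            flows.append({"when": r["when"], "src": str(laddr), "dst": str(faddr),
                          "gaddr": str(gaddr), "translated": gaddr != laddr})
    if any(f["translated"] for f in flows):
        verdict = ("tunnel traffic is translated before the crypto check: "
                   "add or reorder the identity NAT rule")
    elif flows and not ike:
        verdict = "tunnel traffic untouched by NAT but no IKE logged: check crypto map and peer"
    elif ike:
        verdict = "IKE attempted: read the 713xxx messages"
    else:
        verdict = "no traffic towards the remote LAN seen"
    return {"flows": flows, "ike_messages": len(ike), "verdict": verdict}


# Constructed after the rows posted in the thread; 203.0.113.80 stands in for
# the site-1 outside address XX.XX.XX.80.
SAMPLE = """\
6      Mar 14 2011      22:35:27      302021      192.168.63.104      0      192.168.162.27      512      Teardown ICMP connection for faddr 192.168.63.104/0 gaddr 203.0.113.80/2119 laddr 192.168.162.27/512
6      Mar 14 2011      22:35:25      302020      192.168.162.27      512      192.168.63.104      0      Built outbound ICMP connection for faddr 192.168.63.104/0 gaddr 203.0.113.80/2119 laddr 192.168.162.27/512
6      Mar 14 2011      22:39:49      302020      192.168.162.27      512      192.168.99.99      0      Built outbound ICMP connection for faddr 192.168.99.99/0 gaddr 203.0.113.80/52562 laddr 192.168.162.27/512
6      Mar 14 2011      22:39:51      302021      192.168.99.99      0      192.168.162.27      512      Teardown ICMP connection for faddr 192.168.99.99/0 gaddr 203.0.113.80/52562 laddr 192.168.162.27/512
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE, "192.168.162.0/24", "192.168.63.0/24")["verdict"])
```

Run it against a copy of the ASDM log (one row per line, the same columns as pasted above) with the two LANs as arguments; a healthy tunnel shows gaddr equal to laddr on the tunnel flows and at least one 713xxx message from the first ping.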

Expert Comment

by:lrmoore
ID: 35134332
Enable ICMP inspect in the service policy rules

Assisted Solution

by:Ernie Beek
Ernie Beek earned 100 total points
ID: 35136164
The thing is I don't see anything regarding an attempt to set up the VPN which strikes me as rather odd.

Could you also check the log at the other end?

Author Comment

by:WaldenWoods
ID: 35151083
Enable ICMP inspect in the service policy rules

Thanks for the suggestion, I have now enabled it. No effect.

The thing is I don't see anything regarding an attempt to set up the VPN which strikes me as rather odd. Could you also check the log at the other end?

Well, I do not have any prior experience of Cisco, but from a general perspective I would have expected something to be visible regarding VPN attempt. I have checked the log at Site 2 as well - no trace of requests from Site 1. And when I try to ping from Site 2 to Site 1 I only get log entries mirroring the above.

After trying several different things I am now starting to feel more comfortable with CLI. Maybe I should try reverting back to factory settings and then enter all of "my own" settings through CLI so I have better control of them.

Expert Comment

by:Herbein
ID: 35151581
WaldenWoods said: "After trying several different things I am now starting to feel more comfortable with CLI. Maybe I should try reverting back to factory settings and then enter all of "my own" settings through CLI so I have better control of them."

I just tried this exact same thing with my devices but it did not make any difference. I also see no sign whatsoever that the ASAs on either side are making any attempt to set up the tunnel. I got fed up and just opened a Service Request with Cisco TAC Support. I am anxious to see what they find.

Expert Comment

by:Herbein
ID: 35152186
Just got done with Cisco TAC. Turns out that the entire VPN config was correct. The tunnel was not coming up because of a missing static route. He added a route that told each ASA that to reach the network on the inside interface of each ASA it should send its packets to the default gateway of the outside interface (ie the router interface). As soon as he did that and ran a ping, the tunnel came up. Make sure you can ping in both directions from a workstation on the inside interface to the outside interface of the ASA. And then triple check your routes !! :)

Expert Comment

by:lrmoore
ID: 35152854
That makes absolutely no sense. as long as you have a proper default route.
But, glad it's working for you now.
I highly recommend downgrading from 8.3 back to 8.2.4

Author Comment

by:WaldenWoods
ID: 35152894
Herbein said:
He added a route that told each ASA that to reach the network on the inside interface of each ASA it should send its packets to the default gateway of the outside interface (ie the router interface).

Thanks for the suggestion. Could you please tell me what this command looks like? To me it sounds like the normal static route for all internet traffic should be sufficient, in my case:
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.65 1

Or do I misunderstand anything?

Author Comment

by:WaldenWoods
ID: 35152901
lrmoore, hadn't seen your comment when I posted my last one. However, we seem to agree on the default route being enough.

Expert Comment

by:Ernie Beek
ID: 35154684
Your route command is correct (can't believe I overlooked that :-~ ). But that's why we should be glad there are people like lrmoore around here :-)

I assume you haven't tried it yet?

Author Comment

by:WaldenWoods
ID: 35154949
Well, you did not overlook it. The command is already in the config, and has been there all the time. (If not, the users behind the firewall would not have been able to connect to the internet, if I understand it correctly). So this can not really be the problem.

Sorry for being unclear in my previous message.

Expert Comment

by:Ernie Beek
ID: 35155046
*puts glasses on*

.
..
...
How about a sysopt connection permit-vpn ?

Author Comment

by:WaldenWoods
ID: 35160161
Thanks erniebeek for the suggestion. Now tried, on both ends. No effect, no change in the logs.

When looking around in different communities I find that many people seem to have similar problems (not necessarily identical, but similar) with version 8.3, which is the one I have. I find the 8.3 nat syntax difficult to understand. I therefore thought I'd downgrade to 8.2.4 and see if it works better.

However, as my boxes were pre-loaded with 8.3, I have to download the 8.2.4 firmware. It seems like I have to get a service agreement in order to be allowed to do that. Do I understand that correctly?

Herbein, which version do you have? If it is 8.3, is there any chance you could post your complete, functioning config?

Expert Comment

by:Ernie Beek
ID: 35160255
If I run the VPN wizard on my asa (8.3.1) I get the following:

object network NETWORK_OBJ_192.168.162.0_24
 subnet 192.168.162.0 255.255.255.0
object network NETWORK_OBJ_192.168.63.0_24
 subnet 192.168.63.0 255.255.255.0
access-list outside_4_cryptomap line 1 extended permit ip 192.168.63.0 255.255.255.0 192.168.162.0 255.255.255.0
tunnel-group 1.2.3.80 type ipsec-l2l
tunnel-group 1.2.3.80 ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer 1.2.3.80
crypto map outside_map 4 set transform-set ESP-3DES-SHA
nat (inside,outside) 4 source static NETWORK_OBJ_192.168.63.0_24 NETWORK_OBJ_192.168.63.0_24 destination static NETWORK_OBJ_192.168.162.0_24 NETWORK_OBJ_192.168.162.0_24

Pretending to be Hallstrom.
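The wizard output above is the reference shape of an 8.3(1) L2L configuration: two network objects, a crypto ACL that is the mirror image of the far side's, a crypto map entry pointing at the peer, a tunnel-group named after the peer, and a section-1 (manual) NAT rule that translates the local LAN to itself when the destination is the remote LAN. That last rule only works if no earlier section-1 rule catches the traffic first, because section 1 is processed in order and the first match wins. In the site-1 running config posted on Mar 14, `nat (inside,outside) source dynamic any interface` sits above the identity rule, so every packet for 192.168.63.0/24 is PATed to the outside address before the crypto map ACL (evaluated after NAT on 8.3) is consulted, and the ACL never matches. Herbein's working 8.4 config avoids the same trap by declaring its catch-all PAT rule `after-auto`. As an added example, not code from the thread, the following Python checker parses the pieces of two such configs that decide whether IKE is attempted (objects, crypto ACL, peer, tunnel-group, section-1 NAT) and reports missing identity NAT, wrong rule order, a missing tunnel-group, and crypto ACLs that are not mirror images. The two sample configs are constructed from the thread's sites, with 203.0.113.80 / 198.51.100.100 standing in for XX.XX.XX.80 / YY.YY.YY.100; site 1 keeps the posted rule order, site 2 has the identity rule numbered ahead of the PAT rule.

```python
"""Consistency checks for two ASA 8.3-style site-to-site VPN configs.
Added example, not code from the thread: it reads the lines that decide whether
IKE is ever attempted for an L2L tunnel and reports the usual mismatches."""
import re
from ipaddress import ip_network

NAT_RE = re.compile(r"nat \(\w+,\w+\)(?: \d+)? source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")

def _operand(toks, objects):
    """Consume one ACL operand: 'object NAME' or 'ADDR MASK'."""
    if toks[0] == "object":
        return objects[toks[1]], toks[2:]
    return ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]

def parse_asa(text):
    """Pull the L2L-relevant pieces out of a running-config dump."""
    cfg = {"objects": {}, "acls": {}, "crypto_acl": None, "peer": None,
           "tunnel_groups": set(), "manual_nat": []}
    cur_obj = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):             # a top-level line ends any stanza
            cur_obj = None
        if m := re.match(r"object network (\S+)", line):
            cur_obj = m.group(1)
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            cfg["objects"][cur_obj] = ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = _operand(m.group(2).split(), cfg["objects"])
            dst, _ = _operand(rest, cfg["objects"])
            cfg["acls"].setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m.group(1)        # single-peer crypto map assumed
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["peer"] = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tunnel_groups"].add(m.group(1))
        elif m := NAT_RE.match(line):             # unindented = section-1 NAT, in order
            cfg["manual_nat"].append(m.groups())  # (kind, src, src_mapped, dst, dst_mapped)
    return cfg

def check_side(cfg, name):
    """One ASA on its own: tunnel-group, identity NAT and section-1 NAT order."""
    if not (acl := cfg["acls"].get(cfg["crypto_acl"])):
        return [f"{name}: crypto map has no usable 'match address' ACL"]
    local, remote = acl[0]
    objs, out = cfg["objects"], []
    if cfg["peer"] not in cfg["tunnel_groups"]:
        out.append(f"{name}: no ipsec-l2l tunnel-group named {cfg['peer']}")
    ident = [i for i, (kind, sr, sm, dr, dm) in enumerate(cfg["manual_nat"])
             if kind == "static" and sr == sm and dr == dm
             and objs.get(sr) == local and objs.get(dr) == remote]
    pat = [i for i, r in enumerate(cfg["manual_nat"]) if r[:2] == ("dynamic", "any")]
    if not ident:
        out.append(f"{name}: no identity NAT for {local} -> {remote}; tunnel traffic "
                   "is translated and never matches the crypto ACL")
    elif pat and pat[0] < ident[0]:
        out.append(f"{name}: 'source dynamic any' precedes the identity rule; section 1 "
                   "is first-match, so tunnel traffic is PATed to the outside address")
    return out

def check_pair(a, b, names=("A", "B")):
    """Both sides, plus the cross-check that the crypto ACLs mirror each other."""
    out = check_side(a, names[0]) + check_side(b, names[1])
    acl_a = a["acls"].get(a["crypto_acl"]) or []
    acl_b = b["acls"].get(b["crypto_acl"]) or []
    if acl_a and acl_b and acl_a[0] != tuple(reversed(acl_b[0])):
        out.append(f"crypto ACLs are not mirror images: {acl_a[0]} vs {acl_b[0]}")
    return out

OBJECTS = """\
object network HallstromNV
 subnet 192.168.63.0 255.255.255.0
object network ReginaNV
 subnet 192.168.162.0 255.255.255.0
"""
# Constructed site 1: same section-1 NAT order as the running config posted on Mar 14.
REGINA = OBJECTS + """\
access-list outside_cryptomap extended permit ip object ReginaNV object HallstromNV
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ReginaNV ReginaNV destination static HallstromNV HallstromNV
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 198.51.100.100
tunnel-group 198.51.100.100 type ipsec-l2l
"""
# Constructed site 2, with the identity rule numbered ahead of the PAT rule.
HALLSTROM = OBJECTS + """\
access-list outside_cryptomap extended permit ip object HallstromNV object ReginaNV
nat (inside,outside) 1 source static HallstromNV HallstromNV destination static ReginaNV ReginaNV
nat (inside,outside) source dynamic any interface
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 203.0.113.80
tunnel-group 203.0.113.80 type ipsec-l2l
"""
```

Feed it `show running-config` from both boxes (`check_pair(parse_asa(open("regina.cfg").read()), parse_asa(open("hallstrom.cfg").read()), ("regina", "hallstrom"))`); on the constructed pair it reports only the site-1 ordering problem. The fix it points at is to give the identity rule a lower sequence number than the catch-all PAT (`nat (inside,outside) 1 source static ...`), or to move the PAT into section 3 with `after-auto` as the 8.4 config does.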

Expert Comment

by:Herbein
ID: 35160446
I am running ASA Version 8.4(1) and ASDM Version 6.4(1). I think I discovered what my problem was from earlier related to the static routing. I was not using the proper syntax when entering the default route in the GUI so it entered it as 0.0.0.0 255.255.255.255 in one instance and during another test it was 0.0.0.0 255.255.255.252. After I entered 0.0.0.0/0 in the GUI it created the proper default route. I reset all 3 of my ASA's to factory defaults and then used the Site-to-Site VPN Wizard in the ASDM GUI. The VPN tunnel worked perfectly the first time. The Wizard made it very easy. Below is the running config from one of the ASA's.

: Saved
:
ASA Version 8.4(1)
!
hostname rdgborder1
enable password XXX encrypted
passwd XXX encrypted
names
!
interface Ethernet0/0
 nameif rdg_outside
 security-level 0
 ip address 172.20.149.194 255.255.255.252
!
interface Ethernet0/1
 nameif rdg_inside
 security-level 100
 ip address 192.168.253.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network grn_inside-network
 subnet 192.168.220.0 255.255.255.0
object network grn_outside-network
 subnet 172.22.83.172 255.255.255.252
object network pgh_inside-network
 subnet 192.168.231.0 255.255.255.0
object network pgh_outside-network
 subnet 172.22.83.176 255.255.255.252
object network NETWORK_OBJ_192.168.253.0_24
 subnet 192.168.253.0 255.255.255.0
access-list rdg_outside_access_in extended permit icmp any any echo-reply
access-list rdg_outside_cryptomap extended permit ip 192.168.253.0 255.255.255.0 object pgh_inside-network
access-list rdg_outside_cryptomap_1 extended permit ip 192.168.253.0 255.255.255.0 object grn_inside-network
pager lines 24
logging enable
logging asdm informational
mtu rdg_outside 1500
mtu rdg_inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (rdg_inside,rdg_outside) source static NETWORK_OBJ_192.168.253.0_24 NETWORK_OBJ_192.168.253.0_24 destination static pgh_inside-network pgh_inside-network
nat (rdg_inside,rdg_outside) source static NETWORK_OBJ_192.168.253.0_24 NETWORK_OBJ_192.168.253.0_24 destination static grn_inside-network grn_inside-network
!
nat (rdg_inside,rdg_outside) after-auto source dynamic any interface
access-group rdg_outside_access_in in interface rdg_outside
route rdg_outside 0.0.0.0 0.0.0.0 172.20.149.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.253.0 255.255.255.0 rdg_inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map rdg_outside_map 1 match address rdg_outside_cryptomap
crypto map rdg_outside_map 1 set peer 172.22.83.178
crypto map rdg_outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map rdg_outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map rdg_outside_map 2 match address rdg_outside_cryptomap_1
crypto map rdg_outside_map 2 set peer 172.22.83.174
crypto map rdg_outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map rdg_outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map rdg_outside_map interface rdg_outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable rdg_outside
crypto ikev1 enable rdg_outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_172.22.83.178 internal
group-policy GroupPolicy_172.22.83.178 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_172.22.83.174 internal
group-policy GroupPolicy_172.22.83.174 attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 172.22.83.178 type ipsec-l2l
tunnel-group 172.22.83.178 general-attributes
 default-group-policy GroupPolicy_172.22.83.178
tunnel-group 172.22.83.178 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 172.22.83.174 type ipsec-l2l
tunnel-group 172.22.83.174 general-attributes
 default-group-policy GroupPolicy_172.22.83.174
tunnel-group 172.22.83.174 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a6a5cf860b884814d8de52a2026a634d
: end
asdm image disk0:/asdm-641.bin
no asdm history enable


Author Comment

by:WaldenWoods
ID: 35193369
Finally, I now have the VPN tunnel up-and-running.

This is how I did it:
1. Reset to factory configuration
2. Configure some basic facts through CLI (like static route to default gateway, logging, enable ping)
3. Remove every config line that did not seem necessary or that I did not understand
4. Use the IPsec tunnel wizard for the tunnel

This is the total set of commands (site 1) given after factory reset:
!BASIC INTERNET
hostname reginaB2
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.80 255.255.255.192 
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.65 1

!DISABLE DHCP
no dhcpd enable inside
no dhcpd auto_config outside
no dhcpd address 192.168.162.6-192.168.162.254 inside

!ENABLE PING
icmp permit any inside
icmp permit any outside

!ENABLE LOGGING
logging enable

!DISABLE SERVICE POLICY RULES
no service-policy global_policy global
no policy-map global_policy
no class-map inspection_default
no policy-map type inspect dns preset_dns_map

!SITE-TO-SITE VPN FROM WIZARD
crypto isakmp enable outside
object network HallstromNW
  subnet 192.168.63.0 255.255.255.0
object network ReginaNW
  subnet 192.168.162.0 255.255.255.0
access-list outside_1_cryptomap line 1 extended permit ip object ReginaNW object HallstromNW 
tunnel-group YY.YY.YY.100 type ipsec-l2l
tunnel-group YY.YY.YY.100 ipsec-attributes
  pre-shared-key **********
  isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set  pfs group1
crypto map outside_map 1 set  peer  YY.YY.YY.100
crypto map outside_map 1 set  transform-set  ESP-3DES-SHA
crypto map outside_map interface  outside
nat (inside,outside) 1 source static ReginaNW ReginaNW destination static HallstromNW HallstromNW


And this is the resulting configuration (of site 1, site 2 is just a mirror of this):
 
: Saved
:
ASA Version 8.3(1) 
!
hostname reginaB2
enable password r8yGedV92P2ot/9t encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.162.2 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.80 255.255.255.192 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network HallstromNW 
 subnet 192.168.63.0 255.255.255.0
object network ReginaNW 
 subnet 192.168.162.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object ReginaNW object HallstromNW 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static ReginaNW ReginaNW destination static HallstromNW HallstromNW
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.162.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer YY.YY.YY.100 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group YY.YY.YY.100 type ipsec-l2l
tunnel-group YY.YY.YY.100 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context 
Cryptochecksum:4c5674de9c555c8149abd862104e7acb
: end


Thanks for all support and good, useful suggestions. I have spent a lot more time on this than expected. However, the benefit is now that I feel I know the equipment much better.
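As an added example (not code from the thread, the ASDM wizard or Cisco), here is a small Python cross-check of the settings that must agree between the two ASA 8.3 peers the thread ends up with: a mirrored crypto ACL, each side's peer address equal to the other side's outside address, identical isakmp policy attributes, and the NAT exemption the wizard adds. The two configs are constructed fragments modelled on the final site-1 config, with the documentation addresses 198.51.100.80 / 203.0.113.100 standing in for the masked XX.XX.XX.80 / YY.YY.YY.100, and one isakmp policy per side is assumed.

```python
import re

# Constructed ASA 8.3 L2L fragment modelled on the thread's final site-1 config; the
# documentation addresses 198.51.100.80 / 203.0.113.100 stand in for XX.XX.XX.80 / YY.YY.YY.100.
TEMPLATE = """\
interface Vlan2
 nameif outside
 ip address {wan} 255.255.255.192
object network HallstromNW
 subnet 192.168.63.0 255.255.255.0
object network ReginaNW
 subnet 192.168.162.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object {loc} object {rem}
nat (inside,outside) source static {loc} {loc} destination static {rem} {rem}
crypto map outside_map 1 set peer {peer}
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
REGINA = TEMPLATE.format(wan="198.51.100.80", loc="ReginaNW", rem="HallstromNW", peer="203.0.113.100")
HALLSTROM = TEMPLATE.format(wan="203.0.113.100", loc="HallstromNW", rem="ReginaNW", peer="198.51.100.80")

def grab(pat, cfg):
    return (m := re.search(pat, cfg, re.M)) and m[1]

def parse(cfg):
    objs = dict(re.findall(r"^object network (\S+)\s*\n subnet (\S+ \S+)", cfg, re.M))
    acl = re.search(r"permit ip object (\S+) object (\S+)", cfg)
    return {
        "wan": grab(r"nameif outside\s*\n ip address (\S+)", cfg),
        "acl": (objs.get(acl[1]), objs.get(acl[2])) if acl else None,  # (local, remote) subnets
        "peer": grab(r"set peer (\S+)", cfg),
        "nat": bool(re.search(r"^nat \(inside,outside\) source static", cfg, re.M)),
        "policy": dict(re.findall(r"^ (authentication|encryption|hash|group) (\S+)", cfg, re.M)),
    }

def check_pair(a_cfg, b_cfg):
    # Returns the mismatches between two peers' configs; an empty list means they agree.
    a, b, faults = parse(a_cfg), parse(b_cfg), []
    for tag, own, other in (("A", a, b), ("B", b, a)):
        if not own["nat"]:
            faults.append(f"{tag}: tunnel traffic not exempted from NAT")
        if own["peer"] != other["wan"]:
            faults.append(f"{tag}: peer {own['peer']} is not the remote outside address {other['wan']}")
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        faults.append("crypto ACLs are not mirror images")
    if a["policy"] != b["policy"]:
        faults.append("isakmp policy attributes differ")
    return faults
```

`check_pair(REGINA, HALLSTROM)` returns an empty list for the matched pair; feed it the two real `show running-config` outputs and any non-empty result is the first thing to fix before reading IKE debugs.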

Author Closing Comment

by:WaldenWoods
ID: 35193415
-
