Identity_reborn asked:
ASA 5505 Site-to-Site tunnels not coming up

Greetings,

I am trying to configure site-to-site VPN for one of my clients; their setup is as follows:
They have their server sitting in a data centre, and then they have a branch office in two different cities. Currently they use WatchGuard firewalls at all ends to create two site-to-site tunnels at each end (one to the data centre and one to the other office), and it works fine.
Now I am installing Cisco ASA 5505s at all these sites to replace the WatchGuard boxes. Even though I've done these kinds of setups for my other clients, I'm not getting much joy here. What brings me here is the fact that, to the best of my knowledge, the configurations (posted below) look alright, but I still have no active IPsec tunnels between these sites. I'd be highly obliged if someone could point out where I'm going wrong by looking at the configurations.
PS: I have devices plugged into the inside interface of each of these ASAs to make sure that there is some traffic present and all interfaces are up.

Data
ASA Version 8.2(5)
!
hostname Data
domain-name zxcv
enable password ccccccccc/ encrypted
passwd cccccccc/ encrypted
names
name 10.0.0.0 site1
name 10.0.1.0 site2
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.250 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name zxcv
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 192.168.75.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.75.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.75.0 255.255.255.0 site2 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.75.0 255.255.255.0 site2 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.75.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.75.50-192.168.75.110 inside
dhcpd dns 8.8.8.8 4.4.2.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f415cbb37c291c1532416399225d4140
: end
asdm location site2 255.255.255.0 inside
asdm location site1 255.255.255.0 inside
no asdm history enable
---------------------------------------------------------------------------
Site1
ASA Version 8.2(5)
!
hostname site1
domain-name zxcv
enable password ccccccccc/ encrypted
passwd ccccccccccc/ encrypted
names
name 10.0.1.0 site2
name 192.168.75.0 data
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name zxcv
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 site2 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 site2 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 data 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 data 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.110 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain zxcv interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e4223d5e4f8c30a6ee12dbf830d8af44
: end
asdm location site2 255.255.255.0 inside
asdm location data 255.255.255.0 inside
no asdm history enable
------------------------------------------------------------------------
Site2
ASA Version 8.2(5)
!
hostname site2
domain-name zxcv
enable password ccccccccccc/ encrypted
passwd ccccccccccccc encrypted
names
name 10.0.0.0 site1
name 192.168.75.0 data
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x y.y.y.y
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name zxcv
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 data 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 data 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer y.y.y.y
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.1.50-10.0.1.110 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a97de69d761968d5518991e811fd0379
: end
asdm location site1 255.255.255.0 inside
asdm location data 255.255.255.0 inside
no asdm history enable
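Before reaching for debug, the three configs can be cross-checked mechanically. What follows is an added example (my own script, not from the asker or from Cisco) that parses wizard-style ASA 8.2 configs like the ones above and checks what has to agree between any two peers for a tunnel to come up: a tunnel-group named after every "set peer" address, a crypto ACL that is the exact mirror of the peer's entry pointing back, and the same PFS group and transform-set contents on both ends. The same pass flags http/ssh management opened to 0.0.0.0/0 on the outside, which all three posted configs do. The two sample configs are constructed with documentation addresses (203.0.113.x) rather than the sanitized x.x.x.x/y.y.y.y peers above, and site1 is deliberately given PFS group2 so that a mismatch finding shows up.

```python
"""Cross-check wizard-style ASA 8.2 L2L configs for what must agree between peers
(tunnel-group per peer, mirrored crypto ACLs, PFS, transform set) and flag open management."""
import re
from ipaddress import IPv4Network


def parse_asa(text):
    """Extract the L2L-relevant pieces of one ASA 8.2 running-config."""
    cfg = {"hostname": "", "outside_ip": None, "names": {}, "acls": {},
           "transforms": {}, "maps": {}, "tunnel_groups": set(), "exposed": []}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)$", line):
            cfg["hostname"] = m[1]
        elif m := re.match(r"name (\S+) (\S+)$", line):          # 'name 10.0.0.0 site1'
            cfg["names"][m[2]] = m[1]
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) \S+$", line)) and nameif == "outside":
            cfg["outside_ip"] = m[1]
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])   # (src, smask, dst, dmask)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transforms"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set) (\S+)$", line):
            cfg["maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            cfg["tunnel_groups"].add(m[1])
        elif m := re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            cfg["exposed"].append((m[1], m[2]))
    return cfg


def flows(cfg, acl):
    """Resolve 'name' aliases and return the (src, dst) network pairs an ACL permits."""
    n = cfg["names"]
    return {(IPv4Network(f"{n.get(s, s)}/{sm}"), IPv4Network(f"{n.get(d, d)}/{dm}"))
            for s, sm, d, dm in cfg["acls"].get(acl, [])}


def audit(configs):
    """Return human-readable findings across all devices; an empty list means clean."""
    devs = [parse_asa(c) for c in configs]
    by_ip = {d["outside_ip"]: d for d in devs}
    findings = []
    for d in devs:
        me = d["hostname"]
        for svc, iface in d["exposed"]:
            findings.append(f"{me}: {svc} management reachable from 0.0.0.0/0 on {iface}")
        for (mapname, seq), e in sorted(d["maps"].items()):
            tag, peer = f"{me}: {mapname} {seq}", e.get("set peer")
            if peer not in d["tunnel_groups"]:
                findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l', so IKE has no PSK for this peer")
            remote = by_ip.get(peer)
            # the entry on the far side that points back at this device
            back = next((r for r in remote["maps"].values()
                         if r.get("set peer") == d["outside_ip"]), None) if remote else None
            if back is None:
                findings.append(f"{tag}: no audited device at {peer} with a crypto map entry back to {d['outside_ip']}")
                continue
            mirror = {(dst, src) for src, dst in flows(remote, back.get("match address"))}
            if flows(d, e.get("match address")) != mirror:
                findings.append(f"{tag}: crypto ACL is not the mirror of {remote['hostname']}'s (proxy-ID mismatch)")
            if e.get("set pfs") != back.get("set pfs"):
                findings.append(f"{tag}: pfs {e.get('set pfs')} vs {remote['hostname']} {back.get('set pfs')}")
            if d["transforms"].get(e.get("set transform-set")) != remote["transforms"].get(back.get("set transform-set")):
                findings.append(f"{tag}: transform-set contents differ from {remote['hostname']}")
    return findings


# Constructed two-site sample in the thread's wizard style (documentation addresses,
# not the asker's boxes); site1 is deliberately given PFS group2 to show a mismatch.
DATA = """\
hostname Data
name 10.0.0.0 site1
 nameif outside
 ip address 203.0.113.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.75.0 255.255.255.0 site1 255.255.255.0
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 203.0.113.2 type ipsec-l2l
"""
SITE1 = """\
hostname site1
name 192.168.75.0 data
 nameif outside
 ip address 203.0.113.2 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 data 255.255.255.0
ssh 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group2
crypto map outside_map 2 set peer 203.0.113.1
crypto map outside_map 2 set transform-set ESP-3DES-SHA
tunnel-group 203.0.113.1 type ipsec-l2l
"""

if __name__ == "__main__":
    print("\n".join(audit([DATA, SITE1])))
```

Run it against the real "show running-config" of each box; the name aliases (site1, site2, data) are resolved, so the wizard output above can be fed in as-is. Note that the sanitized configs as posted cannot be checked this way: every peer, outside address and default route is x.x.x.x or y.y.y.y, so a peer/tunnel-group mismatch would be invisible in them.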

Garry Glendown:
Did you check with some debug runs to what point your VPNs are coming up or not? (debug crypto isa, debug crypto ipsec)
Also, did you set the VPNs up using the ASDM VPN wizard? Usually, s2s VPNs are pretty easy to get up and running with the help of the wizard ... maybe just drop the current config for the VPN and give it a try?
Identity_reborn (asker):
@ Garry-G

VPNs are not coming up at all for some reason, and yes, I have set these up using the ASDM wizard.
OK, then try a ping from the endpoints while running the "debug crypto isa 250" command on the initiating side ...
@ Garry-G

Endpoints are dumb ADSL routers; I've assigned static IPs to their LAN interfaces to keep the 'inside' interface of the ASAs alive. Also, I'm managing these devices from a central location via ASDM (can't SSH in from outside into these devices); it would let me run any debug commands.
Sorry, meant to say 'it wouldn't let me run debug commands through ASDM'.
Add your IP temporarily for SSH ...
Hi,
I'd try and delete the
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set pfs group2
on both ASAs.
They're not necessary and have caused me trouble a few times in my implementations.

From the command line you just put a "no" before each of those commands, while in ASDM you should uncheck it.
Good luck
@ Max_the_king

I've tried creating these tunnels with PFS disabled as well, but with no luck.

@ Garry-G

I can't seem to SSH into any of the devices (even after generating a crypto RSA key and making an exception in the firewall). Would the packet tracer utility in ASDM be any good?
You're probably missing the option for authentication ... without it, the ASA will not enable the SSH feature ...
Go to Device Management, Users/AAA, AAA Access. Turn on SSH Authentication with Server Group LOCAL ...
Morning,

I've enabled server group LOCAL for SSH, but it's the same thing: a blank PuTTY screen and that's all. Also, I SSH into port 444.

@ Garry-G

Update
I've got the SSH session up and running, started debug crypto isa 250, and pinged from an endpoint.

I'm not getting any reply back for my pings, as if the tunnels are non-existent, hence the topic.
Are you getting any output from the debug? What does "show crypto isa sa" and "show crypto ipsec sa" output?
show crypto ipsec sa shows all counters as zeros, and the other show crypto commands don't show anything.
Hm ... if not even isakmp comes up, there's something basic wrong ...

The outside interfaces have official IPs, don't they? Is there any output from the "debug crypto isa" command? Both initiating and receiving end ...
The fact that I can connect to these devices remotely proves that the outside interface IPs are set up correctly. However, I agree with you that some basic config is missing or wrong.

Also, there is no output from debug crypto isa.


PS: I'm certain that the pre-shared key and peer IP are correct as well. Could there be any rule(s) missing from the firewall?

Hm ... comparing the config to one that's working for me, I used "regular" isakmp/ipsec instead of l2l tunnel ... so adding something like this might be worth a try:

crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 2 ipsec-isakmp
isakmp key PW1 address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key PW2 address y.y.y.y netmask 255.255.255.255 no-xauth no-config-mode
isakmp keepalive 60 5
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-256
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400


I'd certainly give that a try.

I've noticed that the ADSL routers plugged into the inside interfaces (to keep them up) are not generating any traffic at all; I can access them only via their web interface.

Considering the fact that they are on the internal range of the ASA firewalls (10.0.0.7, 10.0.1.7 and 192.168.75.7), I can port forward these hosts so I can access their web interfaces. But when I put in a static NAT and an access rule to allow HTTP in to these hosts, I can't get to their web interfaces. Any clues why?
@ Garry-G

Hi,

I've tried adding those lines but to no avail :(
Do you now get any output from the "debug crypto isakmp 250" line?
Sadly, no...
So you e.g. do a ping to an inside address of the remote location, and nothing happens on the firewall? No attempt to set up the tunnel? Are you even getting the packets, i.e. is the firewall really your default gateway? Can you set up a packet trace to confirm the packets aren't going to some other place instead?
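The show output reported above (an empty "show crypto isakmp sa", IPsec counters all zero, nothing from debug) is exactly the pattern Garry is probing for in his last question: the ASA never even initiated IKE, so the fault sits before crypto, in routing or NAT. The following added example (mine, not from the thread or from Cisco) parses "show crypto isakmp sa" and "show crypto ipsec sa" in the layout an ASA 8.2 prints them and sorts one peer into the usual "tunnel not up" shapes: no IKE attempt at all, phase 1 stalled in an MM_WAIT state, phase 1 up with nothing encrypted, or one-way traffic. The sample outputs are constructed with documentation addresses; the state-to-cause hints are the standard ones (MM_WAIT_MSG2 means the peer never answered, MM_WAIT_MSG5/6 is the pre-shared key or tunnel-group mismatch signature).

```python
"""Triage one L2L peer from 'show crypto isakmp sa' and 'show crypto ipsec sa'
as an ASA 8.2 prints them, sorting it into the usual 'tunnel not up' shapes."""
import re

# What a phase-1 stall at a given ISAKMP state usually means.
STALL = {
    "MM_WAIT_MSG2": "peer never answered MSG1: wrong peer address, UDP/500 filtered, or isakmp not enabled on the peer's outside",
    "MM_WAIT_MSG5": "peer cannot validate our identity: pre-shared key mismatch, or no tunnel-group for our IP on the peer",
    "MM_WAIT_MSG6": "peer cannot validate our identity: pre-shared key mismatch, or no tunnel-group for our IP on the peer",
}


def parse_isakmp(text):
    """Map peer IP -> IKE state; an empty dict for 'There are no isakmp sas'."""
    peers, current = {}, None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer: (\S+)", line):
            current = m[1]
        elif (m := re.search(r"State\s*:\s*(\S+)", line)) and current:
            peers[current] = m[1]
    return peers


def parse_ipsec(text):
    """Map peer IP -> (encaps, decaps) packet counters, summed over that peer's SAs."""
    stats, current = {}, None
    for line in text.splitlines():
        if m := re.search(r"current_peer: (\S+)", line):
            current = m[1]
            stats.setdefault(current, [0, 0])
        elif (m := re.search(r"#pkts encaps: (\d+)", line)) and current:
            stats[current][0] += int(m[1])
        elif (m := re.search(r"#pkts decaps: (\d+)", line)) and current:
            stats[current][1] += int(m[1])
    return {p: tuple(v) for p, v in stats.items()}


def triage(peer, isakmp_out, ipsec_out):
    """Return (verdict, advice) for one peer."""
    state = parse_isakmp(isakmp_out).get(peer)
    enc, dec = parse_ipsec(ipsec_out).get(peer, (0, 0))
    if state is None:
        return ("NO_IKE_ATTEMPT", "no IKE SA: this ASA never saw traffic matching the crypto ACL; confirm the test "
                "host routes through it and the flow is NAT-exempt, then run packet-tracer")
    if "_WAIT_" in state:
        return ("PHASE1_STALLED", STALL.get(state, f"stalled at {state}: run 'debug crypto isakmp' on both ends"))
    if enc == 0:
        return ("PHASE2_OR_NO_TRAFFIC", "phase 1 up but nothing encrypted: proxy-ID (crypto ACL), PFS or transform "
                "mismatch, or still no interesting traffic")
    if dec == 0:
        return ("ONE_WAY", "packets leave encrypted but none return: the far side drops or mis-routes the reply")
    return ("OK", "traffic flows both ways")


# Constructed ASA 8.2 output (documentation addresses), not captures from the thread.
ISAKMP_NONE = "There are no isakmp sas\n"
IPSEC_NONE = "There are no ipsec sas\n"
ISAKMP = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
"""
IPSEC = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.75.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for p in ("203.0.113.2", "203.0.113.3"):
        print(p, *triage(p, ISAKMP, IPSEC))
    print("empty show output:", *triage("203.0.113.2", ISAKMP_NONE, IPSEC_NONE))
```

Paste the two show outputs from the initiating ASA into the two strings and call triage() with the peer address from the crypto map; the NO_IKE_ATTEMPT verdict is the one that matches the symptoms in this thread.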
Identity_reborn (asker, accepted solution):
I do not have a scientific explanation, but it works!!