Solved

Configure Site-to-Site VPN on Cisco ASA5505

Posted on 2012-03-10
Last Modified: 2013-04-30
I am trying to configure a site-to-site VPN between 2 Cisco ASA5505s. I am running ASDM version 6.4(7) and ASA version 8.4(3). I have tried using the wizard and following the instructions below. I have tried each multiple times without getting a connection.

Below are the CLI commands I used on Site-B; I used the same commands on Site-A with the IP addresses updated. Site-B is set up with an IPsec VPN connection for remote access as well.

Current Site B Configuration

access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site2-Subnet object Site1-Subnet
nat (inside,outside) source static Site2-Subnet Site2-Subnet destination static Site1-Subnet Site1-Subnet
tunnel-group A.S.D.F type ipsec-l2l
tunnel-group A.S.D.F ipsec-attributes
pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
exit
 
crypto ikev1 policy 10
authentication pre-share
hash sha
group 2 
lifetime 86400

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 2 match address VPN-INTERESTING-TRAFFIC

crypto map outside_map 2 set pfs group2
crypto map outside_map 2 set peer 75.150.160.37
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside



Below is the current running configuration of Site-B  

: Saved
:
ASA Version 8.4(3) 
!
hostname DDT-asa
domain-name MyCoINC.COM

names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address B.B.B.21 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Z.X.C.B 255.255.255.0 
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name MyCoINC.COM
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Site1-Subnet
 subnet A.A.A.0 255.255.255.0
object network NETWORK_OBJ_B.B.C.0_24
 subnet B.B.C.0 255.255.255.0
object network Site3-Subnet
 subnet C.C.C.0 255.255.255.0
object network Site2-Subnet
 subnet B.B.B.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site2-Subnet object Site1-Subnet 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPPool2 B.B.C.100-B.B.C.192 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_B.B.C.0_24 NETWORK_OBJ_B.B.C.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static Site2-Subnet Site2-Subnet destination static Site1-Subnet Site1-Subnet
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 Z.X.C.V 1
route inside C.C.C.0 255.255.255.0 B.B.B.1 1
route inside A.A.A.0 255.255.255.0 B.B.B.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
http server enable
http B.B.B.0 255.255.255.0 inside
http C.C.C.0 255.255.255.0 inside
http A.A.A.0 255.255.255.0 inside
http B.B.C.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer A.S.D.F
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet B.B.B.0 255.255.255.0 inside
telnet A.A.A.0 255.255.255.0 inside
telnet timeout 5
ssh B.B.B.0 255.255.255.0 inside
ssh A.A.A.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPNAccess internal
group-policy VPNAccess attributes
 vpn-tunnel-protocol ikev1 
 default-domain value MyCoINC.COM
username user1 password zdsffgdfgdfg encrypted privilege 0
username user1 attributes
 vpn-group-policy VPNAccess
tunnel-group VPNAccess type remote-access
tunnel-group VPNAccess general-attributes
 address-pool IPPool2
 default-group-policy VPNAccess
tunnel-group VPNAccess ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group A.S.D.F type ipsec-l2l
tunnel-group A.S.D.F ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:fgadfsgfhghjghkhjkhjk
: end

Question by:qvfps
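The posted config lists the pieces an IKEv1 crypto-map site-to-site tunnel on ASA 8.4 depends on: an interesting-traffic ACL, identity (twice) NAT for the same subnet pair so the traffic is not PATed, a tunnel-group of type ipsec-l2l for the peer, and the map applied to an interface with IKEv1 enabled; the thread's resolution was that the ASDM wizard had left the ACL out. As an added example, not code from the thread, the following Python checker reads a running-config and reports which of those pieces is missing for each static crypto map entry; the sample config is constructed from the thread's object, map and peer names.

```python
import re

def parse_asa(config):
    """Collect the statements an IKEv1 crypto-map site-to-site tunnel depends on."""
    acls, nat_exempt, l2l, ikev1_on, entries, bound = {}, set(), set(), set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (?:line \d+ )?extended permit ip object (\S+) object (\S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))  # interesting traffic: (src, dst) objects
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            nat_exempt.add((m[1], m[2]))  # identity (twice) NAT so tunnel traffic is not PATed
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l.add(m[1])
        elif m := re.match(r"crypto ikev1 enable (\S+)", line):
            ikev1_on.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line):
            entries.setdefault((m[1], m[2]), {})[m[3]] = m[4]  # static map entries only
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m[1]] = m[2]
    return acls, nat_exempt, l2l, ikev1_on, entries, bound

def check_l2l(config):
    """Return findings for each static crypto map entry; an empty list means the entry is complete."""
    acls, nat_exempt, l2l, ikev1_on, entries, bound = parse_asa(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        acl, peer = e.get("match address"), e.get("set peer")
        if acl not in acls:
            findings.append(f"{tag}: interesting-traffic ACL missing or not defined ({acl})")
        else:
            for src, dst in acls[acl]:
                if (src, dst) not in nat_exempt:
                    findings.append(f"{tag}: no identity NAT for {src} -> {dst}")
        if peer not in l2l:
            findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l'")
        if bound.get(name) not in ikev1_on:
            findings.append(f"{tag}: map {name} not applied to an interface with ikev1 enabled")
    return findings

# Constructed sample using the thread's object and map names, trimmed to the lines the checker reads.
SITE_B = """\
access-list VPN-INTERESTING-TRAFFIC extended permit ip object Site2-Subnet object Site1-Subnet
nat (inside,outside) source static Site2-Subnet Site2-Subnet destination static Site1-Subnet Site1-Subnet
crypto map outside_map 2 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 2 set peer A.S.D.F
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group A.S.D.F type ipsec-l2l
"""
```

Feed it the output of `show running-config` from each ASA; a clean result on both sides means the remaining places to look are the IKEv1 policy and transform-set mismatch, which `show crypto isakmp sa` and `show crypto ipsec sa` expose.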
 

Expert Comment

by:Garry-G
ID: 37707241
Did you do some debugging on ISAKMP/IPsec? What do you get when you do either "show crypto isa sa" or "show crypto ipsec sa"?
 

Accepted Solution

by:
Pete Long earned 500 total points
ID: 37708955
 

Author Comment

by:qvfps
ID: 37714531
I started having some issues with the firewall, so I reset it to factory defaults and rebuilt it. Right now I am having an issue with our BES server not keeping a connection to the BlackBerry network. As soon as I have that resolved I will get back to this.
 

Author Comment

by:qvfps
ID: 37734154
The issue with the BES is resolved. I have run "show crypto isa sa" and "show crypto ipsec sa". They show no errors, and the only tunnel I can see is the remote VPN connection.
 

Author Closing Comment

by:qvfps
ID: 37764216
I resolved the issue this weekend. I got it working by using the Phase 1 testing at petenet.com and the VPN setup guide (CLI); the ASDM wizard did not add the ACL or static route.
