Solved

CISCO ASA 5505 Site-to-site VPN

Posted on 2012-03-11
2
790 Views
Last Modified: 2012-03-13
Hi,
I'm trying to setup a site to site vpn between to ASA 5505's. For some reason I just can't get it to work properly.

I've got two sites, A and B:
A: 10.1.20.0 Cisco ASA 5505 with FW 7.2
 A1: Test pc on this network: 10.1.20.189
B: 10.1.2.0, Cisco ASA 5505 with FW 8.3
 B1: 10.1.2.101 Test pc on remote network that should respond to ping.

The tunnel is up and from Site A I can ping the ASA on Site B. ie. I can ping 10.1.2.1 from any computer on 10.1.20.0. However, when I try pining any of the machines behind the Site B FW, it just won't work.

i.e, trying to ping 10.1.2.101 from 10.1.20.138 doesn't work, but ping 10.1.2.1 from 10.1.20.138 works fine. Same problem the other direction, but from Site B I can't even ping the gateway of Site A so I assume the problem actually is on Site B ASA.

Running config for Site A:
asdm image disk0:/asdm-521.bin
no asdm history enable
: Saved
:
ASA Version 7.2(1) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password nvNvdhePuUkZsFOo encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.20.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd XXXXXXXXXXX.XXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 10.1.20.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.20.0 255.255.255.0 10.1.2.0 255.255.255.0 
access-list inside_access_out extended permit ip any 10.1.2.0 255.255.255.0 
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 91.XXX.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.20.0 255.255.255.0 inside
http 195.XXX.2X3.XXX 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 195.XXX.2X3.XXX 
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 195.XXX.2X3.XXX type ipsec-l2l
tunnel-group 195.XXX.2X3.XXX ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group 195.XXX.2X3.XXX
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.20.100-10.1.20.200 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:55a5c1ae520add67614599545544e45a
: end

Open in new window



Running config for Site B:
: Saved
:
ASA Version 8.3(1) 
!
hostname TomasNw
enable password XXXXXXXXXX encrypted
passwd XXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0 
!
interface Vlan2
 mac-address 0023.7d3f.0cfd standby 0023.7d3f.0cfd
 nameif outside
 security-level 0
 ip address 195.XXX.2X3.XXX 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.1.2.0_24 
 subnet 10.1.2.0 255.255.255.0
object network NETWORK_OBJ_10.1.20.0_24 
 subnet 10.1.20.0 255.255.255.0
access-list 104 extended permit icmp any any echo-reply 
access-list 104 extended permit icmp any any time-exceeded 
access-list 104 extended permit icmp any any unreachable 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip any 10.1.20.0 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.20.0 255.255.255.0 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.37.1-192.168.37.10
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24 destination static NETWORK_OBJ_10.1.20.0_24 NETWORK_OBJ_10.1.20.0_24
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 195.67.213.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpnradius protocol radius
aaa-server vpnradius (inside) host 10.0.1.2
 key *****
http server enable
http 10.1.2.0 255.255.255.0 inside
http 91.XXX.X.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer 91.XXX.X.1 
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.1.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 195.67.199.39 195.67.199.16
!
dhcpd address 10.1.2.100-10.1.2.120 inside
dhcpd dns 195.67.199.14 195.67.199.15 interface inside
dhcpd wins 10.1.1.2 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username name password gAbEspeTT0GmX2Df encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group 91.XXX.X.1 type ipsec-l2l
tunnel-group 91.XXX.X.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a13e39cbfc6bce7e40c02826f4c09e4a
: end
no asdm history enable

Open in new window


I would guess that it's related to routing but I have tried different ways there as well and I'm just nog getting anywhere....

My hopes are now that someone more experienced on Cisco than I can help me out with this one. :-)

/Tomas
0
Comment
Question by:tnson
2 Comments
 

Author Comment

by:tnson
ID: 37706632
Increasing points since I'm in a bit of a hurry. :)

Figured it out my self... it was the ICMP setting in the ASA with later FW. In the old one this was enabled already, but from FW 8.x you have to enable it.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 37708948
policy-map global_policy
class inspection_default
inspect icmp


Cisco Firewalls and PING

Pete
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now