Solved

ASA - Site to Site VPN w/ 9.1 code

Posted on 2013-02-04
6
2,706 Views
Last Modified: 2013-02-04
Hello I need a little help here. I have two brand new ASA 5505 and they are the first devices that I have installed with using the new 9.1 code. I was trying to add an exempt NAT rule in but I have learned that the NAT Exempt no longer works.

My question is what would my new command be so that I can get office 1 to talk to office 2 and vise versa. I just need to bypass the nat for the local subnets but I can't seem to fiqure it out.

Below is a copy of the code that I am using:

Office1
using internal subnet 192.168.0.0/24
--------

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key randomkey


***************************************************************************

Office2
Using internal subnet 192.168.2.0/24
---------

access-list VPN_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 2.2.2.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 IPSec-attributes
pre-shared-key randomkey
0
Comment
Question by:BAYCCS
  • 3
  • 3
6 Comments
 
LVL 1

Accepted Solution

by:
bsy01 earned 500 total points
ID: 38853277
Try the config Below:

Office 1

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

nat (inside,outside) source static 192.168.0.x 192.168.0.x destination static  192.168.2.x 192.168.2.x

Office 2

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0


nat (inside,outside) source static 192.168.2.x 192.168.2.x destination static 192.168.0.x 192.168.0.x
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853310
Hmm, I had to change your subnets from 255.0.0.0 to 255.255.255.0 because I was getting a "does not pair" error.

I see if created the new object groups and added the nat rule but the vpn did not come up.

Did I miss something with the config I posted above?

I verified that the 1.1.1.1 and 2.2.2.2 are the correct IPs also.
1
 
LVL 1

Expert Comment

by:bsy01
ID: 38853361
Can you post the configs?

I have found the packet-tracer tool to be helpful.

Try:

packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 5

Author Comment

by:BAYCCS
ID: 38853394
Sure here are both offices, minus some ips and passwords of course...
Office1.txt
Office2.txt
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853410
Well as soon as I ran the packet tracer it came right up.... I am laughing so hard right now b/c I ran the packet tracer an hour ago and nothing happened.
0
 
LVL 1

Expert Comment

by:bsy01
ID: 38853420
Try adding a route to both firewalls.

route outside 192.168.2.0 255.255.255.0 2.2.2.2

route outside 192.168.0.0 255.555.255.0 1.1.1.1
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now