Solved

ASA - Site to Site VPN w/ 9.1 code

Posted on 2013-02-04
6
2,752 Views
Last Modified: 2013-02-04
Hello I need a little help here. I have two brand new ASA 5505 and they are the first devices that I have installed with using the new 9.1 code. I was trying to add an exempt NAT rule in but I have learned that the NAT Exempt no longer works.

My question is what would my new command be so that I can get office 1 to talk to office 2 and vise versa. I just need to bypass the nat for the local subnets but I can't seem to fiqure it out.

Below is a copy of the code that I am using:

Office1
using internal subnet 192.168.0.0/24
--------

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key randomkey


***************************************************************************

Office2
Using internal subnet 192.168.2.0/24
---------

access-list VPN_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 2.2.2.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 IPSec-attributes
pre-shared-key randomkey
0
Comment
Question by:BAYCCS
  • 3
  • 3
6 Comments
 
LVL 1

Accepted Solution

by:
bsy01 earned 500 total points
ID: 38853277
Try the config Below:

Office 1

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

nat (inside,outside) source static 192.168.0.x 192.168.0.x destination static  192.168.2.x 192.168.2.x

Office 2

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0


nat (inside,outside) source static 192.168.2.x 192.168.2.x destination static 192.168.0.x 192.168.0.x
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853310
Hmm, I had to change your subnets from 255.0.0.0 to 255.255.255.0 because I was getting a "does not pair" error.

I see if created the new object groups and added the nat rule but the vpn did not come up.

Did I miss something with the config I posted above?

I verified that the 1.1.1.1 and 2.2.2.2 are the correct IPs also.
1
 
LVL 1

Expert Comment

by:bsy01
ID: 38853361
Can you post the configs?

I have found the packet-tracer tool to be helpful.

Try:

packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 5

Author Comment

by:BAYCCS
ID: 38853394
Sure here are both offices, minus some ips and passwords of course...
Office1.txt
Office2.txt
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853410
Well as soon as I ran the packet tracer it came right up.... I am laughing so hard right now b/c I ran the packet tracer an hour ago and nothing happened.
0
 
LVL 1

Expert Comment

by:bsy01
ID: 38853420
Try adding a route to both firewalls.

route outside 192.168.2.0 255.255.255.0 2.2.2.2

route outside 192.168.0.0 255.555.255.0 1.1.1.1
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question