Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ASA - Site to Site VPN w/ 9.1 code

Posted on 2013-02-04
6
Medium Priority
?
2,885 Views
Last Modified: 2013-02-04
Hello I need a little help here. I have two brand new ASA 5505 and they are the first devices that I have installed with using the new 9.1 code. I was trying to add an exempt NAT rule in but I have learned that the NAT Exempt no longer works.

My question is what would my new command be so that I can get office 1 to talk to office 2 and vise versa. I just need to bypass the nat for the local subnets but I can't seem to fiqure it out.

Below is a copy of the code that I am using:

Office1
using internal subnet 192.168.0.0/24
--------

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key randomkey


***************************************************************************

Office2
Using internal subnet 192.168.2.0/24
---------

access-list VPN_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 2.2.2.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 IPSec-attributes
pre-shared-key randomkey
0
Comment
Question by:BAYCCS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 1

Accepted Solution

by:
bsy01 earned 2000 total points
ID: 38853277
Try the config Below:

Office 1

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

nat (inside,outside) source static 192.168.0.x 192.168.0.x destination static  192.168.2.x 192.168.2.x

Office 2

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0


nat (inside,outside) source static 192.168.2.x 192.168.2.x destination static 192.168.0.x 192.168.0.x
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853310
Hmm, I had to change your subnets from 255.0.0.0 to 255.255.255.0 because I was getting a "does not pair" error.

I see if created the new object groups and added the nat rule but the vpn did not come up.

Did I miss something with the config I posted above?

I verified that the 1.1.1.1 and 2.2.2.2 are the correct IPs also.
1
 
LVL 1

Expert Comment

by:bsy01
ID: 38853361
Can you post the configs?

I have found the packet-tracer tool to be helpful.

Try:

packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
0
Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
LVL 5

Author Comment

by:BAYCCS
ID: 38853394
Sure here are both offices, minus some ips and passwords of course...
Office1.txt
Office2.txt
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853410
Well as soon as I ran the packet tracer it came right up.... I am laughing so hard right now b/c I ran the packet tracer an hour ago and nothing happened.
0
 
LVL 1

Expert Comment

by:bsy01
ID: 38853420
Try adding a route to both firewalls.

route outside 192.168.2.0 255.255.255.0 2.2.2.2

route outside 192.168.0.0 255.555.255.0 1.1.1.1
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question