Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

ASA - Site to Site VPN w/ 9.1 code

Posted on 2013-02-04
6
2,765 Views
Last Modified: 2013-02-04
Hello I need a little help here. I have two brand new ASA 5505 and they are the first devices that I have installed with using the new 9.1 code. I was trying to add an exempt NAT rule in but I have learned that the NAT Exempt no longer works.

My question is what would my new command be so that I can get office 1 to talk to office 2 and vise versa. I just need to bypass the nat for the local subnets but I can't seem to fiqure it out.

Below is a copy of the code that I am using:

Office1
using internal subnet 192.168.0.0/24
--------

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key randomkey


***************************************************************************

Office2
Using internal subnet 192.168.2.0/24
---------

access-list VPN_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 2.2.2.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 IPSec-attributes
pre-shared-key randomkey
0
Comment
Question by:BAYCCS
  • 3
  • 3
6 Comments
 
LVL 1

Accepted Solution

by:
bsy01 earned 500 total points
ID: 38853277
Try the config Below:

Office 1

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

nat (inside,outside) source static 192.168.0.x 192.168.0.x destination static  192.168.2.x 192.168.2.x

Office 2

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0


nat (inside,outside) source static 192.168.2.x 192.168.2.x destination static 192.168.0.x 192.168.0.x
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853310
Hmm, I had to change your subnets from 255.0.0.0 to 255.255.255.0 because I was getting a "does not pair" error.

I see if created the new object groups and added the nat rule but the vpn did not come up.

Did I miss something with the config I posted above?

I verified that the 1.1.1.1 and 2.2.2.2 are the correct IPs also.
1
 
LVL 1

Expert Comment

by:bsy01
ID: 38853361
Can you post the configs?

I have found the packet-tracer tool to be helpful.

Try:

packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 
LVL 5

Author Comment

by:BAYCCS
ID: 38853394
Sure here are both offices, minus some ips and passwords of course...
Office1.txt
Office2.txt
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853410
Well as soon as I ran the packet tracer it came right up.... I am laughing so hard right now b/c I ran the packet tracer an hour ago and nothing happened.
0
 
LVL 1

Expert Comment

by:bsy01
ID: 38853420
Try adding a route to both firewalls.

route outside 192.168.2.0 255.255.255.0 2.2.2.2

route outside 192.168.0.0 255.555.255.0 1.1.1.1
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question