Michael Smolens
asked on
ASA - Site to Site VPN w/ 9.1 code
Hello, I need a little help here. I have two brand new ASA 5505s, and they are the first devices that I have installed using the new 9.1 code. I was trying to add an exempt NAT rule, but I have learned that the NAT Exempt no longer works.
My question is: what would my new command be so that I can get office 1 to talk to office 2 and vice versa? I just need to bypass the NAT for the local subnets, but I can't seem to figure it out.
Below is a copy of the code that I am using:
Office1
using internal subnet 192.168.0.0/24
--------
access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nat_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key randomkey
**************************
Office2
Using internal subnet 192.168.2.0/24
---------
access-list VPN_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nat_bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 2.2.2.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 IPSec-attributes
pre-shared-key randomkey
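For reference, this is what the NAT exemption looks like on ASA 8.3 and later (including 9.1), where the old `nat (inside) 0 access-list nat_bypass` form was replaced by object-based identity NAT (twice NAT). This is an added example written for this thread, not a configuration posted by the asker or by Cisco; the object names `LOCAL-LAN` and `REMOTE-LAN` are assumptions, while the subnets and peer addresses are taken from the configs above.

```text
! ===== Office1 (inside 192.168.0.0/24, peer 1.1.1.1) =====
object network LOCAL-LAN
 subnet 192.168.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
!
! Identity NAT: traffic from LOCAL-LAN to REMOTE-LAN keeps both its source
! and destination addresses, so it matches the crypto ACL untranslated.
! no-proxy-arp stops the ASA answering ARP for the remote subnet on "outside";
! route-lookup makes it pick the egress interface from the routing table.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! The crypto ACL can reference the same objects so the two never drift apart
access-list VPN_cryptomap extended permit ip object LOCAL-LAN object REMOTE-LAN

! ===== Office2 (inside 192.168.2.0/24, peer 2.2.2.2) - mirror image =====
object network LOCAL-LAN
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
access-list VPN_cryptomap extended permit ip object LOCAL-LAN object REMOTE-LAN

! ===== Verification (run on either side) =====
! The identity rule should show translate_hits climbing once inside hosts send traffic
show nat detail
! Walk a packet through the box: the NAT phase must show the identity rule,
! and the VPN phases must be ALLOW for the tunnel to be triggered
packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
! Phase 1 and phase 2 state once traffic has flowed
show crypto isakmp sa
show crypto ipsec sa
```

Two points worth checking before blaming the NAT rule: the manual `nat ... source static` line must sit above any dynamic PAT for the inside network in `show nat` (section 1 rules are evaluated before auto NAT), and the crypto ACL on each side has to be the exact mirror of the other, otherwise phase 2 fails with a proxy-identity mismatch even though the NAT is correct.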
ASKER CERTIFIED SOLUTION
Can you post the configs?
I have found the packet-tracer tool to be helpful.
Try:
packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
ASKER
Well as soon as I ran the packet tracer it came right up.... I am laughing so hard right now b/c I ran the packet tracer an hour ago and nothing happened.
Try adding a route to both firewalls.
route outside 192.168.2.0 255.255.255.0 2.2.2.2
route outside 192.168.0.0 255.255.255.0 1.1.1.1
ASKER
I see. I created the new object groups and added the NAT rule, but the VPN did not come up.
Did I miss something with the config I posted above?
I verified that the 1.1.1.1 and 2.2.2.2 are the correct IPs also.