Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ASA - Site to Site VPN w/ 9.1 code

Posted on 2013-02-04
6
Medium Priority
?
2,910 Views
Last Modified: 2013-02-04
Hello I need a little help here. I have two brand new ASA 5505 and they are the first devices that I have installed with using the new 9.1 code. I was trying to add an exempt NAT rule in but I have learned that the NAT Exempt no longer works.

My question is what would my new command be so that I can get office 1 to talk to office 2 and vise versa. I just need to bypass the nat for the local subnets but I can't seem to fiqure it out.

Below is a copy of the code that I am using:

Office1
using internal subnet 192.168.0.0/24
--------

access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 IPSec-attributes
pre-shared-key randomkey


***************************************************************************

Office2
Using internal subnet 192.168.2.0/24
---------

access-list VPN_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
 
access-list nat_bypass extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 2.2.2.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable Outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 IPSec-attributes
pre-shared-key randomkey
0
Comment
Question by:BAYCCS
  • 3
  • 3
6 Comments
 
LVL 1

Accepted Solution

by:
bsy01 earned 2000 total points
ID: 38853277
Try the config Below:

Office 1

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

nat (inside,outside) source static 192.168.0.x 192.168.0.x destination static  192.168.2.x 192.168.2.x

Office 2

object network 192.168.2.x
 subnet 192.168.2.0 255.0.0.0

object network 192.168.0.x
 subnet 192.168.0.0 255.0.0.0


nat (inside,outside) source static 192.168.2.x 192.168.2.x destination static 192.168.0.x 192.168.0.x
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853310
Hmm, I had to change your subnets from 255.0.0.0 to 255.255.255.0 because I was getting a "does not pair" error.

I see if created the new object groups and added the nat rule but the vpn did not come up.

Did I miss something with the config I posted above?

I verified that the 1.1.1.1 and 2.2.2.2 are the correct IPs also.
1
 
LVL 1

Expert Comment

by:bsy01
ID: 38853361
Can you post the configs?

I have found the packet-tracer tool to be helpful.

Try:

packet-tracer input inside tcp 192.168.0.10 80 192.168.2.10 80 detailed
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 5

Author Comment

by:BAYCCS
ID: 38853394
Sure here are both offices, minus some ips and passwords of course...
Office1.txt
Office2.txt
0
 
LVL 5

Author Comment

by:BAYCCS
ID: 38853410
Well as soon as I ran the packet tracer it came right up.... I am laughing so hard right now b/c I ran the packet tracer an hour ago and nothing happened.
0
 
LVL 1

Expert Comment

by:bsy01
ID: 38853420
Try adding a route to both firewalls.

route outside 192.168.2.0 255.255.255.0 2.2.2.2

route outside 192.168.0.0 255.555.255.0 1.1.1.1
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question