EESky
asked on
ASA L2L vpn can not connect
Expert
Here is a problem. Any expert can take a look at the configuration of ASA L2L vpn. The two asa can ping each other, but its vpn cannot connect. Thank you.
ASA3# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco rd DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Router-set esp-3des esp-md5-hmac
crypto map outside_map 1 match address nonat
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set Router-set
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
ikev1 pre-shared-key *****
!
!
========================== ========== ========== ==
client# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname client
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
!
ftp mode passive
access-list USGA095 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco rd DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac
crypto map S2SVPN 2 match address USGA095
crypto map S2SVPN 2 set peer 172.16.1.1
crypto map S2SVPN 2 set ikev1 transform-set FIRSTSET
crypto map S2SVPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
========================== =======
client# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
client#
ASA3# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA3#
Here is a problem. Any expert can take a look at the configuration of ASA L2L vpn. The two asa can ping each other, but its vpn cannot connect. Thank you.
ASA3# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Router-set esp-3des esp-md5-hmac
crypto map outside_map 1 match address nonat
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set Router-set
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
ikev1 pre-shared-key *****
!
!
==========================
client# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname client
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
!
ftp mode passive
access-list USGA095 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac
crypto map S2SVPN 2 match address USGA095
crypto map S2SVPN 2 set peer 172.16.1.1
crypto map S2SVPN 2 set ikev1 transform-set FIRSTSET
crypto map S2SVPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
==========================
client# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
client#
ASA3# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA3#
Nat 0 is missing in the configuration
Hi
>>access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
This has no place in an 8.4 VPN config? Oh wait I see you've delaired that in the cryptomap - thats what confused the first poster. DO NOT attempt to add a Nat0 command it will error!
You have no NAT stement for the VPN
See Cisco ASA 5500 Site to Site VPN (From CLI)
Pete
>>access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
This has no place in an 8.4 VPN config? Oh wait I see you've delaired that in the cryptomap - thats what confused the first poster. DO NOT attempt to add a Nat0 command it will error!
You have no NAT stement for the VPN
See Cisco ASA 5500 Site to Site VPN (From CLI)
Pete
Agreed, Nat 0 is not reqiured post 8.3.
Crypto ipsec transform-set is matching on both the ends. first one it is esp-3des esp-md5-hmac and the second one it is esp-3des esp-sha-hmac. use the same encyrption on both the ends
Also the Shared secret should match at both the ends.
Rest all seems to be good.
Crypto ipsec transform-set is matching on both the ends. first one it is esp-3des esp-md5-hmac and the second one it is esp-3des esp-sha-hmac. use the same encyrption on both the ends
Also the Shared secret should match at both the ends.
Rest all seems to be good.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you so much for your fast reply
@svijay_k, in fact, I do not use nat, instead I just use nonat as a name of access-less. And you are right about the "esp-3des esp-md5-hmac" now i already correct it.
@PeteLong, I already changed to "esp-3des esp-md5-hmac". And regarding access-list and Policy etc in two ASA, the access-list name is different, but the traffic in two asa is mirror relation. also some names are different, but the content in the two asa are the same.
However the VPN is still not working. any suggestion ? Thank you.
@svijay_k, in fact, I do not use nat, instead I just use nonat as a name of access-less. And you are right about the "esp-3des esp-md5-hmac" now i already correct it.
@PeteLong, I already changed to "esp-3des esp-md5-hmac". And regarding access-list and Policy etc in two ASA, the access-list name is different, but the traffic in two asa is mirror relation. also some names are different, but the content in the two asa are the same.
However the VPN is still not working. any suggestion ? Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you. I got it after i reconfigured it.