Solved

Help me make this VPN connect site to site with another ASA please.

Posted on 2015-01-11
228 Views
Last Modified: 2015-01-15
Somehow the attached CLI commands do not allow for IPSEC VPN. I adapted the commands from a PIX configuration that continues to work just fine. The attached configuration on the ASA will allow internet access. IP addresses double-checked, but they are changed to protect the innocent here. VPN does not connect with ASA 5505, identical hardware, ASDM configuration seems very similar. Have I been looking at it too long?
 
ASA Version 8.2(5)
!
hostname TEST
enable password test encrypted
passwd test encrypted
names
name 192.168.168.21 Aaaa
name 192.168.168.0 BBBB
name 192.168.1.0 Cccc
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.1 255.255.255.224
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.169.57.80 255.255.255.224
!
interface Vlan5
 description dmz
 no nameif
 security-level 50
 ip address dhcp
!
ftp mode passive
clock timezone GMT 0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp host Aaaa any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit ip BBBB 255.255.255.0 Cccc 255.255.255.0
access-list inside_nat0_outbound extended permit ip BBBB 255.255.255.0 Cccc 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm location Aaaa 255.255.255.255 inside
asdm location Cccc 255.255.255.0 inside
asdm location BBBB 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ipaddress 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Cccc 255.255.255.0 inside
http BBBB 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set rhitransform esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_1_cryptomap
crypto map outside_map 40 set peer ip
crypto map outside_map 40 set transform-set rhitransform
crypto map outside_map 40 set security-association lifetime seconds 14400
crypto map outside_map 40 set security-association lifetime kilobytes 608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet BBBB 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address ip-ip inside
dhcpd dns ip-ip interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group ipaddress type ipsec-l2l
tunnel-group ipaddress ipsec-attributes
 pre-shared-key TEST
 isakmp keepalive threshold 600 retry 10
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum: test
0
Question by:JohnDoctor
7 Comments
 
LVL 18

Expert Comment

by:jmeggers
First off, what does the other side's configuration look like? Need to see that to check the things that need to match.

Second, what do you see when you show crypto isakmp SAs? Is Phase 1 completing and it's just not passing traffic, or is it not connecting at all? Related question: I'm assuming the devices can reach each other over the Internet, but if they can't, that's an obvious problem.

John
0
 
LVL 28

Expert Comment

by:Jan Springer
debug crypto isakmp 25
debug crypto ipsec 25
term mon

What is the debug output (it will be in the logs) when an attempt is made?
0
 

Author Comment

by:JohnDoctor
Please note the attached is the configuration on the other end that works, same hardware. Identifying info removed. The devices can ping each other. More research to follow, but is there a clue in comparing the two configurations?

ASA Version 8.2(5)
!!!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.224
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 1.1.1.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name TESTING
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
:etc
access-list nonat-acl extended permit ip Work 255.255.255.0 ra 255.255.255.0
access-list nonat-acl extended permit ip Work 255.255.255.0 net 255.255.255.0
access-list nonat-acl extended permit ip host Z A 255.255.252.0
access-list nonat-acl extended permit ip host A A 255.255.252.0
access-list nonat-acl extended permit ip host 1.1.1.1 2.2.2.2 255.255.255.128
access-list inbound-acl extended permit icmp any any echo-reply
access-list inbound-acl extended permit icmp any any time-exceeded
access-list inbound-acl extended permit icmp any any traceroute
access-list inbound-acl extended permit tcp any interface outside eq https inactive
access-list inbound-acl extended permit tcp any interface outside eq www
access-list inbound-acl extended permit tcp host SERVER interface inside eq www inactive
access-list inbound-acl extended permit tcp any interface outside eq smtp
access-list inbound-acl extended permit tcp any interface outside inactive
access-list outbound-acl extended permit tcp host GroupLAN any object-group DM_INLINE_TCP_8
: etc…..
access-list outbound-acl extended deny tcp any any eq smtp
access-list outbound-acl extended deny tcp any any eq www
access-list outbound-acl extended permit tcp any any eq https inactive
access-list outbound-acl extended permit ip any any
access-list home-vpn-acl extended permit ip Work 255.255.255.0 home 255.255.255.0
access-list ra-splittunnel-acl standard permit Work 255.255.255.0
access-list np-splittunnel-acl remark Split tunnel
access-list np-splittunnel-acl standard permit host X
access-list nat extended permit ip host X 1.1.1.1 255.255.255.128
access-list outside_cryptomap extended permit ip host 1.1.1.1 3.3.3.3
access-list outside_cryptomap_1 extended permit ip host X Q 255.255.252.0
pager lines 15
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ra-pool 1.1.1.1-1.1.1.10 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name IDS1 attack action alarm drop reset
ip audit name IDS2 info action alarm drop reset
ip audit interface inside IDS2
ip audit interface inside IDS1
ip audit interface outside IDS2
ip audit interface outside IDS1
ip audit signature 2000 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp deny any outside
asdm location Computer 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat-acl
nat (inside) 1 Work 255.255.255.0
nat (dmz) 1 Play 255.255.255.0
static (inside,outside) tcp interface smtp Mail smtp netmask 255.255.255.255
static (inside,outside) tcp interface www Website www netmask 255.255.255.255
static (inside,outside) 1.1.1.1  access-list NAT
access-group outbound-acl in interface inside
access-group inbound-acl in interface outside
route outside 0.0.0.0 0.0.0.0 4.4.4.4 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host SERVER
 timeout 5
 key heart
http server enable
http A 255.255.255.0 inside
http B 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound
service resetoutside
crypto ipsec transform-set rhitransform esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map 50 set transform-set rhitransform
crypto map rhimap 40 match address elsewhere
crypto map rhimap 40 set peer IPaddress
crypto map rhimap 40 set transform-set Atransform
crypto map rhimap 40 set security-association lifetime seconds 14400
crypto map rhimap 40 set security-association lifetime kilobytes 608000
crypto map rhimap 65535 ipsec-isakmp dynamic map
crypto map rhimap interface outside
crypto ca trustpoint ASDM_Trust2
 enrollment self
 subject-name CN=WorkPIX
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate ffffffffffffffffffffffffffffffffffffffffffffff
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet place 255.255.255.0 inside
telnet ra 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Trust2 outside
webvpn
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc profiles RHIProfile disk0:/rhiprofile.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value rhira-pool

username Joe password Test encrypted privilege 0
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 ipsec-attributes
 pre-shared-key Testing
 isakmp keepalive threshold 600 retry 10
tunnel-group sslvpn-group type remote-access
tunnel-group sslvpn-group general-attributes
 address-pool pool
 default-group-policy sslvpn-policy
tunnel-group sslvpn-group webvpn-attributes
 group-alias connect enable
tunnel-group ipsec-group type remote-access
tunnel-group ipsec-group general-attributes
 address-pool pool
 authentication-server-group RADIUS LOCAL
 default-group-policy ipsec-policy
tunnel-group ipsec-group ipsec-attributes
 pre-shared-key TESTTEST
tunnel-group NP type remote-access
tunnel-group NP general-attributes
 address-pool pool
 authentication-server-group RADIUS
 default-group-policy np-policy
tunnel-group NP ipsec-attributes
 pre-shared-key TESTTESTTEST
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key TESTTESTTSTEST
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key TEST5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect http
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile Cisco
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ffffffffffffffffffffffffffffffff
0

 
LVL 28

Expert Comment

by:Jan Springer
The problem with grunging too much of the data is that we cannot do a compare to see where the problem might lie.

So, create the crypto maps to be identical to each other with the exception of the peer IP and the access-list name.

The access-lists on each end must be an exact inverse match of each other.

Do a "more system:running" to verify the pre-shared keys.

Turn on crypto debugging as mentioned above and run a test.

Report back.
0
 

Author Comment

by:JohnDoctor
-Here is the result of show crypto isakmp sa:

ASA(config)# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: [the outside IP address of the other ASA]
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

ASA(config)# show crypto isakmp sa detail

There are no isakmp sas

-I compared crypto sections: here is one issue. The ASA that I am trying to connect with, that works with the PIX, has this statement about a certificate that is not on the ASA that I am trying to configure. However, the PIX that does connect to the ASA that I am trying to connect with is also lacking the certificate. Do I need a certificate on the ASA even though I did not have one on the PIX?
crypto ca trustpoint ASDM_TrustPointX
 enrollment self
 subject-name CN=PIX
 crl configure
crypto ca certificate chain ASDM_TrustPointX
 certificate ffffffffff...............

-Note also that the pre-shared keys are verified identical on exam with more system:running.

-Do I need to start over with the crypto maps and access-lists? ASDM configuration seems identical.

Thanks again for your consideration.
0
 
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
I don't expect you to have either or both phases up.

debug crypto isakmp 25
debug crypto ipsec 25
term mon

What is the debug output (it will be in the logs) when an attempt is made?
0
 

Author Comment

by:JohnDoctor
The connection profile had a digit of the IP address as an 8 instead of a 0. (Yes, I know.) Careful review of the debug file was what it took. Thanks!
0
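A cross-check script, added here as an example and not code from the thread or from Cisco, that automates the advice given above (crypto maps identical except for peer IP and ACL name, crypto ACLs an exact inverse of each other) and also flags the mismatched tunnel-group address that turned out to be the root cause. The two config fragments and their addresses are constructed, and the parsing covers only the ASA 8.2 line formats that appear in the thread.

```python
import re
# Constructed sample fragments (not from the thread) of two ASA 8.2 peers. Side A's
# tunnel-group has one wrong digit (8 instead of 0), the root cause reported above.
SIDE_A = """
interface Vlan2
 nameif outside
 ip address 198.51.100.80 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 40 match address outside_1_cryptomap
crypto map outside_map 40 set peer 203.0.113.10
tunnel-group 203.0.113.18 type ipsec-l2l
"""
SIDE_B = """
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.224
access-list elsewhere extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
crypto map rhimap 40 match address elsewhere
crypto map rhimap 40 set peer 198.51.100.80
tunnel-group 198.51.100.80 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$", re.M)
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$", re.M)
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$", re.M)
OUTSIDE_RE = re.compile(r"^ nameif outside\n(?: [^\n]*\n)*? ip address (\S+) ", re.M)

def parse(cfg):
    """Extract crypto ACLs, crypto map peer/match lines, l2l tunnel-groups and the outside IP."""
    acls = {}
    for name, s, sm, d, dm in ACL_RE.findall(cfg):
        acls.setdefault(name, set()).add(((s, sm), (d, dm)))
    return {"acls": acls,
            "peers": {(m, seq): ip for m, seq, ip in PEER_RE.findall(cfg)},
            "matches": {(m, seq): acl for m, seq, acl in MATCH_RE.findall(cfg)},
            "tunnel_groups": set(TG_RE.findall(cfg)),
            "outside_ip": OUTSIDE_RE.search(cfg).group(1)}

def check_pair(cfg_local, cfg_remote):
    """Return findings for each local l2l crypto map entry checked against the remote config."""
    a, b = parse(cfg_local), parse(cfg_remote)
    findings = []
    for key, peer in a["peers"].items():
        if peer != b["outside_ip"]:
            findings.append(f"{key}: set peer {peer} is not the remote outside address {b['outside_ip']}")
        if peer not in a["tunnel_groups"]:  # wrong/missing name means no pre-shared key for this peer
            findings.append(f"{key}: no 'tunnel-group {peer} type ipsec-l2l' entry")
        # The remote crypto ACL must be the exact inverse (src and dst swapped) of the local one.
        mirrored = {(d, s) for s, d in a["acls"].get(a["matches"].get(key, ""), set())}
        remote = set()
        for bkey, bpeer in b["peers"].items():
            if bpeer == a["outside_ip"]:
                remote |= b["acls"].get(b["matches"].get(bkey, ""), set())
        if mirrored != remote:
            findings.append(f"{key}: crypto ACL is not the exact inverse of the remote side's")
    return findings
```

Run `check_pair` in both directions: side B checks clean, while side A reports the tunnel-group that does not match its crypto map peer.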
