Solved

Site2Site ASA5505 VPN on Packet Tracer 7.0 not working

Posted on 2016-11-11
7
101 Views
Last Modified: 2016-11-20
I tried this example in Packet Tracer 7 but it never worked; I hope some experts can point me to where the problem is. Here are my two sites' configurations.

ASA1:

ASA Version 8.4(2)
!
hostname F1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
!
!
!
!
!
class-map inspection-default
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F1#

ASA2:

ASA Version 8.4(2)
!
hostname F2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
!
!
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F2#

PC1 connected to ASA1 with IP 10.0.1.5 255.255.255.0 GW 10.0.1.1
PC2 connected to ASA2 with IP 10.0.2.5 255.255.255.0 GW 10.0.2.1

Can't ping between these two PCs.

Thanks,
0
Comment
Question by:amdj
7 Comments
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41884723
hi,
You need to apply the crypto map on the outside interface.

This is wrong on both ASAs:
crypto map L2L interface inside
crypto ikev1 enable inside

Change inside to outside on both ASAs.

max
0
 

Author Comment

by:amdj
ID: 41884778
@Max, I didn't catch that, but I changed it and it still doesn't work. I was following this tutorial here:
http://packetlife.net/blog/2011/jul/11/lan-lan-vpn-asa-5505/


Thanks,
0
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41884821
hi
You need to exempt NAT ...

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

on both ASAs,

where obj-local is the local inside LAN and obj-remote is the inside LAN of the other site.

max
0
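Putting both of max's points together for ASA1 (F1), as an added example that is not the poster's final config or the tutorial's: the crypto map and IKEv1 are bound to the outside interface, and the NAT exemption is built from two network objects named as in the answer above. It assumes a real ASA running 8.4(2) (the thread shows that Packet Tracer's ASA has no nat command), and it also widens the crypto ACL from tcp to ip, because the posted LAN_Traffic ACL permits only TCP, so an ICMP ping between the PCs would never match the crypto map and never bring the tunnel up.

```cisco
! ASA1 (F1): site-to-site pieces only, the rest of the posted config is unchanged
!
! Interesting traffic: all IP between the two LANs, not just TCP,
! otherwise a ping test never triggers the tunnel
no access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
! Network objects for the NAT exemption (object names taken from the answer above)
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
!
! Identity (twice) NAT: LAN-to-LAN traffic keeps its real addresses on both sides
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup
!
! IKEv1 phase 1 and phase 2 as posted, but bound to the OUTSIDE interface
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
no crypto map L2L interface inside
crypto map L2L interface outside
no crypto ikev1 enable inside
crypto ikev1 enable outside
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
! ASA2 (F2) is the mirror image: obj-local = 10.0.2.0/24, obj-remote = 10.0.1.0/24,
! ACL 10.0.2.0/24 -> 10.0.1.0/24, peer and tunnel-group 172.16.1.2
!
! Verification from exec mode, after sending traffic from PC1 to PC2:
!   show crypto ikev1 sa     -> phase 1 SA to 172.16.2.2 in state MM_ACTIVE
!   show crypto ipsec sa     -> pkts encaps / pkts decaps counters increasing
!   show nat detail          -> translate_hits on the exemption rule, not the dynamic PAT
```

The no-proxy-arp and route-lookup keywords are optional; they stop the ASA from answering ARP for the remote LAN and make it route the exempted traffic by the routing table rather than by the NAT rule.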
 

Author Comment

by:amdj
ID: 41884905
@LVL15, maybe that's why it never worked: there is no nat command in (config)# on the ASA 5505 in Packet Tracer.
These are the only commands supported on the ASA 5505 in Packet Tracer.

F1(config)#?
  aaa             Enable, disable, or view user authentication, authorization
                  and accounting
  access-group    Bind an access-list to an interface to filter traffic
  access-list     Configure an access control element
  boot            Set system boot parameters
  class-map       Configure MPF Class Map
  clock           Configure time-of-day clock
  configure       Configure using various methods
  crypto          Configure IPSec, ISAKMP, Certification, authority, key
  dhcpd           Configure DHCP Server
  domain-name     Change domain name
  enable          Configure password for the enable command
  end             Exit from configure mode
  exit            Exit from configure mode
  group-policy    Configure or remove a group policy
  hostname        Change host name of the system
  http            Configure http server and https related commands
  interface       Select an interface to configure
  ipv6            Global IPv6 configuration commands
  name            Associate a name with an IP address
  names           Enable/Disable IP address to name mapping
  no              Negate a command or set its defaults
  ntp             Configure NTP
  object          Configure an object
  object-group    Create an object group for use in 'access-list', etc
  passwd          Change Telnet console access password
  policy-map      Configure MPF Parameter Map
  route           Configure a static route for an interface
  service-policy  Configure MPF service policy
  setup           Pre-configure the system
  ssh             Configure SSH options
  telnet          Add telnet access to system console or set idle timeout
  tunnel-group    Create and manage the database of connection specific records
                  for IPSec connections
  username        Configure user authentication local database
  webvpn          Configure the WebVPN service
F1(config)#

Thanks,
0
 

Author Comment

by:amdj
ID: 41884922
BTW, I can't even ping between the two outside interfaces 172.16.1.2 and 172.16.2.2, and I've allowed ICMP inspection.
[Attachment: Site2Site_asa_vpn.JPG]
0
 

Accepted Solution

by:
amdj earned 0 total points
ID: 41888528
I got it working by inserting a router between the two ASAs and adding a few access-lists to allow traffic to go out (TCP, ICMP, etc.). It turned out there are some limitations in the ASA in Packet Tracer: the nat command is not available, so I cannot configure a NAT exemption on the ASA 5505.

Thanks everyone!
0
 

Author Closing Comment

by:amdj
ID: 41894672
My own research!
0
