Solved

Site2Site ASA5505 VPN on Packet Tracer 7.0 not working

Posted on 2016-11-11
Last Modified: 2016-11-20
I tried this example in Packet Tracer 7, but it never worked; I hope some experts can point me to where the problem is. Here are my two sites' configurations.

ASA1:

ASA Version 8.4(2)
!
hostname F1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
!
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F1#

ASA2:

ASA Version 8.4(2)
!
hostname F2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
!
!
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F2#

PC1 connected to ASA1 with IP 10.0.1.5 255.255.255.0 GW 10.0.1.1
PC2 connected to ASA2 with IP 10.0.2.5 255.255.255.0 GW 10.0.2.1

Can't ping between these two PCs.

Thanks,
Question by:amdj
7 Comments

Assisted Solution by: max_the_king (LVL 15, earned 500 total points)
hi,
you need to apply crypto on the outside interface.

This is wrong on both ASAs:
crypto map L2L interface inside
crypto ikev1 enable inside

Change inside to outside on both ASAs.

max
Author Comment by: amdj
@Max, I didn't catch that, but I changed it and it still doesn't work. I was following this tutorial here:
http://packetlife.net/blog/2011/jul/11/lan-lan-vpn-asa-5505/


Thanks,
Assisted Solution by: max_the_king (LVL 15)
hi,
you need to exempt NAT ...

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

on both ASAs,

where obj-local is the internal inside LAN and obj-remote is the inside LAN of the other site.

max
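A small config linter, added here as an example (it is not from the thread or from Cisco), that checks the posted ASA1 configuration for the two points raised in these answers: the crypto map and IKEv1 must be bound to the outside interface, and the LAN-to-LAN traffic needs an identity (twice) NAT rule. It also flags that the posted crypto ACL permits only tcp, so a ping test cannot match it. The object names obj-local/obj-remote follow the answer above; both sample configs are constructed from the posted lines.

```python
import re

# Constructed sample: the relevant lines of the thread's ASA1 config as posted (before the fixes)
ASA1_BEFORE = """
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L interface inside
crypto ikev1 enable inside
"""

# Constructed sample: the same site after applying both answers (outside binding, NAT exemption)
ASA1_AFTER = """
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L interface outside
crypto ikev1 enable outside
"""


def check_l2l(config):
    """Return a list of findings for an IKEv1 site-to-site (L2L) ASA config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. The crypto map and IKEv1 must be bound to the interface facing the peer (outside).
    for line in lines:
        m = re.match(r"crypto (?:map \S+ interface|ikev1 enable) (\S+)$", line)
        if m and m.group(1) != "outside":
            findings.append(f"'{line}': bound to {m.group(1)}, expected outside")
    # 2. LAN-to-LAN traffic needs an identity (twice) NAT rule so it is not translated before encryption.
    exempt = r"nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2"
    if not any(re.match(exempt, l) for l in lines):
        findings.append("no NAT exemption: nat (inside,outside) source static A A destination static B B")
    # 3. A ping test only matches a crypto ACL that permits icmp or ip, not one limited to tcp.
    acls = {m.group(1) for l in lines if (m := re.match(r"crypto map \S+ \d+ match address (\S+)", l))}
    for line in lines:
        m = re.match(r"access-list (\S+) extended permit (\S+) ", line)
        if m and m.group(1) in acls and m.group(2) not in ("ip", "icmp"):
            findings.append(f"crypto ACL {m.group(1)} permits only {m.group(2)}; ICMP will not match")
    return findings
```

Run `check_l2l` on each site's running config; the fixed sample yields no findings, the posted one yields four.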
Author Comment by: amdj
@LVL15, maybe that's why it never worked: there is no nat command in (config)# on the ASA5505 in Packet Tracer.
These are the only commands supported on the ASA5505 in Packet Tracer.

F1(config)#?
  aaa             Enable, disable, or view user authentication, authorization
                  and accounting
  access-group    Bind an access-list to an interface to filter traffic
  access-list     Configure an access control element
  boot            Set system boot parameters
  class-map       Configure MPF Class Map
  clock           Configure time-of-day clock
  configure       Configure using various methods
  crypto          Configure IPSec, ISAKMP, Certification, authority, key
  dhcpd           Configure DHCP Server
  domain-name     Change domain name
  enable          Configure password for the enable command
  end             Exit from configure mode
  exit            Exit from configure mode
  group-policy    Configure or remove a group policy
  hostname        Change host name of the system
  http            Configure http server and https related commands
  interface       Select an interface to configure
  ipv6            Global IPv6 configuration commands
  name            Associate a name with an IP address
  names           Enable/Disable IP address to name mapping
  no              Negate a command or set its defaults
  ntp             Configure NTP
  object          Configure an object
  object-group    Create an object group for use in 'access-list', etc
  passwd          Change Telnet console access password
  policy-map      Configure MPF Parameter Map
  route           Configure a static route for an interface
  service-policy  Configure MPF service policy
  setup           Pre-configure the system
  ssh             Configure SSH options
  telnet          Add telnet access to system console or set idle timeout
  tunnel-group    Create and manage the database of connection specific records
                  for IPSec connections
  username        Configure user authentication local database
  webvpn          Configure the WebVPN service
F1(config)#

Thanks,
Author Comment by: amdj
btw, I can't even ping between the two outside interfaces 172.16.1.2 and 172.16.2.2, and I've allowed icmp inspection.
Site2Site_asa_vpn.JPG
Accepted Solution by: amdj
I got it working by inserting a router between the two ASAs and adding a few access-lists to allow traffic to go out (TCP, ICMP, etc.). It turned out there are some limitations in the ASA in Packet Tracer: the nat command is not available, so I cannot configure a NAT exemption on the ASA 5505.

Thanks everyone!
Author Closing Comment by: amdj
My own research!