Solved

Site2Site ASA5505 VPN on Packet Tracer 7.0 not working

Posted on 2016-11-11
Last Modified: 2016-11-20
I tried this example in Packet Tracer 7 but it never worked; I hope some experts can point me to where the problem is. Here are my 2 sites' configurations.

ASA1:

ASA Version 8.4(2)
!
hostname F1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
!
!
!
!
!
class-map inspection-default
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F1#

ASA2:

ASA Version 8.4(2)
!
hostname F2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
!
!
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F2#

PC1 connected to ASA1 with IP 10.0.1.5 255.255.255.0 GW 10.0.1.1
PC2 connected to ASA2 with IP 10.0.2.5 255.255.255.0 GW 10.0.2.1

Can't ping between these two PCs.

Thanks,
Question by:amdj

Assisted Solution

by:max_the_king
ID: 41884723
hi,
you need to apply crypto on the outside interface

this is wrong on both ASAs:
crypto map L2L interface inside
crypto ikev1 enable inside

change inside to outside on both ASAs

max

Author Comment

by:amdj
ID: 41884778
@Max, I didn't catch that, but I changed it and it still doesn't work. I was following this tutorial here:
http://packetlife.net/blog/2011/jul/11/lan-lan-vpn-asa-5505/


Thanks,

Assisted Solution

by:max_the_king
ID: 41884821
hi
you need to exempt NAT ...

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

on both ASAs.

where obj-local is the internal inside LAN and obj-remote is the inside LAN of the other site.

max
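Putting the two fixes from the comments above together for ASA1 (F1), as an added example that is not from the thread or the linked tutorial: it assumes real ASA 8.4 syntax and the object names obj-local/obj-remote from the comment, and it also adds a permit ip entry to the crypto ACL, because the posted LAN_Traffic ACL matches tcp only, so a ping never selects interesting traffic. Mirror the subnets and peer on ASA2 (F2).

```text
! Added example for ASA1 (F1); swap the subnets on ASA2 (F2).
! Objects for the local and remote LANs (names from the comment above)
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
!
! Identity (twice) NAT: LAN-to-LAN traffic keeps its real addresses
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
! Crypto ACL: the posted LAN_Traffic line permits tcp only, so ICMP never
! matches it; match all IP between the two LANs instead
no access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
! IKEv1 and the crypto map belong on the interface facing the peer (outside)
no crypto ikev1 enable inside
no crypto map L2L interface inside
crypto ikev1 enable outside
crypto map L2L interface outside
!
! Checks after sending traffic from PC1 (10.0.1.5) to PC2 (10.0.2.5):
!  show crypto ikev1 sa   -> expect an MM_ACTIVE entry for peer 172.16.2.2
!  show crypto ipsec sa   -> #pkts encaps/decaps should increase
!  show nat               -> the identity rule should show a hit count
```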

Author Comment

by:amdj
ID: 41884905
@LVL15, maybe that's why it never worked: there is no nat command in (config)# on the ASA 5505 in Packet Tracer.
These are the only commands supported on the ASA 5505 in Packet Tracer.

F1(config)#?
  aaa             Enable, disable, or view user authentication, authorization
                  and accounting
  access-group    Bind an access-list to an interface to filter traffic
  access-list     Configure an access control element
  boot            Set system boot parameters
  class-map       Configure MPF Class Map
  clock           Configure time-of-day clock
  configure       Configure using various methods
  crypto          Configure IPSec, ISAKMP, Certification, authority, key
  dhcpd           Configure DHCP Server
  domain-name     Change domain name
  enable          Configure password for the enable command
  end             Exit from configure mode
  exit            Exit from configure mode
  group-policy    Configure or remove a group policy
  hostname        Change host name of the system
  http            Configure http server and https related commands
  interface       Select an interface to configure
  ipv6            Global IPv6 configuration commands
  name            Associate a name with an IP address
  names           Enable/Disable IP address to name mapping
  no              Negate a command or set its defaults
  ntp             Configure NTP
  object          Configure an object
  object-group    Create an object group for use in 'access-list', etc
  passwd          Change Telnet console access password
  policy-map      Configure MPF Parameter Map
  route           Configure a static route for an interface
  service-policy  Configure MPF service policy
  setup           Pre-configure the system
  ssh             Configure SSH options
  telnet          Add telnet access to system console or set idle timeout
  tunnel-group    Create and manage the database of connection specific records
                  for IPSec connections
  username        Configure user authentication local database
  webvpn          Configure the WebVPN service
F1(config)#

Thanks,

Author Comment

by:amdj
ID: 41884922
btw, I can't even ping between the two outside interfaces 172.16.1.2 and 172.16.2.2, and I've allowed icmp inspection.
Site2Site_asa_vpn.JPG

Accepted Solution

by:amdj
ID: 41888528
I got it working by inserting a router between the two ASAs and adding a few access-lists to allow traffic to go out (tcp, icmp, etc.). It turned out there are some limitations in the ASA in Packet Tracer: the nat command is not available, so I cannot configure a NAT exemption on the ASA 5505.

Thanks everyone!

Author Closing Comment

by:amdj
ID: 41894672
My own research!