Solved

Site2Site ASA5505 VPN on Packet Tracer 7.0 not working

Posted on 2016-11-11
Last Modified: 2016-11-20
I tried this example in Packet Tracer 7 but it never worked; I hope some experts can point me to where the problem is. Here are my two sites' configurations.

ASA1:

ASA Version 8.4(2)
!
hostname F1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
!
!
!
!
!
class-map inspection-default
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F1#

ASA2:

ASA Version 8.4(2)
!
hostname F2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.2.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
!
!
!
!
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
!
F2#

PC1 connected to ASA1 with IP 10.0.1.5 255.255.255.0 GW 10.0.1.1
PC2 connected to ASA2 with IP 10.0.2.5 255.255.255.0 GW 10.0.2.1

Can't ping between these two PCs.

Thanks,
Question by:amdj
7 Comments
 
LVL 17

Assisted Solution

by:max_the_king
max_the_king earned 2000 total points
ID: 41884723
Hi,
you need to apply crypto on the outside interface.

This is wrong on both ASAs:
crypto map L2L interface inside
crypto ikev1 enable inside

Change inside to outside on both ASAs.

max

Author Comment

by:amdj
ID: 41884778
@Max, I didn't catch that, but I changed it and it still doesn't work. I was following this tutorial here:
http://packetlife.net/blog/2011/jul/11/lan-lan-vpn-asa-5505/


Thanks,
LVL 17

Assisted Solution

by:max_the_king
max_the_king earned 2000 total points
ID: 41884821
Hi,
you need to exempt NAT ...

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

on both ASAs,

where obj-local is the internal inside LAN and obj-remote is the inside LAN of the other site.

max
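As an added example (not code from the thread or from any poster), a small Python lint that checks an ASA config excerpt for the two points raised in the answers above (crypto map and IKEv1 bound to the outside interface; an identity NAT exemption for the LAN-to-LAN traffic) plus one check the thread does not mention: the posted crypto ACL permits only tcp, so ICMP pings are never classified as interesting traffic. The object names obj-local/obj-remote and the corrected excerpt are assumptions.

```python
import re

# Constructed excerpt of the poster's ASA1 config (only the lines the checks look at).
ASA1_CONFIG = """\
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L interface inside
crypto ikev1 enable inside
"""

# The same excerpt with the thread's fixes applied (constructed; object names are assumed).
ASA1_FIXED = """\
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L interface outside
crypto ikev1 enable outside
"""


def lint_l2l_config(config: str) -> list[str]:
    """Return findings for the L2L checks raised in the thread, plus the ACL protocol check."""
    findings = []
    # 1. The crypto map must be bound to the outside interface (first answer).
    for name, iface in re.findall(r"^crypto map (\S+) interface (\S+)$", config, re.M):
        if iface != "outside":
            findings.append(f"crypto map {name} bound to '{iface}', expected 'outside'")
    # 2. IKEv1 must be enabled on the outside interface as well.
    for iface in re.findall(r"^crypto ikev1 enable (\S+)$", config, re.M):
        if iface != "outside":
            findings.append(f"ikev1 enabled on '{iface}', expected 'outside'")
    # 3. Identity (twice) NAT must exempt the LAN-to-LAN traffic from translation (second answer).
    if not re.search(r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2$",
                     config, re.M):
        findings.append("no NAT exemption for the LAN-to-LAN traffic")
    # 4. Ping is ICMP: a tcp-only crypto ACL never classifies it as interesting traffic.
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M):
        protos = set(re.findall(rf"^access-list {re.escape(acl)} extended permit (\S+) ", config, re.M))
        if "ip" not in protos:
            findings.append(f"crypto ACL {acl} permits only {sorted(protos)}; ICMP will not match")
    return findings
```

Running `lint_l2l_config` over the poster's excerpt reports all four findings; over the corrected excerpt it reports none.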

Author Comment

by:amdj
ID: 41884905
@LVL15, maybe that's why it never worked: there is no nat command in (config)# on the ASA5505 in Packet Tracer.
These are the only commands supported on the asa5505 in Packet Tracer.

F1(config)#?
  aaa             Enable, disable, or view user authentication, authorization
                  and accounting
  access-group    Bind an access-list to an interface to filter traffic
  access-list     Configure an access control element
  boot            Set system boot parameters
  class-map       Configure MPF Class Map
  clock           Configure time-of-day clock
  configure       Configure using various methods
  crypto          Configure IPSec, ISAKMP, Certification, authority, key
  dhcpd           Configure DHCP Server
  domain-name     Change domain name
  enable          Configure password for the enable command
  end             Exit from configure mode
  exit            Exit from configure mode
  group-policy    Configure or remove a group policy
  hostname        Change host name of the system
  http            Configure http server and https related commands
  interface       Select an interface to configure
  ipv6            Global IPv6 configuration commands
  name            Associate a name with an IP address
  names           Enable/Disable IP address to name mapping
  no              Negate a command or set its defaults
  ntp             Configure NTP
  object          Configure an object
  object-group    Create an object group for use in 'access-list', etc
  passwd          Change Telnet console access password
  policy-map      Configure MPF Parameter Map
  route           Configure a static route for an interface
  service-policy  Configure MPF service policy
  setup           Pre-configure the system
  ssh             Configure SSH options
  telnet          Add telnet access to system console or set idle timeout
  tunnel-group    Create and manage the database of connection specific records
                  for IPSec connections
  username        Configure user authentication local database
  webvpn          Configure the WebVPN service
F1(config)#

Thanks,

Author Comment

by:amdj
ID: 41884922
btw, I can't even ping between the two outside interfaces 172.16.1.2 and 172.16.2.2, and I've allowed ICMP inspection.
Site2Site_asa_vpn.JPG

Accepted Solution

by:
amdj earned 0 total points
ID: 41888528
I got it working by inserting a router between the two ASAs and adding a few access-lists to allow traffic to go out (TCP, ICMP, etc.). It turned out there are some limitations in the ASA in Packet Tracer: the nat command is not available, so I cannot configure a NAT exemption on the ASA 5505.

Thanks everyone!

Author Closing Comment

by:amdj
ID: 41894672
My own research!