Packet Tracer and ASA 5505 - Frustrated.

kbermingham1
Level 1

Folks,

I am just going around in circles trying to configure a site-to-site VPN using the CLI on the ASA 5505 in Packet Tracer 6.1.1.

When I am configuring isakmp the commands just do not seem to be available, and it's really hampering my understanding of the subject matter etc.

I would be terribly obliged if someone could help me understand why this is so. The crypto isakmp command does not seem to exist either?

Please see attached the Packet Tracer file I am working with; maybe you could spot something in the 5505 config that might explain this.

Regards,

Kevin


Bratin Saha
Level 1

Hi Kevin,

Good Morning.

I was checking on Cisco Packet Tracer version 6.1.0.0120, and the ASA 5505 provided there comes with the default version 8.4(2). In order to create an IKEv1 policy, you will have to configure the "crypto ikev1 enable <interface-nameif>" command instead of the "crypto isakmp" command. Just go to configure terminal and type the command "crypto" followed by a question mark to see the available options.

Also verify that the VPN-3DES-AES license shows enabled under "show version".

Please mark this as answered if the information provided helps resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Thanks Bratin, yes, you could be onto something here. I'm just trying to configure a site-to-site VPN; however, all the tutorials on the web seem to point to creating it via isakmp. Do you know of any tutorials or labs that configure it in the way you are suggesting?

Hi Kevin,

Here is a sample configuration output for ASA version 8.4.

crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
!Note the IKEv1 keyword at the beginning of the pre-shared-key command.

object network 10.2.2.0_24
subnet 10.2.2.0 255.255.255.0
object network 10.1.1.0_24
subnet 10.1.1.0 255.255.255.0

access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.254.1
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
crypto map outside_map interface outside

nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Below is a link on the same topic; however, it is from the older versions (before 8.2). But this will help you get the concept and also has some troubleshooting methods. Cisco had to introduce the "crypto ikev1 enable" command instead of continuing with the "crypto isakmp enable" command since we had to add support for IKEv2. So this change was done from version 8.4(1) onwards.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100678-l2l-asa5505-config.html

Please mark this as answered if the information provided helps resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Hi Bratin, this is really helpful and I appreciate you taking the time; however, I have one more query. For some reason I cannot get the nat command to work.

I am running OS version 8.4 on Packet Tracer 6.2.0, but I get "unrecognised command" every time I run it.

The command above that deals with NAT ...

nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Does this have to be run as a subcommand in the network object piece and if so how do I do it? Which network object do I run it under?

ciscoasa(config)#
ciscoasa(config)#nat ?
% Unrecognized command
ciscoasa(config)#nat
                 ^
% Invalid input detected at '^' marker.
ciscoasa(config)#

Thank you for all your help so far. Kevin

Hi Kevin,

That was a sample example with an ASA having 2 interfaces - inside and outside.

The NAT statement is run from global configuration mode, i.e., ciscoasa(config)#.

I did not find the "NAT configuration" option in Packet Tracer version 6.1.0.0120 either; however, in a lab scenario we usually don't need one, as we are using non-routable addresses to practice. So you can skip the NAT config line that was put there.

Please mark this as answered if the information provided helps resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Thank you Bratin. Once I have completed the config, is there a way (besides being able to ping from one side to another) to tell that the data is in fact encrypted? Kevin

Also, would it be possible to show which parts of the config you have shown are phase 1 and phase 2?

Answering both queries.

Yes, the configuration posted by you looks fine, and you need to have a similar configuration on the peer device (router or ASA) with a mirror-image ACL. Meaning that on the peer unit the ACL format would look like "SITE-B to SITE-A".

The command "show crypto ipsec sa" can be run, which includes parameters such as encaps/decaps; if both are increasing in sync, it means that the tunnel is 'good'. If neither has a value and you are trying to send traffic, it means that the traffic is unable to go over the VPN tunnel. If only one of the encaps/decaps counters is increasing, it means that either encryption or decryption (but not both) is working.

In the configuration, the section that has crypto ikev1 policy (one or more) is usually the phase I configuration, while the section that has crypto map, transform-set, etc., is usually the phase II configuration.

Though it is from a very old 8.0.x release, the following link shows the segregation.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100678-l2l-asa5505-config.html

Recent Packet Tracer versions have 8.4 as the minimum version, so don't compare much with the 8.0 version.

Please mark this as answered if the information provided helps resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC
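The encaps/decaps rule of thumb above only makes sense as a comparison between two readings taken while test traffic is flowing. The script below is an added example (not from the thread or from Cisco) that parses the "#pkts encaps"/"#pkts decaps" lines of two "show crypto ipsec sa" snapshots and applies that rule per peer; the snapshots are constructed and trimmed to the counter lines.

```python
import re

# Constructed snapshots of "show crypto ipsec sa" for one peer, taken a few
# seconds apart while pings were running (only the relevant lines are kept).
SNAPSHOT_BEFORE = """
    peer address: 185.51.106.2
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""
SNAPSHOT_AFTER = """
    peer address: 185.51.106.2
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""


def parse_counters(output):
    """Map peer address -> (encaps, decaps) from show crypto ipsec sa text."""
    counters, peer = {}, None
    for line in output.splitlines():
        m = re.search(r"peer address: (\S+)", line)
        if m:
            peer = m.group(1)
            counters[peer] = [0, 0]
            continue
        m = re.search(r"#pkts (encaps|decaps): (\d+)", line)
        if m and peer:
            counters[peer][0 if m.group(1) == "encaps" else 1] = int(m.group(2))
    return {p: tuple(v) for p, v in counters.items()}


def assess_tunnel(before, after):
    """Classify each peer's SA from the change in encaps/decaps between snapshots."""
    verdicts = {}
    earlier = parse_counters(before)
    for peer, (enc1, dec1) in parse_counters(after).items():
        enc0, dec0 = earlier.get(peer, (0, 0))  # a new SA counts from zero
        enc_up, dec_up = enc1 > enc0, dec1 > dec0
        if enc_up and dec_up:
            verdicts[peer] = "good: encrypting and decrypting"
        elif enc_up:
            verdicts[peer] = "one-way: we encrypt, nothing comes back (check peer side)"
        elif dec_up:
            verdicts[peer] = "one-way: we decrypt, nothing sent (check local ACL/route)"
        else:
            verdicts[peer] = "idle: no traffic selected for the tunnel"
    return verdicts


if __name__ == "__main__":
    print(assess_tunnel(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```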

Bratin,

Do I need to have any static routes or does the tunnel just take care of routing?

Kevin

Hi Kevin,

No need to add any static routes. The config posted above looks fine.

Please remember to select a correct answer and rate helpful posts. 

Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Hey Bratin,

Does this look OK...

ciscoasa#show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 185.51.105.2 255.255.255.252
!
object network SITE-A
subnet 192.168.1.0 255.255.255.0
object network SITE-B
subnet 192.168.2.0 255.255.255.0
object network TEST
!
route outside 0.0.0.0 0.0.0.0 185.51.105.1 1
!
access-list VPN-TRAFFIC extended permit icmp object SITE-A object SITE-B
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd address 192.168.1.5-192.168.1.35 inside
dhcpd enable inside
!
dhcpd auto_config outside
!
!
crypto ipsec ikev1 transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
!
crypto map outside_map 20 match address VPN-TRAFFIC
crypto map outside_map 20 set peer 185.51.106.2
crypto map outside_map 20 set ikev1 transform-set MYTRANSFORMSET
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 185.51.105.2 type ipsec-l2l
tunnel-group 185.51.105.2 ipsec-attributes
ikev1 pre-shared-key cisco
!
ciscoasa#
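A quick consistency pass catches the kind of slip that is hard to spot by eye in a crypto-map config: the ACL and transform-set a map entry refers to must exist, IKEv1 must be enabled on the interface the map is bound to, and the tunnel-group must be named with the peer's address, not our own outside address (in the running-config above the tunnel-group 185.51.105.2 is the local Vlan2 address while the peer is 185.51.106.2). The checker below is an added example, not from the thread or from Cisco, run over a constructed snippet modelled on that config.

```python
import re

# Constructed ASA 8.4 IKEv1 L2L snippet modelled on the running-config above;
# the tunnel-group is deliberately named with the LOCAL outside address.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 185.51.105.2 255.255.255.252
object network SITE-A
 subnet 192.168.1.0 255.255.255.0
object network SITE-B
 subnet 192.168.2.0 255.255.255.0
access-list VPN-TRAFFIC extended permit icmp object SITE-A object SITE-B
crypto ipsec ikev1 transform-set MYTRANSFORMSET esp-aes esp-sha-hmac
crypto map outside_map 20 match address VPN-TRAFFIC
crypto map outside_map 20 set peer 185.51.106.2
crypto map outside_map 20 set ikev1 transform-set MYTRANSFORMSET
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 185.51.105.2 type ipsec-l2l
"""


def check_l2l(config):
    """Return a list of findings for a crypto-map based IKEv1 L2L config."""
    objects = set(re.findall(r"^object network (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec ikev1 transform-set (\S+)", config, re.M))
    enabled = set(re.findall(r"^crypto ikev1 enable (\S+)", config, re.M))
    tgroups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    local_ips = set(re.findall(r"^ ip address (\S+)", config, re.M))
    findings = []
    for line in re.findall(r"^access-list .*$", config, re.M):
        for name in re.findall(r"\bobject (\S+)", line):  # ACL objects must exist
            if name not in objects:
                findings.append(f"ACL references undefined object {name}")
    for seq, acl in re.findall(r"^crypto map \S+ (\d+) match address (\S+)", config, re.M):
        if acl not in acls:
            findings.append(f"crypto map entry {seq} matches undefined ACL {acl}")
    for seq, ts in re.findall(r"^crypto map \S+ (\d+) set ikev1 transform-set (\S+)", config, re.M):
        if ts not in tsets:
            findings.append(f"crypto map entry {seq} uses undefined transform-set {ts}")
    for iface in re.findall(r"^crypto map \S+ interface (\S+)", config, re.M):
        if iface not in enabled:
            findings.append(f"IKEv1 is not enabled on {iface} (crypto ikev1 enable {iface})")
    for seq, peer in re.findall(r"^crypto map \S+ (\d+) set peer (\S+)", config, re.M):
        if peer not in tgroups:
            findings.append(f"no 'tunnel-group {peer} type ipsec-l2l' for peer in entry {seq}")
    for tg in tgroups:
        if tg in local_ips:  # the tunnel-group name must be the PEER address
            findings.append(f"tunnel-group {tg} is this ASA's own address, not the peer's")
    return findings
```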

Hi,

It doesn't work for me.

I tried everything and got the same result:

MM_NO_STATE

F1:

interface Vlan1
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
object network F1
subnet 10.0.1.0 255.255.255.0
object network F2
subnet 10.0.2.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
access-list LAN_Traffic extended permit icmp object F1 object F2
access-list LAN_Traffic extended permit tcp object F1 object F2 eq www
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
ikev1 pre-shared-key ThisIsAWeakKey

F2:

interface Vlan1
nameif outside
security-level 0
ip address 172.16.2.2 255.255.255.252
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
!
object network F1
subnet 10.0.1.0 255.255.255.0
object network F2
subnet 10.0.2.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
!
access-list LAN_Traffic extended permit icmp object F2 object F1
access-list LAN_Traffic extended permit tcp object F2 object F1 eq www
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
ikev1 pre-shared-key ThisIsAWeakKey