02-14-2018 01:39 AM - edited 02-21-2020 07:21 AM
I am trying to create a site-to-site VPN between two Cisco ASA 5505s in Packet Tracer.
I would like my PC at Site 1 (192.168.1.1) to ping my second PC at Site 2 (192.168.2.1).
Unfortunately, if I send a ping from PC 1 (192.168.1.1), the ASA 5505 at Site 2 (10.10.10.2) blocks my packet.
I tried to follow different tutorials found on the net, but none gives a positive result.
Regards.
ASA0 configuration
ASA Version 8.4(2)
!
hostname ASAVevey
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
object network LAN-inside
 subnet 192.168.1.0 255.255.255.0
!
route outside 192.168.2.0 255.255.255.0 10.10.10.2 1
!
access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside extended permit icmp any any
!
!
access-group outside out interface outside
object network LAN-inside
 nat (inside,outside) dynamic interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map cmap 1 match address ACL1
crypto map cmap 1 set peer 10.10.10.2
crypto map cmap 1 set ikev1 transform-set myset
crypto map cmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
ASA1 configuration
ASA Version 8.4(2)
!
hostname ASALausanne
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
object network LAN-inside
 subnet 192.168.2.0 255.255.255.0
!
route outside 192.168.1.0 255.255.255.0 10.10.10.1 1
!
access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside extended permit icmp any any
!
access-group outside out interface outside
object network LAN-inside
 nat (inside,outside) dynamic interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map cmap 1 match address ACL2
crypto map cmap 1 set peer 10.10.10.1
crypto map cmap 1 set ikev1 transform-set myset
crypto map cmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
02-14-2018 07:41 AM
Hello @MrEtho53,
There is no alternative in Packet Tracer; that's what you get, nothing else. I would suggest using GNS3 or EVE-NG (the better option) for your labs.
Unfortunately, Packet-tracer is very limited in Firewalling.
HTH
Gio
02-14-2018 03:35 AM
It seems you are NATing the VPN packets; that will cause them not to match the crypto ACL.
In order to avoid that, you can configure identity NAT for the VPN traffic. It should be something like:
ASA0 configuration:
object network LAN-remote
subnet 192.168.2.0 255.255.255.0
!
nat (inside,outside) source static LAN-inside LAN-inside destination static LAN-remote LAN-remote no-proxy-arp route-lookup
ASA1 configuration:
object network LAN-remote
subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static LAN-inside LAN-inside destination static LAN-remote LAN-remote no-proxy-arp route-lookup
HTH
Bogdan
02-14-2018 04:26 AM
Thank you very much for your answer. Unfortunately, in Packet Tracer my ASA 5505 firewall doesn't have the nat command in "(config)#".
So what can I do as an alternative?
See it below:
A big thanks.
ASAVevey(config)#?
  aaa             Enable, disable, or view user authentication, authorization and accounting
  access-group    Bind an access-list to an interface to filter traffic
  access-list     Configure an access control element
  boot            Set system boot parameters
  class-map       Configure MPF Class Map
  clock           Configure time-of-day clock
  configure       Configure using various methods
  crypto          Configure IPSec, ISAKMP, Certification, authority, key
  dhcpd           Configure DHCP Server
  domain-name     Change domain name
  enable          Configure password for the enable command
  end             Exit from configure mode
  exit            Exit from configure mode
  group-policy    Configure or remove a group policy
  hostname        Change host name of the system
  http            Configure http server and https related commands
  interface       Select an interface to configure
  ipv6            Global IPv6 configuration commands
  name            Associate a name with an IP address
  names           Enable/Disable IP address to name mapping
  no              Negate a command or set its defaults
  ntp             Configure NTP
  object          Configure an object
  object-group    Create an object group for use in 'access-list', etc
  passwd          Change Telnet console access password
  policy-map      Configure MPF Parameter Map
  route           Configure a static route for an interface
  service-policy  Configure MPF service policy
  setup           Pre-configure the system
  ssh             Configure SSH options
  telnet          Add telnet access to system console or set idle timeout
  tunnel-group    Create and manage the database of connection specific records for IPSec connections
  username        Configure user authentication local database
  webvpn          Configure the WebVPN service
02-15-2018 05:05 AM
Considering it is a lab and you want to test the VPN, you could remove the NAT config.
object network LAN-inside
 no nat (inside,outside) dynamic interface
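As an added illustration (not code from any of the posters), here is a small Python model of why both fixes in this thread work: on an ASA 8.4 the outbound packet is NATed first (manual/twice NAT in section 1 is checked before object NAT in section 2) and only then is the crypto ACL evaluated against the translated packet, so the dynamic interface PAT hides the 192.168.1.0/24 source from ACL1. The addresses, ACL1 and the three NAT variants mirror the ASA0 side; the rule/section structure is an assumed simplification of the real NAT table.

```python
# Added model (not the thread's own code): ASA 8.4 outbound order of operations
# for an inside->outside packet, reduced to the two steps that matter here:
#   1. NAT is applied, section 1 (manual/twice NAT) before section 2 (object NAT)
#   2. the crypto-map ACL is evaluated on the already-translated packet
# Addresses and rules mirror the ASA0 side of the thread (ACL1, LAN-inside PAT).
import ipaddress


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# Crypto ACL1 on ASA0: permit ip 192.168.1.0/24 -> 192.168.2.0/24
CRYPTO_ACL = [("192.168.1.0/24", "192.168.2.0/24")]

# Rule shape (simplified): section (1 = manual, 2 = object NAT), src, optional dst, kind
PAT_ONLY = [  # original post: object NAT "nat (inside,outside) dynamic interface"
    {"section": 2, "src": "192.168.1.0/24", "kind": "dynamic"},
]
WITH_IDENTITY = [  # Bogdan's fix: identity (twice) NAT evaluated ahead of the PAT
    {"section": 1, "src": "192.168.1.0/24", "dst": "192.168.2.0/24", "kind": "identity"},
] + PAT_ONLY
NO_NAT: list = []  # final suggestion: remove the PAT rule in the lab


def apply_nat(src: str, dst: str, rules: list, outside_ip: str) -> str:
    """Return the post-NAT source: first matching rule wins, section 1 first."""
    for section in (1, 2):
        for rule in rules:
            if rule["section"] != section or not in_net(src, rule["src"]):
                continue
            if "dst" in rule and not in_net(dst, rule["dst"]):
                continue
            return src if rule["kind"] == "identity" else outside_ip
    return src  # no rule matched: the packet leaves untranslated


def crypto_match(src: str, dst: str) -> bool:
    return any(in_net(src, s) and in_net(dst, d) for s, d in CRYPTO_ACL)


def encrypted(src: str, dst: str, rules: list, outside_ip: str = "10.10.10.1") -> bool:
    """Would ASA0 put src->dst into the tunnel? The crypto ACL sees the NATed source."""
    return crypto_match(apply_nat(src, dst, rules, outside_ip), dst)


if __name__ == "__main__":
    for name, rules in (("PAT only", PAT_ONLY), ("identity NAT", WITH_IDENTITY), ("no NAT", NO_NAT)):
        post = apply_nat("192.168.1.1", "192.168.2.1", rules, "10.10.10.1")
        print(f"{name:13} src after NAT={post:12} encrypted={encrypted('192.168.1.1', '192.168.2.1', rules)}")
    # internet-bound traffic is still PATed when the identity rule is present
    print("to 8.8.8.8 with identity NAT:", apply_nat("192.168.1.1", "8.8.8.8", WITH_IDENTITY, "10.10.10.1"))
```

With the PAT only, the source is rewritten to 10.10.10.1 before ACL1 is consulted, so nothing is ever encrypted; the identity rule keeps the VPN traffic untranslated while ordinary internet traffic is still PATed.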