Solved: VPN S2S/L2L between 2 ASA 5505 Packet tracer

MrEtho53 (Level 1)

Hello, I'm new to the Packet Tracer community.

I am trying to create a VPN between 2 Cisco ASA 5505 (Site to site) via packet tracer.


I would like my PC at Site 1 (192.168.1.1) to ping my second PC at Site 2 (192.168.2.1).

Unfortunately, if I send a ping from my PC 1 (192.168.1.1), the ASA 5505 at site 2 (10.10.10.2) blocks my packet.

I tried to follow different tutorials found on the net, but none gives a positive result.

Regards.

ASA0 configuration

ASA Version 8.4(2)
!
hostname ASAVevey
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
object network LAN-inside
 subnet 192.168.1.0 255.255.255.0
!
route outside 192.168.2.0 255.255.255.0 10.10.10.2 1
!
access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside extended permit icmp any any
!
!
access-group outside out interface outside
object network LAN-inside
 nat (inside,outside) dynamic interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map cmap 1 match address ACL1
crypto map cmap 1 set peer 10.10.10.2 
crypto map cmap 1 set ikev1 transform-set myset 
crypto map cmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key cisco123

ASA1 configuration

ASA Version 8.4(2)
!
hostname ASALausanne
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
object network LAN-inside
 subnet 192.168.2.0 255.255.255.0
!
route outside 192.168.1.0 255.255.255.0 10.10.10.1 1
!
access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside extended permit icmp any any
!
access-group outside out interface outside
object network LAN-inside
 nat (inside,outside) dynamic interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map cmap 1 match address ACL2
crypto map cmap 1 set peer 10.10.10.1 
crypto map cmap 1 set ikev1 transform-set myset 
crypto map cmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
Accepted Solution

Hello @MrEtho53,


There is no alternative in Packet Tracer; that's what you get, nothing else. I would suggest using GNS3 or EVE-NG (the better option) for your labs.


Unfortunately, Packet-tracer is very limited in Firewalling.


HTH

Gio

4 Replies

Bogdan Nita (VIP Alumni)

It seems you are NATing the VPN packets; that will cause them not to match the crypto ACL.

In order to avoid that, you can configure identity NAT for the VPN traffic. It should be something like:


ASA0 configuration:

object network LAN-remote
subnet 192.168.2.0 255.255.255.0
!
nat (inside,outside) source static LAN-inside LAN-inside destination static LAN-remote LAN-remote no-proxy-arp route-lookup


ASA1 configuration:

object network LAN-remote
subnet 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static LAN-inside LAN-inside destination static LAN-remote LAN-remote no-proxy-arp route-lookup


HTH

Bogdan

Thank you very much for your answer. Unfortunately, in Packet Tracer my ASA 5505 firewall doesn't have the nat command in "(config)#".

So what can I do as an alternative?


See it below:

A big thanks.


ASAVevey(config)#?
  aaa             Enable, disable, or view user authentication, authorization
                  and accounting
  access-group    Bind an access-list to an interface to filter traffic
  access-list     Configure an access control element
  boot            Set system boot parameters
  class-map       Configure MPF Class Map
  clock           Configure time-of-day clock
  configure       Configure using various methods
  crypto          Configure IPSec, ISAKMP, Certification, authority, key
  dhcpd           Configure DHCP Server
  domain-name     Change domain name
  enable          Configure password for the enable command
  end             Exit from configure mode
  exit            Exit from configure mode
  group-policy    Configure or remove a group policy
  hostname        Change host name of the system
  http            Configure http server and https related commands
  interface       Select an interface to configure
  ipv6            Global IPv6 configuration commands
  name            Associate a name with an IP address
  names           Enable/Disable IP address to name mapping
  no              Negate a command or set its defaults
  ntp             Configure NTP
  object          Configure an object
  object-group    Create an object group for use in 'access-list', etc
  passwd          Change Telnet console access password
  policy-map      Configure MPF Parameter Map
  route           Configure a static route for an interface
  service-policy  Configure MPF service policy
  setup           Pre-configure the system
  ssh             Configure SSH options
  telnet          Add telnet access to system console or set idle timeout
  tunnel-group    Create and manage the database of connection specific records
                  for IPSec connections
  username        Configure user authentication local database
  webvpn          Configure the WebVPN service


Considering it is a lab and you want to test the VPN, you could remove the NAT config.


object network LAN-inside
 no nat (inside,outside) dynamic interface
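To see why both of Bogdan's suggestions (the identity NAT rule above, or simply removing the dynamic PAT) make the tunnel come up, here is a small Python model, added here and not code from the thread or from Cisco, of the ASA order of operations the replies rely on: NAT is applied first, twice NAT (section 1) is checked before object NAT (section 2), and the crypto map's match ACL is then evaluated on the translated packet. The networks and addresses are taken from the ASA0 config posted above; the NatRule dataclass and function names are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class NatRule:
    """One ASA NAT rule, reduced to what matters for the crypto-ACL check."""
    section: int               # 1 = twice (manual) NAT, 2 = object (auto) NAT
    real_src: str              # real source network the rule applies to
    real_dst: Optional[str]    # real destination network (twice NAT only)
    mapped_src: Optional[str]  # None = identity (address kept), else the PAT address

def translate_source(rules: List[NatRule], src: str, dst: str) -> str:
    """Apply the first matching rule in section order; unmatched traffic keeps its address."""
    for rule in sorted(rules, key=lambda r: r.section):
        if ip_address(src) not in ip_network(rule.real_src):
            continue
        if rule.real_dst and ip_address(dst) not in ip_network(rule.real_dst):
            continue
        return src if rule.mapped_src is None else rule.mapped_src
    return src

def matches_crypto_acl(acl: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """The crypto map 'match address' check, evaluated on the post-NAT packet."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

# Values from the thread's ASA0 config (constructed model, not a live device)
ACL1 = [("192.168.1.0/24", "192.168.2.0/24")]            # access-list ACL1 ...
OBJECT_PAT = NatRule(2, "192.168.1.0/24", None, "10.10.10.1")        # nat (inside,outside) dynamic interface
IDENTITY_NAT = NatRule(1, "192.168.1.0/24", "192.168.2.0/24", None)  # Bogdan's twice-NAT rule

def will_be_encrypted(rules: List[NatRule], src: str = "192.168.1.1",
                      dst: str = "192.168.2.1") -> Tuple[str, bool]:
    """Return (post-NAT source, whether the packet matches ACL1 and enters the tunnel)."""
    mapped = translate_source(rules, src, dst)
    return mapped, matches_crypto_acl(ACL1, mapped, dst)

if __name__ == "__main__":
    print("PAT only:       ", will_be_encrypted([OBJECT_PAT]))                 # ('10.10.10.1', False)
    print("identity + PAT: ", will_be_encrypted([IDENTITY_NAT, OBJECT_PAT]))   # ('192.168.1.1', True)
    print("no NAT (lab):   ", will_be_encrypted([]))                           # ('192.168.1.1', True)
    print("internet, fixed:", will_be_encrypted([IDENTITY_NAT, OBJECT_PAT], dst="8.8.8.8"))
```

The last case shows why identity NAT is the production answer and removing NAT is only a lab shortcut: with the twice-NAT rule in place, traffic to a non-VPN destination is still PATed to the outside address while site-to-site traffic keeps its real address and matches ACL1.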
