ASA 5525 Tunnel traffic not passing

Maddhattr
Level 1

I am still learning the Cisco ASA and need some help with my tunnels. I was able to stand up and connect a VPN tunnel to my site successfully. The tunnel connects without issue and seems to be reliable in that it stays connected. One end is a Palo Alto firewall (which I am very familiar with) and the other is the ASA.

 

However, I seem to have issues passing traffic reliably. I can get one range connected and working sometimes. Any of the other subnets I need to connect will not do so. I can even see the ping / RDP traffic hitting the ASA and the connections being created. Yet the traffic does not reach its destination or is not returned.

 

Attached is the config. Let me know if there is something else I should pull or look at.

3 Replies

Maddhattr
Level 1

I just removed the Proxy IDs and made the tunnel allow ANY. After about 5 minutes ping started to work. The only problem is now I can ping anything on the ASA. LOL. I will attempt to limit this traffic with access rules. My preference would be for the tunnel to have limited traffic on it still. It also takes a long time for traffic to be established.

 

The other issue I will run into is that I need to have more than one tunnel, as multiple locations will be accessing the data that the ASA is connected to. I am not sure how to set up routes or NAT rules to make this work.

 

Any suggestions are welcome.

 

Thanks!

This is an example of a line that defines what traffic will be encrypted and sent over the tunnel:

crypto map ISP01_map0 1 match address ISP01_cryptomap_1

So, you need to find the sequence number that includes the IP address of your remote peer, then check what is allowed in that access-list.

In the above example, the access-list is called ISP01_cryptomap_1.

 

Hi Maddhattr,

Below is the sample configuration for a site-to-site VPN and for a site-to-site VPN with a dynamic IP. Hope this will help you to configure it.

Site to Site VPN Sample Config

!
! Local and remote networks that should ride the tunnel
object network Local-Subnet
 subnet 10.100.1.0 255.255.255.0
!
object network Remote-Subnet
 subnet 10.100.2.0 255.255.255.0
!
! Crypto ACL ("interesting traffic"); the remote peer's proxy IDs must mirror this exactly
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
!
! Identity (twice) NAT so tunnel traffic is not translated by the outside NAT rules
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
!
crypto ikev1 enable outside
! Phase 1 (IKE) policy; 3DES / SHA-1 / group 2 are legacy values, kept as posted
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec) transform set
crypto ipsec ikev1 transform-set transform esp-3des esp-sha-hmac
!
crypto map out_map 10 match address VPN-to-Remote
crypto map out_map 10 set pfs
crypto map out_map 10 set peer 1.1.1.2
crypto map out_map 10 set ikev1 transform-set transform
crypto map out_map 10 set security-association lifetime seconds 28800
crypto map out_map 10 set security-association lifetime kilobytes 4608000
!
crypto map out_map interface outside
!
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key ####
!

 

Site to Site VPN with dynamic IP


! Phase 1 policy for the dynamic peer; single DES is kept as posted and is weak by today's standards
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set ESP-DES esp-des esp-sha-hmac
!
access-list crypto_acl_10 extended permit ip host 1.1.1.1 host 2.2.2.2
!
! Dynamic crypto map; every entry needs the same sequence number (10 here)
crypto dynamic-map DYNAMIC-VPN 10 match address crypto_acl_10
crypto dynamic-map DYNAMIC-VPN 10 set ikev1 transform-set ESP-DES
crypto dynamic-map DYNAMIC-VPN 10 set reverse-route
!
! Bind the dynamic map as the highest sequence of the static crypto map so static peers match first
crypto map out_map 11 ipsec-isakmp dynamic DYNAMIC-VPN
crypto map out_map interface outside
!
! Peers with an unknown IP land in DefaultL2LGroup; the PSK there is shared by all of them
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key #####

 

 

Hope that helps,

-Abheesh
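The replies above point at the two places to check when a tunnel is up but only some subnets pass traffic: the crypto ACL behind the crypto map sequence for the peer (which the Palo Alto must mirror as proxy IDs), and an identity NAT rule for each local/remote pair. The script below is an added example, not code from the thread or from Cisco or Palo Alto; it parses a constructed ASA running-config fragment (the object, access-list, nat and crypto map lines are assumed to be in the form the sample config uses) and reports which crypto ACL pairs lack NAT exemption or a mirrored proxy ID on the peer. The config text and the PAN proxy ID list are constructed sample input.

```python
"""Audit an ASA site-to-site VPN for the two usual "tunnel up, traffic dead" causes:
a crypto ACL (proxy ID) pair the peer does not mirror, and a pair with no identity NAT."""
import ipaddress
import re

# Constructed running-config fragment (not from the thread): a second inside subnet was added
# to the crypto ACL, but the NAT exemption and the Palo Alto proxy IDs were not updated.
ASA_CONFIG = """\
object network Local-Subnet
 subnet 10.100.1.0 255.255.255.0
object network Local-Subnet-2
 subnet 10.100.3.0 255.255.255.0
object network Remote-Subnet
 subnet 10.100.2.0 255.255.255.0
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
access-list VPN-to-Remote extended permit ip object Local-Subnet-2 object Remote-Subnet
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
crypto map out_map 10 match address VPN-to-Remote
crypto map out_map 10 set peer 1.1.1.2
crypto map out_map interface outside
"""

# Constructed proxy IDs as entered on the Palo Alto side: (local, remote) from the PAN's view.
PAN_PROXY_IDS = [("10.100.2.0/24", "10.100.1.0/24")]

NAT_EXEMPT_RE = re.compile(r"nat \([^)]+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_objects(cfg):
    """Map 'object network' names to ip_network values (subnet and host forms)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(m.group(1) + "/32")
    return objects


def _addr(tokens, i, objects):
    """Consume one ACL address spec (any / object NAME / host A / A MASK) at tokens[i]."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "object":
        return objects[tokens[i + 1]], i + 2
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(cfg, name, objects):
    """Return the (src, dst) network pairs of the 'permit ip' lines of the named ACL."""
    pairs = []
    for line in cfg.splitlines():
        tokens = line.split()
        if tokens[:5] == ["access-list", name, "extended", "permit", "ip"]:
            src, i = _addr(tokens, 5, objects)
            dst, _ = _addr(tokens, i, objects)
            pairs.append((src, dst))
    return pairs


def parse_nat_exempt(cfg, objects):
    """Collect identity twice-NAT pairs (source and destination mapped to themselves)."""
    exempt = set()
    for line in cfg.splitlines():
        m = NAT_EXEMPT_RE.match(line)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt.add((objects[m.group(1)], objects[m.group(3)]))
    return exempt


def crypto_acl_for_peer(cfg, peer):
    """Find the crypto map sequence whose 'set peer' is PEER and return its 'match address' ACL."""
    acl_by_seq, seq_by_peer = {}, {}
    for line in cfg.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line)
        if m:
            acl_by_seq[(m.group(1), m.group(2))] = m.group(3)
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line)
        if m:
            seq_by_peer[m.group(3)] = (m.group(1), m.group(2))
    return acl_by_seq.get(seq_by_peer.get(peer))


def audit(cfg, peer, peer_proxy_ids):
    """Report crypto ACL pairs for PEER that lack identity NAT or a mirrored proxy ID on the peer."""
    objects = parse_objects(cfg)
    acl = crypto_acl_for_peer(cfg, peer)
    pairs = parse_acl(cfg, acl, objects)
    exempt = parse_nat_exempt(cfg, objects)
    # The peer's (local, remote) proxy ID is our (remote, local), so swap before comparing.
    mirrored = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_proxy_ids}
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return {
        "crypto_acl": acl,
        "missing_nat_exempt": [fmt(p) for p in pairs if p not in exempt],
        "unmatched_proxy_ids": [fmt(p) for p in pairs if p not in mirrored],
    }


if __name__ == "__main__":
    for key, val in audit(ASA_CONFIG, "1.1.1.2", PAN_PROXY_IDS).items():
        print(f"{key}: {val}")
```

On the constructed input the report names 10.100.3.0/24 -> 10.100.2.0/24 under both headings: it is in the crypto ACL, so the ASA builds a connection for it, but it has neither an identity NAT rule nor a matching proxy ID on the Palo Alto, which is the "one range works, the others do not" symptom from the original post. For several sites, run the audit once per peer address with that peer's proxy IDs; each extra site needs its own crypto map sequence, its own crypto ACL and its own identity NAT pair, and this script will flag the pair that was left out.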
