ASA-ASA IPsec Tunnel

engineer_msu
Level 1

Dear All,

I am trying to establish an IPsec tunnel between two ASAs, but it is not working: the first phase (ISAKMP) itself is not coming up. I checked all the documentation and everything, but I am still not able to solve the issue.

Below is the Configuration of ASA-1 and ASA-2

ASA-1:

ASA-1# show runn
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 212.93.199.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list LAN_Traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map L2L 10 match address LAN_Traffic
crypto map L2L 10 set peer 209.165.200.1
crypto map L2L 10 set transform-set TS
crypto map L2L interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map ICMP-CLASS
 match default-inspection-traffic
!
!
policy-map ICMP-POLICY
 class ICMP-CLASS
  inspect icmp
!
service-policy ICMP-POLICY global
tunnel-group 209.165.200.1 type ipsec-l2l
tunnel-group 209.165.200.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA-1#

---------------------------------------------------------------------------------------

ASA-2:

ASA-2# show runn
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 209.165.200.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list LAN_Traffic extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 209.165.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set L2Lesp-aes-256 esp-3des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map L2L 10 match address LAN_Traffic
crypto map L2L 10 set peer 212.93.199.1
crypto map L2L 10 set transform-set TS
crypto map L2L interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map ICMP-CLASS
 match default-inspection-traffic
!
!
policy-map ICMP-POLICY
 class ICMP-CLASS
  inspect icmp
!
service-policy ICMP-POLICY global
tunnel-group 212.93.199.1 type ipsec-l2l
tunnel-group 212.93.199.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end

---------------------------------------------------------------------------------------

The Log Messages I am receiving are:

ASA-1# Nov 30 02:26:13 [IKEv1]: IP = 209.165.200.1, Removing peer from peer table failed, no match!
Nov 30 02:26:13 [IKEv1]: IP = 209.165.200.1, Error: Unable to remove PeerTblEntry
Nov 30 02:26:15 [IKEv1]: IP = 209.165.200.1, Removing peer from peer table failed, no match!
Nov 30 02:26:15 [IKEv1]: IP = 209.165.200.1, Error: Unable to remove PeerTblEntry
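As an added example (my own code, not the poster's and not a Cisco tool), here is a small Python checker that reads the crypto-relevant lines of two ASA running configs and reports the mismatches that stop an IKEv1 site-to-site tunnel from negotiating: ISAKMP policy agreement, peer addresses, presence of the ipsec-l2l tunnel-group, reachability of the peer, transform-set overlap and mirrored crypto ACLs. The two sample configs are constructed from the ones in the post, trimmed to the lines the parser understands; everything else in a real config is ignored. Run against the configs above it reports only one thing: ASA-1 has no route toward 209.165.200.1 (ASA-2 has a default route, ASA-1 has no route statement at all), which is consistent with phase 1 never starting and with the peer-table messages in the log.

```python
"""Added example (not from the original post): checks two ASA running configs for the
mismatches that stop an IKEv1/IPsec L2L tunnel from negotiating (phase 1 and phase 2)."""
import ipaddress

def sample_cfg(name, outside_ip, peer, local_lan, remote_lan, extra=""):
    """Constructed from the post's two configs, trimmed to the lines the checker reads."""
    return f"""\
hostname {name}
interface Ethernet0/1
 nameif outside
 ip address {outside_ip} 255.255.255.0
access-list LAN_Traffic extended permit ip {local_lan} 255.255.255.0 {remote_lan} 255.255.255.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map L2L 10 match address LAN_Traffic
crypto map L2L 10 set peer {peer}
crypto map L2L 10 set transform-set TS
crypto map L2L interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
tunnel-group {peer} type ipsec-l2l
{extra}"""

ASA1 = sample_cfg("ASA-1", "212.93.199.1", "209.165.200.1", "192.168.1.0", "192.168.2.0")
ASA2 = sample_cfg("ASA-2", "209.165.200.1", "212.93.199.1", "192.168.2.0", "192.168.1.0",
                  "route outside 0.0.0.0 0.0.0.0 209.165.200.2 1")  # ASA-1 has no route line
POLICY_KEYS = ("authentication", "encryption", "hash", "group")

def net(addr, mask):  # "a.b.c.d m.m.m.m" -> network object
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(text):
    """Collect the parts of a running config that a L2L tunnel depends on."""
    cfg = {"hostname": "?", "ifaces": {}, "acls": {}, "ts": {}, "maps": {},
           "map_iface": {}, "policies": {}, "l2l_peers": set(), "routes": []}
    ctx = None  # the interface or isakmp policy block we are currently inside
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[0] == "interface":
            ctx = ("iface", t[1]); cfg["ifaces"][t[1]] = {}
        elif ctx and ctx[0] == "iface" and (t[0] == "nameif" or t[:2] == ["ip", "address"]):
            cfg["ifaces"][ctx[1]].update({"nameif": t[1]} if t[0] == "nameif" else {"ip": t[2], "net": net(t[2], t[3])})
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            cfg["acls"].setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:  # "match address X", "set peer X", "set transform-set X ..."
            cfg["maps"].setdefault((t[2], int(t[3])), {})[t[5]] = t[6:] if t[5] == "transform-set" else (t[6] if len(t) > 6 else True)
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", int(t[3])); cfg["policies"][int(t[3])] = {}
        elif ctx and ctx[0] == "policy" and t[0] in POLICY_KEYS:
            cfg["policies"][ctx[1]][t[0]] = t[1]
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["l2l_peers"].add(t[1])
        elif t[0] == "route":
            cfg["routes"].append(net(t[2], t[3]))
    return cfg

def iface(cfg, nameif):  # interface block carrying this nameif (crypto maps bind by nameif)
    return next((i for i in cfg["ifaces"].values() if nameif and i.get("nameif") == nameif), None)

def check_pair(a, b):
    """Findings that would stop the a<->b tunnel from negotiating; [] means consistent."""
    out = []
    pa = {tuple(p.get(k) for k in POLICY_KEYS) for p in a["policies"].values()}
    pb = {tuple(p.get(k) for k in POLICY_KEYS) for p in b["policies"].values()}
    if not pa & pb:  # phase 1 needs one policy on each side agreeing on auth/encryption/hash/group
        out.append(f"ISAKMP policy mismatch: {a['hostname']} {sorted(pa)} vs {b['hostname']} {sorted(pb)}")
    for local, remote in ((a, b), (b, a)):
        h, rn = local["hostname"], remote["hostname"]
        r_if = next((iface(remote, n) for n in remote["map_iface"].values()), None) or {}
        r_ts = {remote["ts"][n] for e in remote["maps"].values() for n in e.get("transform-set", []) if n in remote["ts"]}
        r_acl = {(d, s) for e in remote["maps"].values() for s, d in remote["acls"].get(e.get("address"), [])}
        for (mname, seq), e in local["maps"].items():
            bound = local["map_iface"].get(mname)
            l_if = iface(local, bound)
            if l_if is None:
                out.append(f"{h}: crypto map {mname} is not applied to an interface"); continue
            peer = e.get("peer")
            if peer != r_if.get("ip"):
                out.append(f"{h}: map {mname} {seq} peer {peer} is not the address {rn} terminates on ({r_if.get('ip')})")
            if peer not in local["l2l_peers"]:
                out.append(f"{h}: no 'tunnel-group {peer} type ipsec-l2l'")
            p = ipaddress.ip_address(peer) if peer else None  # peer must be on-link or routed, else IKE never leaves
            if p and p not in l_if.get("net", []) and not any(p in r for r in local["routes"]):
                out.append(f"{h}: no route toward peer {peer}; ISAKMP packets cannot leave {bound}")
            if not {local["ts"][n] for n in e.get("transform-set", []) if n in local["ts"]} & r_ts:  # phase 2
                out.append(f"{h}: map {mname} {seq} shares no transform-set with {rn}")
            for s, d in local["acls"].get(e.get("address"), []):  # crypto ACLs must mirror each other
                if (s, d) not in r_acl:
                    out.append(f"{h}: crypto ACL entry {s} -> {d} is not mirrored on {rn}")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(parse_asa(ASA1), parse_asa(ASA2))) or "no mismatch found")
```

The pre-shared key is masked as `*` in `show run` output, so a PSK mismatch is outside what a config diff can catch; that one only shows up on the box itself. The parser also assumes the `extended permit ip NET MASK NET MASK` form of crypto ACL that the post uses, and would need extending for `host` or `any` entries.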


engineer_msu
Level 1

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

The above page explains the ASA-to-ASA IPsec configuration very well; I got my issue resolved.
