03-02-2014 06:28 AM - edited 03-11-2019 08:52 PM
Hello All,
I would like to ask for some assistance. Actually, I am not experienced with site-to-site VPN, especially on the ASA.
I had a problem with the configuration. I already tried using the manual guide from Cisco, YouTube, and many websites,
but the tunnel won't establish between site A and site B. I'm using ASDM to configure the site-to-site VPN.
From the configuration below, is there any configuration that I missed,
or any configuration that I should add?
I need assistance from all of you.
Thanks in advance.
==============================================
configuration from site A :
: Saved
:
ASA Version 8.3(1)
!
hostname IdFW
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address CHANGE FOR SECURITY 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address CHANGE FOR SECURITY 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Kito_CKR
subnet 192.168.2.0 255.255.255.0
object network Kito_CKR_Firewall
host CHANGE FOR SECURITY
object network Kito_Keiai
subnet 192.168.62.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object Kito_Keiai object Kito_CKR
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Kito_Keiai Kito_Keiai destination static Kito_CKR Kito_CKR
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 CHANGE FORSECURITY
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 192.168.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer CHANGE FOR SECURITY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.62.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 60
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 192.168.62.21-192.168.62.70 inside
dhcpd dns 192.168.62.100 203.142.82.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXX password XXXXXXXXXX encrypted privilege 15
username XXXXX password XXXXXXXXXX encrypted privilege 15
tunnel-group CHANGE FOR SECURITY type ipsec-l2l
tunnel-group CHANGE FOR SECURITY ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fbf0d162ac0143b573773b00f5318e69
: end
===============================================
And this is configuration from site B:
ASA Version 8.3(1)
!
hostname Cakung
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address CHANGE FOR SECURITY 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Kito_Keiai
subnet 192.168.62.0 255.255.255.0
object network Kito_CKR
subnet 192.168.2.0 255.255.255.0
object network Kito_Keiai_Firewall
host CHANGE FOR SECURITY
access-list outside_1_cryptomap extended permit ip object Kito_CKR object Kito_Keiai
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Kito_CKR Kito_CKR destination static Kito_Keiai Kito_Keiai
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 CHANGE FOR SECURITY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer CHANGE FOR SECURITY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.99 inside
dhcpd dns 202.150.128.65 202.150.129.65 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cakung password 2nzxozIPDPgkxYxq encrypted
username fajri password mrfGvG80qovUNcb7 encrypted privilege 15
tunnel-group CHANGE FOR SECURITY type ipsec-l2l
tunnel-group CHANGE FOR SECURITY ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:441bf282c04d90b45b08d606946276e8
: end
03-02-2014 08:11 AM
Hmm. The configurations look pretty clean and correct in the important bits.
Site a has "crypto isakmp identity address" which is not strictly needed as the default (auto) will choose address for PSK-based VPN. Site b has policy 30 defined three times.
What happens when you introduce interesting traffic from one internal subnet destined for the remote end? Do you see log messages of ISAKMP SA trying to establish and failing? Check by using the command "show crypto isakmp sa" and watching syslog for relevant messages. If Phase 1 tries and fails to establish, you may need to run "debug crypto isakmp 7" and watch the logs for more verbose output. If phase one establishes (i.e. you see the SA up in MM - Main Mode) you may have an issue with Phase 2. You can similarly check it with "show crypto ipsec sa" and the associated debug command.
You can also try the packet-tracer (either from command line or ASDM GUI) to see how the ASA would interpret traffic coming from one internal network and destined for the remote one across the VPN.
p.s. please remember to disable insecure telnet access to the ASA - especially on outside interface!
03-02-2014 08:35 PM
Hi Marvin,
Thank you for your response. Yes, first of all, I configured this ASA so it must connect site to site first.
I already typed the commands "show crypto isakmp sa" and "show crypto ipsec sa", and the results are:
Site A:
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: CHANGE FOR SECURITY
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: CHANGE FOR SECURITY
access-list outside_1_cryptomap extended permit ip 192.168.62.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: CHANGE FOR SECURITY
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 312, #pkts decrypt: 312, #pkts verify: 312
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: CHANGE FOR SECURITY/0, remote crypto endpt.: CHANGE FOR SECURITY/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1E3788BF
current inbound spi : 367002EC
inbound esp sas:
spi: 0x367002EC (913310444)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 24576, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373971/18329)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1E3788BF (506955967)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 24576, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/18329)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
==================================================================
Site B:
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: CHANGE FOR SECURITY
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: CHANGE FOR SECURITY
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.62.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
current_peer: CHANGE FOR SECURITY
#pkts encaps: 319, #pkts encrypt: 319, #pkts digest: 319
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 319, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: CHANGE FOR SECURITY/0, remote crypto endpt.: CHANGE FOR SECURITY/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 367002EC
current inbound spi : 1E3788BF
inbound esp sas:
spi: 0x1E3788BF (506955967)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/18266)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x367002EC (913310444)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914970/18266)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Was it able to connect site to site?
Thanks in advance.
03-02-2014 09:25 PM
OK, since you see "MM_ACTIVE", you have a good Phase 1 (ISAKMP SA).
Since your ipsec sa shows encaps (good) but no decaps (bad) - and vice versa at other end - it means the return packets are not getting into the VPN in that one direction.
Can you confirm routing at site a sends packets destined for site b to the ASA?
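The asymmetry Marvin points out (encaps on one end, decaps on the other) can be checked mechanically. Below is an added Python example, not from this thread or from Cisco, that parses the two "show crypto ipsec sa" excerpts posted above and reports which side decrypts traffic but never encrypts a reply; the regexes and the `diagnose` helper are my own assumptions about the output format.

```python
import re

# Constructed excerpts: the relevant lines copied from the two
# "show crypto ipsec sa" outputs posted above (Site A, then Site B).
SITE_A = """\
local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 312, #pkts decrypt: 312, #pkts verify: 312
current outbound spi: 1E3788BF
current inbound spi : 367002EC
"""
SITE_B = """\
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
#pkts encaps: 319, #pkts encrypt: 319, #pkts digest: 319
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 367002EC
current inbound spi : 1E3788BF
"""

def parse_ipsec_sa(text):
    """Pull out proxy identities, packet counters and SPIs from one output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError("field not found: " + pattern)
        return m.group(1)
    return {
        "local": grab(r"local ident[^:]*:\s*\((\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+)"),
        "remote": grab(r"remote ident[^:]*:\s*\((\d+\.\d+\.\d+\.\d+/\d+\.\d+\.\d+\.\d+)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
        "out_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)").upper(),
        "in_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
    }

def diagnose(sites):
    """sites: {"A": parsed, "B": parsed}. Returns a list of findings."""
    a, b = sites["A"], sites["B"]
    findings = []
    # Both ends must describe the same SA pair: A's outbound SPI is B's inbound.
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        findings.append("SPI mismatch: the two outputs are not the same SA pair")
    # Crypto ACLs must be mirror images of each other.
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirror images; check the crypto ACLs")
    # A side that decrypts but never encrypts is not sending return traffic
    # into the tunnel: look at routing/NAT on that side's inside network.
    for name, near in sites.items():
        if near["decaps"] > 0 and near["encaps"] == 0:
            findings.append(f"one-way: site {name} decrypts traffic but never "
                            f"encrypts a reply; check routing/NAT at site {name}")
    return findings

if __name__ == "__main__":
    print(diagnose({"A": parse_ipsec_sa(SITE_A), "B": parse_ipsec_sa(SITE_B)}))
```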
03-02-2014 11:46 PM
Hi Marvin,
Sorry, how do I confirm that routing at site A sends packets destined for site B?
By using packet tracer?
Thanks in advance.
03-03-2014 06:04 AM
You could confirm the routing in several ways.
The easiest is to do a traceroute from a host at site a towards a destination at site b. While the firewall does not typically decrement the ICMP TTL necessary for traceroute to pass through it cleanly, you should see the traceroute path at least reach the firewall. (And, in the absence of a working VPN, it will time out there.)
03-03-2014 07:38 AM
I tried to traceroute from the ASA; the trace completes when I traceroute from the outside interface of site A to the outside interface of site B.
But when I try to traceroute from the inside interface of site A to the inside interface of site B, it is unreachable.
ASDM syslog shows any ping test from the other site.
Is there any configuration I must add, like an access list or anything else?
Thanks in advance.
03-02-2014 01:30 PM
Hi,
Two things:
1- I can't seem to see a NAT exempt for the VPN traffic in question.
2- The ASA does not support Telnet on the outside interface. Just get rid of the command to make the configuration cleaner.
HTH.
Sent from Cisco Technical Support Android App
03-02-2014 02:32 PM
I thought his lines:
nat (inside,outside) source static Kito_Keiai Kito_Keiai destination static Kito_CKR Kito_CKR
and
nat (inside,outside) source static Kito_CKR Kito_CKR destination static Kito_Keiai Kito_Keiai
...covered the necessary NAT exemption at Site_A and Site_B respectively.
03-02-2014 08:33 PM
Hello Marvin!
I think you are right, for some reason I did not see them... On the phone it is not very clear though.
On the other hand, please run a packet-tracer from inside to outside. :)
Sent from Cisco Technical Support Android App
03-02-2014 08:54 PM
Hi Javier,
Yes, the NAT I created uses names.
For the telnet from outside, you are probably right, because after I configured telnet, I can't telnet from outside.
Later I will remove this configuration.
Based on the results that I wrote above for "show crypto isakmp sa" and "show crypto ipsec sa",
do you think it should already be connected via the site-to-site VPN?
Is there any command or menu in ASDM for me to check this site-to-site connection?
Thanks in advance.
03-03-2014 12:19 AM
Hi Fajri,
1) Try to ping the remote side B IP from the side A IP,
and also share the result of packet tracer on the side A firewall for both directions.
2) At the time of pinging, check whether packets are encrypted/decrypted or not.
3) Otherwise, clear the 2nd phase of IPsec once, and then try.
4) Try with identity with IP instead.
I see you are using "crypto isakmp identity address" on side A but not on the other side; try to do it in "AUTO mode", most probably after that it will work.
03-03-2014 03:50 AM
Hi Chetan,
I already removed the config "crypto isakmp identity address".
I tried to ping from site A to site B; it still says "Request timed out".
Here is the result of packet tracer on the side A firewall.
Is it right?
I really need your advice; I have been stuck for a few days.
Thanks in advance.
03-03-2014 07:50 AM
Hi,
Please check the following and share your analysis:
1- If you clear the IPSec SA counters "show crypto ipsec sa counters", try to ping from the LAN to the remote network does it work? if not, what do you see on the "show crypto ipsec sa" output?
2- If you do not see any encapsulations (assuming that tunnel is already established), place a packet-capture.
From CLI: packet-capture capture_name interface inside match ip host switch_ip host remote_ip
Then generate some traffic and run the command: show capture capture_name
Do you see the ICMP echo requests on the output above?
- Run a packet-tracer: packet-tracer input inside icmp switch_ip 8 0 remote_ip detailed
Basically, we need to confirm the traffic flow, routing and status of the tunnel.
HTH.
03-03-2014 10:15 PM
Hi fajri,
You know, everything looks perfect: in packet tracer when traffic is from inside to outside it's moving, but in the other direction it's showing denied because you selected the inside interface instead of the outside interface.
Can we test with a change in your NAT statement?
Let's do NAT exemption instead of doing static NAT from inside to outside.
Site A
----------
access-list no_nat extended permit ip SiteA Subnet SiteB Subnet
nat(inside) 0 access-list no_nat
Site B
-----------
access-list no_nat extended permit ip SiteB Subnet SiteA Subnet
nat(inside) 0 access-list no_nat
then
clear crypto ipsec sa ........