03-02-2014 06:28 AM - edited 03-11-2019 08:52 PM
Hello All,
I would like to ask for some assistance. Actually, I am not experienced with site-to-site VPN, especially on the ASA.
I have a problem with the configuration. I already tried the manual guides from Cisco, YouTube, and many websites,
but the tunnel won't establish between site A and site B. I'm using ASDM to configure the site-to-site VPN.
From the configuration below, is there any configuration that I missed,
or any configuration that I should add?
I need assistance from all of you.
Thanks in advance.
==============================================
configuration from site A :
: Saved
:
ASA Version 8.3(1)
!
hostname IdFW
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address CHANGE FOR SECURITY 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address CHANGE FOR SECURITY 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Kito_CKR
subnet 192.168.2.0 255.255.255.0
object network Kito_CKR_Firewall
host CHANGE FOR SECURITY
object network Kito_Keiai
subnet 192.168.62.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object Kito_Keiai object Kito_CKR
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Kito_Keiai Kito_Keiai destination static Kito_CKR Kito_CKR
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 CHANGE FOR SECURITY
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 192.168.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer CHANGE FOR SECURITY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.62.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 60
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 192.168.62.21-192.168.62.70 inside
dhcpd dns 192.168.62.100 203.142.82.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXX password XXXXXXXXXX encrypted privilege 15
username XXXXX password XXXXXXXXXX encrypted privilege 15
tunnel-group CHANGE FOR SECURITY type ipsec-l2l
tunnel-group CHANGE FOR SECURITY ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fbf0d162ac0143b573773b00f5318e69
: end
===============================================
And this is configuration from site B:
ASA Version 8.3(1)
!
hostname Cakung
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address CHANGE FOR SECURITY 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Kito_Keiai
subnet 192.168.62.0 255.255.255.0
object network Kito_CKR
subnet 192.168.2.0 255.255.255.0
object network Kito_Keiai_Firewall
host CHANGE FOR SECURITY
access-list outside_1_cryptomap extended permit ip object Kito_CKR object Kito_Keiai
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static Kito_CKR Kito_CKR destination static Kito_Keiai Kito_Keiai
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 CHANGE FOR SECURITY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer CHANGE FOR SECURITY
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.99 inside
dhcpd dns 202.150.128.65 202.150.129.65 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cakung password 2nzxozIPDPgkxYxq encrypted
username fajri password mrfGvG80qovUNcb7 encrypted privilege 15
tunnel-group CHANGE FOR SECURITY type ipsec-l2l
tunnel-group CHANGE FOR SECURITY ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:441bf282c04d90b45b08d606946276e8
: end
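As an added example, not part of this thread and not Cisco tooling: a small Python checker that parses the tunnel-relevant lines of two ASA 8.3-style running-configs like the pair above and reports the mirror-image mismatches that keep an IKEv1 site-to-site tunnel from forming (crypto ACLs that are not mirrored, different transform sets or PFS groups, no common ISAKMP policy, a peer that is not the other side's outside address, a missing ipsec-l2l tunnel-group, or a missing identity-NAT exemption). The outside and peer addresses 198.51.100.10 and 203.0.113.20 are constructed placeholders standing in for the redacted "CHANGE FOR SECURITY" values, and the `asa_site` template is a constructed rendering of the posted configs' structure with those values filled in.

```python
"""Mirror-image consistency check for a pair of ASA 8.3 site-to-site VPN configs.
Added example, not from the thread; peer/outside addresses are constructed."""
from collections import defaultdict


def asa_site(outside_ip, peer_ip, local, local_net, remote, remote_net,
             pfs="group1", ike_group="2"):
    """Render the tunnel-relevant part of an ASA 8.3 running-config (constructed
    sample modelled on the thread's redacted configs; sub-commands are indented)."""
    return f"""
interface Ethernet0/0
 nameif outside
 ip address {outside_ip} 255.255.255.248
object network {local}
 subnet {local_net}
object network {remote}
 subnet {remote_net}
access-list outside_1_cryptomap extended permit ip object {local} object {remote}
nat (inside,outside) source static {local} {local} destination static {remote} {remote}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs {pfs}
crypto map outside_map 1 set peer {peer_ip}
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group {ike_group}
tunnel-group {peer_ip} type ipsec-l2l
"""


def parse(cfg):
    """Extract objects, crypto ACLs, transform sets, crypto map entries, ISAKMP
    policies, identity-NAT pairs, ipsec-l2l tunnel-groups and the outside IP."""
    d = {"objects": {}, "acl": defaultdict(list), "ts": {}, "cmap": {},
         "isakmp": {}, "tg": set(), "nat": set(), "outside_ip": None}
    ctx = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0].isspace() and ctx:            # sub-command of the open block
            kind, key = ctx
            if kind == "if" and w[0] == "nameif":
                ctx = ("if", w[1])              # re-key the block by nameif
            elif kind == "if" and key == "outside" and w[:2] == ["ip", "address"]:
                d["outside_ip"] = w[2]
            elif kind == "obj" and w[0] in ("subnet", "host"):
                d["objects"][key] = " ".join(w[1:])
            elif kind == "ike" and w[0] in ("authentication", "encryption", "hash", "group"):
                d["isakmp"][key][w[0]] = w[1]   # lifetime is negotiable, so skipped
            continue
        ctx = None
        if w[0] == "interface":
            ctx = ("if", w[1])
        elif w[:2] == ["object", "network"]:
            ctx = ("obj", w[2])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("ike", w[3])
            d["isakmp"][w[3]] = {}
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            d["acl"][w[1]].append((w[6], w[8]))  # "... ip object SRC object DST"
        elif w[0] == "nat" and w[2:4] == ["source", "static"]:
            d["nat"].add((w[4], w[9]))           # real source, real destination
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["ts"][w[3]] = tuple(sorted(w[4:]))
        elif w[:2] == ["crypto", "map"] and w[4] in ("match", "set"):
            d["cmap"].setdefault((w[2], w[3]), {})[w[5]] = w[6]
        elif w[0] == "tunnel-group" and w[2:4] == ["type", "ipsec-l2l"]:
            d["tg"].add(w[1])
    return d


def resolve(d, pairs):
    """Replace object names with their subnet/host text so both sides compare equal."""
    return {(d["objects"].get(s, s), d["objects"].get(t, t)) for s, t in pairs}


def check_pair(a_cfg, b_cfg):
    """Return a list of human-readable mismatches between site A and site B."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    for (name, seq), ae in a["cmap"].items():
        where = f"site A {name} {seq}"
        if ae.get("peer") != b["outside_ip"]:
            findings.append(f"{where}: peer {ae.get('peer')} is not site B's outside address {b['outside_ip']}")
        be = next((e for e in b["cmap"].values() if e.get("peer") == a["outside_ip"]), None)
        if be is None:
            findings.append(f"{where}: site B has no crypto map entry peering with {a['outside_ip']}")
            continue
        a_acl = resolve(a, a["acl"][ae["address"]])
        b_acl = {(dst, src) for src, dst in resolve(b, b["acl"][be["address"]])}
        if a_acl != b_acl:
            findings.append(f"{where}: crypto ACL is not the mirror image of site B's")
        if a["ts"].get(ae["transform-set"]) != b["ts"].get(be["transform-set"]):
            findings.append(f"{where}: IPsec transform sets differ")
        if ae.get("pfs") != be.get("pfs"):
            findings.append(f"{where}: PFS {ae.get('pfs')} vs {be.get('pfs')} on site B")
        if not any(p == q for p in a["isakmp"].values() for q in b["isakmp"].values()):
            findings.append(f"{where}: no ISAKMP policy with matching auth/encryption/hash/group")
        for label, side, entry in (("site A", a, ae), ("site B", b, be)):
            if entry.get("peer") not in side["tg"]:
                findings.append(f"{label}: no ipsec-l2l tunnel-group named {entry.get('peer')}")
        missing = a_acl - resolve(a, a["nat"])
        if missing:
            findings.append(f"{where}: no identity NAT exemption for {sorted(missing)}")
    return findings


# Constructed pair mirroring the thread's Kito_Keiai (site A) / Kito_CKR (site B) layout.
SITE_A = asa_site("198.51.100.10", "203.0.113.20", "Kito_Keiai", "192.168.62.0 255.255.255.0",
                  "Kito_CKR", "192.168.2.0 255.255.255.0")
SITE_B = asa_site("203.0.113.20", "198.51.100.10", "Kito_CKR", "192.168.2.0 255.255.255.0",
                  "Kito_Keiai", "192.168.62.0 255.255.255.0")

if __name__ == "__main__":
    for msg in check_pair(SITE_A, SITE_B) or ["no mismatches found"]:
        print(msg)
```

The checker only covers what `show running-config` exposes; a pre-shared key mismatch is invisible here (the key is masked) and shows up instead in the ISAKMP debug on the responder, so run this first to rule out the structural causes, then look at the key and the interface ACLs.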
03-04-2014 05:46 AM
Chetan the nat 0 statements you are suggesting are pre-8.3 syntax. I believe the OP already has the statements syntax appropriate for the 8.3 code he is running.
03-04-2014 07:25 PM
Hi Marvin,
That's right, I can't type nat 0.
The site-to-site VPN I asked about before is already connected; I added some CLI.
I can connect to the server from site B to site A.
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq echo
service-object tcp destination eq ftp
service-object tcp destination eq hostname
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq telnet
!
access-list outside_1_cryptomap extended permit ip object Kito_CKR object Kito_Keiai
access-list inside_access_in remark LocalNetwork >< RemoteNetwork
access-list inside_access_in extended permit ip object Kito_CKR object Kito_Keiai
access-list outside_access_in remark RemoteNetwork >< LocalNetwork
access-list outisde_access_in remark RemoteNetwork >< LocalNetwork
access-list outisde_access_in extended permit ip object Kito_Keiai object Kito_CKR
access-list inside_access_in_1 remark VPN S2S
access-list inside_access_in_1 extended permit ip object Kito_CKR object Kito_Keiai
access-list inside_access_in_1 remark permit from inside network
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 object Kito_CKR any
access-list outside_access_in_1 extended permit ip object Kito_Keiai object Kito_CKR
!
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
Thank you for all your kind help, Marvin, Chetan, and Javier.
03-05-2014 05:43 AM
Hello Fajri,
Glad to know that it is working now.
Please do not forget to rate helpful posts.