01-15-2014 07:44 PM - edited 03-11-2019 08:30 PM
I am trying to set up a VPN connection with the host being an ASA 5510. The connection is DSL with a static IP. This is the config I have.
I hooked the ASA up to the DSL today and could not get it to work. Anybody see any issues?
hostname landfill
domain-name default.domain.invalid
enable password 8WchzxzEGYY00Jo0 encrypted
passwd DdwidD3e3hOlIuQu encrypted
names
name 10.0.0.0 Chester
name 10.20.0.0 ChesterGov
name 10.200.4.0 Landfill
interface Vlan1
nameif inside
security-level 100
ip address 10.200.4.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 204.116.85.166 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip Landfill 255.255.255.0 Chester 255.0.0.0
access-list inside_nat0_outbound extended permit ip Landfill 255.255.255.0 Chester 255.0.0.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside Chester 255.0.0.0 207.144.35.1 1
route outside 0.0.0.0 0.0.0.0 207.144.35.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Chester 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.53.58.229
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet ChesterGov 255.255.0.0 inside
telnet timeout 5
ssh 64.53.58.229 255.255.255.255 outside
ssh 68.115.233.128 255.255.255.224 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.20.50.12 97.107.96.139
dhcpd wins 10.20.50.12
dhcpd ping_timeout 750
dhcpd domain chester.local
!
dhcpd address 10.200.10.10-10.200.10.41 inside
dhcpd enable inside
!
tftp-server inside 10.20.50.12 building-confg
tunnel-group 204.116.85.166 type ipsec-l2l
tunnel-group 204.116.85.166 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:87752a68b46be0350d19a1a4afcf8fc7
01-16-2014 12:11 AM
Hi,
I presume you mean you are trying to set up a L2L VPN with another site?
We would need to know the configuration of the remote site's VPN device also, or the VPN parameters you agreed upon before configuring this connection.
I would also suggest not using DES that you seem to have configured so far.
But as I said, we need information about the other end or the agreed parameters to know if there is a problem with the above configurations.
If you want to take some output from the ASA, then run ICMP from some PC on the LAN towards the remote network that is supposed to be behind the L2L VPN and take this output from the ASA:
show crypto isakmp sa
You could take it multiple times too and post any different-looking outputs here.
- Jouni
01-16-2014 05:38 AM
Here's some of the config in the host site's 5510:
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 208.104.72.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 204.116.169.241
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 97.107.100.254
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group1
crypto map outside_map 4 set peer 204.116.85.194
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs group1
crypto map outside_map 6 set peer 204.116.85.166
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set pfs group1
crypto map outside_map 7 set peer 207.144.35.240
crypto map outside_map 7 set transform-set ESP-3DES-SHA
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer 64.53.58.172
crypto map outside_map 140 set transform-set ESP-DES-MD5
crypto map outside_map 140 set security-association lifetime seconds 28800
crypto map outside_map 140 set security-association lifetime kilobytes 4608000
crypto map outside_map 200 match address outside_cryptomap_200
crypto map outside_map 200 set peer 207.144.35.246
crypto map outside_map 200 set transform-set ESP-DES-MD5
crypto map outside_map 200 set security-association lifetime seconds 28800
crypto map outside_map 200 set security-association lifetime kilobytes 4608000
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set pfs
crypto map outside_map 220 set peer city
crypto map outside_map 220 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 220 set security-association lifetime seconds 28800
crypto map outside_map 220 set security-association lifetime kilobytes 4608000
crypto map outside_map 260 match address outside_cryptomap_260
crypto map outside_map 260 set pfs group1
crypto map outside_map 260 set peer 204.116.85.199
crypto map outside_map 260 set transform-set ESP-3DES-SHA
crypto map outside_map 260 set security-association lifetime seconds 28800
crypto map outside_map 260 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.200.254.0 255.255.255.0 outside
telnet Chester 255.0.0.0 inside
telnet 10.200.254.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh Chester 255.0.0.0 inside
ssh timeout 15
console timeout 0
management-access inside
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname dslchesterco
vpdn group pppoe_group ppp authentication pap
vpdn username dslchesterco password
vpdn username ebuchanan password
vpdn username Solicitor-VPN password
vpdn username Chester-Remote-VPN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 10.200.254.2 chester-asa-confg
group-policy Chester-Remote-VPN internal
group-policy Chester-Remote-VPN attributes
wins-server value 10.20.50.12 10.30.10.2
dns-server value 10.20.50.12 10.30.10.2
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Chester-Remote-VPN_splitTunnelAcl
default-domain value chester.local
split-dns value chester.local
group-policy Solicitor-VPN internal
group-policy Solicitor-VPN attributes
wins-server value 10.20.50.12 10.30.50.12
dns-server value 10.20.50.12 10.30.50.12
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Solicitor-VPN_splitTunnelAcl
default-domain value chester
split-dns value chester.local
username csitech password uN.U3w31eUDYxY64 encrypted privilege 15
username cfs-project password JmJeAqC9Blf2zQWq encrypted
username dslchesterco password ciDK9zmi.hYU0D1i encrypted
username Chester-Remote-VPN password 27gb7s010tGddMN2 encrypted
username Solicitor-VPN password tjIGjYYj9qOEJSN9 encrypted
tunnel-group 204.116.85.199 type ipsec-l2l
tunnel-group 204.116.85.199 ipsec-attributes
pre-shared-key *
tunnel-group 64.53.58.172 type ipsec-l2l
tunnel-group 64.53.58.172 ipsec-attributes
pre-shared-key *
tunnel-group 204.116.85.166 type ipsec-l2l
tunnel-group 204.116.85.166 ipsec-attributes
pre-shared-key *
tunnel-group 207.144.35.246 type ipsec-l2l
tunnel-group 207.144.35.246 ipsec-attributes
pre-shared-key *
tunnel-group 64.53.58.225 type ipsec-l2l
tunnel-group 64.53.58.225 ipsec-attributes
pre-shared-key *
tunnel-group 204.116.85.194 type ipsec-l2l
tunnel-group 204.116.85.194 ipsec-attributes
pre-shared-key *
tunnel-group Chester-Remote-VPN type remote-access
tunnel-group Chester-Remote-VPN general-attributes
address-pool VPN-Pool
default-group-policy Chester-Remote-VPN
tunnel-group Chester-Remote-VPN ipsec-attributes
pre-shared-key *
tunnel-group 208.104.72.50 type ipsec-l2l
tunnel-group 208.104.72.50 ipsec-attributes
pre-shared-key *
tunnel-group 204.116.169.241 type ipsec-l2l
tunnel-group 204.116.169.241 ipsec-attributes
pre-shared-key *
tunnel-group Solicitor-VPN type remote-access
tunnel-group Solicitor-VPN general-attributes
address-pool VPN-Pool
default-group-policy Solicitor-VPN
tunnel-group Solicitor-VPN ipsec-attributes
pre-shared-key *
tunnel-group 97.107.100.254 type ipsec-l2l
tunnel-group 97.107.100.254 ipsec-attributes
pre-shared-key *
tunnel-group 207.144.35.240 type ipsec-l2l
tunnel-group 207.144.35.240 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
01-16-2014 05:46 AM
Hi,
There is some mismatch with the L2L VPN configurations at least.
You could add these on the ASA5505:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set pfs group1
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
I can't see the actual ACL configuration of the "access-list" called "outside_6_cryptomap" from the ASA5510, so I can't confirm if it's correct.
Hope this helps
- Jouni
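As an added illustration that is not part of this thread (and not a Cisco tool), the Python script below does the comparison the reply above did by eye: it parses the crypto sections of two ASA configurations, checks whether the two sides offer a matching IKEv1 phase 1 policy and a common IPsec phase 2 proposal with the same PFS setting, checks that every static crypto map peer has an ipsec-l2l tunnel-group of the same name, and lists deprecated algorithms (DES, MD5, DH groups 1 and 2) still referenced. The sample inputs are lines trimmed from the two configs posted in this thread, and the script assumes that crypto map entry 1 on the ASA5505 and entry 6 on the ASA5510 are the two ends of the same tunnel; it does not fill in ASA defaults for policy parameters that are not stated, and it treats any PFS difference as a mismatch.

```python
"""Cross-check the IKEv1 phase 1 policies and IPsec phase 2 proposals two ASA configs offer
for one L2L tunnel and flag deprecated algorithms (added example, not Cisco code). Assumed
rules: phase 1 matches on authentication, encryption, hash and DH group (lifetime may
differ); phase 2 needs a common ESP pair and the same PFS setting (any difference is reported)."""
import re
DEPRECATED = {"des", "esp-des", "md5", "esp-md5-hmac", "group1", "group2", "1", "2"}

def parse_asa(text):
    """Pull ISAKMP policies, transform sets, static crypto map entries and L2L tunnel groups."""
    cfg = {"policies": {}, "tsets": {}, "cmaps": {}, "l2l": set()}
    cur = None  # ISAKMP policy whose sub-lines are being read
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := re.match(r"crypto isakmp policy (\d+)$", line)):
            cur = cfg["policies"].setdefault(int(m.group(1)), {})
        elif cur is not None and (m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)):
            cur[m.group(1)] = m.group(2)
        else:
            cur = None  # any other line closes the policy block
            if (m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line)):
                cfg["tsets"][m.group(1)] = (m.group(2), m.group(3))
            elif (m := re.match(r"crypto map (\S+) (\d+) set (peer|transform-set|pfs)\s*(.*)$", line)):
                entry = cfg["cmaps"].setdefault((m.group(1), int(m.group(2))), {"peer": None, "transform-set": [], "pfs": None})
                key, val = m.group(3), m.group(4).split()
                if key == "peer":
                    entry["peer"] = val[0]
                elif key == "transform-set":
                    entry["transform-set"] = val  # a later line replaces the list, as on the ASA
                else:
                    entry["pfs"] = val[0] if val else "default"  # bare "set pfs" means the platform default group
            elif (m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line)):
                cfg["l2l"].add(m.group(1))
    return cfg

def phase1_match(local, remote):
    """(local_seq, remote_seq) policy pairs that agree on all four negotiated parameters."""
    return [(ls, rs) for ls, lp in sorted(local["policies"].items())
            for rs, rp in sorted(remote["policies"].items())
            if all(lp.get(k) == rp.get(k) for k in ("authentication", "encryption", "hash", "group"))]

def phase2_check(local, lseq, remote, rseq, map_name="outside_map"):
    """Findings for one crypto map entry per side (empty list = consistent)."""
    lent, rent = local["cmaps"][(map_name, lseq)], remote["cmaps"][(map_name, rseq)]
    lprop = {local["tsets"][n] for n in lent["transform-set"] if n in local["tsets"]}
    rprop = {remote["tsets"][n] for n in rent["transform-set"] if n in remote["tsets"]}
    findings = []
    if not lprop & rprop:
        findings.append(f"no common ESP proposal: local {sorted(lprop)} vs remote {sorted(rprop)}")
    if lent["pfs"] != rent["pfs"]:
        findings.append(f"PFS mismatch: local {lent['pfs'] or 'off'} vs remote {rent['pfs'] or 'off'}")
    return findings

def missing_tunnel_groups(cfg):
    """Crypto map peers with no ipsec-l2l tunnel-group of that name (IKEv1 L2L with a PSK is looked up by peer address)."""
    peers = {e["peer"] for e in cfg["cmaps"].values() if e["peer"]}
    return sorted(peers - cfg["l2l"])

def deprecated_in_use(cfg):
    """Deprecated algorithms referenced by policies, transform sets or PFS settings."""
    used = set()
    for p in cfg["policies"].values():
        used.update(v for k in ("encryption", "hash", "group") if (v := p.get(k)))
    used.update(alg for pair in cfg["tsets"].values() for alg in pair)
    used.update(e["pfs"] for e in cfg["cmaps"].values() if e["pfs"])
    return sorted(used & DEPRECATED)

# Constructed inputs: lines trimmed from the two posted configs; SPOKE_FIXED adds the reply's three suggested lines.
SPOKE = """
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 set peer 64.53.58.229
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
tunnel-group 204.116.85.166 type ipsec-l2l
"""
HUB = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 6 set pfs group1
crypto map outside_map 6 set peer 204.116.85.166
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
tunnel-group 204.116.85.166 type ipsec-l2l
"""
SPOKE_FIXED = SPOKE + """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set pfs group1
"""

if __name__ == "__main__":
    spoke, hub, fixed = parse_asa(SPOKE), parse_asa(HUB), parse_asa(SPOKE_FIXED)
    print(phase1_match(spoke, hub), phase2_check(spoke, 1, hub, 6), phase2_check(fixed, 1, hub, 6))
    print(missing_tunnel_groups(spoke), deprecated_in_use(spoke), deprecated_in_use(hub))
```

Run against the posted lines it reports that phase 1 can agree (the 5510's policy 20 offers the same des/md5/group 2 set as the 5505's policy 10), that phase 2 cannot (esp-des versus esp-3des, and PFS group1 on one side only), and that after the three suggested additions the phase 2 findings clear; the deprecated-algorithm list is the same point the first reply made about DES.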