
Site to Site VPN not establishing (ASA 8.4)

lmel
Level 1

Hello

I'm trying to establish an IPsec tunnel between two ASAs running 8.4 with no luck, and I can't seem to find out what is missing. Can someone check whether my configuration is OK?

 

SITE A
object-group network COMPANY-ANG
network-object 192.168.100.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
object-group network COMPANY-REMOTE
network-object 192.168.200.0 255.255.255.0
network-object 10.0.0.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source static COMPANY-ANG COMPANY-REMOTE destination static COMPANY-ANG COMPANY-REMOTE no-proxy-arp

 

access-list VPN-INTERESTING-TRAFFIC extended permit ip object-group COMPANY-ANG object-group COMPANY-REMOTE

 

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside

crypto ikev1 policy 10
authentication pre-share
hash sha
group 2
lifetime 86400
exit

 

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key Lyon123!
isakmp keepalive threshold 10 retry 2
exit

 

SITE B
object-group network COMPANY-LX
network-object 192.168.200.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
network-object 10.0.0.0 255.255.255.0
object-group network COMPANY-REMOTE
network-object 192.168.100.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
nat (inside,outside) source static COMPANY-LX COMPANY-REMOTE destination static COMPANY-LX COMPANY-REMOTE no-proxy-arp

 

access-list VPN-INTERESTING-TRAFFIC extended permit ip object-group COMPANY-LX object-group COMPANY-REMOTE

 

crypto isakmp identity address
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 4.4.4.4
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside


crypto ikev1 policy 10
authentication pre-share
hash sha
group 2
lifetime 86400
exit


tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key Lyon123!
isakmp keepalive threshold 10 retry 2
exit

 

7 Replies

Hi @lmel 

Your NAT rules look wrong, the original source & translated source should be the same and the original destination & translated destination should also be the same.

 

nat (inside,outside) source static COMPANY-ANG COMPANY-REMOTE destination static COMPANY-ANG COMPANY-REMOTE no-proxy-arp
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object-group COMPANY-ANG object-group COMPANY-REMOTE

If your source network is COMPANY-ANG and the destination is COMPANY-REMOTE, then the NAT exemption rules should look like this:-

 

nat (inside,outside) source static COMPANY-ANG COMPANY-ANG destination static COMPANY-REMOTE COMPANY-REMOTE no-proxy-arp

This will ensure traffic over the VPN from the COMPANY-ANG network to the COMPANY-REMOTE network is not unintentionally translated.

 

Mirror this configuration on the other ASA:-

 

nat (inside,outside) source static COMPANY-LX COMPANY-LX destination static COMPANY-REMOTE COMPANY-REMOTE no-proxy-arp

 HTH

lmel
Level 1

Hey, thank you for the reply.

I changed the NAT rule but it didn't work. Plus, when I issue the command "sh crypto isakmp sa", the tunnel is not even trying to associate... Is something wrong besides the NAT rule?

 

SITE B FULL CONFIG

ciscoasa# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

 


...........................................................................
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.200.2 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 1.1.1.1
!

object-group network COMPANY-LX
network-object 192.168.200.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
network-object 10.0.0.0 255.255.255.0
object-group network COMPANY-REMOTE
network-object 192.168.100.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object-group COMPANY-LX object-group COMPANY-REMOTE

nat (inside,outside) source static COMPANY-LX COMPANY-LX destination static COMPANY-REMOTE COMPANY-REMOTE no-proxy-arp

 

nat (inside,outside) source dynamic any interface

 

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 4.4.4.4
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
ikev1 pre-shared-key *****
!

 

@lmel 

Hard to tell without seeing the full configuration from both ASAs.

Is IKEv1/ISAKMP enabled on the SITE A ASA (your configuration above doesn't specify it)?

Can the ASAs ping each other's public IP address?

How are you testing? You need to generate traffic from the source networks (not the ASA itself).

Turn on IKEv1/ISAKMP debugs, generate traffic and provide the output for review.

Hi

I was able to establish the VPN connection... but now I can't ping local networks across the tunnel.

I'm trying to ping from a PC with IP 192.168.100.66 to a PC with IP 10.0.0.66 on SITE A, and from 10.0.0.66 to 192.168.100.66.

Neither of them replies to ping.

Are the ACLs OK? What could cause this behaviour with ping?

Thanks again

@lmel 

You don't provide enough information to help us troubleshoot the issue for you.

 

Provide the output of "show crypto ipsec sa" from both ASAs.

Run packet-tracer to simulate the traffic flow and provide the output.

Provide the output of "show nat detail" from both ASAs.

Do you have VPN filter/Interface ACL configured that could block the traffic?

Is there a local firewall configured on the PCs that could be blocking the traffic?

Hello

I found out that if I put the generic NAT rule at the TOP of the configuration, it blocks ping between sites... If I change the order (NAT exemption first and then the generic NAT rule), everything works.

Does this make any sense?

This is my working running config:

 

SITE A

object network LX_192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network Lx_10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network Lx_192.168.200.0
subnet 192.168.200.0 255.255.255.0
object network Mulemba_10.0.20.0
subnet 10.0.20.0 255.255.255.0
object network Mulemba_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network Mulemba_192.168.100.0
subnet 192.168.100.0 255.255.255.0

object-group network HQ_NETWORK
network-object object LX_192.168.0.0
network-object object Lx_10.0.0.0
network-object object Lx_192.168.200.0
object-group network BRANCH_NETWORK
network-object object Mulemba_10.0.20.0
network-object object Mulemba_192.168.1.0
network-object object Mulemba_192.168.100.0
access-list outside_1_cryptomap extended permit ip object-group HQ_NETWORK object-group BRANCH_NETWORK

 

nat (inside,outside) source static HQ_NETWORK HQ_NETWORK destination static BRANCH_NETWORK BRANCH_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface


crypto ikev1 enable outside


tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key ****

crypto ikev1 policy 10
hash sha
authentication pre-share
group 5
lifetime 28800
encryption aes-256

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 7200
crypto map outside_map 1 set pfs group5
crypto map outside_map interface outside

 

 

SITE B
object network LX_192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network Lx_10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network Lx_192.168.200.0
subnet 192.168.200.0 255.255.255.0
object network Mulemba_10.0.20.0
subnet 10.0.20.0 255.255.255.0
object network Mulemba_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network Mulemba_192.168.100.0
subnet 192.168.100.0 255.255.255.0

object-group network HQ_NETWORK
network-object object LX_192.168.0.0
network-object object Lx_10.0.0.0
network-object object Lx_192.168.200.0
object-group network BRANCH_NETWORK
network-object object Mulemba_10.0.20.0
network-object object Mulemba_192.168.1.0
network-object object Mulemba_192.168.100.0
access-list outside_1_cryptomap extended permit ip object-group BRANCH_NETWORK object-group HQ_NETWORK

 

nat (inside,outside) source static BRANCH_NETWORK BRANCH_NETWORK destination static HQ_NETWORK HQ_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface

 

crypto ikev1 enable outside


tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
ikev1 pre-shared-key ****

crypto ikev1 policy 10
hash sha
authentication pre-share
group 5
lifetime 28800
encryption aes-256

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 4.4.4.4
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 7200
crypto map outside_map 1 set pfs group5
crypto map outside_map interface outside

 

@lmel 

Yes of course, the order of the NAT rules is important. The command "show nat detail" would have confirmed the order, so it would have been obvious that traffic was unintentionally translated behind the outside interface instead of hitting the NAT exemption rule.

Packet-tracer would have also confirmed your traffic was matching the wrong NAT rule.

Normally I use the syntax below, which includes the keyword "after-auto", so it will be processed last and you don't need to worry about re-ordering the NAT rules when you add additional NAT rules.

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
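To make the two points raised in this thread concrete (a NAT exemption must keep real and mapped objects identical, and a "source dynamic any interface" rule placed above the exemption captures the VPN traffic first, so the post-NAT packet no longer matches the crypto-map ACL and leaves in the clear), here is a small Python model of the ASA's first-match NAT evaluation. This is an added example, not Cisco code or anything posted in the thread: it only models manual (section 1) and after-auto (section 3) rules, identity static rules and PAT to the outside interface, reuses the thread's object-group names and subnets, and the outside address 203.0.113.10 and the Internet host 198.51.100.5 are constructed.

```python
"""Toy model of ASA 8.3+ NAT rule selection for site-to-site VPN traffic.

Added example, not Cisco's code. Only manual (section 1) and after-auto
(section 3) rules, identity static (NAT exemption) and dynamic PAT to the
outside interface are modelled; object NAT (section 2) is ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed object-groups, mirroring the subnets used in the thread.
GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "BRANCH_NETWORK": [ipaddress.ip_network(n) for n in
                       ("10.0.20.0/24", "192.168.1.0/24", "192.168.100.0/24")],
    "HQ_NETWORK": [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "10.0.0.0/24", "192.168.200.0/24")],
}


def in_group(name: str, ip: str) -> bool:
    """True if ip falls inside the named object-group ('any' matches everything)."""
    if name == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GROUPS[name])


@dataclass
class NatRule:
    """One 'nat (inside,outside) source ... destination ...' line."""
    real_src: str
    mapped_src: str              # object-group name, or "interface" for PAT
    real_dst: str = "any"
    mapped_dst: str = "any"
    after_auto: bool = False     # 'after-auto' keyword puts the rule in section 3

    def is_exemption(self) -> bool:
        """A real NAT exemption keeps real == mapped on both source and destination."""
        return self.real_src == self.mapped_src and self.real_dst == self.mapped_dst

    def matches(self, src: str, dst: str) -> bool:
        return in_group(self.real_src, src) and in_group(self.real_dst, dst)


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Section 1 rules (config order) are searched before section 3 (after-auto)."""
    return [r for r in rules if not r.after_auto] + [r for r in rules if r.after_auto]


def apply_nat(rules: List[NatRule], src: str, dst: str,
              interface_ip: str) -> Tuple[str, str, Optional[NatRule]]:
    """First matching rule wins; returns (translated_src, translated_dst, rule)."""
    for rule in evaluation_order(rules):
        if not rule.matches(src, dst):
            continue
        if rule.mapped_src == "interface":
            return interface_ip, dst, rule      # dynamic PAT behind the outside address
        if rule.is_exemption():
            return src, dst, rule               # identity translation: packet untouched
        raise NotImplementedError("non-identity static NAT is not modelled here")
    return src, dst, None                       # no rule matched: no translation


def egress_path(rules: List[NatRule], src: str, dst: str, interface_ip: str,
                crypto_acl: Tuple[str, str]) -> str:
    """The crypto-map ACL is evaluated against the packet *after* NAT."""
    acl_src, acl_dst = crypto_acl
    xsrc, xdst, _ = apply_nat(rules, src, dst, interface_ip)
    return "vpn" if in_group(acl_src, xsrc) and in_group(acl_dst, xdst) else "clear"


def lint_exemptions(rules: List[NatRule]) -> List[NatRule]:
    """Flag static rules that look like exemptions but actually translate."""
    return [r for r in rules if r.mapped_src != "interface" and not r.is_exemption()]


# Rules as they appear in the thread (names reused; addresses below are constructed).
EXEMPT = NatRule("BRANCH_NETWORK", "BRANCH_NETWORK", "HQ_NETWORK", "HQ_NETWORK")
PAT = NatRule("any", "interface")
PAT_AFTER_AUTO = NatRule("any", "interface", after_auto=True)
WRONG_EXEMPT = NatRule("BRANCH_NETWORK", "HQ_NETWORK", "BRANCH_NETWORK", "HQ_NETWORK")

OUTSIDE_IP = "203.0.113.10"                    # constructed outside interface address
CRYPTO_ACL = ("BRANCH_NETWORK", "HQ_NETWORK")  # access-list outside_1_cryptomap

if __name__ == "__main__":
    branch_pc, hq_pc, internet = "192.168.100.66", "10.0.0.66", "198.51.100.5"
    for label, rules in (("PAT first", [PAT, EXEMPT]),
                         ("exemption first", [EXEMPT, PAT]),
                         ("PAT with after-auto", [PAT_AFTER_AUTO, EXEMPT])):
        print(f"{label:20} VPN traffic -> {egress_path(rules, branch_pc, hq_pc, OUTSIDE_IP, CRYPTO_ACL)}, "
              f"Internet traffic -> {egress_path(rules, branch_pc, internet, OUTSIDE_IP, CRYPTO_ACL)}")
    print("rules that are not true exemptions:", lint_exemptions([EXEMPT, PAT, WRONG_EXEMPT]))
```

Running it shows the failure mode from the thread: with the PAT rule listed first, the branch-to-HQ packet is translated to the outside address and falls out of the crypto ACL, while the same rule marked after-auto is consulted only after the exemption, so VPN traffic stays untranslated and Internet traffic is still PAT'd. The lint function reproduces the first reply's check on the original "COMPANY-ANG COMPANY-REMOTE" rule.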

 
