01-05-2012 07:00 PM - edited 03-11-2019 03:10 PM
Hi,
I'm trying to create a site-to-site VPN with an ASA on both sides, but the tunnel is not initiating. Here are the configs and the packet tracer. If you notice the packet tracer, the traffic is dropped due to an ACL, but I am permitting the traffic on the outside interface and still the tunnel is not up.
lan-A-----ASA1------router-------ASA2------- lan-B.
Traffic initiating from LAN-A to LAN-B.
ASA1(config)# packet-tracer input inside tcp 1.1.1.0 23 3.3.3.0 23
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
match ip inside 1.1.1.0 255.255.255.0 outside 3.3.3.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (192.168.20.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (192.168.20.1 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA1:
ASA1(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list outside extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside extended permit icmp any any
pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.20.2 1
route inside 1.1.1.0 255.255.255.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map ipsec 10 match address vpn
crypto map ipsec 10 set peer 192.168.30.1
crypto map ipsec 10 set transform-set myset
crypto map ipsec interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group asa2 type ipsec-l2l
tunnel-group asa2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA1(config)#
ASA2:
ASA2(config)# sh running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list vpn extended permit ip 3.3.3.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside extended permit ip 1.1.1.0 255.255.255.0 3.3.3.0 255.255.255.0
access-list outside extended permit icmp any any
pager lines 24
logging enable
logging buffered notifications
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.30.2 1
route inside 3.3.3.0 255.255.255.0 192.168.40.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSec_map 10 match address vpn
crypto map IPSec_map 10 set peer 192.168.20.1
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group asa1 type ipsec-l2l
tunnel-group asa1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
01-06-2012 03:01 PM
This might help.
For question 1: I have tried so many times; it just works with the IP. In all Cisco docs nowhere is a name mentioned. Even best practice is to use the IP.
Questions 2 and 3: the link given has the remote as a dynamic IP with a full config on the ASA.
Hope this helps.
& it's good to know ping started working, sometimes different tricks
Thanks
Ajay
01-05-2012 08:46 PM
Can you change the tunnel-group name to the remote IP on both sides and try?
tunnel-group 192.168.20.1 type ipsec-l2l
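As an added example (not code from the thread or from Cisco), a small Python check for the mismatch this reply fixes: it reads an ASA running-config excerpt and flags every `crypto map ... set peer` address that has no `tunnel-group <peer-IP> type ipsec-l2l` carrying a pre-shared key. The excerpt is constructed from the ASA1 config posted above, and the "fixed" variant applies the rename suggested here.

```python
import re

# Constructed excerpt in the shape of the ASA1 running-config posted above
# (only the lines this check reads); ASA1_FIXED applies the rename from the reply.
ASA1_EXCERPT = """\
crypto map ipsec 10 match address vpn
crypto map ipsec 10 set peer 192.168.30.1
crypto map ipsec interface outside
tunnel-group asa2 type ipsec-l2l
tunnel-group asa2 ipsec-attributes
 pre-shared-key *
"""
ASA1_FIXED = ASA1_EXCERPT.replace("tunnel-group asa2", "tunnel-group 192.168.30.1")

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)", re.M)
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l", re.M)
PSK_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\n\s*pre-shared-key", re.M)


def l2l_peers(config):
    """Map each crypto-map peer address to (map name, sequence number)."""
    return {m.group(3): (m.group(1), int(m.group(2))) for m in PEER_RE.finditer(config)}


def check_l2l_tunnel_groups(config):
    """One finding per crypto-map peer that has no IKEv1 L2L tunnel-group named
    after its IP address (or a group with that name but no pre-shared key).
    The ASA selects the L2L group, and thus the key, by peer address: a group
    called 'asa2' is never matched for peer 192.168.30.1, phase 1 falls back
    to DefaultL2LGroup, and the packet-tracer run above ends in a VPN drop."""
    groups = set(L2L_RE.findall(config))
    with_psk = set(PSK_RE.findall(config))
    if "DefaultL2LGroup" in with_psk:
        return []  # a keyed default group accepts any peer, so nothing to flag
    findings = []
    for peer, (cmap, seq) in l2l_peers(config).items():
        if peer in groups and peer in with_psk:
            continue
        if peer in groups:
            findings.append((peer, "tunnel-group exists but has no pre-shared-key"))
        else:
            findings.append((peer, f"{cmap} seq {seq}: no tunnel-group {peer} "
                                   f"type ipsec-l2l; groups present: {sorted(groups)}"))
    return findings


if __name__ == "__main__":
    for cfg, label in ((ASA1_EXCERPT, "as posted"), (ASA1_FIXED, "renamed")):
        print(label, check_l2l_tunnel_groups(cfg) or "OK")
```

Run the same check against ASA2's config with its peer 192.168.20.1 and group `asa1` to see the mirror-image finding.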
01-06-2012 12:07 PM
Hello
The tunnel came up, but I have one issue: my telnet is working but ICMP is not working. ????
When I enter the sysopt connection permit-vpn command, ICMP works.
Any hints?
thanks
01-06-2012 12:18 PM
The command "sysopt connection permit-vpn" tells the ASA to allow the VPN traffic regardless of access-lists.
However, please configure the inspect commands as here and try.
policy-map global_policy
 class inspection_default
  inspect icmp
Thanks
Ajay
01-06-2012 12:56 PM
Hello Ajay,
Without doing the above inspect and after removing the sysopt connection permit-vpn command it is working; I don't know how ???
Questions:
Please reply
Tx
01-13-2012 12:13 PM
Hi,
Thanks
01-14-2012 12:59 AM
Hi Jack,
The router can initiate connections to the PIX, but the PIX cannot initiate connections to the router. See the link below-
The PIX can initiate connections to the router, but the router cannot initiate connections to the PIX. See the link below-
So whoever has got the dynamic IP can initiate the connection.
This external link might help to configure DDNS on ADSL. However, I never tried it.
http://joe-ma-how-to.blogspot.com/2008/05/dynamic-dns-on-cisco-adsl-router.html
Thanks
Ajay
01-14-2012 02:50 AM
Hello,
If I want to initiate a connection from both the router and the ASA, is it possible??? when the ASA is on a static IP and the router on a dynamic one.
Tx
01-14-2012 04:03 AM
Hi Jack,
Answer would be NO.
Thanks
Ajay
01-14-2012 06:34 AM
Hello,
Thanks for all replies,
I want the VPN configuration for ASA 8.4. Is there any configuration example for 8.4? If not possible, then can you highlight the major changes that I have to take care of for the configuration in 8.4?