Solved: Re: ASA 5505 - Whats Wrong with this Configuration

mfdarvesh · ‎04-05-2020

Cisco Packet Tracer 6.2 - I am trying configure Site-to-Site VPN between HQ and Branch Office. Can someone help me, whats wrong with this configuration.

Network Topology:

Show Crypto ipsec sa, shows no sa

HQ-ASA

ASA Version 8.4(2)
!
hostname HQ-ASA
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.0
!
object network BR
subnet 192.168.210.0 255.255.255.0
object network HQ
subnet 192.168.200.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
!
access-list HQ<->BR extended permit icmp object HQ object BR
access-list HQ<->BR extended permit tcp object HQ object BR
access-list OUTSIDE extended permit tcp object BR object HQ
access-list OUTSIDE extended permit icmp object BR object HQ
!
!
access-group OUTSIDE out interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
!
!
!
crypto ipsec ikev1 transform-set HQ->BR esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 match address HQ<->BR
crypto map VPNMAP 10 set peer 10.10.10.1
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set ikev1 transform-set HQ->BR
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
ikev1 pre-shared-key cisco123

BR-ASA

hostname BR-ASA
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.210.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.0
!
object network BR
subnet 192.168.210.0 255.255.255.0
object network HQ
subnet 192.168.200.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
access-list BR<->HQ extended permit tcp object BR object HQ
access-list BR<->HQ extended permit icmp object BR object HQ
access-list OUTSIDE extended permit icmp object HQ object BR
access-list OUTSIDE extended permit tcp object HQ object BR
!
!
access-group OUTSIDE out interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
!
crypto ipsec ikev1 transform-set BR->HQ esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 match address BR<->HQ
crypto map VPNMAP 10 set peer 10.0.0.1
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set ikev1 transform-set BR->HQ
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
ikev1 pre-shared-key cisco123

Georg Pauwen · ‎04-07-2020

Sorry about that, my bad, I forgot to apply the access lists again.

You need to give it a few minutes before you see the SAs, the ASAs seem to start slowly...

Attached the revised file. Start a ping -t from the PCs and wait for a few minutes, you should then see the SAs...

View solution in original post

Cristian Matei · ‎04-05-2020

Hi,

1. Do you have IP connectiivity between the two ASA's: 10.0.0.1 and 10.10.10.1?

2. Configure your crypto-ACL's, where the encryption domain is defined, with IP statements, not TCP/ICMP statements:

no access-list HQ<->BR extended permit icmp object HQ object BR
no access-list HQ<->BR extended permit tcp object HQ object BR

access-list HQ<->BR extended permit ip object HQ object BR

no access-list BR<->HQ extended permit tcp object BR object HQ
no access-list BR<->HQ extended permit icmp object BR object HQ

access-list BR<->HQ extended permit ip object BR object HQ

Regards,
Cristian Matei.

mfdarvesh · ‎04-05-2020

Thank you
1. Yes - ISP Router is forwarding traffic, I can ping both firewalls from each other.
2. Added this line but problem still exists

Georg Pauwen · ‎04-06-2020

Hello,

post the (zipped) Packet Tracer project (.pkt) file...

Cristian Matei · ‎04-06-2020

Hi,

Have you remove the existing 2 lines and added just that one IP statement? Generate traffic between the protected subnets and post the output of "show crypto ipsec sa" and "show crypto isakmp sa".

Regards,
Cristian Matei.

mfdarvesh · ‎04-06-2020

@Cristian Matei

Downloaded Packet Tracer 7.3 and reconfigured with ASA 5506-x. Remove that two lines and added this online on both sides:

Result on HQ-ASA:

Result on BR-ASA

In Simulation Mode - Ping from BR to HQ:

Result on HQ-ASA

Packed managed to cross ISP Router and Error on HQ-ASA

@Georg Pauwen

Configuration file is attached pl

Cristian Matei · ‎04-06-2020

Hi,

Can you reactivate IKE on the outside interface by removing and re-applying the command "crypto ikev1 enable outside"? Lso ensure to generate traffic between he protected subnets, don't ping from the ASA< but from behind the ASA.

Regards,

Cristian Matei.

mfdarvesh · ‎04-06-2020

Remove and reapplied. It shows this:

run a ping and after that no IKEV1 sa, as usual. Complete configuration file is also attached above.

Georg Pauwen · ‎04-06-2020

Hello,

I opened your file, the PC at HQ-ASA site had no default gateway, also, the router had no routes to the remote subnets.

Attached the working file...

mfdarvesh · ‎04-06-2020

@Georg Pauwen thank you very much for your time and effort. I observed that access-group OUTSIDE was removed but after downloading and straight pinging from BR to HQ, not working. Below is attached image of ping result. May be my packet tracer is faulty ..

Georg Pauwen · ‎04-07-2020

Sorry about that, my bad, I forgot to apply the access lists again.

You need to give it a few minutes before you see the SAs, the ASAs seem to start slowly...

Attached the revised file. Start a ping -t from the PCs and wait for a few minutes, you should then see the SAs...

mfdarvesh · ‎04-07-2020

Thank you again for your time and efforts.

At first ping not started for 5 minutes. Closed Packet Tracer and re-opened. Ping started immediately and now it is working.

One thing more regarding IP Route of subnets at ISP Router -> I was not aware of this practice. Previously, if we place Routers instead of Firewall, we don't need any configuration on ISP Router apart from Interface configuration. Added a new thing in my knowledge, I really appreciate -> Thank you again