11-17-2020 01:12 PM
I am working on getting my CCNA and am setting up a home lab. I have two 5506-X ASAs connected to each other via 1/1 and PCs connected via ports 1/2. I am using the most basic configuration I could come up with. I execute the command line configurations listed below and then use the ASDM Site-to-Site configuration wizard to attempt to bring the tunnel up and it all just fails. The ACL is never triggered by any traffic towards the remote networks. Here are my basic configs, the rest is done by the wizard. Why isn't this working?
ASA #1
-----------------------------------------------------------
pager 0
no debug all
!
config factory-default
!
pager 65
!
! Clear and remove all of the BVI settings
interface GigabitEthernet1/2
no nameif
no bridge-group 1
interface GigabitEthernet1/3
no nameif
no bridge-group 1
interface GigabitEthernet1/4
no nameif
no bridge-group 1
interface GigabitEthernet1/5
no nameif
no bridge-group 1
interface GigabitEthernet1/6
no nameif
no bridge-group 1
interface GigabitEthernet1/7
no nameif
no bridge-group 1
interface GigabitEthernet1/8
no nameif
no bridge-group 1
!
clear configure interface BVI1
!
no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7
!
hostname asa1
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
no shut
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
no shut
ASA #2
-----------------------------------------------------------
pager 0
no debug all
!
config factory-default
!
pager 65
!
! Clear and remove all of the BVI settings
interface GigabitEthernet1/2
no nameif
no bridge-group 1
interface GigabitEthernet1/3
no nameif
no bridge-group 1
interface GigabitEthernet1/4
no nameif
no bridge-group 1
interface GigabitEthernet1/5
no nameif
no bridge-group 1
interface GigabitEthernet1/6
no nameif
no bridge-group 1
interface GigabitEthernet1/7
no nameif
no bridge-group 1
interface GigabitEthernet1/8
no nameif
no bridge-group 1
!
clear configure interface BVI1
!
no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7
!
hostname asa2
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
no shut
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
no shut
Please help!
11-17-2020 01:28 PM
Hello,
you basically have two ASAs with empty configurations. What are you trying to build, a site-to-site VPN?
11-17-2020 02:14 PM - edited 11-17-2020 02:15 PM
Yes, I am doing the most basic configuration and then using the ASDM Site-to-Site VPN Wizard to configure the VPN but it is not working.
11-17-2020 02:24 PM
We do not have enough information here to be able to understand the real issue or to give good advice. We see on each ASA an outside interface that appears to be a point-to-point connection to a peer ASA and an inside interface that might function as the LAN for the site-to-site VPN. Then we get a very general statement about using ASDM. How can we see a problem in this?
My suggestion is to go through your process with ASDM, then pause, produce a copy of the running config for at least one of the ASAs (both would be better) and post it here. Once we can see the config that it has produced we might be better able to find the problem.
A second step would be after you have completed your configuration efforts in ASDM to turn on debugging for ISAKMP, generate some traffic from one ASA toward the other ASA, and post any debug output.
11-17-2020 05:38 PM
I am trying to configure a Site-to-Site VPN so that I can use ASDM to connect to the remote ASA. Here is the configuration of both ASAs. The tunnel comes up but I cannot seem to contact the remote ASA from either side.
ASA #1
----------------------------------------------------------
pager 0
no debug all
!
config factory-default
!
pager 65
!
! Clear and remove all of the BVI settings
interface GigabitEthernet1/2
no nameif
no bridge-group 1
interface GigabitEthernet1/3
no nameif
no bridge-group 1
interface GigabitEthernet1/4
no nameif
no bridge-group 1
interface GigabitEthernet1/5
no nameif
no bridge-group 1
interface GigabitEthernet1/6
no nameif
no bridge-group 1
interface GigabitEthernet1/7
no nameif
no bridge-group 1
interface GigabitEthernet1/8
no nameif
no bridge-group 1
!
clear configure interface BVI1
!
no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7
!
hostname asa1
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
no shut
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
no shut
!
!
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key cisco
!
object network 10.0.1.0_24
subnet 10.0.1.0 255.255.255.0
object network 10.0.2.0_24
subnet 10.0.2.0 255.255.255.0
!
access-list 100 extended permit ip object 10.0.1.0_24 object 10.0.2.0_24
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static 10.0.1.0_24 10.0.1.0_24 destination static 10.0.2.0_24 10.0.2.0_24 no-proxy-arp route-lookup
route outside 0 0 1.1.1.2
ASA #2
----------------------------------------------------------
pager 0
no debug all
!
config factory-default
!
pager 65
!
! Clear and remove all of the BVI settings
interface GigabitEthernet1/2
no nameif
no bridge-group 1
interface GigabitEthernet1/3
no nameif
no bridge-group 1
interface GigabitEthernet1/4
no nameif
no bridge-group 1
interface GigabitEthernet1/5
no nameif
no bridge-group 1
interface GigabitEthernet1/6
no nameif
no bridge-group 1
interface GigabitEthernet1/7
no nameif
no bridge-group 1
interface GigabitEthernet1/8
no nameif
no bridge-group 1
!
clear configure interface BVI1
!
no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7
!
hostname asa2
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
no shut
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
no shut
!
!
!
crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
!
object network 10.0.1.0_24
subnet 10.0.1.0 255.255.255.0
object network 10.0.2.0_24
subnet 10.0.2.0 255.255.255.0
!
access-list 100 extended permit ip object 10.0.2.0_24 object 10.0.1.0_24
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.1.0_24 10.0.1.0_24 no-proxy-arp route-lookup
route outside 0 0 1.1.1.1
11-18-2020 12:39 AM
Hello,
the configs look by the book. Do you have 'real' or simulated ASAs?
11-18-2020 05:57 AM
Hi Georg,
I am using real 550x-X ASAs; they are sitting next to each other connected via gi1/1 and I have a laptop connected to gi1/2 of ASA1. I am trying to reach the HTTP server on ASA2 so that I can use ASDM to remotely configure ASA2. I am also unable to ping the inside IP of ASA2 from the laptop connected to ASA1.
Thank you in advance for your assistance.
11-18-2020 07:31 AM
I continued researching similar issues in this community and found my answer. I issued the following two commands and it all started working.
management-access inside
icmp permit any inside
Thank you for all of the efforts!
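Added example, not part of the thread and not Cisco tooling: a small Python checker that does by script what the earlier reply asks for by eye, comparing the two wizard-produced configs for the usual site-to-site mistakes (crypto ACLs that are not mirror images, a peer that is not the other side's outside address, missing identity NAT, differing pre-shared keys) and flagging the omission the accepted answer fixed, `management-access inside`, which is what lets an ASA answer on its inside interface address for traffic arriving through the tunnel. The embedded ASA1/ASA2 strings are constructed from the configs posted above, trimmed to the lines the checks need; the function and field names are the example's own.

```python
# Added example (not code from the thread): parse the VPN-relevant lines of
# the two configs posted above and report why a tunnel that negotiates can
# still carry no useful traffic. Sample input below is constructed from the
# posted configs, trimmed to the lines the checks need.
import re

ASA1 = """
interface GigabitEthernet1/1
 nameif outside
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 ip address 10.0.1.1 255.255.255.0
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key cisco
object network 10.0.1.0_24
 subnet 10.0.1.0 255.255.255.0
object network 10.0.2.0_24
 subnet 10.0.2.0 255.255.255.0
access-list 100 extended permit ip object 10.0.1.0_24 object 10.0.2.0_24
crypto map outside_map 20 set peer 1.1.1.2
nat (inside,outside) 1 source static 10.0.1.0_24 10.0.1.0_24 destination static 10.0.2.0_24 10.0.2.0_24 no-proxy-arp route-lookup
"""
ASA2 = """
interface GigabitEthernet1/1
 nameif outside
 ip address 1.1.1.2 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 ip address 10.0.2.1 255.255.255.0
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
object network 10.0.1.0_24
 subnet 10.0.1.0 255.255.255.0
object network 10.0.2.0_24
 subnet 10.0.2.0 255.255.255.0
access-list 100 extended permit ip object 10.0.2.0_24 object 10.0.1.0_24
crypto map outside_map 20 set peer 1.1.1.1
nat (inside,outside) 1 source static 10.0.2.0_24 10.0.2.0_24 destination static 10.0.1.0_24 10.0.1.0_24 no-proxy-arp route-lookup
"""

def parse(text):
    """Pull out objects, crypto ACL, peer, PSK, identity NAT and nameif IPs."""
    cfg = {"objects": {}, "acl": [], "peer": None, "psk": None,
           "nat_exempt": set(), "mgmt_access": None, "ifaces": {}}
    cur_obj = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)", line):
            cur_obj = m[1]
        elif m := re.match(r"subnet (\S+) (\S+)", line):
            cfg["objects"][cur_obj] = f"{m[1]}/{m[2]}"
        elif m := re.match(r"nameif (\S+)", line):
            cur_if = m[1]
        elif m := re.match(r"ip address (\S+) ", line):
            cfg["ifaces"][cur_if] = m[1]
        elif m := re.match(r"access-list \S+ extended permit ip object (\S+) object (\S+)", line):
            cfg["acl"].append((m[1], m[2]))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["peer"] = m[1]
        elif m := re.match(r"ikev1 pre-shared-key (\S+)", line):
            cfg["psk"] = m[1]
        elif m := re.match(r"nat \(\S+\) \d+ source static (\S+) \1 destination static (\S+) \2", line):
            cfg["nat_exempt"].add((m[1], m[2]))  # identity NAT for the VPN pair
        elif m := re.match(r"management-access (\S+)", line):
            cfg["mgmt_access"] = m[1]
    return cfg

def resolve(cfg, name):
    """Object name -> 'net/mask' (literal values are returned unchanged)."""
    return cfg["objects"].get(name, name)

def check_pair(a, b):
    """Return findings for the pair; an empty list means nothing obviously wrong."""
    findings = []
    for x, y, tag in ((a, b, "asa1->asa2"), (b, a, "asa2->asa1")):
        mine = {(resolve(x, s), resolve(x, d)) for s, d in x["acl"]}
        theirs = {(resolve(y, d), resolve(y, s)) for s, d in y["acl"]}
        if mine != theirs:  # crypto ACLs must mirror each other
            findings.append(f"{tag}: crypto ACL not mirrored: {mine} vs {theirs}")
        if x["peer"] != y["ifaces"].get("outside"):
            findings.append(f"{tag}: peer {x['peer']} is not the remote outside IP")
        exempt = {(resolve(x, s), resolve(x, d)) for s, d in x["nat_exempt"]}
        if not mine <= exempt:  # every protected pair needs identity NAT
            findings.append(f"{tag}: no NAT exemption for {mine - exempt}")
        if y["mgmt_access"] != "inside":  # the fix found in this thread
            findings.append(f"{tag}: remote has no 'management-access inside'; its inside IP "
                            f"{y['ifaces'].get('inside')} will not answer over the tunnel")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    return findings

if __name__ == "__main__":
    for f in check_pair(parse(ASA1), parse(ASA2)) or ["no findings"]:
        print(f)
```

Run as-is it reports the missing `management-access inside` on both sides and nothing else, which matches the thread: the posted configs are otherwise correct, and the tunnel did negotiate. Append `management-access inside` to both configs and it reports nothing. Of the two commands in the accepted answer, `management-access inside` is the one that changes reachability of 10.0.2.1 through the VPN; an ASA accepts ICMP to its own interfaces by default until an `icmp` rule set is configured, so `icmp permit any inside` is harmless here but not the decisive change.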
11-18-2020 11:22 AM
Thanks for the update. Glad to know that you found answers to the issues and that it is now working.