05-14-2013 02:47 AM - edited 03-04-2019 07:53 PM
Hi,
Can anyone help me to configure CISCO ASA 5510 for multiple IPsec tunnels?
On other side is CISCO 2801.
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
05-14-2013 04:28 AM
I have an IPsec tunnel to one location, and it works.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 8
Can I create crypto map outside_map 2 like this, but with another peer and another ACL? Will it work?
05-14-2013 07:32 AM
Yes, you create another instance using the next number in the same crypto map (you could use outside_map 2, or outside_map 10, or whatever next number you choose). In the new instance you specify a different peer and a different ACL. I have done this numerous times and it works quite well.
HTH
Rick
05-14-2013 08:19 AM
This is my configuration on the ASA
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer A.B.C.E.
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 set peer E.F.G.H.
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group A.B.C.D. type ipsec-l2l
tunnel-group A.B.C.D. ipsec-attributes
pre-shared-key *
tunnel-group E.F.G.H. type ipsec-l2l
tunnel-group E.F.G.H. ipsec-attributes
pre-shared-key *
Configuration on Router
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key * address xxxx
crypto isakmp key * address E.F.G.H.
!
!
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
!
crypto map 111 ipsec-isakmp
set peer E.F.G.H
set transform-set AES_256_SHA
match address NET011
!
crypto map 10 11 ipsec-isakmp
set peer E.F.G.H
set transform-set ASA-IPSEC
match address NET011
ip access-list extended NET011
permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255
05-14-2013 09:05 AM
I see a couple of details that should be corrected and there is perhaps a larger question to discuss.
In the ASA there is a line missing which should be like this
crypto map outside_map 2 match address outside_2_cryptomap
In the router access list you have
permit ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255
so in one line 192.168.1.0 is the destination and in the other line that same network is the source. Perhaps I do not understand your environment well enough, but it is hard for me to understand how in the same access list the same subnet is both source and destination. Perhaps we need more information about the topology of the networks and a better understanding of what you are trying to accomplish.
The larger question is that when I originally read your post I assumed that the ASA would have two tunnels and that each tunnel would terminate on a separate router. This scenario works fine. But it appears in the most recent post that perhaps both tunnels are terminating on the same router. This is a problem. I do not believe that it will work to have two tunnels from the ASA with both going to the same router.
I would think it was possible to put both kinds of traffic into a single tunnel. Or is there some reason that you need separate tunnels that I do not yet understand. Perhaps you can clarify this for us.
HTH
Rick
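As an added example (not from the thread and not Cisco's own tooling), the Python below reads the ASA crypto map lines the way Rick did and reports, per sequence number, which of the three clauses a site-to-site entry needs (match address, set peer, set transform-set) is absent, plus a peer that appears under more than one sequence, the situation Rick asks about. The ASA_CONFIG string is constructed from the 08:19 AM post; the peer placeholders are the thread's own.

```python
"""Lint ASA 'crypto map' entries for the per-sequence clauses an IPsec L2L tunnel needs.

Added example, not from the original thread. The input below is constructed from the
ASA configuration posted above (sequence 2 has no 'match address' line).
"""
import re
from collections import defaultdict

ASA_CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer A.B.C.E
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 2 set peer E.F.G.H
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map interface outside
"""

# 'crypto map <name> <seq> <clause>'; the interface binding line carries no sequence number
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

# clauses every static L2L crypto map entry must carry
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(config):
    """Return ({map_name: {seq: [clauses]}}, {map_name: interface})."""
    maps = defaultdict(lambda: defaultdict(list))
    bindings = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            name, seq, clause = m.group(1), int(m.group(2)), m.group(3)
            maps[name][seq].append(clause)
            continue
        b = BIND_RE.match(line)
        if b:
            bindings[b.group(1)] = b.group(2)
    return maps, bindings


def lint_crypto_maps(config):
    """Return a sorted list of (map_name, seq, problem); seq 0 is used for map-wide problems."""
    maps, bindings = parse_crypto_maps(config)
    problems = []
    for name, entries in maps.items():
        if name not in bindings:
            problems.append((name, 0, "map not applied to any interface"))
        peers = defaultdict(list)
        for seq, clauses in entries.items():
            for req in REQUIRED:
                if not any(c.startswith(req) for c in clauses):
                    problems.append((name, seq, f"missing '{req}'"))
            for c in clauses:
                if c.startswith("set peer "):
                    peers[c.split()[2]].append(seq)
        # a peer under two sequences means two tunnels to the same router; worth a second look
        for peer, seqs in peers.items():
            if len(seqs) > 1:
                problems.append((name, min(seqs), f"peer {peer} used by sequences {sorted(seqs)}"))
    return sorted(problems)


if __name__ == "__main__":
    for name, seq, problem in lint_crypto_maps(ASA_CONFIG):
        print(f"{name} seq {seq}: {problem}")
```

Run as posted it prints only the missing match address for sequence 2; appending the line Rick supplies clears it.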
05-14-2013 12:16 PM
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer A.B.C.D.
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer E.F.G.H.
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group A.B.C.D. type ipsec-l2l
tunnel-group A.B.C.D. ipsec-attributes
pre-shared-key *
tunnel-group E.F.G.H. type ipsec-l2l
tunnel-group E.F.G.H. ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
b.b.b.b e.f.g.h MM_NO_STATE 0 ACTIVE (deleted)
05-14-2013 02:58 PM
Thank you for the clarification. So the site to site tunnel between the ASA and router B is working ok? Now you are trying to get a tunnel working between ASA and router A? There are a few other things for which clarification would be helpful.
- what are the inside addresses of the ASA that will send traffic through the tunnel? And what are the inside addresses of router A that will send traffic through the tunnel? These go into the ACL that identifies traffic for the VPN tunnel.
- and for comparison perhaps you could post the ACL used for the traffic to router B?
- can you verify that the key configured on the ASA matches the key configured on router A?
- in an earlier post the router seems to be using this transform set to communicate with the ASA
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac
but I do not see anything like that in the ASA config.
So perhaps it would be helpful if you post a fresh copy of the config from the ASA and from router A.
HTH
Rick
05-15-2013 01:18 AM
Yes, now I want to connect router A with the ASA. The inside addresses on the ASA are 10.11.0.0/16 and on router A 192.168.1.0/24. The keys match.
On Router
crypto isakmp policy 2
encr aes 256
authentication pre-share
!
crypto isakmp policy 105
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key * address abcd
crypto isakmp key * address efgh
!
!
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
!
crypto map 105 11 ipsec-isakmp
set peer efgh
set transform-set ASA-IPSEC
match address NET011
ip access-list extended NET011
permit ip host 192.168.105.3 10.11.0.0 0.0.255.255
permit ip 192.168.105.0 0.0.0.16 10.11.0.0 0.0.255.255
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 192.168.105.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 192.168.105.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 195.178.56.186
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer abdc
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer abcd
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer efgh
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.11.11.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.101-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group adcd type ipsec-l2l
tunnel-group abcd ipsec-attributes
pre-shared-key *
tunnel-group abcd type ipsec-l2l
tunnel-group abcd ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
crypto isakmp policy 2
encr aes 256
authentication pre-share
!
crypto isakmp policy 105
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key * address abcd
crypto isakmp key * address e.f.g.h.
crypto ipsec transform-set AES_256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto map 105 11 ipsec-isakmp
set peer e.f.g.h
set transform-set ASA-IPSEC
match address NET011
ip access-list extended NET011
permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255
On ASA
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 192.168.1.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer a.b.c.d
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer E.F.G.H.
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group A.B.c.d type ipsec-l2l
tunnel-group A.b.c.d. ipsec-attributes
pre-shared-key *
tunnel-group e.f.g.h type ipsec-l2l
tunnel-group e.f.g.h ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
05-15-2013 05:44 AM
May 15 12:42:50.783: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 195.178.35.162)
May 15 12:42:50.783: ISAKMP (0): FSM action returned error: 2
May 15 12:42:50.787: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 195.178.35.162)
May 15 12:42:59.767: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 212.200.29.46, remote 195.178.35.162)
May 15 12:42:59.767: ISAKMP: Error while processing SA request: Failed to initialize SA
May 15 12:42:59.767: ISAKMP: Error while processing KMI message 0, error 2.
May 15 12:42:59.775: ISAKMP:(0):Notify has no hash. Rejected.
May 15 12:42:59.775: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
05-15-2013 06:00 AM
Thanks for posting the output with the debug information. It shows that
Phase1 SA policy proposal not accepted
My original thought had been that there might be a mismatch in the pre-shared key. But you say that they match and the debug output seems to agree. So we need to look carefully at the phase 1 parameters.
One thing that I notice is that the access list on the router has an invalid mask
ip access-list extended NET011
permit ip 192.168.1.0 0.0.0.16 10.11.0.0 0.0.255.255
I also notice that the access list on the ASA has two permit statements for /28s where the router is permitting 10.11/16
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.240 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.240 192.168.1.0 255.255.255.0
Please re-write the access lists on both router and ASA so that they match each other. Then test again and let us know the results.
HTH
Rick
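The router's debug line "Phase1 SA policy proposal not accepted" means the router, as responder, found no crypto isakmp policy matching any proposal the ASA sent. IKEv1 phase 1 is decided by the encryption, hash, authentication method and DH group of the two peers' isakmp policies, with the shorter of the two lifetimes used. As an added example (not from the thread or from Cisco), the Python below fills in the attributes that show run omits and searches for a compatible pair. The platform defaults are assumptions (IOS: des, sha, rsa-sig, group 1, 86400; ASA: 3des, sha, pre-share, group 2, 86400), and the policy text is constructed from the 01:18 AM post: the ASA's policy 10 alone matches nothing on the router, while its policy 20 matches the router's policy 105. The strict_lifetime switch applies the rule as Cisco's IKE documentation states it (the initiator's lifetime must not exceed the responder's); in practice both platforms usually negotiate down to the shorter value, so it is off by default.

```python
"""Compare IKEv1 (ISAKMP) phase 1 policies between an ASA and an IOS router.

Added example, not from the original thread or from Cisco. DEFAULTS are assumptions
used to fill in attributes that 'show run' omits (Rick's point about 'encryption des').
"""
import re

DEFAULTS = {
    "ios": {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1", "lifetime": 86400},
    "asa": {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": "2", "lifetime": 86400},
}

# constructed from the configurations posted in the thread
ASA_POLICIES = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
"""
ASA_POLICY_20 = """\
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
ROUTER_POLICIES = """\
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
!
crypto isakmp policy 105
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
"""

CORE = ("encr", "hash", "auth", "group")


def parse_policies(text, platform):
    """Return {priority: attributes}, with the platform defaults filled in for omitted lines."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS[platform])
            continue
        if current is None or not line or line == "!":
            continue
        key, *rest = line.split()
        value = "".join(rest).replace("-", "")      # 'aes 256' (IOS) and 'aes-256' (ASA) -> 'aes256'
        if key.startswith("encr"):                  # IOS 'encr', ASA 'encryption'
            policies[current]["encr"] = "aes128" if value == "aes" else value
        elif key == "hash":
            policies[current]["hash"] = value
        elif key == "authentication":
            policies[current]["auth"] = "-".join(rest)   # keep 'pre-share' / 'rsa-sig' as written
        elif key == "group":
            policies[current]["group"] = value
        elif key == "lifetime":
            policies[current]["lifetime"] = int(value)
    return policies


def find_phase1_match(initiator, responder, strict_lifetime=False):
    """Return (initiator_priority, responder_priority, negotiated_lifetime) for the first
    compatible pair, or None. Policies are tried lowest priority number first, the order
    in which IKEv1 proposals are sent and evaluated. With strict_lifetime the initiator's
    lifetime must not exceed the responder's (the rule as Cisco documents it)."""
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if any(ipol[k] != rpol[k] for k in CORE):
                continue
            if strict_lifetime and ipol["lifetime"] > rpol["lifetime"]:
                continue
            return ip, rp, min(ipol["lifetime"], rpol["lifetime"])
    return None


if __name__ == "__main__":
    asa = parse_policies(ASA_POLICIES, "asa")
    rtr = parse_policies(ROUTER_POLICIES, "ios")
    print("ASA policy 10 only:", find_phase1_match(asa, rtr))
    asa.update(parse_policies(ASA_POLICY_20, "asa"))
    print("with ASA policy 20:", find_phase1_match(asa, rtr))
    print("strict lifetime:", find_phase1_match(asa, rtr, strict_lifetime=True))
```

With the strict rule the 86400 on the ASA's policy 20 against the router's 28800 is a mismatch; setting the ASA lifetime to 28800 as well removes that doubt.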
05-15-2013 06:27 AM
I rewrote the ACL:
ip access-list extended NET011
permit ip host 192.168.1.3 10.11.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0
May 15 13:25:09.864: ISAKMP:(1117):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer )
May 15 13:25:09.864: ISAKMP:(1117):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE ()
Routerc#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
adbc dddd MM_NO_STATE 1118 ACTIVE (deleted)
acdc dddd MM_NO_STATE 1117 ACTIVE (deleted)
aaaa aaaa QM_IDLE 1109 ACTIVE
05-15-2013 06:35 AM
crypto isakmp policy 105
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 106
group 2
lifetime 28800
crypto isakmp key * address a.b.c.d
crypto isakmp key * address e.f.g.h
Why is there no encryption des statement in crypto isakmp policy 106?
I repeat the command
Router(config)#crypto isakmp policy 106
Router(config-isakmp)#encryption des
but there is still no statement.
05-15-2013 08:50 AM
The reason that the encryption des statement does not show up is that this is the default value for encryption and in show run the default values usually do not show up.
Perhaps I was not sufficiently clear when I talked about the access lists on the ASA and on the router. These access lists should be mirror images of each other - they each should permit the same kinds of traffic as the other but with source and destination reversed (and of course the different kind of mask used in IOS on router or in ASA).
What you have got at this point does not match between the devices.
ip access-list extended NET011
permit ip host 192.168.1.3 10.11.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list outside_2_cryptomap extended permit ip 10.11.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.11.11.0 255.255.255.0 192.168.1.0 255.255.255.0
On the router access list you are permitting a specific host on one line and permitting 192.168.1.0 to a /16 network. The ASA does not have any permit for that host and the ASA is permitting 192.168.1.0 to two networks that are /24.
I am not in a position to say whether one is correct or the other because I do not know what policy is involved in deciding what traffic should pass over the VPN. But until both devices are using the same policy to select traffic it is likely that the VPN will not work.
HTH
Rick
05-15-2013 12:30 PM
On the router the LAN address is 192.168.1.0 and the host with address 192.168.1.3 should pass over the VPN.
On the ASA the LAN address is 10.11.0.0 and the hosts with addresses 10.11.11.0 and 10.11.14.0 should pass over the VPN.
I put 192.168.1.0 in the ACL to activate the VPN.
05-15-2013 12:47 PM
Part of what I have been trying to explain is that the access lists on both sides must allow the same things. So first, please tell me from the router side: is the access specific for only host 192.168.1.3, or is the access for the whole network/subnet 192.168.1.0? Then please tell me whether the access is to all of 10.11.0.0/16 or is specific to 10.11.11.0 and 10.11.14.0.
So if you tell me that all of 192.168.1.0 needs to access all of 10.11.0.0/16 then I know how to configure the access list on the router which would be permit 192.168.1.0 0.0.0.255 10.11.0.0 0.0.255.255.
And if that is permitted on the router side then the ASA must also permit that. So the ASA access list must be permit 10.11.0.0 255.255.0.0 192.168.1.0 255.255.255.0
HTH
Rick