Trouble configuring VPN site-to-site

Mattias13
Level 1

Hello everyone. First of all I need to say that I am a beginner with Cisco devices (I have only been working with them for a few weeks now), just so you guys know.

 

As the topic reads, I am experiencing trouble configuring a site-to-site VPN. The plan was first to create a VPN between a D-Link DSR500N and a Cisco ASA 5505, but I gave that up since I never got it to work. Instead I tried to follow several different guides, the official Cisco book and YouTube videos that show how to create a VPN Cisco to Cisco, since that seemed a lot easier, but I still have not got it to work. I began troubleshooting and looking for places where it could go wrong, and the only thing I could find is that I get different output when typing in the CLI.

For example if I would write: 

Router(config)#Crypto isakmp enable

ERROR: % INCOMPLETE COMMAND

Router(config)#Crypto isakmp policy 10 - this command should enter Router(config-isakmp)#, but instead for me it enters Router(config-ikev1-policy)#

Why is it like that? 

 

I would be very thankful if someone can help me with this issue.

 

Have a good day.

Mattias

7 Replies

Hi Mattias,

Your router should have a Security K9 license; if it does, please provide us the configuration of the Cisco and the D-Link.

 

Thank you in advance. 




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

I checked the license and it is Security Plus. Right now I need to re-configure the VPN due to a mistake which forced me to restore an old config because the router stopped working. Do you want me to run "Show running-config" and then post it here?

Best regards.

show running-config would be a good start. It would also help if you provide some description of the network topology and perhaps a diagram showing the network. It would also help if you give us a description of what you want the vpn to do, what traffic should go through the vpn. If you have done some testing it would be nice to see some test results (like can you ping from one peer address to the other peer address).

 

HTH

 

Rick


I attached a PDF file of the D-Link router config, and down below you can see the config of the ASA 5505.

 

To describe the network topology: we have an office at site A and offsite storage (site B). We want to send our backups, which are encrypted, through the VPN. ICMP is set to off.

 

Result of the command: "show running-config"

 

: Saved
:
ASA Version 9.0(2)
!
hostname BURouter
enable password xxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description BU Inside
 nameif inside
 security-level 100
 ip address 10.x.x.x 255.255.0.0
!
interface Vlan2
 description Incoming
 nameif outside
 security-level 0
 ip address 92.x.x.x 255.255.255.192
!
interface Vlan12
 shutdown
 nameif BUkund1
 security-level 100
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network BUProd1
 host 10.x.x.x
 description Production BU 1
object service Synology
 service tcp destination eq xxxx
 description Port in till buprod
object network outsideGW
 host 92.x.x.x
 description Quicknet GW
object network Syn1
 host 10.x.x.x
 description BU1
object network RDP
 host 10.x.x.x
 description RDP Test
object service RDP
 service tcp destination eq 3389
object service RDP-Service
 service tcp source eq 3389
object service BU_Transport_xxxx_Inside
 service tcp destination eq xxxx
 description BU Transport xxxx INSIDE
object service Outside_BU_Transport_xxxx
 service tcp source eq xxxx
 description Outside BU Transport xxxx
object network net-local
 subnet 10.x.x.x 255.255.255.0
 description net-local
object network net-remote
 subnet 10.x.x.x 255.255.255.0
 description net-remote
access-list outside_access_in extended permit object Synology any object BUProd1
access-list outside_access_in extended permit object BU_Transport_Inside any object BUProd1
access-list outside_cryptomap extended permit ip object net-local object net-remote
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu BUkund1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
object network BUProd1
 nat (any,outside) static interface
!
nat (inside,any) after-auto source static BUProd1 BUProd1 service Outside_BU_Transport_BU_Transport_Inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.x.x.x 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 193.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside
crypto ikev2 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd option 66 ip 10.x.x.x
!
dhcpd address 10.x.x.x-10.x.x.x inside
dhcpd dns 10.x.x.x interface inside
dhcpd lease 3000 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy GroupPolicy_193.x.x.x internal
group-policy GroupPolicy_193.x.x.x attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec
tunnel-group 193.x.x.x type ipsec-l2l
tunnel-group 193.x.x.x general-attributes
 default-group-policy GroupPolicy_193.x.x.x
tunnel-group 193.x.x.x ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end

Mattias

 

Thank you for posting the configs. I understand your desire to protect sensitive information such as the public addresses of the devices. But I am puzzled at your masking of the private addresses. Showing something as 10.x.x.x does not improve your security (it is, after all, a private address and we have no way of knowing where it is or how to access it) and it presents difficulty in assessing whether the config of the peers match up appropriately.

 

I have looked through them and find several issues:

1) You define the subnet of the inside interface as a /16. But when you configure an object for it you change the mask to /24

object network net-local

 subnet 10.x.x.x 255.255.255.0

Pretty clearly the D-Link expects it to be /16.

2) Your ASA has an address translation for any traffic originating inside and going outside. There is nothing in the config to exempt the vpn traffic from that translation.

 

HTH

 

Rick


Hey Richard, sorry if I masked the private address too much. I didn't know how much I could show/not show. If you want I can re-post it with the private addresses visible?

I changed to the correct netmask now. I know for sure that I have put in the correct netmask before, but since I have deleted and re-created the objects and the VPN setup, I think that might be the reason I put in the wrong netmask this time.

How do I enable NAT exemption? On my other Cisco device, when I looked at the VPN setup, it was a little checkbox that you checked and then it was activated.

Best regards

Mattias

 

It is not necessary to post the config with the private addresses not masked. I point this out so that the next time you post on the forum you would think about what really needs to be protected. I recognize that there is an instinctive reaction when posting configs in public forum that we need to protect our addresses. But we should then think about what really needs to be protected.

 

If you have redone the configs multiple times it is quite possible that the other times did use the correct mask. I can only provide feedback on the version that got posted.

 

The way to do the NAT exemption differs depending on whether you are using the GUI/ASDM or the CLI. And the approach for NAT/NAT exemption is quite different depending on whether it is an ASA or IOS. For your config the NAT exemption might look something like this:

nat (inside,outside) source static net-local net-local destination static net-remote net-remote no-proxy-arp route-lookup

 

HTH

 

Rick

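Added example, not from the thread or from Cisco: a small Python audit that checks an ASA running-config for the two issues Rick identified above, the inside-interface mask not matching the net-local object, and the absence of an identity (twice) NAT rule exempting the crypto-map traffic from the dynamic PAT. The config excerpt is constructed from the posted one, with the masked 10.x.x.x addresses replaced by sample values so they parse; the regexes only recognise the `object network ... subnet` and `nat (inside,outside) source static ...` forms used in this thread.

```python
import re

# Constructed excerpt modelled on the ASA config posted in this thread; the
# masked 10.x.x.x addresses are replaced with sample values so they parse.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
object network net-local
 subnet 10.0.0.0 255.255.255.0
object network net-remote
 subnet 10.1.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object net-local object net-remote
crypto map outside_map 1 match address outside_cryptomap
"""

def interface_mask(cfg, nameif):
    """Mask on the interface whose nameif is `nameif` (None if not found)."""
    m = re.search(r"^interface \S+\n(?: .*\n)*? nameif %s\n(?: .*\n)*? ip address \S+ (\S+)"
                  % re.escape(nameif), cfg, re.M)
    return m.group(1) if m else None

def object_mask(cfg, name):
    """Mask of an `object network` defined with `subnet` (None if not found)."""
    m = re.search(r"^object network %s\n(?: .*\n)*? subnet \S+ (\S+)" % re.escape(name), cfg, re.M)
    return m.group(1) if m else None

def crypto_pairs(cfg):
    """(local, remote) object pairs from the ACLs referenced by a crypto map."""
    acls = "|".join(map(re.escape, re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M)))
    return re.findall(r"^access-list (?:%s) extended permit ip object (\S+) object (\S+)" % acls, cfg, re.M)

def has_nat_exemption(cfg, local, remote, ifaces="inside,outside"):
    """True if an identity (twice) NAT rule exempts local<->remote from translation."""
    l, r = re.escape(local), re.escape(remote)
    pat = r"^nat \(%s\) source static %s %s destination static %s %s" % (ifaces, l, l, r, r)
    return re.search(pat, cfg, re.M) is not None

def audit(cfg, inside="inside"):
    """Report the two issues raised in the thread for every crypto-map pair."""
    findings = []
    for local, remote in crypto_pairs(cfg):
        if object_mask(cfg, local) != interface_mask(cfg, inside):
            findings.append("mask mismatch: %s=%s, %s=%s" % (inside, interface_mask(cfg, inside), local, object_mask(cfg, local)))
        if not has_nat_exemption(cfg, local, remote):
            findings.append("no NAT exemption for %s -> %s" % (local, remote))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports both findings; after correcting the object mask and adding the `nat (inside,outside) source static ...` line Rick suggested, it reports none.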