06-01-2011 07:58 AM - edited 03-04-2019 12:35 PM
I have 2 ASA 5505's that I need to set up with a tunnel between them. I followed the wizard on the primary device to set up the tunnel, but here is where I am confused on setting up the remote end.
On site 1: I set the peer IP address to the remote device's outside IP address.
On site 2: Do I set the peer IP address to the outside address from site 1 or from site 2?
I set it up with the opposite IP's, (site 1 to site 2 outside, and site 2 to site 1 outside) but I can not get a response from either side.
Do I need to set site 2 up with the same outside address that I did for site 1 meaning both Peer IP addresses will be the same?
How do I check to see if the tunnel is up?
Thanks
--Jon
06-01-2011 09:33 AM
Hi,
Do you want to do site-to-site VPN? If public IP addresses are assigned to the outside interface of both ASAs, site 1 to site 2 outside, and site 2 to site 1 outside is correct. You need to generate interesting traffic passing through the tunnel to start the process of building the VPN.
If it works, here is how to check.
ASA#show crypto isakmp sa
You should see state is QM_IDLE and status is ACTIVE
ASA#show crypto ipsec sa
You should see packets encrypted/decrypted properly here.
HTH,
Toshi
06-01-2011 10:25 AM
Hi Toshi,
Thanks for the reply. I do want a site-to-site tunnel. I am a little confused on one thing though: what do you consider interesting traffic? I have the tunnel set up as stated, but if I try to ping an address of say 10.10.30.XXX on the remote side, I get no reply. Is this normal?
What I am looking to do is set up a mapped network drive on a remote server for backup purposes.
What I have is:
Site 1: internal addresses = 10.10.20.0 /24
Outside address is: 9.9.9.9
Site 2: internal addresses = 10.10.30.0 /24
Outside address is: 10.10.10.10
Site 1 tunnel peer is set to: 10.10.10.10
Site 2 tunnel peer is set to: 9.9.9.9
The encryption, authentication, and DH group are all set to the same.
Once the tunnel is up, I want a server on Site 1 to have a mapped drive to a server on Site 2 for backup and recovery purposes, and be able to remote into desktop systems for troubleshooting issues.
Thanks
--Jon
06-01-2011 10:42 AM
Hi Jon,
We have to define interesting traffic for the tunnel. Let's say 10.10.20.0 /24 and 10.10.30.0 /24 are interesting traffic. You need to test connections from 10.10.20.0/24 to 10.10.30.0/24 and vice versa. You can test connections by using a ping command and it should work properly if you have not blocked ICMP along the path. Do you have any NAT on the ASA? You may need to use NAT exempt or NAT-traversal to solve the problems if the tunnel is up but no traffic passes. It's a good idea if you can post the configurations of both devices.
HTH,
Toshi
06-01-2011 11:44 AM
06-01-2011 11:08 AM
Could you paste your config? (make sure to strip passwords, company name etc.)
When doing site-to-site VPN, you need to make sure that there is routing possible between those sites. What interesting traffic means is the subnets that should be allowed to go over the tunnel. It is possible that you want to tunnel all traffic over the tunnel, but it is unlikely. Most likely you just want to be specific and allow the subnet of your backup source with the subnet of the backup destination. Usually there is also a point-to-point subnet that will be part of the "interesting traffic".
In your case the extended access list defining interesting traffic would be:
access-list 100 permit ip host 9.9.9.9 host 10.10.10.10
on one side and on the other:
access-list 100 permit ip host 10.10.10.10 host 9.9.9.9
Ref:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
06-01-2011 11:45 AM
Just posted both configs.
Thanks for the help
-Jon
06-01-2011 12:33 PM
Hi,
I think you should not need the following commands.
CastleRock-ASA(conf)#no tunnel-group XXX.XXX.204.254 general-attributes
CastleRock-ASA(config-tunnel-general)#no default-group-policy CastleRock
West-Chester(conf)#no tunnel-group XXX.XXX.250.17 general-attributes
West-Chester(config-tunnel-general)#no default-group-policy WestChester
NAT exempt is there. Please make sure that the shared password in the tunnel-group is the same on both ends. After removing the above commands please test and let us know what the logging says.
HTH,
Toshi
06-02-2011 05:46 AM
I removed both tunnel-group statements, but it will not allow me to remove the default-group-policy statements. I tried to use the "no" statement in config t, but it would not allow it; it stopped at the "default" wording. Do I need to be in another section other than config t?
Also, I tried the ping with just the two statements removed and still nothing.
--Jon
06-02-2011 06:41 AM
OK, I think I may have found a problem. If I run the show crypto ipsec sa command I get the following output:
CastleRock-ASA# sho crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: XXX.XXX.250.17
local ident (addr/mask/prot/port): (XXX.XXX.111.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (WestChester/255.255.255.0/0/0)
current_peer: 216.196.204.254
On the line for the local ident, the IP address scheme is wrong. It states XXX.XXX.111.0 and it should be XXX.XXX.100.0.
I have looked everywhere I can to find where this is set wrong, but can not find it. Do you have any suggestions on how I might change this or find where it is at to change it?
-Jon
06-02-2011 07:11 AM
Hi,
Sorry for my late reply. It seems the tunnel is up. I missed looking the configuration you posted.
Westchester(conf)#no name XXX.XXX.111.0 CastleRock
Westchester(conf)#name XXX.XXX.100.0 CastleRock
HTH,
Toshi
06-02-2011 07:48 AM
OK, I changed this on the West-Chester ASA. It still shows the remote ident as being 111.0. Should I reload both ASAs or give it some time to change?
The Castle-Rock ASA still lists the local ident as 111.0 as well.
West-Chester# sho crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: xxx.xxx.204.254
access-list outside_1_cryptomap permit ip xxx.xxx.40.0 255.255.255.0 xxx.xxx.111.0 255.255.255.0
local ident (addr/mask/prot/port): (xxx.xxx.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xxx.xxx.111.0/255.255.255.0/0/0)
current_peer: xxx.xxx.250.17
-
06-02-2011 08:08 AM
Hi,
The important parts of the configuration should look something like this.
CastleRock
!
name XXXX.XXXX.40.0 WestChester
!
access-list inside_nat0_outbound extended permit ip XXXX.XXXX.100.0 255.255.255.0 WestChester 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip XXXX.XXXX.100.0 255.255.255.0 WestChester 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
crypto map outside_map 1 match address outside_1_cryptomap
!
WestChester
!
name XXX.XXX.100.0 CastleRock
!
access-list inside_nat0_outbound extended permit ip XXX.XXX.40.0 255.255.255.0 CastleRock 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip XXX.XXX.40.0 255.255.255.0 CastleRock 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
crypto map outside_map 1 match address outside_1_cryptomap
!
Just try the following commands first.
CastleRock#clear crypto isakmp
CastleRock#clear crypto ipsec sa
WestChester#clear crypto isakmp
WestChester#clear crypto ipsec sa
If it still doesn't work, try the following commands.
CastleRock(conf)#no crypto isakmp enable outside
CastleRock(conf)#crypto isakmp enable outside
WestChester(conf)#no crypto isakmp enable outside
WestChester(conf)#crypto isakmp enable outside
HTH,
Toshi
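The mismatch Jon spotted (a stale network in the local ident) is easy to miss by eye. Below is an added example, not from this thread or from Cisco, of a small Python check that parses the `show crypto ipsec sa` output quoted above and compares the negotiated proxy identities, peer and packet counters against what the crypto-map ACL is supposed to contain. The sample output and all addresses are constructed placeholders modelled on the thread's snippets.

```python
import re

# Constructed sample, modelled on the "sho crypto ipsec sa" output quoted in the
# thread; addresses are placeholders, not the poster's real ones.
CASTLEROCK_SA = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.17
      local ident (addr/mask/prot/port): (10.10.111.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.40.0/255.255.255.0/0/0)
      current_peer: 198.51.100.254
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
LOCAL_ADDR_RE = re.compile(r"local addr: ([\d.]+)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Extract proxy identities, peer and packet counters from 'show crypto ipsec sa'."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"  # e.g. sa["local"] == "10.10.111.0/255.255.255.0"
    for key, rx in (("local_addr", LOCAL_ADDR_RE), ("peer", PEER_RE)):
        m = rx.search(text)
        sa[key] = m.group(1) if m else None
    for name, count in PKTS_RE.findall(text):
        sa[name] = int(count)  # sa["encaps"], sa["decaps"]
    return sa


def audit_tunnel(text, expected_local, expected_remote, expected_peer):
    """Return findings; an empty list means identities/peer match and traffic flows both ways."""
    sa = parse_ipsec_sa(text)
    findings = []
    for label, got, want in (("local ident", sa.get("local"), expected_local),
                             ("remote ident", sa.get("remote"), expected_remote),
                             ("peer", sa.get("peer"), expected_peer)):
        if got != want:
            findings.append(f"{label} is {got}, expected {want}: check the 'name' and crypto-map ACL")
    # Zero encaps or decaps means no interesting traffic has matched yet (or only one way).
    if not sa.get("encaps") or not sa.get("decaps"):
        findings.append("no packets encrypted/decrypted: tunnel idle or interesting traffic not matching")
    return findings
```

Run `audit_tunnel` with the inside subnet you intended as `expected_local`; a finding on the local ident points at a wrong `name` entry or crypto-map ACL, exactly the case in this thread.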