05-31-2021 01:25 PM
Hi.
Please please please help, I need to configure an IPsec tunnel on my ASA 5505. It isn't working, I know I am missing something, please help.
hostname ciscoasa
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 20.20.30.0 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.200.1 255.255.255.248
!
interface Vlan3
no nameif
no security-level
no ip address
!
object network inside-net
subnet 20.20.30.0 255.255.255.224
!
!
access-list ikev1-list extended permit ip 20.20.30.0 255.255.255.224 10.10.10.0 255.255.255.128
!
!
object network inside-net
nat (inside,outside) dynamic interface
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac
!
crypto map ikev-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 100.100.200.1 type ipsec-l2l
tunnel-group 100.100.200.1 ipsec-attributes
ikev1 pre-shared-key this_is_a_key
!
06-01-2021 01:55 AM
Hi there,
You need to configure a NAT exemption rule to ensure that the traffic destined to the IPsec peer site is not translated when it is routed via the 'outside' interface; this means it will be picked up by the crypto map ACL.
!
object network REMOTE_SITE_01
 subnet 10.10.10.0 255.255.255.128
!
nat (inside,outside) source static inside-net inside-net destination static REMOTE_SITE_01 REMOTE_SITE_01 no-proxy-arp route-lookup
!
You also have two crypto maps configured both with incomplete config:
!
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
!
You also appear to have no peer IP configured:
!
crypto map ikev1-map 1 set peer ?.?.?.?
!
cheers,
Seb.
06-01-2021 04:20 AM
Hi, I have just tried it, but it won't work?
And do I need to delete this part??
!
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
!
This is what it is saying:
object network Remote_site_01
ciscoasa(config-network-object)#subnet 10.10.10.0 255.255.255.128
ciscoasa(config-network-object)#nat (inside,outside) source static inside-net inside-net destination static REMOTE_SITE_01 REMOTE_SITE_01 no-proxy-arp route-lookup
^
% Invalid input detected at '^' marker.
ciscoasa(config-network-object)#nat (inside,outside) source static inside-net inside-net destination static REMOTE_SITE_01 Remote_site_01 no-proxy-arp route-lookup
^
% Invalid input detected at '^' marker.
ciscoasa(config-network-object)#exit
ciscoasa#conf t
ciscoasa(config)#nat (inside,outside) source static inside-net inside-net destination static REMOTE_SITE_01 Remote_site_01 no-proxy-arp route-lookup
^
% Invalid input detected at '^' marker.
ciscoasa(config)#
ciscoasa(config)#nat (inside,outside) source static inside-net inside-net destination static remote_site_01 no-proxy-arp route-lookup
^
% Invalid input detected at '^' marker.
ciscoasa(config)#nat (inside,outside) source static inside-net inside-net destination static Remote_site_01 no-proxy-arp route-lookup
^
% Invalid input detected at '^' marker.
This is the configuration on the other firewall:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 20.20.30.0 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.200.1 255.255.255.248
!
interface Vlan3
no nameif
no security-level
no ip address
!
object network inside-net
subnet 20.20.30.0 255.255.255.224
!
!
access-list ikev1-list extended permit ip 20.20.30.0 255.255.255.224 10.10.10.0 255.255.255.128
!
!
object network inside-net
nat (inside,outside) dynamic interface
!
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
!
!
crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac
!
crypto map ikev-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
encr aes
authentication pre-share
group 2
!
tunnel-group 100.100.200.1 type ipsec-l2l
tunnel-group 100.100.200.1 ipsec-attributes
ikev1 pre-shared-key this_is_a_key
!
06-01-2021 05:40 AM
Hi there,
The peer IP is typically the IP address of the interface on which the crypto map has been applied.
Regarding your config error, it is case sensitive. You have created the object 'Remote_site_01', so use exactly that object name in the NAT statement:
!
nat (inside,outside) source static inside-net inside-net destination static Remote_site_01 Remote_site_01 no-proxy-arp route-lookup
!
cheers,
Seb.
06-01-2021 05:49 AM
I am so sorry, but I don't get it.
Plus, do I need the same configuration on the other side for this to work?
06-01-2021 05:51 AM
Plus, what do you mean by
"You also have two crypto maps configured both with incomplete config"?
Sorry for the confusion.
06-01-2021 06:19 AM
In your original config you have a typo:
!
crypto map ikev-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
!
which gives you two crypto maps: ikev-map and ikev1-map.
Replace the first line with:
!
crypto map ikev1-map 1 match address ikev1-list
!
to fix the issue.
cheers,
Seb.
06-01-2021 06:32 AM
I can't overwrite anything. Is there a command which deletes the crypto map from the ASA firewall? I tried typing no in front but it keeps saying
no crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
% Incomplete command.
06-01-2021 06:35 AM
Just type:
!
crypto map ikev1-map 1 match address ikev1-list
!
...you will end up with:
!
crypto map ikev-map 1 match address ikev1-list
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
!
...but it will work.
cheers,
Seb.
06-01-2021 06:39 AM
#crypto map ikev1-map 1 match address ikev1-list
ERROR: unable to locate access-list ikev1-list
06-01-2021 06:11 AM
Add the following ACL and it should take without error:
!
nat (inside,outside) source static inside-net inside-net destination static Remote_site_01 Remote_site_01 no-proxy-arp route-lookup
!
The remote side will need identical configuration except the peer IP will need changing and the crypto ACL and NAT exception statement will need reversing; swapping the source and destination address around.
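As an added example (not part of this thread and not a Cisco tool), a small Python linter that checks an ASA configuration for the problems Seb points out above: the crypto map name typo, a map entry that is never applied to an interface, a referenced ACL that is not defined, a missing 'set peer', and a missing NAT exemption. The sample configuration is constructed from the original post; lint_asa_vpn and NAT_EXEMPT are names chosen here.

```python
import re

# Constructed sample modelled on the original post: typo'd map name,
# no 'set peer' and no NAT exemption. Not the poster's full config.
SAMPLE_CONFIG = """\
access-list ikev1-list extended permit ip 20.20.30.0 255.255.255.224 10.10.10.0 255.255.255.128
object network inside-net
 nat (inside,outside) dynamic interface
crypto map ikev-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
"""
# Identity NAT of the form Seb recommends: source and destination objects
# are translated to themselves, so VPN traffic keeps its real addresses.
NAT_EXEMPT = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2")

def lint_asa_vpn(config: str) -> list[str]:
    """Return findings about crypto-map and NAT issues; an empty list is clean."""
    lines = [ln.strip() for ln in config.splitlines()]
    acls = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    entries = [m.groups() for ln in lines
               if (m := re.match(r"crypto map (\S+) (\d+) (.+)", ln))]
    applied = {m.group(1) for ln in lines
               if (m := re.match(r"crypto map (\S+) interface \S+$", ln))}
    findings = []
    names = {name for name, _, _ in entries}
    if len(names) > 1:  # e.g. the 'ikev-map' / 'ikev1-map' typo in the thread
        findings.append(f"crypto map name mismatch: {sorted(names)}")
    for name in sorted(names - applied):
        findings.append(f"crypto map {name} is not applied to any interface")
    by_entry: dict[tuple[str, str], list[str]] = {}
    for name, seq, rest in entries:
        by_entry.setdefault((name, seq), []).append(rest)
    for (name, seq), rests in sorted(by_entry.items()):
        tag = f"crypto map {name} {seq}"
        acl_refs = [r.split()[2] for r in rests if r.startswith("match address ")]
        if not acl_refs:
            findings.append(f"{tag}: no 'match address'")
        findings += [f"{tag}: ACL {a} is not defined" for a in acl_refs if a not in acls]
        if not any(r.startswith("set peer ") for r in rests):
            findings.append(f"{tag}: no 'set peer'")
        if not any("transform-set" in r for r in rests):
            findings.append(f"{tag}: no transform-set")
    if entries and not any(NAT_EXEMPT.match(ln) for ln in lines):
        findings.append("no NAT exemption: VPN traffic would hit 'nat ... dynamic interface'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_asa_vpn(SAMPLE_CONFIG)))
```

Run it against a saved 'show running-config' to get the list of findings before bringing the tunnel up; an empty list only means these specific checks passed.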
06-01-2021 06:17 AM
06-02-2021 05:49 AM - edited 06-02-2021 06:38 AM
sorry for the delay:
06-01-2021 07:08 AM - edited 06-01-2021 07:09 AM
Hi, I now know it's the ACL. The configuration looks like this now, but it still won't take:
nat (inside,outside) source static inside-net inside-net destination static Remote_site_01 Remote_site_01 no-proxy-arp route-lookup
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.0 255.255.255.128
!
interface Vlan2
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.248
!
object network REMOTE_SITE_01
subnet 10.10.10.0 255.255.255.128
object network Remote_site_01
subnet 10.10.10.0 255.255.255.128
object network local
!
route inside 192.168.10.0 255.255.255.0 10.10.10.253 1
route inside 172.16.10.0 255.255.255.0 10.10.10.253 1
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
!
access-list ikev1-list extended permit ip 172.16.30.0 255.255.255.192 10.10.10.0 255.255.255.128
access-list ikev1-list extended permit ip 192.168.40.0 255.255.255.192 10.10.10.0 255.255.255.128
!
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
!
crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac
!
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
crypto map ikev-map 1 match address ikev1-list
crypto ikev1 policy 1
encr aes
hash md5
authentication pre-share
group 2
!
tunnel-group 100.100.200.1 type ipsec-l2l
tunnel-group 100.100.200.1 ipsec-attributes
ikev1 pre-shared-key this_is_a_key
!