09-30-2012 11:37 AM - edited 02-21-2020 06:22 PM
I am just trying to build a Site-to-Site VPN over IPsec between an ASA5505 and an ASA5510.
But it doesn't want to work. Here are the configs of the ASA5505 and ASA5510:
ASA5505:
: Saved
: Written by enable_15 at 20:02:51.175 UTC Wed Apr 7 2010
!
ASA Version 7.2(2)
!
hostname asa5505
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.178.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Inside_ICMP extended permit icmp any any echo-reply
access-list Inside_ICMP extended permit icmp any any source-quench
access-list Inside_ICMP extended permit icmp any any unreachable
access-list Inside_ICMP extended permit icmp any any time-exceeded
access-list outside_cryptomap_10 remark ACL to encrypt traffic from Muenchen to Frankfurt
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat_outbound
static (inside,outside) interface 192.168.1.254 netmask 255.255.255.255
access-group Inside_ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.178.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FRA-AES256SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.178.230
crypto map outside_map 10 set transform-set FRA-AES256SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.178.230 type ipsec-l2l
tunnel-group 192.168.178.230 ipsec-attributes
pre-shared-key Cisco1234
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:469da4f90cebc4e460849caade472273
: end
ASA5510:
: Saved
: Written by enable_15 at 15:26:19.983 UTC Sun Sep 30 2012
!
ASA Version 7.2(3)
!
hostname asa5510
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.178.230 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Inside_ICMP extended permit icmp any any echo-reply
access-list Inside_ICMP extended permit icmp any any source-quench
access-list Inside_ICMP extended permit icmp any any unreachable
access-list Inside_ICMP extended permit icmp any any time-exceeded
access-list outside_cryptomap_10 remark ACL to encrypt traffic from Frankfurt to Muenchen
access-list outside_cryptomap_10 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption
access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat_outbound
static (inside,outside) interface 192.168.10.50 netmask 255.255.255.255
access-group Inside_ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.178.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MUC-AES256SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.178.254
crypto map outside_map 10 set transform-set MUC-AES256SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username blub password blub store-local
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 192.168.178.254 type ipsec-l2l
tunnel-group 192.168.178.254 ipsec-attributes
pre-shared-key Cisco1234
prompt hostname context
Cryptochecksum:0b1021940edf26ed0e32a84b18a4a888
: end
I hope that somebody can tell me what I am doing wrong.
09-30-2012 01:04 PM
Hello Hans,
It looks good to me, except the default routes. Can you change them as follows and try to initiate traffic from an inside PC to the other end's LAN?
ASA5505
-------------
route outside 0.0.0.0 0.0.0.0 192.168.178.230
ASA5510
-----------
route outside 0.0.0.0 0.0.0.0 192.168.178.254
let me know the result
Harish.
09-30-2012 01:45 PM
I changed the route but I cannot ping from one PC to another PC over the VPN tunnel.
I just set 'debug crypto isakmp 127' and got the following:
at the ASA5510:
CryptoSep 30 18:11:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 30 18:11:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Sep 30 18:11:53 [IKEv1]: Removing peer from peer table failed, no match!
Sep 30 18:11:53 [IKEv1]: Error: Unable to remove PeerTblEntry
at the ASA5505:
12Apr 07 22:45:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 07 22:45:31 [IKEv1]: IP = 192.168.178.230, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
7
Could the time difference be the reason that no VPN tunnel will come up?
09-30-2012 01:49 PM
Hello,
What's the output of 'show crypto isakmp sa' when you initiate the traffic?
Harish.
Sent from Cisco Technical Support iPhone App
09-30-2012 01:53 PM
asa5505# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.178.230
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
asa5505#
asa5510# show cry
asa5510# show crypto is
asa5510# show crypto isakmp sa
There are no isakmp sas
asa5510#
It seems that the ASA5510 has the problem.
09-30-2012 02:00 PM
Hi,
Just for testing purposes, can you remove the static (inside,outside) ... line from both ends and try to initiate traffic?
Harish
Sent from Cisco Technical Support iPhone App
09-30-2012 02:10 PM
After removing the static (inside,outside) ... I can't ping the Internet or the router to the Internet.
09-30-2012 11:22 PM
Hello Hans,
You can put that back in.
I just tested your config in my lab and it is working perfectly without any issues! Can you run the following command and see whether 'sysopt connection permit-vpn' is present:
show running-config all sysopt
regards
Harish.
10-01-2012 01:05 AM
Hi Harrish,
If I run the command, I get the following:
on the ASA5505:
asa5505# sh running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
asa5505#
on the ASA5510:
asa5510# sh running-config all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-ipsec
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
no sysopt noproxyarp outside
no sysopt noproxyarp inside
asa5510#
I am now trying to wipe the config on both ASAs and then re-enter all commands
to get a clean config on both ASAs. Could it be a problem that I use a switch
between the two ASAs to simulate the Internet?
regards
Hans-Juergen Guenter
10-01-2012 01:11 AM
Hello Hans,
Can you enter the 'sysopt connection permit-vpn' global configuration command on the 5510 and try again?
Regarding your switch in between to simulate the Internet, there is no fault in doing that, except for the static route.
What you can do in that case is create the routes as follows:
route outside 0.0.0.0 0.0.0.0 192.168.178.1
route outside
regards
Harish.
10-01-2012 02:10 AM
Hi Harrish,
I tried to enter "sysopt connection permit-vpn" but there is only permit-ipsec.
So I think I cannot build a Site-to-Site VPN because the ASA5510 needs a different IOS,
or I need a different licence, so that I get the right commands to make a VPN between the
ASA5505 and the ASA5510.
regards
Hans-juergen Guenter
10-01-2012 02:15 AM
Hi,
I just set a debug crypto isakmp 127 and get the followed:
at the ASA5510:
CryptoSep 30 18:11:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 30 18:11:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Sep 30 18:11:53 [IKEv1]: Removing peer from peer table failed, no match!
Sep 30 18:11:53 [IKEv1]: Error: Unable to remove PeerTblEntry
at the ASA5505:
12Apr 07 22:45:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Apr 07 22:45:31 [IKEv1]: IP = 192.168.178.230, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
7
Can you provide output on both ASAs of sh run crypto isakmp
Regards.
Alain
Don't forget to rate helpful posts.
10-01-2012 02:38 AM
Hi Alain, here is the output of sh run crypto isakmp:
ASA5510:
asa5510# sh run crypto isakmp
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
asa5510#
ASA5505:
asa5505# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
asa5505#
Regards,
Hans-Juergen Guenter
10-01-2012 05:14 AM
Hi,
post sh run crypto ipsec
Regards.
Alain
Don't forget to rate helpful posts.
10-01-2012 05:38 AM
ASA5505:
asa5505# sh run crypto ipsec
crypto ipsec transform-set FRA-3DESSHA esp-3des esp-sha-hmac
asa5505#
ASA5510:
asa5510# sh run crypto ipsec
crypto ipsec transform-set MUC-3DESSHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
asa5510#
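Not part of the thread: an added Python checker that parses the crypto proposals out of both ASA configs (it accepts the block form of the running config as well as the flat form that 'sh run crypto isakmp' prints) and reports which phase-1 ISAKMP policies and phase-2 transform-sets the two peers actually agree on, which is the first thing to verify when 'debug crypto isakmp' reports "There is no valid IKE proposal available". The sample input is constructed from the sh run outputs posted above; the function and regex names are my own and not an ASA or Cisco API.

```python
import re
from itertools import product

# Accepts both the block form ("crypto isakmp policy 2" followed by attribute lines)
# and the flat form "sh run crypto isakmp" prints on ASA 7.2 ("isakmp policy 1 hash sha").
POLICY = re.compile(r"^(?:crypto )?isakmp policy (\d+)(?: (\w+) (\S+))?$")
POLICY_ATTR = re.compile(r"^(authentication|encryption|hash|group|lifetime) (\S+)$")
TRANSFORM_SET = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
P1_KEYS = ("authentication", "encryption", "hash", "group")  # lifetime may differ between peers

def parse_proposals(cfg):
    """Return ({policy_no: {attr: value}}, {transform_set_name: frozenset(transforms)})."""
    policies, transform_sets, cur = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if cur is not None and (m := POLICY_ATTR.match(line)):
            cur[m[1]] = m[2]  # attribute line inside a policy block
        elif m := POLICY.match(line):
            cur = policies.setdefault(m[1], {})
            if m[2]:  # flat form carries the attribute on the same line
                cur[m[2]] = m[3]
        else:
            cur = None  # any other statement ends the policy block
            if m := TRANSFORM_SET.match(line):
                transform_sets[m[1]] = frozenset(m[2].split())
    return policies, transform_sets

def matching_proposals(cfg_a, cfg_b):
    """Phase-1 policy pairs and phase-2 transform-set pairs on which the two peers agree."""
    pol_a, ts_a = parse_proposals(cfg_a)
    pol_b, ts_b = parse_proposals(cfg_b)
    phase1 = [(na, nb) for (na, va), (nb, vb) in product(pol_a.items(), pol_b.items())
              if all(va.get(k) == vb.get(k) for k in P1_KEYS)]
    phase2 = [(na, nb) for (na, sa), (nb, sb) in product(ts_a.items(), ts_b.items()) if sa == sb]
    return phase1, phase2

# Constructed sample input, copied from the "sh run crypto isakmp/ipsec" outputs in this thread.
ASA5510 = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
crypto ipsec transform-set MUC-3DESSHA esp-3des esp-sha-hmac
"""
ASA5505 = """\
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set FRA-3DESSHA esp-3des esp-sha-hmac
"""
```

Calling matching_proposals(ASA5505, ASA5510) on the posted outputs returns one phase-1 pair and one phase-2 pair, so the proposals as last posted do agree; an empty phase-1 list is what produces the "no valid IKE proposal" debug message.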