05-10-2013 09:44 AM
I have a site to site VPN configured
Site 1 information:
: Saved
:
ASA Version 8.2(5)
!
hostname site1
domain-name domain.com
enable password password encrypted
passwd password encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.10.22 255.255.248.0
!
interface Ethernet0/2
nameif WirelessLAN
security-level 100
ip address 10.10.1.1 255.0.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
access-list encrypt_acl extended permit ip 172.16.8.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list encrypt_acl extended permit ip 192.168.100.0 255.255.255.0 172.16.8.0 255.255.248.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WirelessLAN 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list encrypt_acl
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 109.231.237.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.8.0 255.255.255.0 inside
http 172.16.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set London2Remote1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer xxx.xxx.xxx.xxx
crypto map IPSec_map 10 set transform-set London2Remote1
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.16.8.0 255.255.255.0 inside
ssh 172.16.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.146.137.13 source outside
ntp server 91.208.177.20 source outside
ntp server 82.219.4.30 source outside
ntp server 176.74.25.227 source outside
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
no asdm history enable
Site 2 information:
: Saved
:
ASA Version 8.2(5)
!
hostname ZMUKGBITTest
domain-name domain.com
enable password password encrypted
passwd password encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
access-list encrypt_acl extended permit ip 192.168.100.0 255.255.255.0 172.16.8.0 255.255.248.0
access-list encrypt_acl extended permit ip 172.16.8.0 255.255.248.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list encrypt_acl
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 109.231.237.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Remote12London esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer xxx.xxx.xxx.xxx
crypto map IPSec_map 10 set transform-set Remote12London
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.100 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain rdfmedia.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.146.137.13 source outside
ntp server 91.208.177.20 source outside
ntp server 82.219.4.30 source outside
ntp server 176.74.25.227 source outside
webvpn
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
no asdm history enable
My issue is that I am unable to get any traffic going through from site 1 to site 2 via the VPN tunnel.
Any ideas would be appreciated.
05-10-2013 09:54 AM
Hi,
I would start by changing some of the unusual configurations.
To start, we shouldn't really use the ACL that defines the encrypted/decrypted traffic with both directions mentioned on the same device.
Site 1
no access-list encrypt_acl extended permit ip 192.168.100.0 255.255.255.0 172.16.8.0 255.255.248.0
Site 2
no access-list encrypt_acl extended permit ip 172.16.8.0 255.255.248.0 192.168.100.0 255.255.255.0
The other thing is that I'd rather use a separate ACL for NAT0 and for the VPN ACL.
Site 1
access-list INSIDE-NAT0 permit ip 172.16.8.0 255.255.248.0 192.168.100.0 255.255.255.0
no nat (inside) 0 access-list encrypt_acl
nat (inside) 0 access-list INSIDE-NAT0
Site 2
access-list INSIDE-NAT0 permit ip 192.168.100.0 255.255.255.0 172.16.8.0 255.255.248.0
no nat (inside) 0 access-list encrypt_acl
nat (inside) 0 access-list INSIDE-NAT0
If you are testing traffic with ICMP, I would suggest configuring the following on both ASA units:
fixup protocol icmp
It enables ICMP inspection.
Can you try those changes for a start? If they don't help, tell me what you are testing the connection with. Has the L2L VPN negotiation gone through? (show crypto isakmp sa and show crypto ipsec sa peer
- Jouni
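The two points in this reply (one direction per crypto ACL, and a NAT0 ACL separate from the crypto ACL) and the settings both peers must agree on (mirrored crypto ACLs, matching transform set, matching ISAKMP policy) can be checked mechanically before bringing the tunnel up. The script below is an added example, not code from the thread or from Cisco. It parses constructed, abbreviated versions of the two configs; the networks, crypto map name and transform-set names come from the posts above, the INSIDE-NAT0 name comes from this reply, and the function names and finding texts are this example's own. Peer addresses and the pre-shared key are redacted in the thread, so they are not checked.

```python
"""Consistency checks for a pair of ASA 8.2 site-to-site IPsec configs.

Added example (not from the thread or Cisco): it parses only the statements
that decide whether an L2L tunnel forms and passes traffic (crypto ACL, NAT0
ACL, transform set, ISAKMP policy) and reports local problems and peer
mismatches. Peer IP and pre-shared key are redacted in the thread, so they
are out of scope here.
"""
import re

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)\s*$", re.M)
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+?)\s*$", re.M)
MAP_ACL_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)\s*$", re.M)
MAP_TSET_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (\S+)\s*$", re.M)
# ISAKMP policy sub-commands; 'aaa authentication ...' does not match because of the ^ anchor.
ISAKMP_RE = re.compile(r"^\s*(authentication|encryption|hash|group|lifetime) (\S+)\s*$", re.M)


def parse(cfg):
    """Pull the tunnel-relevant statements out of a running-config text."""
    acls, maps = {}, {}
    for name, *fields in ACL_RE.findall(cfg):      # entry = (src, smask, dst, dmask)
        acls.setdefault(name, []).append(tuple(fields))
    for mname, seq, acl in MAP_ACL_RE.findall(cfg):
        maps.setdefault((mname, seq), {})["acl"] = acl
    for mname, seq, tset in MAP_TSET_RE.findall(cfg):
        maps.setdefault((mname, seq), {})["tset"] = tset
    return {"acls": acls, "maps": maps, "nat0": set(NAT0_RE.findall(cfg)),
            "tsets": {n: frozenset(a.split()) for n, a in TSET_RE.findall(cfg)},
            "isakmp": dict(ISAKMP_RE.findall(cfg))}

def mirror(e):
    """The same flow as seen from the other peer."""
    return (e[2], e[3], e[0], e[1])

def crypto_entries(p):
    return {e for m in p["maps"].values() for e in p["acls"].get(m.get("acl"), [])}

def crypto_tsets(p):
    return {p["tsets"][m["tset"]] for m in p["maps"].values() if m.get("tset") in p["tsets"]}

def check_site(site, p):
    """Problems visible on a single ASA (the two points raised in the reply)."""
    out = []
    for (mname, seq), m in p["maps"].items():
        acl = m.get("acl")
        entries = p["acls"].get(acl, [])
        if any(mirror(e) in entries for e in entries):
            out.append(f"{site}: crypto ACL {acl} lists both directions of the same flow")
        if acl in p["nat0"]:
            out.append(f"{site}: NAT0 shares ACL {acl} with crypto map {mname} {seq}")
    return out

def check_pair(cfg_a, cfg_b, a="site1", b="site2"):
    """Local problems on each peer, then the settings both peers must agree on."""
    pa, pb = parse(cfg_a), parse(cfg_b)
    out = check_site(a, pa) + check_site(b, pb)
    if {mirror(e) for e in crypto_entries(pa)} != crypto_entries(pb):
        out.append(f"{a}/{b}: crypto ACLs are not mirror images of each other")
    if crypto_tsets(pa) != crypto_tsets(pb):
        out.append(f"{a}/{b}: transform sets used by the crypto maps differ")
    for key in sorted(set(pa["isakmp"]) | set(pb["isakmp"])):
        if pa["isakmp"].get(key) != pb["isakmp"].get(key):
            out.append(f"{a}/{b}: ISAKMP policy '{key}' differs "
                       f"({pa['isakmp'].get(key)} vs {pb['isakmp'].get(key)})")
    return out

# Constructed, abbreviated configs: only the statements checked above are kept.
COMMON = """crypto ipsec transform-set {tset} esp-aes-256 esp-sha-hmac
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set transform-set {tset}
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
SITE1_NET = "172.16.8.0 255.255.248.0"
SITE2_NET = "192.168.100.0 255.255.255.0"

def posted_cfg(local, remote, tset):
    """As posted: both directions in encrypt_acl, and NAT0 reusing that ACL."""
    return (f"access-list encrypt_acl extended permit ip {local} {remote}\n"
            f"access-list encrypt_acl extended permit ip {remote} {local}\n"
            "nat (inside) 0 access-list encrypt_acl\n" + COMMON.format(tset=tset))

def fixed_cfg(local, remote, tset):
    """After the reply's changes: one direction, and a separate INSIDE-NAT0 ACL."""
    return (f"access-list encrypt_acl extended permit ip {local} {remote}\n"
            f"access-list INSIDE-NAT0 permit ip {local} {remote}\n"
            "nat (inside) 0 access-list INSIDE-NAT0\n" + COMMON.format(tset=tset))

if __name__ == "__main__":
    for build in (posted_cfg, fixed_cfg):
        findings = check_pair(build(SITE1_NET, SITE2_NET, "London2Remote1"),
                              build(SITE2_NET, SITE1_NET, "Remote12London"))
        print(f"{build.__name__}: " + ("; ".join(findings) or "no findings"))
```

Run against the posted configs it reports four findings (both directions in encrypt_acl and the shared NAT0 ACL, once per site); after the reply's changes it reports none. The cross-peer checks go a step beyond the thread: swapping local and remote in one site's ACL, or changing one side's ISAKMP hash, is reported as a mismatch, which is the kind of error that leaves `show crypto isakmp sa` empty or the tunnel up but passing no traffic.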