07-23-2013 01:38 PM
I have two ASA5505s (ver 8.4(6) and ver 9.0(2)) configured for a site-to-site VPN lab, but with no success. I can ping any outside address from both ASAs, but cannot ping the LAN on the other end of the ASA. Below is the error message when trying to verify whether the VPN tunnel is established. For reference, the configurations are provided below. Any help is much appreciated.
ASA1# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA1# show crypto ipsec sa
There are no ipsec sas
ASA1:
crypto isakmp enable outside
object network net-local
subnet 192.168.1.0 255.255.255.0
object network net-remote
subnet 192.168.2.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit
ASA2:
crypto isakmp enable outside
object network net-local
subnet 192.168.2.0 255.255.255.0
object network net-remote
subnet 192.168.1.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit
ASA1# sh run int
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ASA1#
ASA1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.71, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
ASA1#
ASA2# sh run int
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ASA2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
!
ASA2# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
ASA2#
07-25-2013 06:15 AM
The tunnel is up now. I will post the detail and the complete config later, but just want to post my status and thank everyone for all the help everyone has contributed.
Many thanks again
Sent from Cisco Technical Support Android App
07-25-2013 12:03 PM
Again, I really appreciate everyone's contribution to this Site-to-Site VPN lab issue that I've been struggling with for the last couple of days. Because of everyone's help, I now have a running Site-to-Site VPN tunnel. Provided below is a minor revision to the original config from my first post. Basically, what is added to the revised config below is the command "crypto ikev1 enable outside". The rest of the config has not been changed. Although I'm not certain whether the command "crypto ikev1 enable outside" did the trick; maybe someone can confirm this.
Anyhow, after the ASAs were put back to their factory-default config (#configure factory-default), I connected a workstation to the Inside interface of each ASA to verify internet access. That was confirmed prior to applying the configs below.
And here is my mistake. I failed to realize that in order for the VPN tunnel to establish a connection, I must first issue a ping command from a host on the local LAN to a host on the remote LAN (Interesting Traffic). Instead, I kept on issuing pings from the ASA to a host on the remote LAN, unlike routers. Yep, the ICMP deny any outside statement was removed for testing purposes.
And finally I have an active message.
ASA1# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 200.200.200.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Here is the complete Site-to-Site VPN configurations:
ASA1:
crypto ikev1 enable outside
crypto isakmp enable outside
object network net-local
subnet 192.168.1.0 255.255.255.0
object network net-remote
subnet 192.168.2.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit
ASA2:
crypto ikev1 enable outside
crypto isakmp enable outside
object network net-local
subnet 192.168.2.0 255.255.255.0
object network net-remote
subnet 192.168.1.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit
Verification:
#show crypto isakmp sa
#show crypto ipsec sa
07-25-2013 12:57 PM
Thanks for the update.
Bottom line - add one command and realize the ASA doesn't count self-generated traffic as interesting, since it will just send it out sourced from its outside interface (based on its routing table) and never attempt to establish a VPN for that traffic.
Happy studies.
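The two points this thread turned on, that the tunnel is only negotiated when a packet matches the crypto ACL ("interesting traffic") and that the two ends must be mirror images of each other with a tunnel-group and IKEv1 enabled on the crypto-map interface, can be checked offline. The script below is an added example, not code from the thread or from Cisco. It parses the handful of statements in the posted configs that decide whether the tunnel can come up and answers "would this packet start IKE?" for a given source and destination. ASA1's outside address (100.100.100.1) is an assumption inferred from ASA2's peer statement, since both outside interfaces get their address by DHCP in the thread; the checker only models the ACL match, so the ASA's own behaviour of never evaluating self-generated traffic against the crypto map is shown by sourcing the test packet from the outside address, as the last reply describes.

```python
"""Pair checker for the ASA site-to-site configs posted in this thread.

Added example, not from the thread or from Cisco. It parses network objects,
the crypto ACL, the crypto map, the ipsec-l2l tunnel-group and the
'crypto ikev1 enable' line, and reports whether a packet is interesting
traffic and whether the two ends can negotiate with each other.
"""
import ipaddress

# Constructed sample input, trimmed from the revised configs posted above.
# ASA1's outside address (100.100.100.1) is an ASSUMPTION inferred from ASA2's
# peer statement; both outside interfaces use DHCP in the thread.
ASA1_OUTSIDE, ASA2_OUTSIDE = "100.100.100.1", "200.200.200.1"
ASA1_CFG = """\
crypto ikev1 enable outside
object network net-local
 subnet 192.168.1.0 255.255.255.0
object network net-remote
 subnet 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 200.200.200.1 type ipsec-l2l
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map interface outside
"""
ASA2_CFG = """\
crypto ikev1 enable outside
object network net-local
 subnet 192.168.2.0 255.255.255.0
object network net-remote
 subnet 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 100.100.100.1 type ipsec-l2l
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map interface outside
"""
# The first post's config differed only by lacking the ikev1 line.
ASA1_ORIGINAL_CFG = ASA1_CFG.replace("crypto ikev1 enable outside\n", "")


def parse_asa(text):
    """Pull the VPN-relevant statements out of an ASA config fragment."""
    cfg = {"objects": {}, "acls": {}, "maps": {}, "tunnel_groups": set(),
           "ikev1_ifaces": set(), "map_iface": {}}
    obj = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "exit"):
            continue
        if t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] == "subnet" and obj:
            # "subnet NET MASK" -> ip_network accepts the dotted-mask form
            cfg["objects"][obj] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # access-list NAME permit ip object LOCAL object REMOTE
            cfg["acls"].setdefault(t[1], []).append((t[5], t[7]))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["maps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_ifaces"].add(t[3])
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["tunnel_groups"].add(t[1])
    return cfg


def flows(cfg):
    """Set of (local_net, remote_net) pairs the crypto map will protect."""
    out = set()
    for entry in cfg["maps"].values():
        for local, remote in cfg["acls"].get(entry.get("acl"), []):
            out.add((cfg["objects"][local], cfg["objects"][remote]))
    return out


def is_interesting(cfg, src, dst):
    """True if a packet src->dst matches the crypto ACL and would trigger IKE."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in flows(cfg))


def check_pair(a, a_outside, b, b_outside):
    """Findings that would stop the two ends negotiating; empty list means OK."""
    findings = []
    for name, cfg, peer in (("ASA1", a, b_outside), ("ASA2", b, a_outside)):
        for (map_name, seq), entry in cfg["maps"].items():
            if entry.get("peer") != peer:
                findings.append(f"{name}: {map_name} {seq} peers with "
                                f"{entry.get('peer')}, expected {peer}")
            if entry.get("peer") not in cfg["tunnel_groups"]:
                findings.append(f"{name}: no ipsec-l2l tunnel-group for peer "
                                f"{entry.get('peer')}")
            iface = cfg["map_iface"].get(map_name)
            if iface not in cfg["ikev1_ifaces"]:
                findings.append(f"{name}: crypto ikev1 enable {iface} is missing")
    # Each side's (local, remote) pairs must be the other side's (remote, local).
    if flows(a) != {(r, l) for l, r in flows(b)}:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    asa1, asa2 = parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)
    print("host ping  :", is_interesting(asa1, "192.168.1.10", "192.168.2.10"))
    print("ASA ping   :", is_interesting(asa1, ASA1_OUTSIDE, "192.168.2.1"))
    print("revised    :", check_pair(asa1, ASA1_OUTSIDE, asa2, ASA2_OUTSIDE))
    print("original   :", check_pair(parse_asa(ASA1_ORIGINAL_CFG), ASA1_OUTSIDE,
                                     asa2, ASA2_OUTSIDE))
```

Running it reports the host-to-host ping as interesting and the ASA-sourced ping as not, returns no findings for the revised pair, and for the first post's ASA1 config returns a single finding about the missing ikev1 line; whether that line alone was the fix is left open in the thread, and the checker only records that the working config has it.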