Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

aarkicisco · ‎11-20-2013

Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.

I've tried create configuration with and without ASA wizard, but anyway it doesn't work.

Please help me to find where is the issue.

I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0

192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0

Here is my current configuration.

Thanks for your help.

IOS Configuration

version 15.2

...

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

crypto isakmp key cisco address 198.0.183.225

crypto isakmp invalid-spi-recovery

!

crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac

mode transport

!

crypto map static-map 1 ipsec-isakmp

set peer S2.S2.S2.S2

set transform-set AES-SET

set pfs group2

match address 100

!

interface GigabitEthernet0/0

ip address S1.S1.S1.S1 255.255.255.240

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map static-map

!

interface GigabitEthernet0/1

ip address 192.168.17.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255

!

ASA Configuration

ASA Version 8.4(3)

!

...

!

interface Ethernet0/0

switchport access vlan 2

!

...

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.83.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address S2.S2.S2.S2 255.255.255.248

!

ftp mode passive

same-security-traffic permit intra-interface

object network inside-network

subnet 192.168.83.0 255.255.255.0

object network datacenter

host S1.S1.S1.S1

object network datacenter-network

subnet 192.168.17.0 255.255.255.0

object network NETWORK_OBJ_192.168.83.0_24

subnet 192.168.83.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended deny ip any any log

access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic inside-network interface

nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup

nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1

...

crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set vpn-transform-set mode transport

crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set L2L_SET mode transport

crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set

crypto map vpn 1 match address outside_cryptomap

crypto map vpn 1 set pfs

crypto map vpn 1 set peer S1.S1.S1.S1

crypto map vpn 1 set ikev1 transform-set L2L_SET

crypto map vpn 20 ipsec-isakmp dynamic dyno

crypto map vpn interface outside

crypto isakmp nat-traversal 3600

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

...

group-policy GroupPolicy_S1.S1.S1.S1 internal

group-policy GroupPolicy_S1.S1.S1.S1 attributes

vpn-tunnel-protocol ikev1

group-policy remote_vpn_policy internal

group-policy remote_vpn_policy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted

username admin password rqiFSVJFung3fvFZ encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool vpn_pool

default-group-policy remote_vpn_policy

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group S1.S1.S1.S1 type ipsec-l2l

tunnel-group S1.S1.S1.S1 general-attributes

default-group-policy GroupPolicy_S1.S1.S1.S1

tunnel-group S1.S1.S1.S1 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f55f10c19a0848edd2466d08744556eb

: end

Karsten Iwen · ‎11-20-2013

there are two things:

1) the transform-set has to be tunnel-mode, so you can remove the "transport" commands.

2) You don't show the NAT-config of the router. Do you have NAT-exemption in place for the VPN-traffic?

Please send the router-output of "show crypto session detail" after sending some traffic through the tunnel.

aarkicisco · ‎11-21-2013

Thanks for helping me again. I really appreciate.

I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.

Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?

Because on Cisco ASA I guess I have everything.

Here is show crypto session detail

router(config)#do show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/0

Session status: DOWN

Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)

Desc: (none)

Phase1_id: (none)

IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0

Active SAs: 0, origin: crypto map

Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0

Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Should I see something in crypto isakmp sa?

pp-border#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

IPv6 Crypto ISAKMP SA

Thanks again for your help.

Karsten Iwen · ‎11-21-2013

Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?

If you didn't configure that, the VPN-traffic is NATed with your general internet-policy and the crypto-map doesn't see VPN-the traffic any more.

Make sure to have a deny-statement at the beginning of your NAT-ACL for the traffic from 192.168.17.0/24 to 192.168.83.0/24.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni