ASA 5505 - I can't create a VPN IPSEC between two ASA 5505

monter_85
Level 1

Hello,

I have two ASA 5505 with the base licence and I'm trying to create an IPsec VPN using the CLI. These are the steps that I took:

1- Configure ASA-1 (hostname, vlan 1 and vlan 2)

2- Configure a static route

3- Create network objects (local and remote)

4- Create an access-list

5- Create crypto ikev1

6- Create a tunnel-group

7- Configure NAT

and I repeated the above steps on the other ASA, changing the IPs.

Are the above steps correct?

Why can't I create an IPsec VPN between the devices?

15 Replies

Boris Uskov
Level 4

Hello!

What about the step of creating crypto transform sets and crypto maps?

What does step 5, "create crypto ikev1", mean? Does it include crypto transform sets and crypto maps?

Have you enabled crypto ikev1 on the outside interfaces (e.g. crypto ikev1 enable outside)?

Have you connected the crypto map to the outside interface (e.g. crypto map outside_map interface outside)?

Also be aware that the IPsec tunnel will be UP only when interesting traffic appears. Interesting traffic is the traffic described in your crypto ACL (step 4, I believe).

Hello Boris

Note: the ASAs are directly connected and the configuration is a Site-to-Site IKEv1 IPsec VPN.

Network configuration data:

ASA-1:

LAN ASA 1: 192.168.1.0/24

VLAN 1: 192.168.1.1 255.255.255.0

VLAN 2: 200.200.200.1 255.255.255.252

ASA-2:

LAN ASA 2: 192.168.2.0/24

VLAN 1: 192.168.2.1 255.255.255.0

VLAN 2: 200.200.200.2 255.255.255.252

 

This is the configuration of the devices:

ASA-1

1- Configure ASA-1 (hostname, vlan 1 and vlan 2)

interface vlan 2
no ip address dhcp setroute
ip addr 200.200.200.1 255.255.255.252
 

2- Configure a route static

route outside 0 0 200.200.200.2

 

3- Create object network (local and remote)
object network obj-local
subnet 192.168.1.0 255.255.255.0
object network obj-remote
subnet 192.168.2.0 255.255.255.0


4- Create access-list

access-list LAN1-to-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

5- create crypto ikev1

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address

 

6-create tunnel-group

tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
ikev1 pre-shared-key cisco123

crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 200.200.200.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside

7-configure nat
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

 

ASA-2

1- Configure ASA-2 (hostname, vlan 1 and vlan 2)

no dhcpd address 192.168.1.5-192.168.1.36 inside
no dhcpd enable inside
interface vlan 1
ip addr 192.168.2.1 255.255.255.0
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd enable inside


interface vlan 2
no ip address dhcp setroute
ip addr 200.200.200.2 255.255.255.252

2- Configure a route static

route outside 0 0 200.200.200.1

 

3- Create object network (local and remote)
object network obj-local
subnet 192.168.2.0 255.255.255.0
exit
object network obj-remote
subnet 192.168.1.0 255.255.255.0


4- Create access-list

access-list LAN2-to-LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

 

5- create crypto ikev1

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600

crypto ikev1 enable outside
crypto isakmp identity address

 

6-create tunnel-group

tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key cisco123

crypto ipsec ikev1 transform-set ASA2TS esp-aes-192 esp-sha-hmac
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 200.200.200.1
crypto map ASA2VPN 10 set ikev1 transform-set ASA2TS
crypto map ASA2VPN 10 set security-association lifetime seconds 3600
crypto map ASA2VPN interface outside

 

7-configure nat
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

Afterwards, I pinged from 192.168.2.1 to 192.168.1.1 and got no response.

With the above configuration, why can't the tunnel be established?

What is wrong?
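As an added example (not from the thread), a small Python cross-check of the kind a reviewer runs over two mirror-image ASA IKEv1 configs before bringing a tunnel up: it parses the fields both peers must agree on and flags the slips that creep into copy-pasted configs, such as a crypto map pointing at the ASA's own outside address or a mask truncated to "255.255". The sample configs are constructed from the addresses above and reduced to the lines the check reads; ASA2_BROKEN is a constructed variant used only to show the findings.

```python
import re

def parse_side(cfg):
    """Pull out, from one ASA's config text, the fields the two peers must agree on."""
    def field(pat, n=1):
        m = re.search(pat, cfg, re.M)
        return None if not m else (m.groups() if n > 1 else m.group(1))
    acl = field(r"^crypto map \S+ \d+ match address (\S+)")
    return {
        "outside": field(r"^interface vlan 2\n(?:.*\n)*?\s*ip addr(?:ess)? (\S+) "),
        "tg_peer": field(r"^tunnel-group (\S+) type ipsec-l2l"),
        "map_peer": field(r"^crypto map \S+ \d+ set peer (\S+)"),
        "acl": field(rf"^access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)", 4),
        "ts": field(r"^crypto ipsec ikev1 transform-set \S+ (.+)$"),
        "psk": field(r"^\s*ikev1 pre-shared-key (\S+)"),
    }

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two configs mirror correctly."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings = []
    for name, s, o in (("A", a, b), ("B", b, a)):
        if s["map_peer"] != s["tg_peer"]:
            findings.append(f"{name}: crypto map peer {s['map_peer']} != tunnel-group {s['tg_peer']}")
        if s["tg_peer"] != o["outside"]:
            findings.append(f"{name}: peer {s['tg_peer']} is not the other side's outside {o['outside']}")
        if not s["acl"] or not all(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", t) for t in s["acl"]):
            findings.append(f"{name}: crypto ACL missing or has a truncated address/mask: {s['acl']}")
    # the remote crypto ACL must be the local one with source and destination swapped
    if a["acl"] and b["acl"] and a["acl"] != b["acl"][2:] + b["acl"][:2]:
        findings.append(f"crypto ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    for key in ("ts", "psk"):
        if a[key] != b[key]:
            findings.append(f"{key} differs between peers: {a[key]} vs {b[key]}")
    return findings

# Constructed sample configs, reduced to the lines the check reads (addresses as in the thread).
TEMPLATE = """interface vlan 2
 ip address {me} 255.255.255.252
access-list {acl} extended permit ip {lan} 255.255.255.0 {rlan} 255.255.255.0
tunnel-group {peer} type ipsec-l2l
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set TS esp-aes-192 esp-sha-hmac
crypto map VPN 10 match address {acl}
crypto map VPN 10 set peer {peer}
"""
ASA1 = TEMPLATE.format(me="200.200.200.1", peer="200.200.200.2", acl="LAN1-to-LAN2", lan="192.168.1.0", rlan="192.168.2.0")
ASA2 = TEMPLATE.format(me="200.200.200.2", peer="200.200.200.1", acl="LAN2-to-LAN1", lan="192.168.2.0", rlan="192.168.1.0")
# Two constructed copy-paste slips: a crypto map peering with the ASA's own outside address, and a mask cut to "255.255".
ASA2_BROKEN = ASA2.replace("set peer 200.200.200.1", "set peer 200.200.200.2").replace("192.168.1.0 255.255.255.0", "192.168.1.0 255.255")
```

check_pair(ASA1, ASA2) returns an empty list, while check_pair(ASA1, ASA2_BROKEN) reports the self-peering crypto map, the truncated mask and the resulting non-mirrored ACLs.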

 

Hello, 

please, try to add on both ASAs:

icmp permit any inside

management-access inside

If I understand you correctly, you are performing the pings from the ASA. Correct? If so, what command do you use for the ping?

I expect you use
ping inside 192.168.2.1

while you need to specify the source IP address for the ICMP requests explicitly.

 

Also, post the output of:

show crypto isakmp sa 

show crypto ipsec sa

 

Oh, and one more very important thing! If you want to ping the inside interface of the second ASA from the inside interface of the first ASA, you need to have both inside interfaces in the UP state. So you need to connect some device to the inside interfaces of both ASAs.

Hello,

In each LAN I have a host:

LAN ASA-1:

PC: 192.168.1.5

LAN ASA-2:

PC: 192.168.2.5

When I try the following:

a ping from the PC behind ASA-2 (IP 192.168.2.5) to the PC behind ASA-1 (IP 192.168.1.5), there is no response.

I don't understand it, because the two ASAs permit IP traffic between the two LANs.

Do I need to create a new rule that permits ICMP traffic?

 

 

When I execute the command "show crypto isakmp sa", the terminal shows:

ASA-1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.200.200.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

 

And when I execute the command "show crypto ipsec sa", the terminal shows:

ASA-1# show crypto ipsec sa
interface: outside
    Crypto map tag: ASA1VPN, seq num: 10, local addr: 200.200.200.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 200.200.200.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.200.200.1/0, remote crypto endpt.: 200.200.200.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 8A6D541C
      current inbound spi : 9B58DC91

    inbound esp sas:
      spi: 0x9B58DC91 (2606292113)
         transform: esp-aes-192 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: ASA1VPN
         sa timing: remaining key lifetime (kB/sec): (3914999/2928)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x8A6D541C (2322420764)
         transform: esp-aes-192 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: ASA1VPN
         sa timing: remaining key lifetime (kB/sec): (3915000/2928)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

It seems that the VPN is OK. It can be a firewall issue.

And yes, it seems that you need to create a new rule for ICMP traffic inspection.

Please try the following on both ASAs:

policy-map global_policy
 class inspection_default
  inspect icmp
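An added example, not from the thread: a Python parser for "show crypto ipsec sa" output that turns the encaps/decaps counters into the reading Boris gives above. The sample text is the ASA-1 output trimmed to the lines the parser reads; "#pkts encaps: 0" next to "#pkts decaps: 3" means ASA-1 decrypted three packets from the peer but never sent anything back, which points at the host on the local inside network rather than at the tunnel.

```python
import re

# Constructed sample: the ASA-1 "show crypto ipsec sa" output from the thread, trimmed to the relevant lines.
SAMPLE = """\
interface: outside
    Crypto map tag: ASA1VPN, seq num: 10, local addr: 200.200.200.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 200.200.200.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #send errors: 0, #recv errors: 0
"""

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: map name, idents, peer and every '#name: N' counter."""
    entries = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        sa = {"map": re.match(r"\s*(\S+),", block).group(1)}
        for key in ("local ident", "remote ident"):
            sa[key] = re.search(rf"{key} \(addr/mask/prot/port\): \((.*?)\)", block).group(1)
        sa["peer"] = re.search(r"current_peer: (\S+)", block).group(1)
        # e.g. {"pkts encaps": 0, "pkts decaps": 3, "send errors": 0, ...}
        sa["counters"] = {k: int(v) for k, v in re.findall(r"#([\w -]+?): (\d+)", block)}
        entries.append(sa)
    return entries

def diagnose(sa):
    """Map the counter pattern of one SA to where a practitioner should look next."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors: send/recv error counters are non-zero; check MTU, routing and the peer's SA state"
    if enc == 0 and dec == 0:
        return "idle: no packet has matched the crypto ACL yet; verify the interesting traffic and the ACL"
    if enc == 0:
        return "one-way inbound: peer traffic decrypts here but nothing is sent back; check the local inside hosts (host firewall) and inside path"
    if dec == 0:
        return "one-way outbound: local traffic leaves encrypted but no replies arrive; check the remote side"
    return "bidirectional: traffic flows both ways through this SA"
```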

 

This rule doesn't work.

Here is the configuration of the rule in the running-config:

policy-map global_policy
 class inspection_default
 ...
  inspect icmp

Ok, please, send the output of:

show run service-policy 

show run access-group

show run all sysopt

And let's perform a packet-tracer test on one of the ASAs:

packet-tracer input inside icmp  192.168.1.5 8 0 192.168.2.5

And I also advise you to add the "no-proxy-arp" option to the NAT rule:

no nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp

I changed the rule, but it is still the same ...

Do I need to configure an access-list to permit ICMP traffic?

 

No, you don't need to. The ASA's configuration is OK. Packet tracer proved it. I think it may be a problem on the hosts. Please check the firewall on the PCs and try to switch it off, if it is running.

Hello,

thanks a lot.

The problem is the Windows firewall.

Ok, super. I'm glad I was helpful :)

ASA-1# show run service-policy
service-policy global_policy global

 

ASA-1# show run access-group
ASA-1#

 

ASA-1# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside

And the test on ASA-1:

ASA-1# packet-tracer input inside icmp 192.168.1.5 8 0 192.168.2.5

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.5/0 to 192.168.2.5/0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
Additional Information:
Static translate 192.168.1.5/0 to 192.168.1.5/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 165, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow