ASA 5505 site to site VPN issue

arty_
Level 1

I am very new to firewalls and am currently implementing a VPN between two 5505s (I tried a 5506 as well) with the following configuration on one side and the corresponding configuration on the other side. Currently I am unable to ping from inside to the other side's inside. I am trying this out in Packet Tracer. Truly appreciate any help.

ASA Version 8.4(2)
!
hostname Firewall
domain-name modcentre.com
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
object network BRANCH-INSIDE
 subnet 192.168.20.0 255.255.255.0
object network HEAD-INSIDE
 subnet 192.168.10.0 255.255.255.0
object network HEAD-OUTSIDE
 host 10.1.1.1
object network inside-net
 subnet 192.168.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
!
access-list VPN-TRAFFIC extended permit ip object HEAD-INSIDE object BRANCH-INSIDE
access-list VPN-TRAFFIC extended permit icmp object HEAD-INSIDE object BRANCH-INSIDE
access-list VPN-TRAFFIC extended permit tcp object HEAD-INSIDE object BRANCH-INSIDE
access-list PrivateTraffic extended permit tcp object BRANCH-INSIDE object HEAD-INSIDE
access-list PrivateTraffic extended permit icmp object BRANCH-INSIDE object HEAD-INSIDE
!
access-group PrivateTraffic out interface inside
object network inside-net
 nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
username admin-main password 4RVZybJILa4vBBrC encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.3 255.255.255.255 inside
ssh timeout 10
!
dhcpd auto_config outside
!
dhcpd address 192.168.10.3-192.168.10.12 inside
dhcpd enable inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside_map 1 match address VPN-TRAFFIC
crypto map outside_map 1 set peer 10.1.2.1
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set ikev1 transform-set L2L
crypto map outside_map interface outside
crypto ikev1 policy 1
 encr 3des
 authentication pre-share
 group 5
!
tunnel-group 10.1.2.1 type ipsec-l2l
tunnel-group 10.1.2.1 ipsec-attributes
 ikev1 pre-shared-key cisco

8 Replies

@arty_

Does the VPN actually establish when you attempt to generate traffic over the VPN?

Provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" for review.

Can you provide the full configuration of both ASAs please?

What IP address are you pinging, the other ASA's inside interface or a client device behind the remote ASA?

For the show crypto isakmp sa:

There are no IKEv1 SAs

There are no IKEv2 SAs

For the show crypto ipsec sa:

There are no ipsec sas

The config on the other ASA:

ASA Version 8.4(2)
!
hostname Firewall-br
domain-name modcentre.com
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.2.1 255.255.255.0
!
object network BRANCH-INSIDE
 subnet 192.168.20.0 255.255.255.0
object network BRANCH-OUTSIDE
 host 10.1.2.1
object network HEAD-INSIDE
 subnet 192.168.10.0 255.255.255.0
object network inside-net
 subnet 192.168.20.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.1.2.2 1
!
access-list VPN-TRAFFIC extended permit ip object BRANCH-INSIDE object HEAD-INSIDE
access-list VPN-TRAFFIC extended permit icmp object BRANCH-INSIDE object HEAD-INSIDE
access-list PrivateTraffic extended permit tcp object HEAD-INSIDE object BRANCH-INSIDE
access-list PrivateTraffic extended permit icmp object HEAD-INSIDE object BRANCH-INSIDE
!
access-group PrivateTraffic out interface inside
object network inside-net
 nat (inside,outside) dynamic interface
!
aaa authentication ssh console LOCAL
!
username admin-br password 4RVZybJILa4vBBrC encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh 192.168.20.3 255.255.255.255 inside
ssh 192.168.10.3 255.255.255.255 outside
ssh timeout 10
!
dhcpd auto_config outside
!
dhcpd address 192.168.20.3-192.168.20.12 inside
dhcpd enable inside
!
crypto ipsec ikev1 transform-set L2L esp-aes 256 esp-sha-hmac
!
crypto map outside_map 1 match address VPN-TRAFFIC
crypto map outside_map 1 set peer 10.1.1.1
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set ikev1 transform-set L2L
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr 3des
 authentication pre-share
 group 5
!
tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
!

What about answering the other question about the device you are pinging?

You'll need NAT exemption rules on both ASAs, as traffic is likely unintentionally NATted.

HEAD Office ASA
nat (INSIDE,OUTSIDE) source static HEAD-INSIDE HEAD-INSIDE destination static BRANCH-INSIDE BRANCH-INSIDE no-proxy-arp

BRANCH Office ASA
nat (INSIDE,OUTSIDE) source static BRANCH-INSIDE BRANCH-INSIDE destination static HEAD-INSIDE HEAD-INSIDE no-proxy-arp
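As an added example (not from this thread or from Cisco), a small Python lint that reads one ASA's configuration and flags three things a site-to-site tunnel on 8.4 depends on: the twice-NAT identity (exemption) rule the reply above describes, nat statements whose interface names do not match the box's nameif values (they are case-sensitive, which is what "nat (INSIDE,OUTSIDE)" runs into when the nameifs are lower case), and a crypto map bound to an interface on which "crypto ikev1 enable" is absent. The sample configuration is constructed from the head-office side posted above, cut down to the lines the checks read.

```python
import re

# Constructed sample: the head-office side from the thread, cut down to the
# lines these checks read (not a complete ASA configuration).
HEAD_CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
object network HEAD-INSIDE
 subnet 192.168.10.0 255.255.255.0
object network BRANCH-INSIDE
 subnet 192.168.20.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip object HEAD-INSIDE object BRANCH-INSIDE
object network inside-net
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address VPN-TRAFFIC
crypto map outside_map interface outside
"""

# Twice-NAT rule: nat (X,Y) source static A A' destination static B B' ...
EXEMPT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def lint_l2l(config: str) -> list[str]:
    """Flag the three site-to-site VPN mistakes discussed in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text = "\n".join(lines)
    nameifs = {l.split()[1] for l in lines if l.startswith("nameif ")}
    findings, exemptions = [], set()
    # 1. A crypto map bound to an interface needs IKEv1 enabled there, or no ISAKMP SA is ever built.
    for iface in re.findall(r"crypto map \S+ interface (\S+)", text):
        if f"crypto ikev1 enable {iface}" not in lines:
            findings.append(f"missing: crypto ikev1 enable {iface}")
    # 2. Names inside nat (...) must be existing nameif values, compared case-sensitively.
    for line in (l for l in lines if l.startswith("nat (")):
        bad = [n for n in re.match(r"nat \((\S+),(\S+)\)", line).groups() if n not in nameifs]
        if bad:
            findings.append(f"unknown interface(s) {bad} in: {line}")
            continue  # the ASA rejects this line, so it exempts nothing
        m = EXEMPT_RE.match(line)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exemptions.add((m.group(1), m.group(3)))  # identity rule: A->B is not translated
    # 3. Each src/dst pair the crypto ACL matches needs such an identity rule, or the dynamic PAT wins.
    for acl in re.findall(r"crypto map \S+ \d+ match address (\S+)", text):
        for src, dst in re.findall(rf"access-list {re.escape(acl)} extended permit ip object (\S+) object (\S+)", text):
            if (src, dst) not in exemptions:
                findings.append(f"no NAT exemption for {src} -> {dst}")
    return findings
```

Run it on the full running-config of each ASA; an empty list means the three conditions hold on that side, and the tunnel still needs the matching peer, pre-shared key and mirrored crypto ACL on the other side.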

This error comes when I enter a nat command:

% Invalid input detected at '^' marker.

Provide a screenshot of the error; that "'^' marker" tells you exactly where the syntax issue is, and without seeing it I can only guess.

Change the interface names to lower case (it may be an issue in older versions).

The screenshot is attached.

So does the object called BRANCH-INSIDE actually exist on the ASA?

I tried the NAT configuration under an object network command as well to see if that would work, but it is still showing an error.