ASA 5505 to 5510 Site-to-Site VPN IPsec doesn't work

I am just trying to build a Site-to-Site VPN over IPsec between an ASA5505 and an ASA5510.

But it doesn't want to work. Here are the configs of the ASA5505 and ASA5510:

ASA5505:

: Saved

: Written by enable_15 at 20:02:51.175 UTC Wed Apr 7 2010

!

ASA Version 7.2(2)

!

hostname asa5505

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.178.254 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Inside_ICMP extended permit icmp any any echo-reply

access-list Inside_ICMP extended permit icmp any any source-quench

access-list Inside_ICMP extended permit icmp any any unreachable

access-list Inside_ICMP extended permit icmp any any time-exceeded

access-list outside_cryptomap_10 remark ACL to encrypt traffic from Muenchen to Frankfurt

access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption

access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat_outbound

static (inside,outside) interface 192.168.1.254 netmask 255.255.255.255

access-group Inside_ICMP in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set FRA-AES256SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set peer 192.168.178.230

crypto map outside_map 10 set transform-set FRA-AES256SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 192.168.178.230 type ipsec-l2l

tunnel-group 192.168.178.230 ipsec-attributes

pre-shared-key Cisco1234

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:469da4f90cebc4e460849caade472273

: end

ASA5510:

: Saved

: Written by enable_15 at 15:26:19.983 UTC Sun Sep 30 2012

!

ASA Version 7.2(3)

!

hostname asa5510

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.178.230 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Inside_ICMP extended permit icmp any any echo-reply

access-list Inside_ICMP extended permit icmp any any source-quench

access-list Inside_ICMP extended permit icmp any any unreachable

access-list Inside_ICMP extended permit icmp any any time-exceeded

access-list outside_cryptomap_10 remark ACL to encrypt traffic from Frankfurt to Muenchen

access-list outside_cryptomap_10 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption

access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat_outbound

static (inside,outside) interface 192.168.10.50 netmask 255.255.255.255

access-group Inside_ICMP in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set MUC-AES256SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set peer 192.168.178.254

crypto map outside_map 10 set transform-set MUC-AES256SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn username blub password blub store-local

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

tunnel-group 192.168.178.254 type ipsec-l2l

tunnel-group 192.168.178.254 ipsec-attributes

pre-shared-key Cisco1234

prompt hostname context

Cryptochecksum:0b1021940edf26ed0e32a84b18a4a888

: end

I hope that somebody can tell me what I am doing wrong.


Hi,

OK, can you do:

packet-tracer input inside icmp 192.168.1.1 0 8 192.168.10.1 detailed

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain,

Result of packet-tracer on ASA5505:

asa5505# packet-tracer input inside icmp 192.168.1.1 0 8 192.168.10.1 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x3522a20, priority=1, domain=permit, deny=false

        hits=1103, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x35396f8, priority=500, domain=permit, deny=true

        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=192.168.1.1, mask=255.255.255.255, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

asa5505#

Regards,

Hans-Juergen Guenter

Hi,

1) What are those entries for on both firewalls:

static (inside,outside) interface 192.168.1.254 netmask 255.255.255.255

2) Why are there no nat (inside) 1 and nat (global) 1 entries? Is no one on the LANs using these firewalls for Internet access?

Regards.

Alain

Don't forget to rate helpful posts.


Hi,

I changed the static (inside,outside) to global (outside) 1 and nat (inside) 1 entries.

Regards,

Hans-Juergen Guenter

Hi,

Clear xlate before initiating new traffic.

Is your VPN still failing? What does the packet-tracer output say this time?

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain,

Yes, my VPN is still failing. Now I am trying to configure each ASA only to send and

receive ICMP to the Internet. After that I will try to make a Site-to-Site VPN with

the ASDM wizard.

Regards,

Hans-Juergen Guenter

It still doesn't work. I don't know why.

I think I am doing something wrong, but I can't find the error.

Hi to all who helped me to solve the problem.

Now it works; the site-to-site IPsec VPN tunnel is up. Only one problem

remains: I cannot ping a client in the remote network.

The entry that solved the problem was:

access-list no_NAT extended permit ip Network Network

nat (inside) 0 access-list no_NAT

I have done that on both ASAs.

For the problem that is still there, I will open a new discussion.

Best regards,

Hans-Juergen Guenter
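A check I would run on both running-configs before reaching for packet-tracer, as an added example that is not code from this thread or from Cisco. It parses only the pre-8.3 ASA commands used in the posts above (crypto map, crypto isakmp policy, tunnel-group ipsec-attributes, nat (inside) 0 access-list) and reports the mismatches that most often keep such a tunnel down: wrong peer address, crypto ACLs that are not mirror images, a NAT exemption that does not cover the crypto ACL (the thread's actual fix), differing pre-shared keys or transform sets, and no common ISAKMP policy. The two sample configs are constructed to mirror the Muenchen/Frankfurt setup with a placeholder pre-shared key; the function names and the FRA mirroring helper are mine.

```python
"""Added example (not from the thread): consistency check for the two ends of an
ASA 7.x site-to-site IPsec tunnel, using the pre-8.3 commands seen in the posts.
Sample configs are constructed to mirror the thread; the PSK is a placeholder."""
from typing import Dict, List


def parse_asa(text: str) -> Dict:
    """Extract the IPsec-relevant settings from a running-config dump."""
    c = {"acls": {}, "isakmp": [], "tsets": {}, "psk": {}, "outside_ip": None,
         "peer": None, "crypto_acl": None, "tset": None, "nat0": None}
    nameif = pol = tg = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            nameif = pol = tg = None
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "outside":
            c["outside_ip"] = w[2]
        elif w[0] == "access-list" and len(w) >= 9 and w[2:5] == ["extended", "permit", "ip"]:
            # access-list NAME extended permit ip SRC MASK DST MASK -> ((src), (dst))
            c["acls"].setdefault(w[1], set()).add(((w[5], w[6]), (w[7], w[8])))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and "match" in w:
            c["crypto_acl"] = w[-1]
        elif w[:2] == ["crypto", "map"] and "peer" in w:
            c["peer"] = w[-1]
        elif w[:2] == ["crypto", "map"] and "transform-set" in w:
            c["tset"] = w[-1]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            pol = {}
            c["isakmp"].append(pol)
        elif pol is not None and w[0] in ("authentication", "encryption", "hash", "group"):
            pol[w[0]] = w[1]  # lifetime is negotiated down to the lower value, so not compared
        elif w[:2] == ["nat", "(inside)"] and w[2:4] == ["0", "access-list"]:
            c["nat0"] = w[4]
        elif w[0] == "tunnel-group" and w[-1] == "ipsec-attributes":
            tg, pol = w[1], None
        elif w[0] == "pre-shared-key" and tg:
            c["psk"][tg] = w[1]
    return c


def check_pair(a: Dict, b: Dict, an: str = "A", bn: str = "B") -> List[str]:
    """Report the per-side and cross-side mismatches that keep a tunnel down."""
    issues: List[str] = []
    for me, you, mn, yn in ((a, b, an, bn), (b, a, bn, an)):
        if me["peer"] != you["outside_ip"]:
            issues.append(f"{mn}: peer {me['peer']} is not {yn}'s outside address {you['outside_ip']}")
        crypto = me["acls"].get(me["crypto_acl"], set())
        if not crypto:
            issues.append(f"{mn}: crypto ACL {me['crypto_acl']} has no 'permit ip' entries")
        # Without nat 0 for these hosts, a nat (inside) 1 rule translates the
        # packet first and it no longer matches the crypto ACL.
        uncovered = crypto - me["acls"].get(me["nat0"], set())
        if uncovered:
            issues.append(f"{mn}: NAT exemption does not cover {sorted(uncovered)}")
        if you["outside_ip"] not in me["psk"]:
            issues.append(f"{mn}: no tunnel-group pre-shared-key for {you['outside_ip']}")
    ca = a["acls"].get(a["crypto_acl"], set())
    cb = b["acls"].get(b["crypto_acl"], set())
    if {(d, s) for s, d in ca} != cb:
        issues.append("crypto ACLs are not mirror images")
    ka, kb = a["psk"].get(b["outside_ip"]), b["psk"].get(a["outside_ip"])
    if ka and kb and ka != kb:
        issues.append("pre-shared keys differ")
    if a["tsets"].get(a["tset"]) != b["tsets"].get(b["tset"]):
        issues.append("IPsec transform sets differ")
    if not any(p in b["isakmp"] for p in a["isakmp"]):
        issues.append("no ISAKMP policy in common")
    return issues


# Constructed sample config for the Muenchen ASA5505 (placeholder PSK).
MUC = """\
interface Vlan2
 nameif outside
 ip address 192.168.178.254 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list no_NAT
crypto ipsec transform-set FRA-AES256SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.178.230
crypto map outside_map 10 set transform-set FRA-AES256SHA
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group 192.168.178.230 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
"""


def swap(text: str, pairs) -> str:
    """Swap each (x, y) pair in text; used only to build the mirror-image config."""
    for x, y in pairs:
        text = text.replace(x, "@@").replace(y, x).replace("@@", y)
    return text


# The Frankfurt ASA5510 is the mirror image: swapped addresses, networks and names.
FRA = swap(MUC, [("192.168.178.254", "192.168.178.230"), ("192.168.1.0 ", "192.168.10.0 "),
                 ("FRA-", "MUC-"), ("Vlan2", "Ethernet0/0")])

if __name__ == "__main__":
    for line in check_pair(parse_asa(MUC), parse_asa(FRA), "asa5505", "asa5510") or ["no mismatches"]:
        print(line)
```

Run it against the real `show running-config` of both boxes (the PSK is shown in clear on 7.2, so keep the dumps off shared drives). Dropping the `nat (inside) 0` line from one side, or changing one PSK, produces a finding for that side; the order of findings is per-side first, cross-side checks last.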