09-30-2012 11:37 AM - edited 02-21-2020 06:22 PM
I just try to build a Site-to-Site VPN over IPSec between a ASA5505 and a ASA5510.
But it don`t want to work. Here are the config`s of the ASA 5505 and ASA5510:
ASA5505:
: Saved
: Written by enable_15 at 20:02:51.175 UTC Wed Apr 7 2010
!
ASA Version 7.2(2)
!
hostname asa5505
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.178.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Inside_ICMP extended permit icmp any any echo-reply
access-list Inside_ICMP extended permit icmp any any source-quench
access-list Inside_ICMP extended permit icmp any any unreachable
access-list Inside_ICMP extended permit icmp any any time-exceeded
access-list outside_cryptomap_10 remark ACL to encrypt traffic from Muenchen to Frankfurt
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption
access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat_outbound
static (inside,outside) interface 192.168.1.254 netmask 255.255.255.255
access-group Inside_ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.178.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FRA-AES256SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.178.230
crypto map outside_map 10 set transform-set FRA-AES256SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.178.230 type ipsec-l2l
tunnel-group 192.168.178.230 ipsec-attributes
pre-shared-key Cisco1234
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:469da4f90cebc4e460849caade472273
: end
ASA5510:
: Saved
: Written by enable_15 at 15:26:19.983 UTC Sun Sep 30 2012
!
ASA Version 7.2(3)
!
hostname asa5510
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.178.230 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Inside_ICMP extended permit icmp any any echo-reply
access-list Inside_ICMP extended permit icmp any any source-quench
access-list Inside_ICMP extended permit icmp any any unreachable
access-list Inside_ICMP extended permit icmp any any time-exceeded
access-list outside_cryptomap_10 remark ACL to encrypt traffic from Frankfurt to Muenchen
access-list outside_cryptomap_10 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption
access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat_outbound
static (inside,outside) interface 192.168.10.50 netmask 255.255.255.255
access-group Inside_ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.178.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MUC-AES256SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.178.254
crypto map outside_map 10 set transform-set MUC-AES256SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username blub password blub store-local
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 192.168.178.254 type ipsec-l2l
tunnel-group 192.168.178.254 ipsec-attributes
pre-shared-key Cisco1234
prompt hostname context
Cryptochecksum:0b1021940edf26ed0e32a84b18a4a888
: end
I hope that somebody can tell me what I am doing wrong.
10-01-2012 05:42 AM
Hi,
ok can you do :
packet-tracer input inside icmp 192.168.1.1 0 8 192.168.10.1 detailed
Regards.
Alain
Don't forget to rate helpful posts.
10-01-2012 05:50 AM
Hi Alain,
result of packet-tracer on ASA5505:
asa5505# packet-tracer input inside icmp 192.168.1.1 0 8 192.168.10.1 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3522a20, priority=1, domain=permit, deny=false
hits=1103, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35396f8, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.1.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
asa5505#
Regards,
Hans-Juergen Guenter
10-01-2012 06:32 AM
Hi,
1)what are those entries for on both firewalls:
static (inside,outside) interface 192.168.1.254 netmask 255.255.255.255
2) why are there no nat (inside) 1 and nat(global) 1 entries? no one on the LANs is using these firewalls for internet access?
Regards.
Alain
Don't forget to rate helpful posts.
10-01-2012 06:46 AM
Hi,
I changed the static (insid,outside) to global (outside) 1 and nat (inside) 1 entrys
Regards,
Hans-Juergen Guenter
10-01-2012 07:14 AM
Hi,
clear xlate before initiating new traffic.
is your VPN still failing ? what does the packet tracer output says this time ?
Regards.
Alain
Don't forget to rate helpful posts.
10-01-2012 09:30 AM
Hi Alain,
yes my VPN is still failing. Now I try to configure each ASA only for send and
recieve ICMP to the Internet. After that I try to make a Site-to-Site VPN over
the Wizzard of ASDM.
Regards,
Hans-Juergen Guenter
10-01-2012 02:14 PM
It still doesn`t go. I don`t know why.
I think do something wrong but I don`t found the error.
10-02-2012 06:06 AM
Hi to alle they help me to solve the Problem.
Now it works, the VPN site-to-site IPSec Tunnel works. Only one Problem
still happend, because I can not ping a client into the remote Network.
The entry that solve the Problem was:
access-list no_NAT extended permit ip Network Network
nat (inside) 0 access-list no_NAT
I have done that on both ASA.
For that problem that still will be there, I will open a new discussion.
best regards
Hans-Juergen Guenter
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide