ASA 5510 second Site to Site VPN

MARK CASEY
Level 1

Hi

I have an ASA with a working Site to Site VPN. I am trying to add a second one to a different site, but it's not even triggering when I ping the remote subnet.

I can connect and use the VPN to MarkHome, but the connection to TuttBryant doesn't even come up.

With debug isakmp and ipsec enabled I get activity when I connect to the first, but nothing when I try and ping the second

packet-tracer input inside icmp 10.242.2.200 3 3 10.10.10.1

and

packet-tracer input inside icmp 10.242.2.200 3 3 192.168.21.240

show the same, so I think the NAT statements are correct.

Below is an extract from my config

At this point I am lost

Anyone got any suggestions?

Mark

: Saved
:
ASA Version 8.4(2)
!
name 165.228.113.155 MarkHomePublic
name 210.10.104.22 TuttBryantPublic
object network MarkHome
 subnet 10.10.10.0 255.255.255.0
object network MarkHomePublic
 host 165.228.113.155
 description Mark Caseys Home Public IP
object network TuttBryant
 subnet 192.168.0.0 255.255.0.0
 description Tutt Bryant network connections
object network TuttBryantPublic
 host 210.10.104.22
 description Tutt Bryant Public Interface
access-list outside_cryptomap extended permit ip object Pegasus-LAN object MarkHome
access-list outside_cryptomap_2 extended permit ip object Pegasus-LAN object TuttBryant
nat (inside,outside) source static Pegasus-LAN Pegasus-LAN destination static MarkHome MarkHome
nat (inside,outside) source static Pegasus-LAN Pegasus-LAN destination static TuttBryant TuttBryant
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto dynamic-map outside_dyn_map 65535 set pfs
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto dynamic-map outside_dyn_map 65535 set ikev2 ipsec-proposal ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer MarkHomePublic
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer TuttBryantPublic
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
no crypto isakmp nat-traversal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 cookie-challenge never
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy TuttBryantGP internal
group-policy TuttBryantGP attributes
 vpn-tunnel-protocol ikev1
group-policy MarkHomeGP internal
group-policy MarkHomeGP attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1
tunnel-group 165.228.113.155 type ipsec-l2l
tunnel-group 165.228.113.155 general-attributes
 default-group-policy MarkHomeGP
tunnel-group 165.228.113.155 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
tunnel-group 210.10.104.22 type ipsec-l2l
tunnel-group 210.10.104.22 general-attributes
 default-group-policy TuttBryantGP
tunnel-group 210.10.104.22 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group-map DefaultCertificateMap 10 pegasussales

6 Replies

Hello

What is debug isakmp 127 giving you while you generate the traffic? It mostly looks like a negotiation issue from the other end.

regards

Harish.

MARK CASEY
Level 1

That's the problem.

Showing nothing at all

Mark

Hi Mark,

You need to start troubleshooting from IKE Phase 1, then Phase 2. If you confirm that there is no issue there, then you can use the below command to check what is happening:

packet-tracer input LAN protocol source-address protocol-type destination-address protocol type.

Or the best way is to use the ASDM.

Tools>Packet Tracer.

Regards,

Bikas Pandey.

Thanks for that

But as best I can determine, Phase 1 doesn't start, even though the packets are being received on the internal interface.

So I can't debug it.

Clearly I have something wrong in the base configuration, but the two are so similar that I can't see what I have got wrong.

Mark

hi Mark,

As I understand from your config, you have not configured a route toward MarkHomePublic and TuttBryantPublic.

I hope it may work ...

Thanks

That did it

I did a packet capture from the source to the target using the relevant access lists and found that it only showed traffic for the working LAN.

I had to add a route to an intermediate router to get it to work.

Thanks all

Mark
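As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python lint reads an ASA running-config excerpt and checks, for each static crypto map entry, the prerequisites that have to hold before Phase 1 can even be debugged: the crypto ACL exists, the peer resolves and has an ipsec-l2l tunnel-group, and, the point that closed this thread, both the peer and the protected remote subnet are routed out the interface the crypto map is bound to. If the interesting traffic's best route points anywhere else, the packet never reaches the crypto map and no ISAKMP debug output appears, which is exactly the "nothing at all" symptom above. The sample config reuses the objects, ACLs, crypto map and tunnel-groups from Mark's post; the Pegasus-LAN subnet (10.242.2.0/24, assumed from the packet-tracer source address) and the two route lines are constructed assumptions, with a deliberate misroute of 10.10.10.0/24 toward inside so the check has something to catch.

```python
import ipaddress
from collections import defaultdict

# Constructed sample. Object, ACL, crypto map and tunnel-group lines are taken from
# the thread; the Pegasus-LAN subnet and the two route lines are assumptions added here.
ASA_CONFIG = """name 165.228.113.155 MarkHomePublic
name 210.10.104.22 TuttBryantPublic
object network MarkHome
 subnet 10.10.10.0 255.255.255.0
object network TuttBryant
 subnet 192.168.0.0 255.255.0.0
object network Pegasus-LAN
 subnet 10.242.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Pegasus-LAN object MarkHome
access-list outside_cryptomap_2 extended permit ip object Pegasus-LAN object TuttBryant
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer MarkHomePublic
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer TuttBryantPublic
crypto map outside_map interface outside
tunnel-group 165.228.113.155 type ipsec-l2l
tunnel-group 210.10.104.22 type ipsec-l2l
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.10.0 255.255.255.0 10.242.2.1 1
"""

def parse_asa(text):
    """Pull out only the pieces the lint needs from a running-config excerpt."""
    cfg = {"names": {}, "objects": {}, "acls": defaultdict(list), "maps": defaultdict(dict),
           "map_iface": {}, "tunnel_groups": set(), "routes": []}
    obj = None
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0] == "!":
            continue
        if t[0] == "name":                        # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] in ("subnet", "host") and obj:  # sub-mode line of the current object
            cfg["objects"][obj] = ipaddress.ip_network(t[1] if t[0] == "host" else f"{t[1]}/{t[2]}")
        elif t[0] == "access-list":               # only the 'permit ip object SRC object DST' form
            objs = [t[i + 1] for i, w in enumerate(t) if w == "object"]
            if len(objs) == 2:
                cfg["acls"][t[1]].append(tuple(objs))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry, rest = cfg["maps"][(t[2], int(t[3]))], t[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
        elif t[0] == "tunnel-group" and t[2:3] == ["type"]:
            cfg["tunnel_groups"].add(t[1])
        elif t[0] == "route":                     # route <iface> <net> <mask> <gw> [metric]
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}")))
    return cfg

def best_route(routes, addr):
    # Longest-prefix match for one address; None when no route covers it.
    hits = [r for r in routes if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None

def lint_crypto_maps(cfg):
    """Return {'<map> <seq>': [issues]}; an empty list means the entry can trigger."""
    findings = {}
    for (name, seq), e in sorted(cfg["maps"].items()):
        if "acl" not in e and "peer" not in e:    # dynamic entry, nothing static to check
            continue
        issues, iface = [], cfg["map_iface"].get(name)
        acl = e.get("acl")
        if acl not in cfg["acls"]:
            issues.append(f"match address {acl}: ACL missing or not in object-to-object form")
        peer = cfg["names"].get(e.get("peer"), e.get("peer"))   # aliases come from 'name' lines
        if peer is None:
            issues.append("no peer set")
        else:
            if peer not in cfg["tunnel_groups"]:
                issues.append(f"no tunnel-group for peer {peer}")
            r = best_route(cfg["routes"], ipaddress.ip_address(peer))
            if r is None:
                issues.append(f"no route to peer {peer}")
            elif r[0] != iface:
                issues.append(f"peer {peer} routes via {r[0]}, crypto map is on {iface}")
        # Interesting traffic must itself leave via the crypto-map interface, or Phase 1 never starts.
        for _src, dst in cfg["acls"].get(acl, []):
            dnet = cfg["objects"].get(dst)
            if dnet is None:
                issues.append(f"ACL {acl} references undefined object {dst}")
                continue
            r = best_route(cfg["routes"], dnet.network_address)
            if r is None:
                issues.append(f"no route to remote subnet {dnet}")
            elif r[0] != iface:
                issues.append(f"remote subnet {dnet} routes via {r[0]}, never reaches crypto map on {iface}")
        findings[f"{name} {seq}"] = issues
    return findings

if __name__ == "__main__":
    print(lint_crypto_maps(parse_asa(ASA_CONFIG)))
```

On the sample, entry 2 comes back clean and entry 1 is flagged because 10.10.10.0/24 is routed toward inside; strip the two route lines and both entries are flagged for having no route to the peer or to the remote subnet. The lint only sees the ASA's own table (the on-box equivalents are `show route` and `show crypto map`); it cannot see the missing route on an intermediate router that was the actual fix here, which is why the packet capture on the inside interface, matched against the crypto ACL, was the right next step.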