07-17-2013 07:03 AM
Currently, I have several VPN tunnels connected to the ASA 7.0 firewall. I just received a new firewall that is running ASA 8.6 and after using the connection wizards for site-to-site VPN on both firewalls, the connection was never made. I have tried looking at each individual aspect of each configuration to make sure everything is in sync, but to no avail.
Are these two versions of ASA even compatible? I've seen a lot of posts saying how things have changed after a certain version of ASA but I haven't been able to pinpoint my problem. Any knowledge/advice would be greatly appreciated.
07-17-2013 07:34 AM
As long as you don't use any of the features like IKEv2 that were not supported on the older ASA code, an IPSec LAN-LAN tunnel is definitely compatible. Basic IPSec hasn't changed and is interoperable not only across ASA revisions but across third parties. That's the benefit of a standard after all.
If it's possible to supply us the respective configurations (at least the bits for the tunnel), we could give much more focused advice.
07-17-2013 08:56 AM
Here are the two configurations. The first one is from our new firewall (ASA 8.6) and the second one is from our older firewall (ASA 7.0). I tried to remove any unnecessary text from the config. I hope I included everything. Thanks a lot for checking into it for me.
76.72.227.2
ASA Version 8.6(1)2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 76.72.227.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.22.1 255.255.255.0
!
-----
access-list outside_cryptomap extended permit ip 192.168.22.0 255.255.255.0 object OP
access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_192.168.22.0_24 object-group VPN_Remote
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.22.0_24 NETWORK_OBJ_192.168.22.0_24 destination static OP OP no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.22.0_24 NETWORK_OBJ_192.168.22.0_24 destination static Nefcom Nefcom no-proxy-arp route-lookup
nat (outside,outside) source static NETWORK_OBJ_192.168.22.0_24 NETWORK_OBJ_192.168.22.0_24 destination static VPN_Remote VPN_Remote no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 76.72.227.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 69.57.112.7 255.255.255.255 outside
http 69.57.112.171 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal 3des
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 4.59.12.146
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 69.57.112.7 255.255.255.255 outside
ssh 69.57.112.171 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 10
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
group-policy GroupPolicy_4.59.12.146 internal
group-policy GroupPolicy_4.59.12.146 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-filter value outside_cryptomap
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 4.59.12.146 type ipsec-l2l
tunnel-group 4.59.12.146 general-attributes
default-group-policy GroupPolicy_4.59.12.146
tunnel-group 4.59.12.146 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
Cryptochecksum:88a9dfb89148b5c977e3d86fe6253f6f
: end
------------------------------------------------------------------------------------
4.59.12.146
ASA Version 7.0(8)
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 4.59.12.146 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.4.1 255.255.252.0
!
---
access-list inside_nat0_outbound extended permit ip object-group local_VPN 192.168.22.0 255.255.255.0
access-list outside_cryptomap_200 extended permit ip 192.168.4.0 255.255.252.0 192.168.22.0 255.255.255.0
access-list outside_cryptomap_200 extended permit ip object-group local_VPN 192.168.22.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool TTCAVPN 192.168.200.200-192.168.200.225 mask 255.255.255.0
no failover
icmp permit any outside
icmp permit 192.168.8.0 255.255.252.0 inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 76.72.237.12 192.168.4.24 netmask 255.255.255.255
static (inside,outside) 76.72.237.13 192.168.4.19 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 192.168.106.0 255.255.255.0 192.168.4.1 1
route outside 0.0.0.0 0.0.0.0 4.59.12.145 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 69.57.112.7 255.255.255.255 outside
http 192.168.8.0 255.255.252.0 outside
http 192.168.4.0 255.255.252.0 inside
http 69.57.112.7 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host outside 69.57.112.63 community estoid version 2c
snmp-server location Orange Park, FL
snmp-server contact Klate Hancock
snmp-server community estoid
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_40
crypto map outside_map 200 set peer 76.72.227.2
crypto map outside_map 200 set transform-set ESP-DES-SHA
crypto map outside_map 200 set security-association lifetime seconds 28800
crypto map outside_map 200 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group 76.72.227.2 type ipsec-l2l
tunnel-group 76.72.227.2 general-attributes
default-group-policy OP
tunnel-group 76.72.227.2 ipsec-attributes
pre-shared-key *
tunnel-group 76.72.227.2TS type ipsec-l2l
tunnel-group 76.72.227.2TS ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:08bbdfea66c477281348b4a193fb5f47
: end
07-17-2013 09:07 AM
Can you get a log?
Phase 1 config looks fine.
Can you remove the unnecessary phase 2 proposals in your 8.6 ASA and only leave esp-sha?
Sent from Cisco Technical Support iPad App
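One way to confirm what the reply above says, namely that phase 1 overlaps and which phase 2 transform sets the two crypto map entries actually share, is to parse both dumps and intersect the proposals. This is an added example, not code from the thread or from Cisco; the excerpts are constructed from the two posted configs, the function names are my own, and the check covers IKEv1 proposals only, not the crypto ACLs or NAT exemption.

```python
import re
from collections import defaultdict
# Constructed excerpts of the two configs posted in this thread: the ASA 8.6 side, then the 7.0 side.
ASA86 = """crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 set peer 4.59.12.146
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA ESP-DES-SHA
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
ASA70 = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 200 set peer 76.72.227.2
crypto map outside_map 200 set transform-set ESP-DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
"""

def phase1(cfg):
    """IKEv1 phase 1 policies as {id: (auth, enc, hash, group)}; reads both config syntaxes."""
    pols, cur = defaultdict(dict), None
    for line in cfg.splitlines():
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):          # 8.x block header
            cur = m.group(1)
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):  # 7.0 flat form
            pols[m.group(1)][m.group(2)] = m.group(3)
        elif cur and (m := re.match(r" +(\S+) (\S+)$", line)):          # 8.x indented attribute
            pols[cur][m.group(1)] = m.group(2)
    return {k: tuple(v.get(a) for a in ("authentication", "encryption", "hash", "group")) for k, v in pols.items()}

def phase2(cfg, peer):
    """ESP (encryption, auth) pairs the crypto map entry for `peer` can offer (IKEv1 only)."""
    ts = dict(re.findall(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (\S+ \S+)", cfg))
    entry = re.search(r"crypto map (\S+) (\d+) set peer " + re.escape(peer) + "$", cfg, re.M)
    names = re.search(rf"crypto map {entry[1]} {entry[2]} set (?:ikev1 )?transform-set (.+)$", cfg, re.M)
    return {tuple(ts[n].split()) for n in names[1].split()}

def overlap(a, peer_of_a, b, peer_of_b):
    """(shared phase 1 policies, shared phase 2 transform sets); an empty set means that phase cannot complete."""
    return set(phase1(a).values()) & set(phase1(b).values()), phase2(a, peer_of_a) & phase2(b, peer_of_b)
```

Run `overlap(ASA86, "4.59.12.146", ASA70, "76.72.227.2")` on the full dumps to see exactly which proposals survive on each side; the 7.0 policy 30 (des/md5) has no counterpart on the 8.6 side and is correctly left out.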
07-18-2013 05:53 AM
I removed all the proposals that did not apply and I'm still having the same issue. I can ping both firewalls from one another so I know they see each other, but the tunnel just will not come up.
After looking at the updates after ASA 8.3 was released, it seems that the NAT configuration has changed.
In my 7.0 ASA I see this NAT config:
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
When I try to mirror that on the new 8.6 ASA, the commands don't seem to do what I need, or maybe I'm going in the wrong direction.
Thanks again for the help.