ASA site to site VPN issues

aromaya01 · ‎06-25-2012

Hi There,

I am having an issue setting up a site to site VPN with a provider. I have set up a capture to sniff any packets on the outside interface but there is no activity.

i can get to the internet IE www.google.co.uk etc.

Could someone have a look at the config that I have posted and see if I have missed anything?

Many thanks

Alex

DR-Firewall# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname DR-Firewall

domain-name eratech.local

enable password w45xGJ7rDEHPmnpy encrypted

passwd w45xGJ7rDEHPmnpy encrypted

names

name 172.19.0.0 site-A-fake-network description Fake NAT network to avoid ip overlapping

name 10.0.0.0 RITM

name 172.18.0.0 Site-A-SN

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

no nameif

security-level 100

no ip address

!

interface Vlan2

nameif outside

security-level 0

ip address 81.142.157.253 255.255.255.248

!

interface Vlan10

nameif inside

security-level 100

ip address 172.18.0.253 255.255.255.0

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup outside

dns server-group DefaultDNS

domain-name eratech.local

object-group network obj_any

object-group network Site-A-SN

network-object Site-A-SN 255.255.248.0

object-group network Site-B-SN

network-object RITM 255.255.0.0

object-group network Site-Fake-SN

network-object site-A-fake-network 255.255.248.0

access-list outside_1_cryptomap extended permit ip site-A-fake-network 255.255.248.0 Site-A-SN 255.255.248.0 log

access-list outside_1_cryptomap extended permit ip site-A-fake-network 255.255.248.0 object-group Site-B-SN log

access-list outside_1_cryptomap extended permit ip object-group Site-A-SN object-group Site-B-SN log

access-list access_in_out standard permit any

access-list access_out_in extended permit tcp any interface outside eq www

access-list access_out_in extended permit ip any any

access-list access_out_in extended permit tcp any interface inside eq telnet log

access-list fake_nat_outbound extended permit ip Site-A-SN 255.255.248.0 site-A-fake-network 255.255.248.0

access-list Out_In extended permit tcp any host 194.74.97.131 eq www

access-list Out_In extended permit tcp any host 194.74.97.132 eq www

access-list capture extended permit ip any any log

access-list capture extended permit ip host 87.84.164.147 any log

access-list capture extended permit ip any host 87.84.164.147 log

access-list web extended permit tcp any any eq www

access-list inside_to_outside extended permit ip any any

access-list outside_to_inside extended permit ip any any

access-list inside_nat0_outbound extended permit ip Site-A-SN 255.255.248.0 object-group Site-B-SN log

pager lines 24

logging enable

logging timestamp

logging standby

logging monitor informational

logging buffered debugging

logging trap debugging

logging asdm informational

logging queue 1000

mtu outside 1500

mtu inside 1500

ip local pool DHCP_Pool 10.10.10.10-10.10.10.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-647.bin

asdm history enable

arp timeout 14400

static (inside,outside) 81.142.157.250 172.18.1.27 netmask 255.255.255.255

access-group access_out_in in interface outside

access-group inside_to_outside in interface inside

route outside 0.0.0.0 0.0.0.0 81.142.157.249 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

ldap attribute-map ASAMAP

map-name memberOf IETF-Radius-Class

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 0.0.0.0 255.255.255.255 inside

http 172.18.1.0 255.255.255.0 inside

snmp-server host inside 172.18.1.33 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address outside_1_cryptomap

crypto map outside_map 10 set peer 87.84.164.147

crypto map outside_map 10 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

telnet Site-A-SN 255.255.255.0 inside

telnet timeout 5

ssh 172.18.1.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 172.18.1.11 source inside

tftp-server inside 172.18.1.10 asa825-k8.bin

webvpn

group-policy ERA_IPSec internal

username admin password YrdZmOn0BDcF8D5B encrypted privilege 15

username amdin password ohaZxWZwn/ERM31k encrypted privilege 15

tunnel-group 87.84.164.147 type ipsec-l2l

tunnel-group 87.84.164.147 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:373cf5a24c75b4bf32d391ca18611286

: end

I also need to do a local translation between two subnets 172.19.x.x and 172.18.x.x

should this be achieved using static NAT or Dynamic.

Any help appreciated.

Thanks

Jennifer Halim · ‎06-25-2012

Are you trying to do NAT translation?

What do you want to translate to and from?

What are the remote LAN?

aromaya01 · ‎06-26-2012

Hi Jennifer,

Yes I am trying to do NAT translation.

I am trying to translate from 172.18.0.0/21 (Real subnet) to 172.19.0.0/21 (fake subnet)

The remote subnet is 10.0.0.0 255.255.0.0

Many thanks

alex

Jennifer Halim · ‎06-26-2012

Here you go:

access-list nat-vpn permit ip 172.18.0.0 255.255.248.0 10.0.0.0 255.255.0.0

static (inside,outside) 172.19.0.0 access-list nat-vpn

Jennifer Halim · ‎06-26-2012

and the crypto ACl should say:

access-list outside_1_cryptomap permit ip 172.19.0.0 255.255.248.0 10.0.0.0 255.255.0.0

aromaya01 · ‎06-26-2012

Thanks Jennifer, I will give this a try and let you know the outcome..

:-)

aromaya01 · ‎06-26-2012

Hi Jennifer,

I added the config, but the SA to the peer still doesn't come up.

A debug crypto isakmp and debug crypto ipsec brings nothing up in the logs.

Any ideas ?

As I say I can get to the internet from the FW.

Thanks

Alex

Jennifer Halim · ‎06-26-2012

Have the remote end been configured to accept the VPN tunnel?

Can you please share the output of the following after trying to initiate traffic towards the remote end:

show cry isa sa

show cry ipsec sa