Re: ASA VPN

Grant73 · ‎06-18-2024

I have an ASA 5505 (9.2) and a 5510 (8.0) that I a trying to connect via a VPN tunnel. The problem is that while I've done this before and was a CCNA, I suffered a traumatic brain injury that caused me to forget specifics. I can't see what I'm doing wrong. Can someone help or paste where I need to go?

Thanks!

Grant

ccieexpert · ‎06-18-2024

this is one way to do it using IKEv2: https://www.cisco.com/c/en/us/support/docs/security-vpn/internet-security-association-key-management-protocol-isakmp/221560-configure-a-site-to-site-ikev2-tunnel-be.html

you can also VTI and dynamic routing as 2nd option.

MHM Cisco World · ‎06-18-2024

Share your config let me take look

MHM

Grant73 · ‎06-18-2024

ASA Version 9.2(4)
!
hostname asa5505
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
ftp mode passive
object network LocalVPN
object-group network LOCAL
network-object 10.2.2.0 255.255.255.0
object-group network XLATED-LOCAL
network-object 10.4.0.0 255.255.255.0
object-group network XLATED-REMOTE
network-object 10.3.0.0 255.255.255.0
object-group network asa1
network-object 10.1.1.0 255.255.255.0
object-group network asa2
network-object 10.2.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LOCAL XLATED-LOCAL destination static XLATED-REMOTE XLATED-REMOTE
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 2.2.2.0 255.255.255.0 1.1.1.1 1
route outside 2.2.2.3 255.255.255.255 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set 3DES-HMAC esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set 3deshac esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging 30
crypto map outside_map 10 set peer 1.1.2.2
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.2.2 type ipsec-l2l
tunnel-group 1.1.2.2 ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:41fc8eadafc3747ceab75471b4cd9a40
: end
asa5505(config)#

___________________________________________________________________________________

ASA Version 8.0(3)
!
hostname asa5510
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.2.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.2.2.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network LOCAL
network-object 10.2.2.0 255.255.255.0
object-group network XLATED-LOCAL
network-object 10.3.0.0 255.255.255.0
object-group network XLATED-REMOTE
network-object 10.4.0.0 255.255.255.0
object-group network REMOTE
object-group network asa1
network-object 10.1.1.0 255.255.255.0
object-group network asa2
network-object 10.2.2.0 255.255.255.0
access-list VPN extended permit ip object-group XLATED-LOCAL object-group XLATED-REMOTE
access-list asaencdom1 extended permit ip 192.168.1.0 255.255.255.0 1.1.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 1.1.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set asavpn esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map MYMAP 10 match address asaencdom1
crypto map MYMAP 10 set peer 1.1.1.2
crypto map MYMAP 10 set security-association lifetime seconds 3600
crypto map MYMAP 10 set phase1-mode aggressive
crypto map MYMAP interface outside
crypto map crypto_map 10 set transform-set asavpn
crypto map crypto_map 10 set security-association lifetime seconds 3600
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
pre-shared-key *
tunnel-group 10.1.1.2 type ipsec-l2l
tunnel-group 10.1.1.2 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:1754144b8eaec3cb5653cacd1d6a0d23

MHM Cisco World · ‎06-19-2024

sure it not work
the crypto map config without ACL
you need to specify the ACL for traffic that protect by IPSec S2S
then add this ACL to crypto map via

crypto map NAME Seq match address <ACL number or NAME>

MHM

ccieexpert · ‎06-18-2024

first thing i see that you are using ikev1 ikev1 is obsolete for the most part, its weak and is superseded by ikev2.. please use the sample i gave earlier.

the major observations:

1) one side is set to aggressive crypto map MYMAP 10 set phase1-mode aggressive and other side is not

2) the ipsec phase 2 lifetimes dont match up.. not a big deal the lowest value should be accepted generally

3) the networks defined dont seem to connected or routed from the inside ? is this a real config or something you are doing in a lab ?

you can try to fix that or go to the ikev2..

also this is a good guide for that:

https://www.packetswitch.co.uk/cisco-asa-vpn-troubleshooting/

Grant73 · ‎06-19-2024

Thank you for these replies. This is a test network, so it isn't viewable from the outside network. I'll try these suggestions and see what happens.

Thanks!

Grant73 · ‎06-20-2024

I've run into issues with NAT. I remember all zeroes and an interface name. 9.2 is different. What do I enter if I want all users to be covered by a NAT statement?

Thanks!

MHM Cisco World · ‎06-20-2024

VPN traffic must not NAT so you need

Nat(Inside'Outside) static source object-group XLATED-LOCAL object-group XLATED-LOCAL static dest object-group XLATED-REMOTE object-group XLATED-REMOTE

That it.

MHM

Grant73 · ‎06-20-2024

Thank you for the quick reply! I have forgotten what XLATED-LOCAL and XLATED-REMOTE specifically reference. Is it local internal IP's of my firewalls? Sorry.

Thanks!

MHM Cisco World · ‎06-20-2024

Yes local to each FW

For example

10.0.0.0-ASA1-ipsec-ASA2-20.0.0.0

The local of asa1 is 10.0.0.0 and remote of asa1 is 20.0.0.0

The local of asa2 is 20.0.0.0 and remote is 10.0.0.0

Add this NAT and check VPN

MHM

Grant73 · ‎06-20-2024

MHM,

Thanks!

Grant73 · ‎06-27-2024

nat on the 8.0 FW only allows for (inside) or (outside) but not both. Is this normal?

Thanks!