Cisco ASA- Site-to-Site VPN

jamesupcott1
Level 1

Hi

I have two Cisco ASA 5506-Xs between which I am trying to establish a site-to-site VPN. I am currently setting them up in a lab and have connected them together on their outside interfaces using a /30. I have confirmed this works and I have IP connectivity between the two ASAs.

One ASA then connects to a 2960X L3 switch. For this I have configured the inside interface of the ASA with another /30, and configured an SVI on the switch where I have connectivity between the ASA and the switch with the other /30 address. On the switch itself I have then set up two SVIs, ultimately being the networks which I want to pass over the VPN.

On the other ASA I have a simpler setup with a single host plugged directly into the inside interface (so no switch at that end).

I have then configured the site-to-site VPN on both ends, and I have checked over and over that I have got the configuration correct.

I have posted both ASA configs below, and would appreciate some help in understanding why the VPN isn't establishing.

Regards

James

***************************************************************************************************

ASA Version 9.6(1)
!
hostname TW1-OFFICE-ASA
domain-name ngd.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1/2
no nameif
security-level 100
ip address 192.168.2.1 255.255.255.248
!
interface GigabitEthernet1/2.10
vlan 10
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.248
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name ngd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network London-Phones
subnet 192.168.75.0 255.255.255.0
object network London-PC's
subnet 192.168.76.0 255.255.255.0
object network Remote_Network
subnet 172.16.100.0 255.255.255.0
object-group network All_Inside_Networks
network-object object London-PC's
network-object object London-Phones
network-object 192.168.1.0 255.255.255.248
access-list outside_cryptomap extended permit ip object-group All_Inside_Networks object Remote_Network
access-list outside_cryptomap_1 extended permit ip object-group All_Inside_Networks object Remote_Network
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list outside_access_in extended permit ip object obj_any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu Inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic All_Inside_Networks interface
nat (Inside,outside) source static All_Inside_Networks All_Inside_Networks destination static Remote_Network Remote_Network no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group Inside_access_in in interface Inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
route Inside 192.168.75.0 255.255.255.0 192.168.1.2 1
route Inside 192.168.76.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.248 Inside
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.0.0.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 10.0.0.2
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=TW1-OFFICE-ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_1
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=TW1-OFFICE-ASA
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 5a0f1559
308202da 308201c2 a0030201 0202045a 0f155930 0d06092a 864886f7 0d010105
0500302f 31173015 06035504 03130e54 57312d4f 46464943 452d4153 41311430
12060355 0403130b 3139322e 3136382e 312e3130 1e170d31 37303531 32303331
3130385a 170d3237 30353130 30333131 30385a30 2f311730 15060355 0403130e
5457312d 4f464649 43452d41 53413114 30120603 55040313 0b313932 2e313638
2e312e31 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 009910d2 51906f28 fe2109c8 9b8f041e 601faf17 2ce91693 6f236be6
3849777a 3a3a1397 25721125 97521fcd d3a90d27 1f1c046f 3f0e682f 06212782
84c74a62 36612899 d56bc771 88ea88a0 6cd1687f 7bb3cd7d a165e946 fd6716fb
0d66b2c5 7d1b57bf 86914f1c 9c131013 e5ef6b8b 7730f214 f408c911 b3ab44b3
561771ad a920f1ea 28a6088f 57b460ed 44795173 aaf871e4 7e58c094 79cb0d90
3d814ecc f08d346a e2200be9 d44f937f 49a0da4a 320383cc 3d3e7888 fa49499c
124677d7 6db9af8d 9032cb2e 96a8ee52 b0ba31fd ec0a8db2 1a8efed9 b3c69b65
b2fcc048 ac159c9e 34fbc55b cabb0132 6c8d1274 e9d2359f 5bd8f298 369a416c
4d072d35 51020301 0001300d 06092a86 4886f70d 01010505 00038201 01003fd2
6a49d33b 0862fc06 87d0f6d9 b87d801f 54b5f92f f160f7c1 e3e49cf3 641219fa
8c213490 c4006f5d 85fbc7d6 f38e166d c2750041 179f790c 78c8b6d5 c73bedc2
a7b73af0 3a187324 0aca95fe 29007ab7 1cd45fc6 9b5ff3c0 24e8f32d 39e3d936
b4f879bc bf3b1a76 e08c4229 9c153af4 a68bb1ca 7ee4ef99 b02738e6 7e4048de
c6708f37 6ed308d8 d5be6382 53baf8da c3a064af dcecee09 6fe84991 b9b597b6
bc475a8b dff80ceb fe1d2416 346e910a e9926112 01d106fc aaa2a2f4 64199ec1
1594a35b e38b24d8 7b5e148c a55c490d 834461c3 0ec145c3 16cb28ac 810588ac
8a1ac73a 2217daf4 fa5f5001 cc8555ba 70e4af13 07a90fca 92518df2 e9e6
quit
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_1
certificate 5b0f1559
308202da 308201c2 a0030201 0202045b 0f155930 0d06092a 864886f7 0d010105
0500302f 31173015 06035504 03130e54 57312d4f 46464943 452d4153 41311430
12060355 0403130b 3139322e 3136382e 312e3130 1e170d31 37303531 32303333
3830315a 170d3237 30353130 30333338 30315a30 2f311730 15060355 0403130e
5457312d 4f464649 43452d41 53413114 30120603 55040313 0b313932 2e313638
2e312e31 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
02820101 009910d2 51906f28 fe2109c8 9b8f041e 601faf17 2ce91693 6f236be6
3849777a 3a3a1397 25721125 97521fcd d3a90d27 1f1c046f 3f0e682f 06212782
84c74a62 36612899 d56bc771 88ea88a0 6cd1687f 7bb3cd7d a165e946 fd6716fb
0d66b2c5 7d1b57bf 86914f1c 9c131013 e5ef6b8b 7730f214 f408c911 b3ab44b3
561771ad a920f1ea 28a6088f 57b460ed 44795173 aaf871e4 7e58c094 79cb0d90
3d814ecc f08d346a e2200be9 d44f937f 49a0da4a 320383cc 3d3e7888 fa49499c
124677d7 6db9af8d 9032cb2e 96a8ee52 b0ba31fd ec0a8db2 1a8efed9 b3c69b65
b2fcc048 ac159c9e 34fbc55b cabb0132 6c8d1274 e9d2359f 5bd8f298 369a416c
4d072d35 51020301 0001300d 06092a86 4886f70d 01010505 00038201 010068e4
7d9931d5 15ac6773 ecbf2f56 961f9112 3e52df6e f42e33ca 68cb3b3f 8fe1c8bf
cfa12894 c868435e 1c8be4e0 22fde8e7 d7a69210 7adc421b e81daaa3 89627fd4
d8a55f2e beb19cb4 a3f2a6fa 0ad9886f d77a4d76 bbef93e0 92e8981d c2619a3f
d83a440e ea831493 f81cbaad 93a69fce 98aa593d cf01b9e4 cb97b369 f407071a
88cf7317 c8aa3087 167f8cb3 b65113e3 b698ea1c 4871657c 05c150e8 e6199759
22d1181e 22a8f026 2166c0d4 dbce4287 2fdbe4bc 84af55a9 fa839c39 9ce12ef9
c9eecbff e7e5783d 7723be8e f5e22b50 d1b11834 76e85bd6 6b04326a a366e543
0b984890 961c8ea2 ce3de627 454fd695 f9d2e925 a6ad0ade 78f09436 213b
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.0.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_1 Inside vpnlb-ip
group-policy GroupPolicy_10.0.0.2 internal
group-policy GroupPolicy_10.0.0.2 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 general-attributes
default-group-policy GroupPolicy_10.0.0.2
tunnel-group 10.0.0.2 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a2cc36c7c360abeea8f74e44f28617eb
: end

***************************************************************************************************************

ASA Version 9.6(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 172.16.100.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Remote-Network75
subnet 192.168.75.0 255.255.255.0
object network Remote-Network76
subnet 192.168.76.0 255.255.255.0
object network NETWORK_OBJ_172.16.100.0_24
subnet 172.16.100.0 255.255.255.0
object-group network REMOTE
network-object object Remote-Network75
network-object object Remote-Network76
access-list outside_cryptomap extended permit ip 172.16.100.0 255.255.255.0 object-group REMOTE
access-list outside_cryptomap_1 extended permit ip 172.16.100.0 255.255.255.0 object-group REMOTE
access-list global_access extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.16.100.0_24 NETWORK_OBJ_172.16.100.0_24 destination static REMOTE REMOTE no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 192.168.75.0 255.255.255.0 10.0.0.1 1
route outside 192.168.76.0 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 10.0.0.1
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 172.16.100.2-172.16.100.254 inside
!
group-policy GroupPolicy_10.0.0.1 internal
group-policy GroupPolicy_10.0.0.1 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 general-attributes
default-group-policy GroupPolicy_10.0.0.1
tunnel-group 10.0.0.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:106dffa0c42259afed1b64d13d83272d
: end

6 Replies

Marvin Rhoads
Hall of Fame

I suspect the traffic in your first ASA is hitting the NAT rules in a way you don't want.

You have:

nat (any,outside) source dynamic All_Inside_Networks interface
nat (Inside,outside) source static All_Inside_Networks All_Inside_Networks destination static Remote_Network Remote_Network no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface

Try removing the first rule there. The last one already covers that traffic.
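Why the order of those rules matters, as an added example that is not from the reply above and not a Cisco tool: a deliberately small model of how the ASA walks its NAT table (section 1 manual NAT in configuration order, then section 2 object NAT, first match wins) applied to the three rules quoted above, with the object contents taken from the posted config. The packet addresses are constructed, and the model ignores interface pairs and section 3 rules, which the real box also evaluates. The point it demonstrates is that the crypto-map ACL is matched against the packet after NAT, so if the dynamic PAT rule is hit first the source becomes the outside address and the flow is no longer interesting traffic for the tunnel.

```python
# Added example, not the thread's own code: a first-match model of the ASA NAT table
# (section 1 manual NAT in configuration order, then section 2 object NAT) applied to
# the three rules quoted above. Object contents come from the posted config; the
# packet addresses are constructed. Interface pairs and section 3 rules are ignored.
import ipaddress

N = ipaddress.ip_network
ALL_INSIDE = [N("192.168.75.0/24"), N("192.168.76.0/24"), N("192.168.1.0/29")]  # All_Inside_Networks
REMOTE = [N("172.16.100.0/24")]                                                  # Remote_Network
ANY = [N("0.0.0.0/0")]
OUTSIDE_IP = "10.0.0.1"  # what "interface" PAT translates to on TW1-OFFICE-ASA

# Each rule: (label, real-source match, real-destination match, translated source or None = identity)
DYNAMIC_PAT = ("nat (any,outside) source dynamic All_Inside_Networks interface", ALL_INSIDE, ANY, OUTSIDE_IP)
IDENTITY = ("nat (Inside,outside) source static ... destination static Remote_Network ...", ALL_INSIDE, REMOTE, None)
OBJECT_PAT = ("object network obj_any / nat (any,outside) dynamic interface", ANY, ANY, OUTSIDE_IP)

POSTED = [DYNAMIC_PAT, IDENTITY, OBJECT_PAT]  # section 1 as posted, then section 2
FIXED = [IDENTITY, OBJECT_PAT]                # with the first rule removed, as suggested

def in_any(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

def translate(rules, src, dst):
    """Walk the table top-down; the first matching rule decides the post-NAT source."""
    for label, src_match, dst_match, new_src in rules:
        if in_any(src, src_match) and in_any(dst, dst_match):
            return label, (src if new_src is None else new_src)
    return "no NAT rule", src

def vpn_eligible(rules, src, dst):
    """The crypto-map ACL is matched after NAT, so it must still see the real inside source."""
    _, post_nat_src = translate(rules, src, dst)
    return in_any(post_nat_src, ALL_INSIDE) and in_any(dst, REMOTE)

if __name__ == "__main__":
    pc, remote_host, internet = "192.168.76.10", "172.16.100.10", "198.51.100.1"
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "VPN-bound:", translate(rules, pc, remote_host), "eligible:", vpn_eligible(rules, pc, remote_host))
        print(name, "Internet-bound:", translate(rules, pc, internet))
```

With the posted order, a packet from 192.168.76.10 to 172.16.100.10 is caught by the dynamic rule and leaves with source 10.0.0.1, which the crypto ACL does not match; with the first rule removed it hits the identity rule and stays eligible, while Internet-bound traffic from the same host still falls through to the obj_any object NAT and gets PATed as before.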

Thanks Marvin, I tried that however still no joy.

The networks I want to pass over the VPN are configured on the L3 switch connected to one of the ASAs. Should this be OK, or do the network addresses need to be configured on the ASA instead of the L3 switch for the VPN to work?

Is traffic from the source subnets routed (by the L3 switch config) to the ASA?

Do you see it arriving?

If so, do you see the VPN even attempt to establish?

Try a packet-tracer with source being one of the inside subnet addresses and destination being the remote network. Please share the results. 
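The two checks in that reply (is each protected network actually routed, and do the two sides agree on what the tunnel carries) can also be run offline against the posted configs. The script below is an added example, not part of the thread and not a Cisco tool. It parses constructed, trimmed excerpts of the two configs above (network objects and groups, the extended permit ip ACLs, static routes, interface addresses and the crypto map's match address line, which are the only keywords the parser understands), expands the nested object-groups, and reports crypto-ACL entries the other peer does not mirror and protected networks that neither a static nor a connected route covers. Counting a connected interface network as a route and letting a default route cover everything are assumptions about what "routed" should mean here.

```python
# Added example, not the thread's own code: mirror-ACL and route check across two ASA peers.
import ipaddress
from collections import defaultdict
# Constructed excerpts of the two posted configs (only the lines this check reads).
TW1_CONFIG = """\
interface GigabitEthernet1/2.10
ip address 192.168.1.1 255.255.255.248
object network London-Phones
subnet 192.168.75.0 255.255.255.0
object network London-PC's
subnet 192.168.76.0 255.255.255.0
object network Remote_Network
subnet 172.16.100.0 255.255.255.0
object-group network All_Inside_Networks
network-object object London-PC's
network-object object London-Phones
network-object 192.168.1.0 255.255.255.248
access-list outside_cryptomap extended permit ip object-group All_Inside_Networks object Remote_Network
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
route Inside 192.168.75.0 255.255.255.0 192.168.1.2 1
route Inside 192.168.76.0 255.255.255.0 192.168.1.2 1
crypto map outside_map 1 match address outside_cryptomap
"""
CISCOASA_CONFIG = """\
interface GigabitEthernet1/2
ip address 172.16.100.1 255.255.255.0
object network Remote-Network75
subnet 192.168.75.0 255.255.255.0
object network Remote-Network76
subnet 192.168.76.0 255.255.255.0
object-group network REMOTE
network-object object Remote-Network75
network-object object Remote-Network76
access-list outside_cryptomap extended permit ip 172.16.100.0 255.255.255.0 object-group REMOTE
route outside 192.168.75.0 255.255.255.0 10.0.0.1 1
route outside 192.168.76.0 255.255.255.0 10.0.0.1 1
crypto map outside_map 1 match address outside_cryptomap
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def endpoint(tok):
    """Consume one address term (object X | object-group X | A M); return (spec, rest)."""
    if tok[0] in ("object", "object-group"):
        return (tok[0], tok[1]), tok[2:]
    return ("net", net(tok[0], tok[1])), tok[2:]

def parse_asa(text):
    """Collect network objects/groups, extended ACLs, routes and crypto-map ACL names."""
    cfg = {"object": {}, "object-group": {}, "acl": defaultdict(list), "routes": [], "crypto_acls": set()}
    cur = ("", "")  # (kind, name) of the config block the current line belongs to
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] in ("object", "object-group") and t[1] == "network":
            cur = (t[0], t[2]); cfg[t[0]][t[2]] = set()
        elif t[0] == "interface":
            cur = ("interface", t[1])
        elif t[0] == "subnet" and cur[0] == "object":
            cfg["object"][cur[1]].add(net(t[1], t[2]))
        elif t[0] == "network-object" and cur[0] == "object-group":
            cfg["object-group"][cur[1]].add(endpoint(t[1:])[0])
        elif t[0] == "route" or (t[:2] == ["ip", "address"] and cur[0] == "interface"):
            cfg["routes"].append(net(t[2], t[3]))  # a connected network counts as a route
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = endpoint(t[5:])
            cfg["acl"][t[1]].append((src, endpoint(rest)[0]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acls"].add(t[6])
    return cfg

def resolve(spec, cfg):
    """Expand a literal, object or (nested) object-group spec to a set of networks."""
    kind, val = spec
    if kind == "net":
        return {val}
    if kind == "object":
        return set(cfg["object"][val])
    return set().union(*(resolve(m, cfg) for m in cfg["object-group"][val]))

def protected_flows(cfg):
    """(local, remote) pairs this ASA proposes, from the ACLs its crypto map references."""
    return {(s, d) for acl in cfg["crypto_acls"] for src, dst in cfg["acl"][acl]
            for s in resolve(src, cfg) for d in resolve(dst, cfg)}

def unrouted(cfg, flows):
    # Protected networks that no static or connected route covers.
    return {n for f in flows for n in f if not any(n.subnet_of(r) for r in cfg["routes"])}

def check_peers(text_a, text_b):
    """Every list is empty for a healthy pair; each entry names something to fix."""
    a, b = parse_asa(text_a), parse_asa(text_b)
    fa, fb = protected_flows(a), protected_flows(b)
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return {"only_on_a": fmt((s, d) for s, d in fa if (d, s) not in fb),
            "only_on_b": fmt((s, d) for s, d in fb if (d, s) not in fa),
            "unrouted_a": sorted(map(str, unrouted(a, fa))),
            "unrouted_b": sorted(map(str, unrouted(b, fb)))}

if __name__ == "__main__":
    print("as posted:", check_peers(TW1_CONFIG, CISCOASA_CONFIG))
    print("route removed:", check_peers(TW1_CONFIG, CISCOASA_CONFIG.replace("route outside 192.168.75.0 255.255.255.0 10.0.0.1 1\n", "")))
```

Run as posted, it reports no missing routes and one asymmetry: All_Inside_Networks on TW1-OFFICE-ASA also contains 192.168.1.0/29, so that ASA proposes 192.168.1.0/29 to 172.16.100.0/24 while the REMOTE group on ciscoasa does not include it. Cisco's guidance is that the two crypto ACLs be mirror images; with IKEv1 the responder has no crypto map entry for that proxy pair and only that flow's SA fails to come up. The second run deletes one of ciscoasa's static routes to reproduce the "no route" result packet-tracer gave later in this thread. On the box itself the equivalent checks are `packet-tracer input Inside tcp 192.168.76.10 1024 172.16.100.10 80` (substituting a host on your LAN) and, once the tunnel is up, `show crypto ikev1 sa` and `show crypto ipsec sa`.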

Thanks Marvin, I did a packet trace and noticed that there was no route, so I added a route to both ASAs, and as soon as I did this the VPN tunnel established. The VPN tunnel is still established; however, I can't seem to get traffic from the local networks to each other over the VPN, even though they are definitely configured as part of the VPN.

Running packet tracer on a packet from inside going to outside is successful. However, when running outside to inside, it is unsuccessful. Please find the attached screenshot. The packet trace shows it is dropped at the VPN stage.

Regards

James

Problem sorted.

The solution to the overall problem was, as you mentioned, that I needed a route on both ASAs for the VPN tunnel to establish.

The issue where no traffic would pass over the VPN was due to the traffic coming back into the local ASA and not knowing where to go. The resolution to this was to apply a static route on the local ASA with the L3 switch as the next hop, telling the return traffic how to get to the LAN.

Thanks for your help Marvin

Great - glad to have helped.

Regarding your outside-in packet capture, the reason it shows failure is that traffic arriving at the outside interface will always be encapsulated in IPsec and will not have the true endpoint source address in clear text.

Please mark your question as answered if it has been.
