grant.fribbens
Beginner

Cisco ASA5515-X ASA9.0(2) ASDM7.1(2) IPsec Site-To-Site

Hi All,

   I am trying to create an IPsec tunnel between two ASA5515-X systems with the same levels of software in, but I have found that even if I create the IPsec IKEv1 pre-shared key VPN tunnel using the VPN wizard at both ends in ASDM, the tunnel never gets established. If I use the wizard to make an IPsec connection to an IPCop firewall I can get the ASA to say that the connection is up and running, but I am unable to ping across networks. My network diagram is as follows:

Datacenter 1 LAN    Datacenter 1 ASA Outside    Datacenter 2 ASA Outside    Datacenter 2 LAN
10.3.3.0/24         x.x.x.4/28                  x.x.x.4/28                  10.2.3.0/24

One of the issues I have is that I have turned on debugging and used the debug commands, but I am not seeing either ASA trying to establish a connection, as nothing is showing in the ASDM logging window for the ISAKMP or IPsec connection apart from when I fire the connection at the IPCop box.

Regards

Grant Fribbens

5 Replies
Marvin Rhoads
VIP Community Legend

You'd need to share more of your ASA configurations to get more detailed feedback, but at a high level it sounds as if you don't have an access-list applied to your interface that defines the interesting traffic for your crypto map to make it fire up the VPN tunnel (this kicks off the Phase 1 and 2 negotiations).

Also, if you don't mind, post the debug outputs from debug crypto isakmp and debug crypto ipsec (sanitize the external IP before pasting) for the IPCop case. You can also provide the logs from IPCop regarding the tunnel. Then I might be able to give you some response about it.

(enable session recording in your SSH/Telnet client)

debug crypto ipsec
debug crypto isakmp
terminal monitor

In order to see the traffic you need to start the interesting traffic (for example, pinging the remote end from an internal IP address).


Predrag Petrovic
grant.fribbens
Beginner

Hi,

    Thank you for your responses. I have tried using the debug commands as suggested and I get nothing at all, even while I am running a ping request to the other network. I am posting my configs for the ASAs and a network diagram. I am trying to achieve a setup where all management devices are in VLAN 16, and there are individual VLANs on the 3750-X switch which will also be able to have internet access via VLAN 3 on either side. Also, the VLANs on the switch must be able to communicate with the other side via the IPsec VPN connection.

Regards

Grant Fribbens

That's strange, usually you would get debug output when you initiate interesting traffic. I will look at the config files as soon as I get free time.

Predrag Petrovic
rpadwal
Cisco Employee

Hi Grant,

Please make the following changes and let me know if it helps

Datum ASA

crypto map outside_map4 1 match address outside_cryptomap_1
crypto map outside_map4 1 set pfs                         <<<<<<<<<<<<<
crypto map outside_map4 1 set peer xx.xx.26.4
crypto map outside_map4 1 set ikev1 transform-set myset

Change the NAT priority to 1:

no nat (inside,outside) source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN
nat (inside,outside) 1 source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN

Peer ASA

crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs                         <<<<<<<<<<<<<
crypto map outside_map1 1 set peer xx.xx.89.4
crypto map outside_map1 1 set ikev1 transform-set myset

Change the NAT priority to 1:

no nat (inside,outside) source static PEER1_LAN PEER1_LAN destination static DATUM_LAN DATUM_LAN
nat (inside,outside) 1 source static PEER1_LAN PEER1_LAN destination static DATUM_LAN DATUM_LAN

Thanks and regards

Rohan
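To put Rohan's two changes together with the interesting-traffic ACL Marvin mentioned, here is what the Datum side of a complete IKEv1 site-to-site configuration on ASA 9.0 looks like. This is an added example, not a config posted in the thread: the object, ACL and crypto map names, the LAN subnets and the peer address are taken from the thread, while the interface names (inside/outside), the IKEv1 policy parameters and the pre-shared key are assumptions or placeholders.

```cisco
! Added example (not from the thread): Datum ASA, ASA 9.0(2), IKEv1 site-to-site
! Assumed interface names: inside / outside. Subnets and names as used in the thread.
object network DATUM_LAN
 subnet 10.3.3.0 255.255.255.0
object network PEER1_LAN
 subnet 10.2.3.0 255.255.255.0

! Interesting traffic: without a hit on this ACL the crypto map never starts Phase 1
access-list outside_cryptomap_1 extended permit ip object DATUM_LAN object PEER1_LAN

! NAT exemption at priority 1 so it is evaluated before any other manual NAT rule,
! otherwise VPN traffic is translated and no longer matches the crypto ACL
nat (inside,outside) 1 source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN no-proxy-arp route-lookup

! Phase 1 policy (assumed values; must be identical on both ASAs)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2: transform set, crypto map entry (with PFS, as in Rohan's fix) bound to the interface
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map outside_map4 1 match address outside_cryptomap_1
crypto map outside_map4 1 set pfs
crypto map outside_map4 1 set peer xx.xx.26.4
crypto map outside_map4 1 set ikev1 transform-set myset
crypto map outside_map4 interface outside

! Peer definition; the placeholder key must be the same value on both ASAs
tunnel-group xx.xx.26.4 type ipsec-l2l
tunnel-group xx.xx.26.4 ipsec-attributes
 ikev1 pre-shared-key <REPLACE_WITH_SHARED_SECRET>
```

The Peer ASA mirrors this with DATUM_LAN and PEER1_LAN swapped in the ACL and NAT rule, map outside_map1 with ACL outside_cryptomap, and peer xx.xx.89.4; if one side has set pfs and the other does not, Phase 2 fails even though Phase 1 completes.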
