Help with ASA site-to-site-to-site VPNs

david.contreras
Level 1

In looking for examples of this type of setup, the only thing close to what we want to do is this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

We have a new third-party company that needs access to our main site and the other VPN site. We want to NAT the third-party company's IPs (Belgium).

Below are the configurations that we think are working.

The configuration allows for Belgium to initiate communication.

Hub(config)# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname NEC-Hub
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.83.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list retail extended permit ip 172.16.83.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list belgium extended permit ip 172.16.83.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 2 172.16.83.100-172.16.83.150
global (outside) 1 interface
nat (inside) 0 access-list retail
nat (outside) 2 192.168.42.0 255.255.255.248
route outside 0.0.0.0 0.0.0.0 x.x.54.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto ipsec transform-set aes256 esp-aes esp-sha-hmac
crypto map outside_map 3 match address retail
crypto map outside_map 3 set peer x.x.54.158
crypto map outside_map 3 set transform-set aes128
crypto map outside_map 4 match address belgium
crypto map outside_map 4 set peer x.x.54.157
crypto map outside_map 4 set transform-set aes256
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
username dberry password j1w0Nw.TRRF.yJBG encrypted privilege 15
username cits password apnB12ZmUe8JqSD4 encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group x.x.54.158 type ipsec-l2l
tunnel-group x.x.54.158 ipsec-attributes
pre-shared-key *
tunnel-group x.x.54.157 type ipsec-l2l
tunnel-group x.x.54.157 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:618f483d3a1e23eab56ba4a78acf2508
: end

Belgium(config)# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname Belgium
domain-name necam.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.42.1 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.54.157 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name necam.com
access-list nec_hawaii extended permit ip 192.168.42.0 255.255.255.248 172.16.83.0 255.255.255.0
access-list nec_hawaii extended permit ip 192.168.42.0 255.255.255.248 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nec_hawaii
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.54.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 1.1.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto map necmap 1 match address nec_hawaii
crypto map necmap 1 set peer x.x.54.138
crypto map necmap 1 set transform-set aes128
crypto map necmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tunnel-group x.x.54.138 type ipsec-l2l
tunnel-group x.x.54.138 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:870af263e897d109ab569c6f08e0632a
: end

HawaiiRet(config)# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname HawaiiRet
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.54.158 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nec extended permit ip 172.16.1.0 255.255.255.0 172.16.83.0 255.255.255.0
access-list nec extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nec
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.54.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set aes128 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map necmap 1 match address nec
crypto map necmap 1 set peer x.x.54.138
crypto map necmap 1 set transform-set aes128
crypto map necmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group x.x.54.138 type ipsec-l2l
tunnel-group x.x.54.138 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:c890fe9ee21aa68e16549947783b0d83
: end

1 Reply

Lee Valentin
Level 1

Whichever ASA is the hub, you're missing the ACL that allows one remote network to talk to the other remote network. Looks like you're allowing it one way.

For example:

access-list belgium extended permit ip 172.16.83.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 192.168.42.0 255.255.255.248 172.16.1.0 255.255.255.0

This may work for you, but I've never seen anyone match an access list in a crypto map that is also the nat 0 ACL. If it works, that's pretty cool. Otherwise, you should have separate ACLs.

Good luck
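One way to find the gap Lee describes mechanically, as an added example that is not part of either post: the script below parses the hub's and HawaiiRet's crypto ACLs (constructed excerpts of the configs above, with the post's x.x. peer placeholders kept) and reports every flow the remote peer protects whose mirror image (source and destination swapped) is absent from the local crypto ACL. It assumes plain mirrored ACLs and ignores the hub's outside NAT of the Belgium range.

```python
import ipaddress
import re
from typing import Dict, Set, Tuple
# Constructed excerpts of the hub and HawaiiRet configs from the post; the
# peer addresses keep the post's x.x. placeholders and are treated as strings.
HUB = """
access-list retail extended permit ip 172.16.83.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list belgium extended permit ip 172.16.83.0 255.255.255.0 192.168.42.0 255.255.255.248
access-list belgium extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
crypto map outside_map 3 match address retail
crypto map outside_map 3 set peer x.x.54.158
crypto map outside_map 4 match address belgium
crypto map outside_map 4 set peer x.x.54.157
"""
RETAIL = """
access-list nec extended permit ip 172.16.1.0 255.255.255.0 172.16.83.0 255.255.255.0
access-list nec extended permit ip 172.16.1.0 255.255.255.0 192.168.42.0 255.255.255.248
crypto map necmap 1 match address nec
crypto map necmap 1 set peer x.x.54.138
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
Flow = Tuple[str, str]  # (source network, destination network) as CIDR strings

def parse_crypto_acls(config: str) -> Dict[str, Set[Flow]]:
    """Map each crypto-map peer to the flows its 'match address' ACL protects."""
    acls: Dict[str, Set[Flow]] = {}
    match_addr: Dict[Tuple[str, str], str] = {}   # (map, seq) -> ACL name
    peers: Dict[Tuple[str, str], str] = {}        # (map, seq) -> peer address
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            name, src, smask, dst, dmask = m.groups()
            # ip_network accepts dotted netmasks, so 255.255.255.248 becomes /29
            flow = (str(ipaddress.ip_network(f"{src}/{smask}")),
                    str(ipaddress.ip_network(f"{dst}/{dmask}")))
            acls.setdefault(name, set()).add(flow)
        elif m := MATCH_RE.match(line.strip()):
            match_addr[(m[1], m[2])] = m[3]
        elif m := PEER_RE.match(line.strip()):
            peers[(m[1], m[2])] = m[3]
    return {peers[k]: acls.get(n, set()) for k, n in match_addr.items() if k in peers}

def mirror_gaps(local: Set[Flow], remote: Set[Flow]) -> Set[Flow]:
    """Remote flows whose mirror is missing locally: the remote proposes them, the local side refuses."""
    return {(dst, src) for src, dst in remote if (dst, src) not in local}

if __name__ == "__main__":
    hub, retail = parse_crypto_acls(HUB), parse_crypto_acls(RETAIL)
    print("missing from hub ACL 'retail':", mirror_gaps(hub["x.x.54.158"], retail["x.x.54.138"]))
```

Run as-is it reports that the hub's `retail` ACL lacks `192.168.42.0/29 -> 172.16.1.0/24`, the spoke-to-spoke flow HawaiiRet already expects on its tunnel to the hub.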