Home Lab ASA5505 Site-2-Site VPN

johnmcgrath29
Level 1

Afternoon All,

I am currently working on a Site-2-Site VPN at home. I have connected a cable between both Outside interfaces. It's been a while since I have done this on an ASA5505. I have this little voice telling me there is an issue with the different versions on the device; anyway, I will post my home lab. This lab is air gapped, so I'm not worried about IPs etc. I also think I missed something with the TFTP configuration, not sure on that, haven't tested it yet. Anyway, here is the config for the first firewall:

ASA Version 8.2(1)
!
hostname FW1-Site1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list VPN-Tunnel extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list tftp_acl extended permit udp host 10.1.1.1 host 169.254.168.110 eq tftp
access-list ICMP extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
log-adj-changes
!
route inside 0.0.0.0 0.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-Map 10 match address VPN-Tunnel
crypto map VPN-Map 10 set peer 192.168.2.1
crypto map VPN-Map 10 set transform-set VPN-TS
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 169.254.168.110 /
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a2ed9e50e0ea001cfa6db072dce2d64
: end

Here is the configuration on the second firewall:

ASA Version 9.1(5)
!
hostname FW2-Site2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
access-list VPN-Tunnel extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tftp_acl extended permit udp host 10.1.1.1 host 169.254.168.110 eq tftp
access-list ICMP extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
log-adj-changes
!
route inside 0.0.0.0 0.0.0.0 10.2.2.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN-TS esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPN-Map 10 match address VPN-Tunnel
crypto map VPN-Map 10 set peer 192.168.1.1
crypto map VPN-Map 10 set ikev1 transform-set VPN-TS
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 169.254.168.110 /
webvpn
anyconnect-essentials
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:024a771f66f299a8b5cbd4544f301e7a
: end

What am I missing, or is the voice in my head about software versions right?


11 Replies

@johnmcgrath29 as a start, change the security level of the outside interface of FW1-Site1 to 0.

interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0

You've also configured the default route via the inside interface ("route inside 0.0.0.0 0.0.0.0 10.1.1.1 1"); change it to the correct interface and next hop.

Ensure you can ping the peer IP address and then generate interesting traffic from a device behind the ASA to a remote device behind the other ASA.

Morning Gents,

I have made both these changes to the firewall but still can't ping the peer for some reason. Here is the config after the changes were made:

hostname FW1-Site1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
switchport trunk allowed vlan 1-2
!
interface Ethernet0/1
switchport trunk allowed vlan 1-2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list VPN-Tunnel extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list tftp_acl extended permit udp host 10.1.1.1 host 169.254.168.110 eq tftp
access-list ICMP extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
network 192.168.0.0 255.255.0.0 area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route outside 0.0.0.0 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-Map 10 match address VPN-Tunnel
crypto map VPN-Map 10 set peer 192.168.2.1
crypto map VPN-Map 10 set transform-set VPN-TS
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 169.254.168.110 /
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5fc59dfb10b283552e457a2d61c02ae9
: end

Second firewall:

ASA Version 9.1(5)
!
hostname FW2-Site2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
shutdown
!
interface Ethernet0/1
switchport trunk allowed vlan 1-2
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
access-list VPN-Tunnel extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ICMP extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
router ospf 1
network 10.0.0.0 255.0.0.0 area 0
network 192.168.0.0 255.255.0.0 area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN-TS esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPN-Map 10 match address VPN-Tunnel
crypto map VPN-Map 10 set peer 192.168.1.1
crypto map VPN-Map 10 set ikev1 transform-set VPN-TS
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fffefd6796a594ea67d0c317d0de7be
: end

FW2-Site2#
FW2-Site2#
FW2-Site2# traceroute 192.168.1.1

Type escape sequence to abort.
Tracing the route to 192.168.1.1
ERROR: No route to host

FW2-Site2#

I scrubbed the configuration completely and started from scratch, going through it line by line. I did find this interesting bit in it:

FW1-Site1(config)# crypto isakmp enable out
FW1-Site1(config)# crypto isakmp enable outside
FW1-Site1(config)# crypto isakmp policy 10
FW1-Site1(config-isakmp-policy)# authentication ?

crypto-isakmp-policy mode commands/options:
crack set auth crack
pre-share set auth pre-share
rsa-sig set auth rsa-sig
FW1-Site1(config-isakmp-policy)# authentication pre-
FW1-Site1(config-isakmp-policy)# authentication pre-share ?

Two different sub-menus; I assume this is to do with the IOS difference: FW1-Site1 is ASA Version 8.2(1), FW2-Site2 is ASA Version 9.1(5).

FW2-Site2(config)# crypto map VPN-Map 10 match address VPN-Tunnel
FW2-Site2(config)# crypto map VPN-Map 10 set peer 192.168.1.1
FW2-Site2(config)# crypto map VPN-Map 10 set transform-set VPN-TS
FW2-Site2(config)# !
FW2-Site2(config)# crypto isakmp enable outside
FW2-Site2(config)# crypto isakmp policy 10
FW2-Site2(config-ikev1-policy)# ?

I have completely changed the configuration and started from scratch:

ASA Version 8.2(1)
!
hostname FW1-Site1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1-2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list VPN-Tunnel extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list ICMP extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 192.168.2.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN-Map 10 match address VPN-Tunnel
crypto map VPN-Map 10 set peer 192.168.2.1
crypto map VPN-Map 10 set transform-set VPN-TS
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:81372e4db6ff1fd23f5d16fe77415ffa
: end

Second firewall:

ASA Version 9.1(5)
!
hostname FW2-Site2
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1-2
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
access-list VPN-Tunnel extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ICMP extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 192.168.1.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set VPN-TS esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPN-Map 10 match address VPN-Tunnel
crypto map VPN-Map 10 set peer 192.168.1.1
crypto map VPN-Map 10 set ikev1 transform-set VPN-TS
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e75c6caf7dedd14561dc545cb49980b7
: end

When I ping I am not getting the no-route issue, so I think it's something to do with the tunnel maybe?

FW2-Site2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
FW2-Site2#

@johnmcgrath29 I do not see that you have enabled crypto map on the outside interface. E.g.

crypto map VPN-Map interface outside

Generate interesting traffic from a device behind the ASA to a remote device behind the other ASA; in other words, from a source IP communicating with a destination IP address that matches your crypto ACL. When you test from the ASA itself, the egress source is the outside interface and therefore does not match your crypto ACL.

I am currently looking for a second-hand 8-port managed switch to put on the second firewall; I only have one currently. As soon as I get the second switch I will add it. Bit of a hunt, can't find much under £150 at the moment; will see if I can get something a bit cheaper. As soon as I do, I will connect it to the out device and then connect my laptop to one of the switches.

Friend, you can run the lab with one switch.

Make each firewall connect to the switch via a specific VLAN and make the hosts connect to the switch in two groups:

Group 1: VLAN 1 for FW1

Group 2: VLAN 2 for FW2

MHM

Sorry gentlemen for the late reply, I have had to do some other things, but both of your help was much appreciated.

There is a default route toward inside??

And the OSPF config only includes one subnet?

How do both peers connect to each other?

MHM

Yeah, thank you for spotting that. I have made so many changes I didn't catch it; I was working on that all of yesterday. I am now going to work through this all day today.

What is the issue now?

MHM