
IPsec Site-to-site between ASA and IOS

Anuar Shahrin
Level 1

Hi all,

I'm doing a lab to test IPsec site-to-site between an ASA and IOS.

I hit a problem that I couldn't figure out.

I'm able to ping the LAN of the router, but from the router I'm unable to ping the LAN behind the ASA, and I'm seeing dropped packets on the ASA.

Please assist.

Here is the configuration from both devices.

Router show run

==================

Router#sh run

Building configuration...

Current configuration : 1458 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

dot11 syslog

ip cef

!

!

!

!

!

multilink bundle-name authenticated

!        

!

!

!

archive

log config

  hidekeys

!

!

crypto isakmp policy 5

encr aes

authentication pre-share

group 2

crypto isakmp key tabunghaji address 192.168.10.2

!

!

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

!

crypto map VPN-TUNNEL 1 ipsec-isakmp

set peer 192.168.10.2

set transform-set AES-SHA

match address ACL-VPN

!

!        

!

!

!

!

interface FastEthernet0/0

description P2P with ASA

ip address 192.168.10.1 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN-TUNNEL

!

interface FastEthernet0/1

description LAN

ip address 10.1.10.2 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.10.2

ip route 10.1.20.0 255.255.255.0 192.168.10.2

!

!

ip http server

no ip http secure-server

ip nat inside source list ACL-NAT interface FastEthernet0/0 overload

!

ip access-list extended ACL-NAT

deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255

permit ip any any

ip access-list extended ACL-VPN

permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255

!

!

!

!

!

!

!

control-plane

!

!

!        

line con 0

line aux 0

line vty 0 4

login

!

scheduler allocate 20000 1000

end

Router#

Router#show crypto ipsec sa

interface: FastEthernet0/0

    Crypto map tag: VPN-TUNNEL, local addr 192.168.10.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.1.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.1.20.0/255.255.255.0/0/0)

   current_peer 192.168.10.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 10, #recv errors 0

     local crypto endpt.: 192.168.10.1, remote crypto endpt.: 192.168.10.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

=========================================

ASA config

HQ-ASA# sh run

: Saved

:

ASA Version 8.0(4)

!

hostname HQ-ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.10.2 255.255.255.252

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.1.20.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

access-list IPSEC_VPN extended permit ip 10.1.20.0 255.255.255.0 any

access-list ACL-INSIDE-NONAT extended permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list ACL-INSIDE-NONAT

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map MAP_outside 20 match address IPSEC_VPN

crypto map MAP_outside 20 set peer 192.168.10.1

crypto map MAP_outside 20 set transform-set ESP-AES128-SHA

crypto map MAP_outside 20 set security-association lifetime seconds 28800

crypto map MAP_outside 20 set security-association lifetime kilobytes 10000

crypto map MAP_outside interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption aes

hash sha

group 2     

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 192.168.10.2 type ipsec-l2l

tunnel-group 192.168.10.2 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:65869f07e8dafe7ab63dd9528a2fb6bf

: end

HQ-ASA# 

HQ-ASA# show crypto isakmp stats

Global IKE Statistics

Active Tunnels: 0

Previous Tunnels: 0

In Octets: 3984

In Packets: 14

In Drop Packets: 10

In Notifys: 0

In P2 Exchanges: 0

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 944

Out Packets: 12

Out Drop Packets: 0

Out Notifys: 10

Out P2 Exchanges: 0

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 0

Initiator Fails: 0

Responder Fails: 2

System Capacity Fails: 0

Auth Fails: 2

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 10

HQ-ASA#
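As an added example that is not part of the original post or either reply: a small Python consistency checker that reads the relevant lines excerpted from the two configs above and flags what keeps this tunnel from coming up. On the ASA, the pre-shared key for a LAN-to-LAN tunnel is read from the tunnel-group named after the peer's address, so `tunnel-group 192.168.10.2` (the ASA's own outside address) is never matched for a peer at 192.168.10.1; that is consistent with the `Auth Fails: 2` and `No Sa Fails: 10` counters in `show crypto isakmp stats` and the zero SAs on the router. The crypto ACLs also need to be mirror images: the router protects 10.1.10.0/24 -> 10.1.20.0/24, while `IPSEC_VPN` on the ASA says 10.1.20.0/24 -> any. The corrected ASA lines are included as a second constant so the pass case is visible; the parser only understands the commands that appear in the thread and is an assumption of this example, not a Cisco tool.

```python
"""Cross-check the IOS crypto-map side against the ASA 8.x LAN-to-LAN side.

Added example, not from the original post.  The two constants below are
excerpted from the configs in the thread; the parser is deliberately minimal
and only understands the commands that appear there.
"""
import ipaddress
import re

IOS_CFG = """\
crypto isakmp key tabunghaji address 192.168.10.2
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 192.168.10.2
 match address ACL-VPN
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.252
 crypto map VPN-TUNNEL
ip access-list extended ACL-VPN
 permit ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
"""

ASA_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.168.10.2 255.255.255.252
access-list IPSEC_VPN extended permit ip 10.1.20.0 255.255.255.0 any
crypto map MAP_outside 20 match address IPSEC_VPN
crypto map MAP_outside 20 set peer 192.168.10.1
crypto map MAP_outside interface outside
tunnel-group 192.168.10.2 type ipsec-l2l
tunnel-group 192.168.10.2 ipsec-attributes
 pre-shared-key *
"""

# Corrected ASA lines: the L2L tunnel-group is named after the *peer*, and the
# crypto ACL mirrors the router's ACL-VPN entry.
ASA_CFG_FIXED = ASA_CFG.replace(
    "permit ip 10.1.20.0 255.255.255.0 any",
    "permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0",
).replace("tunnel-group 192.168.10.2", "tunnel-group 192.168.10.1")


def _take(tokens):
    """Consume one address spec ('any', or 'addr mask') from a token list.
    ipaddress accepts an ASA netmask (255.255.255.0) and an IOS wildcard
    (0.0.0.255) alike after the slash."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def asa_acl(cfg, name):
    """(src, dst) networks of the permit lines of an ASA extended ACL."""
    out = []
    for m in re.finditer(rf"^access-list {re.escape(name)} extended permit ip (.+)$", cfg, re.M):
        toks = m.group(1).split()
        out.append((_take(toks), _take(toks)))
    return out


def ios_acl(cfg, name):
    """(src, dst) networks of the permit lines of an IOS named extended ACL."""
    out, inside = [], False
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif not line.startswith(" "):
            inside = False          # any other top-level command ends the ACL
        elif inside and line.strip().startswith("permit ip "):
            toks = line.split()[2:]
            out.append((_take(toks), _take(toks)))
    return out


def parse_ios(cfg):
    d = {"local": None, "peer": None, "key_for": None, "acl": None}
    ip = None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("ip address "):
            ip = s.split()[2]
        elif line.startswith(" ") and s.startswith("crypto map "):
            d["local"] = ip         # crypto map applied under an interface
        elif s.startswith("set peer "):
            d["peer"] = s.split()[2]
        elif s.startswith("crypto isakmp key "):
            d["key_for"] = s.split()[-1]
        elif s.startswith("match address "):
            d["acl"] = s.split()[2]
    d["proxy"] = ios_acl(cfg, d["acl"])
    return d


def parse_asa(cfg):
    d = {"local": None, "peer": None, "acl": None, "tunnel_groups": set()}
    ifaces, nameif = {}, None
    for line in cfg.splitlines():
        s = line.strip()
        t = s.split()
        if s.startswith("nameif "):
            nameif = t[1]
        elif s.startswith("ip address ") and nameif:
            ifaces[nameif] = t[2]
        elif re.match(r"crypto map \S+ \d+ set peer ", s):
            d["peer"] = t[-1]
        elif re.match(r"crypto map \S+ \d+ match address ", s):
            d["acl"] = t[-1]
        elif re.match(r"crypto map \S+ interface ", s):
            d["local"] = ifaces.get(t[-1])
        elif re.match(r"tunnel-group \S+ type ipsec-l2l", s):
            d["tunnel_groups"].add(t[1])
    d["proxy"] = asa_acl(cfg, d["acl"])
    return d


def check(ios, asa):
    """Return a list of findings; an empty list means the two sides agree."""
    f = []
    if ios["peer"] != asa["local"] or asa["peer"] != ios["local"]:
        f.append(f"peer mismatch: IOS {ios['local']}->{ios['peer']}, ASA {asa['local']}->{asa['peer']}")
    if ios["key_for"] != asa["local"]:
        f.append(f"IOS isakmp key is bound to {ios['key_for']}, but the ASA is {asa['local']}")
    # The ASA reads the L2L pre-shared key from the tunnel-group named after the peer.
    if ios["local"] not in asa["tunnel_groups"]:
        f.append(f"ASA has no tunnel-group {ios['local']} (has {sorted(asa['tunnel_groups'])}): "
                 "IKE authentication fails")
    # Phase 2 proxy identities must be mirror images of each other.
    ios_mirror = {(d, s) for s, d in ios["proxy"]}
    for s, d in set(asa["proxy"]) ^ ios_mirror:
        f.append(f"crypto ACLs are not mirrored: {s} -> {d} appears on one side only")
    return f


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CFG), ("corrected", ASA_CFG_FIXED)):
        findings = check(parse_ios(IOS_CFG), parse_asa(cfg))
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Run as a script it prints three findings for the configs as posted (the missing `tunnel-group 192.168.10.1`, and the two non-mirrored crypto ACL entries) and none for the corrected ASA lines. The same checks can be done by hand with `show crypto isakmp sa` and `debug crypto isakmp` on either box, but encoding them once saves re-reading two configs side by side.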

2 Replies

arun.stha
Level 1

Hi,

If the VPN is up and all the policies are fine...

Try this once,

Go to the ASA Device Management tab -> Interface and there select your management interface as your inside interface...

I guess it will work...

Thank you Arun, I will check again on the ASA later today.