05-26-2023 05:17 PM - edited 05-26-2023 05:21 PM
Hello Community,
I have put the following IPSEC config together. It must be wrong because the tunnel is not showing up.
ASA1
======
conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.16 type ipsec-l2l
tunnel-group 10.244.7.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.16
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
==================================================
ASA2
======
conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.15
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
Goal:
1 - Site to Site VPN between 2 ASA firewalls running 9.12.4.58. Outside interface is the management 0/0 interface. I intended to have a virtual interface like a loopback. I know loopbacks aren't supported on ASAs but my goal is to have a logical interface like what a loopback would be. I want to ping between the two logical interfaces on each ASA.
2 - Diagram:
logical interface 10.10.12.1/24 < - > ASA1 10.244.7.15 Management 0/0 < - - IPSEC TUNNEL - - > Management 0/0 10.244.7.16 ASA2 < - > 10.10.12.2/24 logical interface.
Note: "logical interface" is what I used in place of Loopback since Loopbacks aren't supported on ASAs. Any tips here would be greatly appreciated.
3 - The ASA1 and ASA2 devices are on the same subnet and the same switch. (no routing in between)
4 - Any help would be greatly appreciated.
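Added example, not part of this thread: a small Python checker that parses the two posted configs (embedded as constructed samples) and verifies what an IKEv1 site-to-site pair has to agree on: tunnel-group name equal to the peer address, matching pre-shared key and transform set, crypto ACLs that mirror each other, and local and remote networks that do not overlap. Run on the configs above it reports only the crypto ACLs, which use 10.10.12.0/24 as both source and destination on both ASAs, so no traffic can be selected for the tunnel.

```python
import ipaddress
import re

# Constructed samples: the relevant lines of the two ASA configs posted in the question.
ASA1_CFG = """
tunnel-group 10.244.7.16 type ipsec-l2l
tunnel-group 10.244.7.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.16
"""
# ASA2 as posted is the same config with the peer address swapped.
ASA2_CFG = ASA1_CFG.replace("10.244.7.16", "10.244.7.15")


def parse(cfg):
    """Extract the settings one ASA's IKEv1 L2L config must agree on with its peer."""
    acl = re.search(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "tunnel_group": re.search(r"tunnel-group (\S+) type ipsec-l2l", cfg).group(1),
        "psk": re.search(r"ikev1 pre-shared-key (\S+)", cfg).group(1),
        "transform": re.search(r"crypto ipsec ikev1 transform-set \S+ (\S+ \S+)", cfg).group(1),
        # ipaddress accepts dotted netmasks, so the ACL's "addr mask" pairs map directly.
        "local": ipaddress.ip_network(f"{acl.group(1)}/{acl.group(2)}"),
        "remote": ipaddress.ip_network(f"{acl.group(3)}/{acl.group(4)}"),
    }


def check_pair(cfg_a, cfg_b):
    """Return human-readable findings for a peer pair; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for side, c in (("ASA1", a), ("ASA2", b)):
        if c["tunnel_group"] != c["peer"]:
            findings.append(f"{side}: tunnel-group {c['tunnel_group']} != peer {c['peer']}")
        if c["local"].overlaps(c["remote"]):
            findings.append(f"{side}: crypto ACL local {c['local']} overlaps remote {c['remote']}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        findings.append("IPsec transform sets differ")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ASA1_CFG, ASA2_CFG) or ["no findings"]:
        print(finding)
```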
05-27-2023 03:49 PM
All config is OK.
You don't share the config of the interfaces, but I will assume you do not use the mgmt interface, as I mentioned before.
Now try initiating the traffic:
ping 10.244.8.16 source 10.244.7.15
or
ping 10.244.7.15 source 10.244.8.16
depending on which side you want to initiate the traffic from.
05-28-2023 07:17 AM
Great news! I gave up trying to build an IPSEC VPN between two Cisco ASAs. Instead, I built one between a Palo Alto 850 and a Cisco ASA 5585 and it came right up. Man out of all the VPNs I've built before (Fortinet, Palo Alto and Cisco ASA), Cisco's config syntax was the most user-unfriendly but it does work. I used the following link to get an idea of how I'd make it work in the end.
https://www.gns3network.com/ipsec-tunnel-between-palo-alto-and-cisco-asa-firewall/
05-28-2023 07:43 AM
Really great news.
Cisco user-unfriendly: I disagree with this point. IPsec VPN is simple, but the data/mgmt plane of IPsec is more secure.
That is why it accepts some configs and not others.
Anyway,
glad your issue is solved.
Have a nice day.
MHM