Need help with site to site VPN on ASA 5505

ruben.ortega
Level 1

Both sites have an ASA 5505 running version 8.2(5).

I am very new to Cisco so please be patient with me

I used the site-to-site VPN wizard, which seemed very straightforward and easy. I even watched a tutorial on YouTube. I have a solid VPN connection light on both devices; however, I cannot ping from one side of the tunnel to the other.

I notice in the firewall dashboard under Top 10 Protected Servers under SYN Attack:

Server IP:Port (my VoIP server)

Source IP (my IP phone)

  • VPN
18 REPLIES

bmurray
Level 1

Can you send the configuration from both devices?

I sent you the configs.

I have sent the changed configs to you.

Okay... So I was able to make the change in the config (removed

nat (outside) 0 access-list outside_nat0_outbound)

After doing that I went to ASDM > Monitoring > VPN and set the filter to IPsec site-to-site, and the session no longer shows up.

I deleted the VPN on both sides and recreated it using the wizard. I still can't see it in the VPN sessions under Monitoring.

Did you change the access lists for nat and crypto as in the file I sent you?

I made changes to site B as per your suggestion. I used restore in the ASDM. Then I did a backup again to make sure the config was correct and it came back with something totally different. I sent you the files if you wouldn't mind taking a look.

I did not touch site A yet.

Like I said, I am very new to Cisco, so please bear with me if I am doing something wrong here, and thank you very much for your assistance so far!

I made the changes you sent me to the startup and running config, according to what you sent me. When I restore to the device it drops the line.

Before restore:

global (outside) 1 interface

nat 0 (inside) acceess-list outside_nat0_outbound

nat (inside) 1 192.168.1.0 255.255.255.0

After restore:

global (outside) 1 interface

nat (inside) 1 192.168.2.0 255.255.255.0

I am not sure what I am doing wrong.

Hi,

You say that your L2L VPN connection was originally UP, judging by the lights on the front panel of the ASAs.

Taking that into account, it would seem that you are missing some other configuration if traffic isn't passing through it completely:

  • NAT0 isn't configured, or you haven't configured some other NAT correctly
  • Since you are testing with ICMP, you haven't enabled "inspect icmp" to automatically allow the Echo-reply messages through the ASA
    • "inspect icmp" is disabled by default on the ASA
  • You perhaps lack some ACL rule

If you want others to check your situation, it would be best to post the configurations here (and remove any sensitive information that you don't want to disclose).

If the problem is only related to ICMP not going through, the reason might even be as simple as needing to add the following configuration:

policy-map global_policy

class inspection_default

  inspect icmp

The first 2 lines just move to the right configuration mode on the ASA. The "inspect icmp" is the actual configuration change.

If you only use ASDM, it's also possible to use the CLI in the ASDM interface and drop CLI-format configuration onto the ASA:

Tools -> Command Line Interface

You would also have to choose the "Multiple Line" option.

- Jouni

Thank you for your response and pointers.

I will post the Site A and Site B configs in a little while!

Site A WAN address has been changed to 111.111.111.111

Site B WAN address has been changed to 222.222.222.222

SITE A CONFIG:

: Saved
: Written by enable_15 at 19:27:35.161 UTC Wed Dec 26 2012
!
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 4OyzEsAocelbS8Zt encrypted
passwd M0tRZCzV9puBYIHK encrypted
names
name 192.168.2.0 Outside
name 111.111.111.111 Site-B-Firewall
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 111.111.111.111 255.255.255.252
!
interface Vlan5
no nameif
security-level 50
no ip address
!
banner login PROPERTY OF XXXXXXX. UNAUTHORIZED ACCESS IS PROHIBITED!
ftp mode passive
access-list outside_access_in extended permit tcp any 111.111.111.111 255.255.255.255 eq 3389
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Outside 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat 0 (inside) acceess-list outside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 111.111.111.111 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 222.222.222.222
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d1c6d09621699c50ea664b70dd2a6067

SITE B CONFIG:


: Saved
: Written by enable_15 at 15:34:40.170 HST Wed Jan 2 2013
!
ASA Version 8.2(5)
!
hostname ciscoasb
enable password 4OyzEsAocelbS8Zt encrypted
passwd M0tRZCzV9puBYIHK encrypted
names
name 192.168.1.0 Waipahu description LAN
!                                        ****SEEMS LIKE I MIGHT BE MISSING SITE A WAN HERE?****
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 222.222.222.222 255.255.255.0
!
banner login PROPERTY OF XXXXXXX. UNAUTHORIZED ACCESS IS PROHIBITED!
ftp mode passive
clock timezone HST -10
access-list outside_access_in extended permit tcp any host 222.222.222.222 eq 3389
access-list inside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 interface outside
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Waipahu 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Waipahu 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.2.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.222.222.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.2.100-192.168.2.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1cae1f9177a6933ce1946e19dd94ffcf

Hi,

Here are the things I notice in the configuration.

Site A

I'm not sure if you have just copy/pasted wrong, as the configuration contains the following line:

nat 0 (inside) acceess-list outside_nat0_outbound

It should be:

nat (inside) 0 access-list outside_nat0_outbound

Site B

This site's configuration is missing some things and also differs when it comes to the L2L VPN settings.

  • First, you need the NAT0 configuration added, using the ACL already existing on the ASA:

access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list outside_nat0_outbound

Also, the L2L VPN Phase 2 parameters differ compared to Site A:

  • Site A = crypto map outside_map 1 set pfs group1
  • Site B = crypto map outside_map 1 set pfs ( = when not showing any "group" it actually means "group2" is used)

So you would need to remove the setting on Site A and configure it again:

  • no crypto map outside_map 1 set pfs group1
  • crypto map outside_map 1 set pfs group2

After you have changed the above configuration try the connections again.


Also make sure you add the following on both sites' ASA firewalls:

policy-map global_policy

class inspection_default

  inspect icmp

If you don't add the "inspect icmp" command, the ICMP Echo Replies won't get through the ASA firewalls.

EDIT: Don't worry about the Site B "name" configuration. It doesn't actually do anything. Its only function is to map an IP or network to a name that will show in the configuration instead of the IP or network.

- Jouni
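The checklist from Jouni's two replies above (NAT0 exemption present, "inspect icmp" enabled, crypto ACLs mirrored and the Phase 2 parameters identical on both ends) can be applied mechanically to a pair of ASA 8.2 configs. The following Python script is an added example, not part of the thread and not a Cisco tool. It parses the L2L-relevant statements out of each config, treats a bare "set pfs" as group2 as Jouni explains, and lists the mismatches that leave a tunnel "up" but passing no traffic. The two embedded configs are constructed, trimmed-down copies of the Site A and Site B configs posted above, with Site A's NAT0 statement written in its correct form; the script only understands "permit ip NET MASK NET MASK" ACL entries and ignores every other ACL form.

```python
"""Cross-check two ASA 8.2 configs for one IKEv1 L2L tunnel and report the
mismatches that leave the tunnel 'up' but passing no traffic. Added example,
not from the thread or from Cisco; only 'permit ip NET MASK NET MASK' ACLs are parsed."""
from ipaddress import IPv4Network


def _net(addr, mask, names):
    # Resolve an ASA 'name' alias, then build the network; None if unparsable
    try:
        return IPv4Network(f"{names.get(addr, addr)}/{mask}", strict=False)
    except ValueError:
        return None


def parse_asa(cfg):
    """Pull the L2L-relevant statements out of a running-config."""
    site = {"names": {}, "acls": {}, "nat0": None, "cmap": {}, "inspect_icmp": False}
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[0] == "name" and len(t) >= 3:              # name 192.168.1.0 Waipahu
            site["names"][t[2]] = t[1]
        elif t[0] == "access-list" and "permit" in t:   # ... permit ip SRC MASK DST MASK
            i = t.index("permit")
            if t[i + 1] == "ip" and len(t) >= i + 6:
                site["acls"].setdefault(t[1], []).append(tuple(t[i + 2:i + 6]))
        elif t[:3] == ["nat", "(inside)", "0"] and "access-list" in t:
            site["nat0"] = t[t.index("access-list") + 1]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            e = site["cmap"].setdefault(t[3], {"pfs": None})
            if t[4] == "match":
                e["acl"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                e["ts"] = t[6]
            elif t[4:6] == ["set", "pfs"]:               # bare 'set pfs' means group2 on 8.2
                e["pfs"] = t[6] if len(t) > 6 else "group2"
        elif t[:2] == ["inspect", "icmp"]:
            site["inspect_icmp"] = True
    return site


def _flows(site, acl):
    # An ACL as a set of (src_net, dst_net) pairs with names resolved
    out = set()
    for s, sm, d, dm in site["acls"].get(acl, []):
        src, dst = _net(s, sm, site["names"]), _net(d, dm, site["names"])
        if src and dst:
            out.add((src, dst))
    return out


def check_l2l(a, b, la="Site A", lb="Site B"):
    """Return a list of findings; an empty list means both ends agree."""
    findings, ends = [], []
    for label, site in ((la, a), (lb, b)):
        if not site["cmap"]:
            return [f"{label}: no crypto map entry found"]
        e = site["cmap"][min(site["cmap"], key=int)]    # lowest sequence number
        ends.append(e)
        vpn = _flows(site, e.get("acl", ""))
        if not site["inspect_icmp"]:
            findings.append(f"{label}: 'inspect icmp' missing, echo-replies will be dropped")
        if site["nat0"] is None:
            findings.append(f"{label}: no 'nat (inside) 0 access-list ...', VPN traffic gets PATed")
        elif not vpn <= _flows(site, site["nat0"]):
            findings.append(f"{label}: NAT0 ACL {site['nat0']} does not cover the crypto ACL")
    ea, eb = ends
    if ea["pfs"] != eb["pfs"]:
        findings.append(f"PFS mismatch: {la}={ea['pfs']} {lb}={eb['pfs']}")
    if ea.get("ts") != eb.get("ts"):
        findings.append(f"transform-set mismatch: {la}={ea.get('ts')} {lb}={eb.get('ts')}")
    mirrored = {(d, s) for s, d in _flows(b, eb.get("acl", ""))}
    if _flows(a, ea.get("acl", "")) != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


# Constructed samples: the L2L-relevant lines of the thread's two configs
SITE_A = """
name 192.168.2.0 Outside
access-list outside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Outside 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list outside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
SITE_B = """
name 192.168.1.0 Waipahu description LAN
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 Waipahu 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 Waipahu 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
ICMP_FIX = "policy-map global_policy\nclass inspection_default\n  inspect icmp\n"
FIXED_A = SITE_A.replace("set pfs group1", "set pfs group2") + ICMP_FIX
FIXED_B = SITE_B + "nat (inside) 0 access-list outside_nat0_outbound\n" + ICMP_FIX

if __name__ == "__main__":
    print("before:", *check_l2l(parse_asa(SITE_A), parse_asa(SITE_B)), sep="\n  ")
    print("after fix:", check_l2l(parse_asa(FIXED_A), parse_asa(FIXED_B)) or "clean")
```

Run against the as-posted pair it reports the same four things Jouni found by eye (no "inspect icmp" on either side, no NAT0 on Site B, PFS group1 against group2); after applying his fixes it reports nothing. The NAT0 check is deliberately a superset test, since a NAT0 ACL wider than the crypto ACL is fine while a narrower one silently PATs part of the VPN traffic.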

Okay, I made the changes. Would you mind looking at these configs to see if it all looks correct? I plan on going out to the sites on Monday to install.

Site A WAN address has been changed to 111.111.111.111

Site B WAN address has been changed to 222.222.222.222

*edit removed so only latest shows

Site B

*edit removed so only latest shows