3856 Views, 0 Helpful, 41 Replies

Routing for LAN to LAN asa5505s

montoya-j
Level 1

Hello everyone,

New ASA user and I'm stuck!

This should be a pretty stock install, but of course not... smile. I'm pretty sure I'm just lost with the "routing".

Two ASA 5505s, version 8.05 - configured for LAN to LAN IPsec VPN.

All traffic at site B needs to go through the tunnel, to site A resources.

MAIN SITE A:

outside:200.200.200.131 / GW: 200.200.200.192

inside: 10.99.10.1

REMOTE SITE B:

outside:63.63.63.201 GW: 63.63.63.193

inside: 192.168.1.1

Connected to the inside of site B, I try a host at site A --- I get no connection (times out), BUT -- it does establish the VPN tunnel - and everything appears to check good (IPsec tunnel wise).

Thank you for your time and help,

john-

SITE A:

ASA Version 8.0(5)
!
hostname office
domain-name office.org
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.99.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.131 255.255.255.224
!
ftp mode passive
dns server-group DefaultDNS
 domain-name office.org
access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.200.200.129 1
route outside 192.168.1.0 255.255.255.0 63.63.63.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.99.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 63.63.63.201
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
dhcpd address 10.99.10.3-10.99.10.33 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 14400 interface inside
dhcpd domain office.org interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 63.63.63.201 type ipsec-l2l
tunnel-group 63.63.63.201 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end

REMOTE SITE:

ASA Version 8.0(5)
!
hostname remote
domain-name remote.org
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.63.63.201 255.255.255.224
!
!
ftp mode passive
dns server-group DefaultDNS
 domain-name remote.org
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.63.63.193 1
route outside 10.99.10.0 255.255.255.0 200.200.200.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.131
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 14400 interface inside
dhcpd domain remote.org interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.200.200.131 type ipsec-l2l
tunnel-group 200.200.200.131 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
: end



Pre-config looks good. Can you please share the config from both side after the changes and test.

Jennifer,

I have made the changes:

Full internet access from the remote network.

Not able to ping gateways from either side.

Show isa sa = There are no isa sas

Show ipsec sa = There are no ipsec sa

Here is the current config / changed from the "pre-config" I sent you.

hostname MAIN
!
access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
!
global (outside) 1 interface
!
nat (outside) 1 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 206.227.2.129 1
!
same-security-traffic permit intra-interface

hostname REMOTE
!
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
!
global (outside) 1 interface
!
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 63.199.70.193 1

I also ran all of the clear cry ipsec, isa, and xlate on both devices --- then as a last resort, power cycled to make absolutely sure the units were cleared. No changes.

john-

Doesn't sound right at all.

If the remote site has full internet connectivity and the VPN tunnel is down, that means it's going out to the internet as clear text and it's not even triggering the VPN tunnel, as both outputs of "sh cry isa sa" and "sh cry ipsec sa" are blank.

Do you mind posting the full config from both ASA after the changes, when it's not working, please.

Jennifer,

I'm logged in on the remote network right now, mailing this to you.

Attached are the running configs right now.

thanks,

-john

Great, thanks for that.

You are missing the NAT 0 with ACL; not sure why you removed them from both sides, as they were in the config originally.

Please kindly re-add the following:

Main Site:

access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Remote Site:

nat (inside) 0 access-list inside_nat0_outbound

Then "clear xlate" on both sides, and you should be able to bring the VPN tunnel back up.

Ok ----

Here are the present run-configs, after making ONLY the changes you instructed:

Cleared the ipsec, isa, xlate on both devices.

MAIN:

access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 1 192.168.1.0 255.255.255.0

REMOTE:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

We NOW have NO internet access from either inside network.

But - still no pinging to the gateways, from either side - so no VPN.

But a little step closer.....

john-

OK, please keep the existing configuration that you have, and add the following:

Main Site:

nat (inside) 1 10.99.10.1 255.255.255.0

Two more things missing from the config:


Main Site:

crypto map outside_map 1 match address outside_1_cryptomap

Remote Site:

crypto map outside_map 1 match address outside_1_cryptomap
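A small consistency check, added here as an example and not taken from the thread or from Cisco: it pulls the crypto map's "match address" ACL and the "nat (inside) 0" exemption ACL out of two ASA 8.x configs and reports the two defects the replies above point at (a missing NAT 0 exemption, a missing "match address" line) plus any interesting-traffic entry that has no mirror image on the peer. Function names and the trimmed sample configs are my own; the samples are constructed from the first working config posted in this thread.

```python
def _endpoint(t, i):
    # An ACL endpoint is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (text, next index).
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/255.255.255.255", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def parse_asa(config):
    """Pull out what a LAN-to-LAN tunnel depends on: the ip ACLs, the nat 0 ACL name, the crypto map ACL name."""
    d = {"acls": {}, "nat0": None, "map_acl": None}
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            d["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            d["nat0"] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            d["map_acl"] = t[6]
    return d

def check_l2l(a, b):
    """Compare two peers' parsed configs; an empty list means the tunnel definitions agree."""
    issues = []
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        mine = me["acls"].get(me["map_acl"], [])
        if not mine:
            issues.append(f"{tag}: crypto map has no 'match address' ACL, so nothing is interesting traffic")
        exempt = me["acls"].get(me["nat0"], [])
        for src, dst in mine:
            if (src, dst) not in exempt:
                issues.append(f"{tag}: {src} -> {dst} is encrypted but not NAT-exempted (nat 0)")
            if (dst, src) not in other["acls"].get(other["map_acl"], []):
                issues.append(f"{tag}: {src} -> {dst} has no mirror entry in the peer's crypto ACL")
    return issues

# Constructed sample configs, cut down to the lines the check reads (modeled on the first config in the thread).
SITE_A = """\
access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
# The remote side is the mirror image: swap the two networks in every ACL line.
SITE_B = SITE_A.replace("10.99.10.0 255.255.255.0 192.168.1.0", "192.168.1.0 255.255.255.0 10.99.10.0")

if __name__ == "__main__":
    print(check_l2l(parse_asa(SITE_A), parse_asa(SITE_B)) or "consistent")
```

Feed it the output of "show running-config" from each box; with the NAT 0 line or the "match address" line missing on one side it names that side and the flow it breaks.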

Ok-

These two items added, without issue.

Main Site:

crypto map outside_map 1 match address outside_1_cryptomap

Remote Site:

crypto map outside_map 1 match address outside_1_cryptomap

But error with this command:

*Main Site*:

nat (inside) 1 10.99.10.1 255.255.255.0

WARNING: IP address <10.99.10.1> and netmask <255.255.255.0> inconsistent

john-

Ooops, typo, should be:

nat (inside) 1 10.99.10.0 255.255.255.0

Jennifer,

W O W ------

That was easy !

The remote workstation has internet access, but ONLY through the tunnel now.

Disconnect the MAIN asa - and no connectivity on the remote workstations.

YOU DID IT ! ---- despite my help.....

Tomorrow I will add the tunneled route - and mess with the Untangle box.

Thank you for all your time and knowledge, learned a lot -- I will study the saved configurations.

I will close this 5 mile long post, as successful....

and I'll keep you posted on the Untangle issue ( just for your information).

Thank you again,

john-

Great news.

Happy to help and good to know it's working now.

Yeah, keep me posted on the Untangle server.