12-15-2010 05:21 PM
Hello everyone,
New ASA user and I'm stuck !
This should be a pretty stock install, but of course not….smile. I'm pretty sure I'm just lost with the "routing".
Two ASA 5505s, version 8.05 - configured for LAN to LAN IPsec VPN.
All traffic at site B needs to go through the tunnel, to site A resources.
MAIN SITE A:
outside: 200.200.200.131 / GW: 200.200.200.192
inside: 10.99.10.1
REMOTE SITE B:
outside: 63.63.63.201 / GW: 63.63.63.193
inside: 192.168.1.1
Connected to the inside of site B, I try a host at site A --- I get no connection (times out), BUT -- it does establish the VPN tunnel - and everything appears to check good (ipsec tunnel wise).
Thank you for your time and help,
john-
SITE A:
ASA Version 8.0(5)
!
hostname office
domain-name office.org
!
interface Vlan1
nameif inside
security-level 100
ip address 10.99.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.200.200.131 255.255.255.224
!
ftp mode passive
dns server-group DefaultDNS
domain-name office.org
access-list outside_1_cryptomap extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 200.200.200.129 1
route outside 192.168.1.0 255.255.255.0 63.63.63.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.99.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 63.63.63.201
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
dhcpd address 10.99.10.3-10.99.10.33 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 14400 interface inside
dhcpd domain office.org interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 63.63.63.201 type ipsec-l2l
tunnel-group 63.63.63.201 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
REMOTE SITE:
ASA Version 8.0(5)
!
hostname remote
domain-name remote.org
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.63.63.201 255.255.255.224
!
!
ftp mode passive
dns server-group DefaultDNS
domain-name remote.org
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.99.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.63.63.193 1
route outside 10.99.10.0 255.255.255.0 200.200.200.131 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.131
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd lease 14400 interface inside
dhcpd domain remote.org interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.200.200.131 type ipsec-l2l
tunnel-group 200.200.200.131 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
12-21-2010 12:05 AM
Pre-config looks good. Can you please share the config from both sides after the changes and test.
12-21-2010 02:27 PM
Jennifer,
I have made the changes:
Full internet access from the remote network.
Not able to ping gateways from either side.
Show isa sa = There are no isa sas
Show ipsec sa = There are no ipsec sa
Here is the current config / changed from the "pre-config" I sent you.
hostname MAIN
!
access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
!
global (outside) 1 interface
!
nat (outside) 1 192.168.1.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 206.227.2.129 1
!
same-security-traffic permit intra-interface
hostname REMOTE
!
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
!
global (outside) 1 interface
!
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 63.199.70.193 1
I also ran all of the clear cry ipsec, isa, and xlate on both devices --- then as a last resort, power cycled to make absolutely sure the units were cleared. No changes.
john-
12-21-2010 02:32 PM
Doesn't sound right at all.
If the remote site has full internet connectivity and the vpn tunnel is down, that means it's going out to the internet as clear text and it's not even triggering the vpn tunnel, as both outputs of "sh cry isa sa" and "sh cry ipsec sa" are blank.
Do you mind posting the full config from both ASA after the changes, when it's not working, please.
12-21-2010 02:52 PM
12-21-2010 02:58 PM
Great, thanks for that.
You are missing the NAT 0 with ACL, not sure why you removed them from both sides as they were in the config originally.
Please kindly re-add the following:
Main Site:
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Remote Site:
nat (inside) 0 access-list inside_nat0_outbound
Then "clear xlate" on both sides, and you should be able to bring the VPN tunnel back up.
12-21-2010 03:34 PM
Ok ----
Here are the present run-configs, after making ONLY the changes you instructed:
Cleared the ipsec, isa, xlate on both devices.
MAIN:
access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 1 192.168.1.0 255.255.255.0
REMOTE:
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
We NOW have NO internet access from either inside network.
But - still no pinging to the gateways, from either side - so no VPN.
But a little step closer.....
john-
12-21-2010 03:59 PM
OK, please keep the existing configuration that you have, and add the following:
Main Site:
nat (inside) 1 10.99.10.1 255.255.255.0
12-21-2010 04:06 PM
Two more things missing from the config:
Main Site:
crypto map outside_map 1 match address outside_1_cryptomap
Remote Site:
crypto map outside_map 1 match address outside_1_cryptomap
12-21-2010 04:40 PM
Ok-
These two items added, without issue.
Main Site:
crypto map outside_map 1 match address outside_1_cryptomap
Remote Site:
crypto map outside_map 1 match address outside_1_cryptomap
But error with this command:
*Main Site*:
nat (inside) 1 10.99.10.1 255.255.255.0
WARNING: IP address <10.99.10.1> and netmask <255.255.255.0> inconsistent
john-
12-21-2010 04:41 PM
Ooops, typo, should be:
nat (inside) 1 10.99.10.0 255.255.255.0
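The two faults Jennifer found in this round (a crypto map entry with a peer but no "match address", and a nat line whose address and mask are inconsistent) are the kind of thing a quick config lint catches before the tunnel is ever brought up. The script below is an added example, not Cisco's tooling or anything from the thread; the MAIN_CFG and REMOTE_CFG snippets are constructed to mirror the thread's post-change state, and lint_asa_l2l, _nets and mirror_ok are names chosen here.

```python
import ipaddress

# Constructed samples modelled on the thread: MAIN lacks "match address" and has the 10.99.10.1/24 typo.
MAIN_CFG = """
access-list outside_1_cryptomap extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.99.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.99.10.1 255.255.255.0
crypto map outside_map 1 set peer 63.63.63.201
"""
REMOTE_CFG = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 200.200.200.131
"""

def _nets(tokens):
    """ASA address tokens ('any' or 'addr mask') -> list of ip_network objects."""
    t = " ".join(tokens).replace("any", "0.0.0.0 0.0.0.0").split()
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in zip(t[::2], t[1::2])]

def lint_asa_l2l(cfg):
    """Return (findings, acls) for the NAT and crypto-map lines of one ASA 8.0 config."""
    acls, findings, peered, matched = {}, [], set(), set()
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append(tuple(_nets(t[5:])))
        elif t[0] == "nat" and t[3] == "access-list" and t[4] not in acls:
            findings.append(f"nat 0 references undefined ACL {t[4]}")
        elif t[0] == "nat" and t[3] != "access-list":
            try:  # strict network: host bits set is what triggers the ASA "inconsistent" warning
                ipaddress.ip_network(f"{t[3]}/{t[4]}")
            except ValueError:
                findings.append(f"{' '.join(t[:3])}: {t[3]} {t[4]} inconsistent")
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            peered.add((t[2], t[3]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            matched.add((t[2], t[3]))
            if t[6] not in acls:
                findings.append(f"crypto map {t[2]} {t[3]} matches undefined ACL {t[6]}")
    for name, seq in sorted(peered - matched):
        findings.append(f"crypto map {name} {seq} has a peer but no match address")
    return findings, acls

def mirror_ok(acl_a, acl_b):
    """True when site B's crypto ACL is the exact reverse of site A's, as the ASA expects."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}
```

Running lint_asa_l2l on each side and mirror_ok on the two outside_1_cryptomap ACLs reports the missing match address and the inconsistent nat mask on MAIN and confirms the crypto ACLs are mirror images.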
12-21-2010 05:12 PM
Jennifer,
W O W ------
That was easy !
The remote workstation has internet access, but ONLY through the tunnel now.
Disconnect the MAIN asa - and no connectivity on the remote workstations.
YOU DID IT ! ---- despite my help.....
Tomorrow I will add the tunneled route - and mess with the Untangle box.
Thank you for all your time and knowledge, learned a lot -- I will study the saved configurations.
I will close this 5 mile long post, as successful....
and I'll keep you posted on the Untangle issue ( just for your information).
Thank you again,
john-
12-21-2010 05:14 PM
Great news.
Happy to help and good to know it's working now.
Yeah, keep me posted on the Untangle server.