Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1314
Views
0
Helpful
7
Replies

Setup two separate IPSec VPNS on ASA 5505

Go to solution
ematelyan
Level 1
Level 1

‎05-13-2013 08:18 AM - edited ‎02-21-2020 06:53 PM

Hello,

I'm having trouble setting up a second IPSec VPN tunnel on my Cisco ASA 5505 to another office.  I was able to setup the first one with no problem through the ASDM, but have not been able to get the second one up. 

The IPSec tunnel is connecting to a WRVS4400N router at the other office.  I tried debugging crypto isakmp, and crypto ipsec, but I'm getting nothing.  Below is the config.  Does something look wrong on my end?   I also attached a screenshot of the parameters setup on the remote router.

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname WayneASA

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.91.18.205 255.255.255.252
!
interface Vlan5
shutdown
no nameif
security-level 50
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
domain-name 3gtms.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0

pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.10.1-192.168.10.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address outside_2_cryptomap
crypto map IPSec_map 2 set pfs group1
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set VPNTransformSet
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229

crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteTunnel_splitTunnelAcl_1
default-domain value 3gtms.com
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
username lestofts password URsSXKLozQMSeCBk encrypted privilege 5
username lestofts attributes
service-type remote-access
username algobel password lBWy5eNbHMCDPzuL encrypted
username algobel attributes
service-type remote-access
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
address-pool VPNPool
default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
pre-shared-key *****
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
pre-shared-key *****
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
  inspect pptp
  inspect sip 
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a86adc4b23977672679b6fb72d0bc187
: end

Labels:
Preview file
204 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-13-2013 08:45 AM

You are also missing the NAT0 rule

access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

- Jouni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎05-13-2013 08:29 AM

Hi,

Could you start by changing the WRVS4400N local subnet address from 192.168.5.1 to 192.168.5.0

And then trying again.

For the most part the configurations seem fine, though the mixed Phase1 and Phase2 parameters seem pretty wierd and also the lifetime values seem strange.

Also remove this from the ASA

no crypto map IPSec_map 2 set pfs group1

You dont have PFS enabled on the WRVS4400N device

Hope this helps

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-13-2013 08:31 AM

Actually,

The WRVS4400 configured remote peer IP address DOESNT match this ASAs "outside" IP address either?

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-13-2013 08:32 AM

Nor does the remote LAN on the WRVS4400N match the LAN network on the ASA?

Or am I missing/missunderstanding something completely?

- Jouni

0 Helpful

Go to solution
ematelyan
Level 1
Level 1
In response to Jouni Forss

‎05-13-2013 08:39 AM

Whoops!  Sorry, that was the wrong ASA.  This is the correct one.  I fixed the 192.168.5.1 to 192.168.5.0

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname SheltonASA

name 192.168.1.0 Wayne-Network
name 50.199.234.229 Shelton-Firewall
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Shelton-Firewall 255.255.255.252
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit ip any any
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.11.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 Wayne-Network 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.11.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.2.0 255.255.255.0
access-list IPSec_Access extended permit ip 192.168.2.0 255.255.255.0 Wayne-Network 255.255.255.0
access-list RemoteTunnel_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any host Shelton-Firewall eq 5065

access-list Raleigh_IPSec extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.11.1-192.168.11.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.199.234.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynamicMap 1 set pfs group1
crypto dynamic-map DynamicMap 1 set transform-set VPNTransformSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMap 1 ipsec-isakmp dynamic DynamicMap
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 70.91.18.205
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address Raleigh_IPSec
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set ESP-DES-MD5
crypto map IPSec_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.199 inside
dhcpd dns 75.75.75.75 75.75.76.76 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteTunnel internal
group-policy RemoteTunnel attributes
dns-server value 75.75.75.75 75.75.76.76
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteTunnel_splitTunnelAcl
username eric password 0vcSd5J/TLsFy7nU encrypted
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 70.91.18.205 type ipsec-l2l
tunnel-group 70.91.18.205 ipsec-attributes
pre-shared-key *****
tunnel-group RemoteTunnel type remote-access
tunnel-group RemoteTunnel general-attributes
address-pool VPNPool
default-group-policy RemoteTunnel
tunnel-group RemoteTunnel ipsec-attributes
pre-shared-key *****
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5246b3eb475b26e0e483a987dd62285f
: end

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to ematelyan

‎05-13-2013 08:44 AM

Hi,

Atleast this

crypto map IPSec_map 2 set transform-set ESP-DES-MD5

Needs to be this

crypto map IPSec_map 2 set transform-set ESP-3DES-MD5

- Jouni

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-13-2013 08:45 AM

You are also missing the NAT0 rule

access-list inside_nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

- Jouni

0 Helpful

Go to solution
ematelyan
Level 1
Level 1
In response to Jouni Forss

‎05-13-2013 09:20 AM

You're a genius!  That did the trick.  Thanks for the quick reply!

0 Helpful
Customers Also Viewed These Support Documents