05-20-2019 08:45 AM
Hello all,
I am having trouble getting a site-to-site IPSEC VPN to come up. I can't ping across, and I've reviewed my configuration multiple times and cannot see any obvious errors. Any help would be much appreciated.
ASA Version 8.4(5)
!
hostname SOUTH-ASA5505
domain-name DOMAIN.LOCAL
names
!
interface Ethernet0/0
 description WAN
 switchport access vlan 2
!
interface Ethernet0/1
 description LOCAL
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.98.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.0.0.0 255.255.255.252
!
boot system disk0:/asa845-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAIN.LOCAL
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network 192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network 192.168.99.0
 subnet 192.168.99.0 255.255.255.0
object network 192.168.98.0
 subnet 192.168.98.0 255.255.255.0
object-group network NETWORK-OFFICE
 network-object object 192.168.10.0
 network-object object 192.168.20.0
 network-object object 192.168.99.0
object-group network NETWORK-SOUTH
 network-object object 192.168.98.0
access-list inbound extended permit icmp any any
access-list L2L-VPN extended permit ip object-group NETWORK-SOUTH object-group NETWORK-OFFICE
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK-SOUTH NETWORK-SOUTH destination static NETWORK-OFFICE NETWORK-OFFICE no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.0 1
route inside 192.168.98.0 255.255.255.0 192.168.98.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.98.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 match address L2L-VPN
crypto map VPN-MAP 10 set peer 96.0.0.0
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
management-access inside
dhcpd dns 8.8.8.8
dhcpd lease 28800
dhcpd domain DOMAIN.LOCAL
dhcpd option 3 ip 192.168.98.1
!
dhcpd address 192.168.98.100-192.168.98.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_96.0.0.0 internal
group-policy GroupPolicy_96.0.0.0 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 96.0.0.0 type ipsec-l2l
tunnel-group 96.0.0.0 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
05-20-2019 09:06 AM
Ignore this post. I was stupid. Everything came up after I properly pinged across. I wasn't using "ping inside 192.168.98.1".
Thanks for the help anyway