Site to Site 5505 and 5510

toddyboman
Level 1

I have been battling this problem for a while now........

I have made so many changes I am afraid I have things in my config I don't really need.....

But anyways here is how I am attempting to set up.....

  • Main office info...
    static ip 111.111.111.111
    ip of inside network devices 192.168.10.0-192.168.10.24
    ip of server 192.168.10.3
  • Remote office #2
    static ip 222.222.222.222
    ip of inside network devices 192.168.20.0-192.168.20.24
  • Remote office #3
    static ip 333.333.333.333
    ip of inside network devices 192.168.30.0-192.168.30.24

I think once I get one vpn established to one remote office added offices 3, 4, and 5 should/would be the same. Just a matter of changing/adding the different ip address per office.

I used the VPN wizard to try to set up vpn to office #2 and office #3.....then it wouldn't work so I found some cmd line stuff on cisco website so I tried that......It seemed to work a bit better but still missing something.......

Here is some info you may want to see......

ASA 5510 (main office)

Result of the command: "sh run nat"
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0

Result of the command: "sh run access-list"
access-list inside_mpc extended permit tcp any any inactive
access-list inside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 host 222.222.222.222
access-list inside_nat0_outbound_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 any
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip host 111.111.111.111 host 222.222.222.222
access-list 121_list extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 121_list extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Result of the command: "sh run crypto"
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 333.333.333.333
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 222.222.222.222
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map mcmap 1 match address 121_list
crypto map mcmap 1 set peer 222.222.222.222
crypto map mcmap 1 set transform-set FirstSet
crypto map mcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Result of the command: "sh run tunnel-group"
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
 pre-shared-key *
tunnel-group 333.333.333.333 type ipsec-l2l
tunnel-group 333.333.333.333 ipsec-attributes
 pre-shared-key *

ASA 5505 (Remote Office #2)

Result of the command: "sh run nat"
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Result of the command: "sh run access-list"
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 121_list extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 121_list extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Result of the command: "sh run crypto"
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 192.168.10.3
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map macmap 1 match address 121_list
crypto map macmap 1 set peer 111.111.111.111
crypto map macmap 1 set transform-set FirstSet
crypto map macmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Result of the command: "sh run tunnel-group"
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
 pre-shared-key *
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
 pre-shared-key *
    Thanks again for any and all help!!


    Hi,

    Some changes that you need to make:

    The ACL applied to the crypto map should specify the local LANs.
    So, you should not have a line like this:
    access-list outside_cryptomap_3 extended permit ip host 111.111.111.111 host 222.222.222.222
    Because with the above you're saying that you want traffic to be encrypted between those two IP addresses.
    You do want the tunnel established between those two addresses, but you want traffic encrypted between the LANs on both ends.

    Also, you have the same traffic defined for two different tunnels.
    access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_2 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

    You cannot have the remote 192.168.10.0/24 defined on two different tunnels since the ASA won't know which tunnel to use to reach 192.168.10.0/24

    I would suggest to adjust your ACLs and let us know if you have any questions.

    Hope it helps.

    Federico.
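The two checks Federico describes (a crypto-map ACL must select the LANs, not the tunnel endpoints themselves, and one traffic selector must not be bound to two tunnels) are easy to lose track of once a wizard has generated several crypto maps. Here is an added example, not code from the thread or from Cisco, that lints an ASA running-config excerpt for exactly those two mistakes. The sample configs are constructed from the 5510 and 5505 excerpts posted above; the `local_public_ip` parameter and all function names are my own.

```python
"""Lint Cisco ASA site-to-site crypto config for two common mistakes:
1. a crypto-map ACL that matches the tunnel endpoints (host peer IPs) instead of the LANs;
2. the same traffic selector bound to more than one crypto map entry (tunnel).
Added example; not the thread's or Cisco's code."""
import re
from collections import defaultdict

# Constructed from the thread's 5510 excerpt (only the crypto-relevant lines).
MAIN_OFFICE_5510 = """
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip host 111.111.111.111 host 222.222.222.222
access-list 121_list extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 333.333.333.333
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 222.222.222.222
crypto map mcmap 1 match address 121_list
crypto map mcmap 1 set peer 222.222.222.222
"""

# Constructed from the thread's 5505 excerpt.
REMOTE_OFFICE_5505 = """
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 121_list extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 192.168.10.3
crypto map macmap 1 match address 121_list
crypto map macmap 1 set peer 111.111.111.111
"""

# Only 'permit ip' ACEs matter for a crypto map; other ACE forms are skipped.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
                    r"(host\s+\S+|\S+\s+\S+|any)\s+(host\s+\S+|\S+\s+\S+|any)\s*$")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")
PEER_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+set peer\s+(\S+)$")

def canon(selector):
    """Normalise 'host A', 'A MASK' and 'any' to one comparable string."""
    parts = selector.split()
    if parts[0] == "any":
        return "any"
    if parts[0] == "host":
        return f"{parts[1]}/255.255.255.255"
    return f"{parts[0]}/{parts[1]}"

def parse(config):
    """Return (aces, maps): ACL name -> [(src, dst)], and (map, seq) -> {'acl', 'peer'}."""
    aces, maps = defaultdict(list), defaultdict(dict)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces[m.group(1)].append((canon(m.group(2)), canon(m.group(3))))
        elif m := MATCH_RE.match(line):
            maps[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
        elif m := PEER_RE.match(line):
            maps[(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
    return aces, maps

def lint(config, local_public_ip):
    """Return a list of human-readable findings (empty list means both checks pass)."""
    aces, maps = parse(config)
    endpoints = {e["peer"] for e in maps.values() if "peer" in e} | {local_public_ip}
    findings, owners = [], defaultdict(list)
    for (name, seq), entry in sorted(maps.items()):
        acl = entry.get("acl")
        if acl is None:
            continue
        for src, dst in aces.get(acl, []):
            # Check 1: a /32 selector that is really a tunnel endpoint, not a LAN.
            for side in (src, dst):
                addr = side.split("/")[0]
                if side.endswith("/255.255.255.255") and addr in endpoints:
                    findings.append(f"{name} {seq} ({acl}): selector {src} -> {dst} "
                                    f"matches tunnel endpoint {addr}, not a LAN")
                    break
            owners[(src, dst)].append(f"{name} {seq} (peer {entry.get('peer')})")
    # Check 2: identical selector on more than one crypto map entry.
    for (src, dst), users in owners.items():
        if len(users) > 1:
            findings.append(f"selector {src} -> {dst} bound to {len(users)} tunnels: "
                            + "; ".join(users))
    return findings

if __name__ == "__main__":
    for label, cfg, ip in (("5510", MAIN_OFFICE_5510, "111.111.111.111"),
                           ("5505", REMOTE_OFFICE_5505, "222.222.222.222")):
        print(label, lint(cfg, ip) or ["ok"])
```

Run against the 5510 excerpt it reports the `host 111.111.111.111 host 222.222.222.222` crypto ACL; against the 5505 excerpt it reports the 192.168.20.0/24 -> 192.168.10.0/24 selector bound to three crypto map entries. Note that simply rewriting the 5510's `outside_cryptomap_3` to the two LANs would then trip the second check, because `121_list` on `mcmap 1` already carries that selector toward the same peer, so the fix is to keep one entry per remote LAN pair.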

    Hi

    this one should help you :-

    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

    Thanks

    Kumar Mittal

    please rate the post

OK dumb question......but how can I delete or access the ACLs on the 5505.......I don't see the option to edit/delete them.

    I do on the 5510 but NOT on the 5505......

    The 5505 is ASA version 7.2(4) ASDM 5.2(4)

    kmittal - thanks for the link.

    Via CLI is the same for both ASAs.

Add the keyword "no" before the line you want to delete, then re-add it (edit).

    Via ASDM, you should have an Edit button for the ACL (and for each specific ACE).

    Federico.

Thanks Federico.

So I made the changes you suggested and used the link and document provided......

Trying the show crypto isakmp sa and show crypto ipsec sa I receive the following....

    Remote office.....5505


    Result of the command: "show crypto isakmp sa"

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 209.142.191.13
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE


    Result of the command: "show crypto ipsec sa"

    interface: outside
        Crypto map tag: macmap, seq num: 1, local addr: 222.222.222.222

          access-list 121_list permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          current_peer: 111.111.111.111

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 222.222.222.222, remote crypto endpt.: 111.111.111.111

          path mtu 1492, ipsec overhead 58, media mtu 1500
          current outbound spi: F0EBAD11

        inbound esp sas:
          spi: 0x9E243B60 (2653174624)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 12036, crypto-map: macmap
             sa timing: remaining key lifetime (kB/sec): (3825000/28554)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xF0EBAD11 (4041977105)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 12036, crypto-map: macmap
             sa timing: remaining key lifetime (kB/sec): (3825000/28554)
             IV size: 8 bytes
             replay detection support: Y

    Main office 5510

    Result of the command: "show crypto isakmp sa"

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 207.119.92.137
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE


    Result of the command: "show crypto ipsec sa"

    interface: outside
        Crypto map tag: mcmap, seq num: 1, local addr: 111.111.111.111

          access-list 121_list extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
          current_peer: 222.222.222.222

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 111.111.111.111, remote crypto endpt.: 222.222.222.222

          path mtu 1492, ipsec overhead 58, media mtu 1500
          current outbound spi: 9E243B60
          current inbound spi : F0EBAD11

        inbound esp sas:
          spi: 0xF0EBAD11 (4041977105)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 49602560, crypto-map: mcmap
             sa timing: remaining key lifetime (kB/sec): (4374000/28420)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x9E243B60 (2653174624)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 49602560, crypto-map: mcmap
             sa timing: remaining key lifetime (kB/sec): (4374000/28420)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Thanks again for the help!!!

    You can see that the tunnel is up now (phase 1) but there's no traffic flowing through the tunnel.

    In order to check what's going on you can include this test on both sides:
    Add the command management-access inside

PING from one ASA to the other: ping inside x.x.x.x (x.x.x.x is the inside IP of the peer ASA)

    After this, check the output of sh cry ips sa to check if packets are being encrypted/decrypted.

    Do the test on both directions.

    Federico.
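The test Federico describes boils down to reading the `#pkts encaps` / `#pkts decaps` counters per SA before and after the `ping inside` in each direction. As an added example (not from the thread or from Cisco), the script below parses `show crypto ipsec sa` output into one record per crypto-map stanza and classifies each SA as carrying no traffic, one-way traffic, or bidirectional traffic, which is the distinction that tells you whether to look at the local side (nothing encrypted), the remote side (nothing decrypted), or neither. The two first samples are trimmed from the 5505 output posted above; the third (one-way) sample is constructed to show the remaining branch; function names are my own.

```python
"""Classify per-SA traffic from Cisco ASA 'show crypto ipsec sa' output.
Added example; not the thread's or Cisco's code."""
import re

# Trimmed from the 5505 output in the thread, before the ping test (counters at zero).
BEFORE_PING_TEST = """
interface: outside
    Crypto map tag: macmap, seq num: 1, local addr: 222.222.222.222

      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 111.111.111.111

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Trimmed from the 5505 output after 'ping inside 192.168.10.1' (counters moving).
AFTER_PING_TEST = """
interface: outside
    Crypto map tag: macmap, seq num: 1, local addr: 222.222.222.222

      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 111.111.111.111

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
"""

# Constructed sample: the local side encrypts but nothing ever comes back.
ONE_WAY = """
interface: outside
    Crypto map tag: macmap, seq num: 1, local addr: 222.222.222.222

      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 111.111.111.111

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SA_HEADER_RE = re.compile(r"Crypto map tag:\s*(\S+),\s*seq num:\s*(\d+),\s*local addr:\s*(\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' stanza with selectors, peer and counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := SA_HEADER_RE.search(line):
            cur = {"map": m.group(1), "seq": int(m.group(2)),
                   "local_addr": m.group(3), "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is None:
            continue  # text before the first stanza (e.g. 'interface: outside')
        elif m := IDENT_RE.search(line):
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))
    return sas

def diagnose(sa):
    """Map the encaps/decaps pair to the troubleshooting branch it points at."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return "no traffic"                      # SA is up; nothing is hitting the crypto ACL
    if enc > 0 and dec == 0:
        return "one-way: encrypting, nothing decrypted"   # look at the remote side
    if enc == 0 and dec > 0:
        return "one-way: decrypting, nothing encrypted"   # look at the local side / NAT exemption
    return "bidirectional"

def report(text):
    """One summary line per SA, suitable for pasting into a ticket."""
    return [f"{sa['map']} {sa['seq']}: {sa.get('local', '?')} -> {sa.get('remote', '?')} "
            f"peer {sa.get('peer', '?')} encaps={sa['encaps']} decaps={sa['decaps']} "
            f"[{diagnose(sa)}]" for sa in parse_ipsec_sa(text)]

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_PING_TEST), ("after", AFTER_PING_TEST),
                          ("one-way", ONE_WAY)):
        print(label, *report(sample), sep="\n  ")
```

Repeat the capture on both ASAs, as Federico says: a healthy tunnel shows encaps and decaps rising on both ends after the ping in each direction, which is what the OP's later output from the 5505 and the 5510 shows.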

    5505 at remote office shows....

    Result of the command: "ping inside 192.168.10.1"

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 50/56/70 ms

    Result of the command: "show crypto ips sa"

    interface: outside
        Crypto map tag: macmap, seq num: 1, local addr: 222.222.222.222

          access-list 121_list permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          current_peer: 111.111.111.111

          #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
          #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 222.222.222.222, remote crypto endpt.: 111.111.111.111

          path mtu 1492, ipsec overhead 58, media mtu 1500
          current outbound spi: 6F2C3889

        inbound esp sas:
          spi: 0x33626D30 (862088496)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 12037, crypto-map: macmap
             sa timing: remaining key lifetime (kB/sec): (3824998/28609)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0x6F2C3889 (1865169033)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 12037, crypto-map: macmap
             sa timing: remaining key lifetime (kB/sec): (3824998/28609)
             IV size: 8 bytes
             replay detection support: Y

    5510 at my Main office shows...

    Result of the command: "ping inside 192.168.20.1"

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/46/50 ms

    Result of the command: "show crypto ips sa"

    interface: outside
        Crypto map tag: mcmap, seq num: 1, local addr: 111.111.111.111

          access-list 121_list extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
          current_peer: 222.222.222.222

          #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
          #pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 24, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 111.111.111.111, remote crypto endpt.: 222.222.222.222

          path mtu 1492, ipsec overhead 58, media mtu 1500
          current outbound spi: 33626D30
          current inbound spi : 6F2C3889

        inbound esp sas:
          spi: 0x6F2C3889 (1865169033)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 49606656, crypto-map: mcmap
             sa timing: remaining key lifetime (kB/sec): (4373997/28437)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x01FFFFFF
        outbound esp sas:
          spi: 0x33626D30 (862088496)
             transform: esp-3des esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 49606656, crypto-map: mcmap
             sa timing: remaining key lifetime (kB/sec): (4373997/28437)
             IV size: 8 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    So I think it is all set!

    NOW I just need to set up the remote office computers to connect to the server through this vpn connection

    Toddy,

    The output seems fine :-)

    If everything is working please consider rating the thread and mark it as answered.

    Otherwise please post if you need any extra help.

    Thanks!


    Federico.

    I will indeed mark this thread as answered!

    And THANK YOU for the help!!