08-11-2013 12:38 PM
Site-to-Site tunnel not coming up between ASA 5520 and ASA 5505. Both have 8.0(5). Following is the config for HQ and Remote Site.
HQ
name 172.16.4.0 Homeless
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
!
boot system disk0:/asa805-k8.bin
object-group network Homeless_Network
network-object yy.yy.yy.yy 255.255.255.248
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
!
global (outside) 3 xx.xx.xx.xx
global (outside) 4 xx.xx.180.151
nat (inside) 5 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 yy.yy.yy.yy 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set vpn-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 3 match address outside_3_cryptomap
crypto map mymap 3 set pfs group5
crypto map mymap 3 set peer yy.yy.yy.yy
crypto map mymap 3 set transform-set ESP-AES-256-SHA
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group yy.yy.yy.yy type ipsec-l2l
tunnel-group yy.yy.yy.yy ipsec-attributes
pre-shared-key *
!
Remote SITE
interface Vlan2
nameif outside
security-level 0
ip address yy.yy.yy.yy 255.255.255.248
!
!
interface Vlan60
nameif inside
security-level 100
ip address 172.16.7.200 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 60
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 CityHall 255.0.0.0
access-list outside_1_cryptomap extended permit ip 172.16.4.0 255.255.252.0 10.0.0.0 255.0.0.0
access-group inbound in interface outside
access-group inside_nat0_outbound in interface inside
nat (inside) 0 access-list inside_nat0_outbound
08-11-2013 12:49 PM
Hi,
At HQ ASA at least the NAT0 configuration is wrong
You have configured this
nat (inside) 5 access-list inside_nat0_outbound
This isn't NAT0 however. It would be configured with ID 5 if you had a corresponding "global" command using ID 5 also. It would be a Dynamic Policy NAT/PAT.
The NAT0 configurations should use the ID 0
If an existing NAT0 "nat" statement/configuration already exists then you would use the existing ACL to define the traffic that doesn't need NAT
So your configuration should probably be this
nat (inside) 0 access-list inside_nat0_outbound
I can't see a difference in the actual L2L VPN configurations, though there are some configurations that are not visible that might affect connectivity, BUT the above mentioned NAT0 configuration is clearly a problem.
Hope this helps
Please remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
08-11-2013 01:00 PM
Thanks for the quick reply. I have the following and it is not working
global (outside) 3 xx.xx.xx.99
global (outside) 4 xx.xx.180.151
global (outside) 5 xx.xx.xx.1
nat (inside) 0 access-list nonat
nat (inside) 3 access-list Subnet_10_130
nat (inside) 4 access-list Pat_for_vpn
nat (inside) 5 access-list inside_nat0_outbound
08-11-2013 01:06 PM
Hi,
The HQ site's NAT0 configuration should be configured under the ACL called "nonat"
nat (inside) 0 access-list nonat
I am not sure what the purpose of the ID 5 "nat" and "global" rule is. NAT0 means that you don't want to do any NAT. In this case the rules with ID 5 are performing a Dynamic Policy PAT
So if the ID 5 NAT configuration is not needed, remove them and add the ACL rule to the existing "nonat" ACL
no nat (inside) 5 access-list inside_nat0_outbound
no access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 Homeless 255.255.252.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.4.0 255.255.252.0
- Jouni
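As an added example (not from this thread or from Cisco), a small Python audit that applies the two checks Jouni's diagnosis implies to the config fragments posted above: that a side's identity NAT ("nat (inside) 0") exempts exactly what its crypto ACL encrypts, and that the two crypto ACLs are mirror images of each other. The config strings are constructed from the posts; resolving the undefined CityHall object to 10.0.0.0 is an assumption.

```python
import ipaddress
import re

# Constructed input: the crypto-map, crypto-ACL and NAT lines quoted in the thread,
# trimmed to what the audit needs (CityHall, undefined in the post, assumed = 10.0.0.0).
HQ_CFG = """
name 172.16.4.0 Homeless
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.0.0.0 Homeless 255.255.252.0
nat (inside) 5 access-list inside_nat0_outbound
crypto map mymap 3 match address outside_3_cryptomap
"""
REMOTE_CFG = """
access-list inside_nat0_outbound extended permit ip 172.16.4.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list outside_1_cryptomap extended permit ip 172.16.4.0 255.255.252.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
CRYPTO_ACL = r"^crypto map \S+ \d+ match address (\S+)"   # ACL of the static crypto map
NAT0_ACL = r"^nat \(\S+\) 0 access-list (\S+)"            # ACL of the identity-NAT rule

def first(cfg, pattern):  # first capture of pattern, or None if the statement is absent
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse_acl(cfg, acl_name):
    """(src, dst) network pairs of one ACL, with 'name' objects resolved."""
    names = {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    pairs = []
    for acl, src, smask, dst, dmask in ACE.findall(cfg):
        if acl == acl_name:
            # strict=False mirrors the ASA, which takes 10.1.1.0 255.0.0.0 as 10.0.0.0/8
            pairs.append(tuple(ipaddress.ip_network(f"{names.get(a, a)}/{m}", strict=False)
                               for a, m in ((src, smask), (dst, dmask))))
    return pairs

def audit(local, remote):
    """Findings for one side: an identity-NAT rule must exist and exempt every crypto
    ACE, and each crypto ACE must appear src/dst-swapped in the peer's crypto ACL."""
    crypto = parse_acl(local, first(local, CRYPTO_ACL))
    nat0 = first(local, NAT0_ACL)
    if nat0 is None:
        findings = ["no 'nat (inside) 0' statement: VPN traffic will be NATed"]
    else:
        exempt = set(parse_acl(local, nat0))
        findings = [f"NAT0 ACL {nat0} does not exempt {s} -> {d}"
                    for s, d in crypto if (s, d) not in exempt]
    peer = set(parse_acl(remote, first(remote, CRYPTO_ACL)))
    findings += [f"crypto ACE {s} -> {d} has no mirror on the peer"
                 for s, d in crypto if (d, s) not in peer]
    return findings
```

Running audit(HQ_CFG, REMOTE_CFG) reports the missing NAT0 rule on the HQ side; changing the HQ "nat (inside) 5" to "nat (inside) 0", as suggested above, clears it.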
08-11-2013 01:00 PM
Also,
The HQ site's "inside" interface configuration seems a bit off as it's configured with a network address. I don't think the ASA would even accept that configuration.
Also personally I would be hesitant to use the complete 10.0.0.0/8 network in VPN and NAT configurations.
- Jouni
08-11-2013 01:06 PM
OK, I changed it to 10.1.1.0 255.255.255.0 and kept the access-list the same.
It is not working
08-11-2013 01:08 PM
Hi,
You can't use a network address as an interface IP address.
- Jouni
08-11-2013 01:31 PM
Sorry for the confusion. I have updated the interface with the correct IP address and it is not working.
08-11-2013 01:36 PM
Hi,
Where are you testing the connectivity from? I assume from a host behind either of the ASA firewalls?
What are you using to test the L2L VPN connection? Some TCP connection or PING / ICMP?
You could issue the following command on the ASA CLI. Issue the command TWICE because the first one almost always drops in the VPN phase. If the VPN negotiation doesn't go through then the second attempt will also drop in the VPN phase
HQ ASA
packet-tracer input inside icmp 10.1.1.100 8 0 172.16.4.100
Insert the above command TWICE and copy/paste the whole output of the second time you issue that command here.
Also after the test you can check this output right after the second "packet-tracer" command
show crypto isakmp sa
- Jouni
08-11-2013 01:53 PM
show crypto isakmp sa
There are no isakmp sas
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: Test
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-11-2013 01:57 PM
Hi,
The "packet-tracer" output lists an interface called "Test"
This was not mentioned in the original posts configuration at any point.
- Jouni
08-11-2013 03:20 PM
It is working now. I had the wrong crypto policy map on one side.
Thanks,
08-11-2013 08:11 PM
Do rate the above helpful posts if it's working.
Jawad