Site-to-site, two ASAs

3moloz123
Level 1

Hi,

I ran the site-to-site wizard on two ASAs to let communication flow between two internal networks, one internal network behind each of them.

The wizard ran fine, but what caught my attention was that there was no possibility to tell ASA 2 that it is the connecting peer (and not the main / server peer). The guide states "At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the procedure you used to configure the local adaptive security appliance, starting with "Configure the Adaptive Security Appliance at the Local Site" section and finishing with "View VPN Attributes and Complete Wizard" section." - but I could not find such a setting.

I would expect one of them to initiate a connection to the other, and to see them in "monitoring". But on both ASAs, in the ASDM Monitoring tab, I see "site-to-site: 0" (while seeing some active remote access clients).

ASA 1 ("main office")

outside interface: wan

outside address: 100.100.0.14 255.255.255.252

inside interface: vlan580

inside address: 10.10.10.1 255.255.255.0

ASA 2

outside interface: outside

outside address: 200.200.105.126 255.255.255.252

inside interface: inside

inside address: 10.180.3.1 255.255.255.0

See chart for visualisation.

Here is what I think is the relevant config from the ASAs.

## ASA 1

```
access-list wan_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.180.3.0 255.255.255.0
access-list vlan581_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.180.3.0 255.255.255.0
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address wan_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.105.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface wan
crypto ca trustpoint ASDM_TrustPoint0
 fqdn asa01
 subject-name CN=asa01
 no client-types
 crl configure
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 200.200.105.126 type ipsec-l2l
tunnel-group 200.200.105.126 ipsec-attributes
 pre-shared-key ****
```

## ASA 2

```
access-list outside_1_cryptomap extended permit ip 10.180.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.180.3.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.0.14
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 100.100.0.14 type ipsec-l2l
tunnel-group 100.100.0.14 ipsec-attributes
 pre-shared-key *****
```

Accepted Solution

hobbe
Level 7

Basically it works like this:

The tunnel does not initiate until it receives some traffic destined to the other side.

Either end can set up the tunnel to the other ASA, so whichever of the peers receives a packet with a destination in the network behind the other peer will initiate the setup of the VPN tunnel.

When you do things in the ASDM it sometimes changes a bit, so in different versions of ASDM it might look a little different.

A peer = the other side of the VPN connection. You have 2 peers, one at each side of the tunnel.

So try to generate some traffic from your end to the other end and check for the tunnel again.

Good luck

HTH


Makes sense. The IP of ASA 2 was incorrect too; it's x.x.x.125 and not x.x.x.126.

When I try to reach something at 10.10.10.0/24 (behind ASA 1) from 10.180.3.0/24 (behind ASA 2), phase 2 completes.

At the client on 10.180.3.0 the connection times out, which leads me to believe there is either a blocking firewall rule or perhaps that 10.10.10.0/24 is NATed outbound on ASA 1.

On ASA 1, here are the NAT rules and the access-list for vlan580 / 10.10.10.0/24:

```
access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 100.100.8.0 255.255.255.0

global (wan) 1 interface
nat (vlan401) 0 access-list vlan411_nat0_outbound
nat (vlan401) 1 0.0.0.0 0.0.0.0
nat (vlan580) 0 access-list vlan580_nat0_outbound
nat (vlan580) 1 0.0.0.0 0.0.0.0
nat (vlan581) 0 access-list vlan581_nat0_outbound
```

Seems to me the remote network 10.180.3.0/24 should be in vlan580_nat0_outbound, is that correct?

How could I debug this further?
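Two points from this thread lend themselves to an offline config check: hobbe's note that only traffic matching the crypto-map ACL ("interesting traffic") brings the tunnel up, and the question above of whether the remote 10.180.3.0/24 network must also appear in the vlan580 nat 0 exemption ACL. The script below is an added example, not from the original post or from Cisco; it parses the pre-8.3 style ACL, crypto-map and nat 0 lines quoted in this thread (embedded as a constructed sample) and reports crypto-map ACEs that no NAT-exemption ACL covers.

```python
import ipaddress
import re

# Constructed sample: ASA 1's ACL, crypto-map and NAT lines as quoted in this thread
# (pre-8.3 "nat 0 access-list" syntax); the nat0 ACL omits the remote 10.180.3.0/24.
ASA1_CONFIG = """
access-list wan_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.180.3.0 255.255.255.0
access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 100.100.8.0 255.255.255.0
crypto map outside_map 1 match address wan_1_cryptomap
nat (vlan580) 0 access-list vlan580_nat0_outbound
nat (vlan580) 1 0.0.0.0 0.0.0.0
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MATCH_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")

def parse(config):
    """Return ({acl_name: [(src_net, dst_net)]}, [crypto ACL names], {iface: nat0 ACL})."""
    acls, crypto_acls, nat0 = {}, [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
    return acls, crypto_acls, nat0

def covered(aces, src_net, dst_net):
    """True if some ACE contains both the source and the destination network."""
    return any(src_net.subnet_of(s) and dst_net.subnet_of(d) for s, d in aces)

def is_interesting(config, src_ip, dst_ip):
    """Does a packet src->dst match a crypto-map ACL? Only such traffic brings the tunnel up."""
    acls, crypto_acls, _ = parse(config)
    pkt = (ipaddress.ip_network(src_ip), ipaddress.ip_network(dst_ip))
    return any(covered(acls.get(n, []), *pkt) for n in crypto_acls)

def missing_nat_exemptions(config):
    """Crypto-map ACEs that no 'nat 0' ACL exempts: such flows are translated by the
    'nat ... 1' / 'global' rules first and then no longer match the crypto ACL."""
    acls, crypto_acls, nat0 = parse(config)
    exempt = [ace for name in nat0.values() for ace in acls.get(name, [])]
    return [(n, str(s), str(d)) for n in crypto_acls
            for s, d in acls.get(n, []) if not covered(exempt, s, d)]
```

Run against the sample, `missing_nat_exemptions` flags 10.10.10.0/24 -> 10.180.3.0/24; appending a matching ACE to vlan580_nat0_outbound makes the list empty.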

Never mind, it works now.

Thanks a lot!

Great!

Thanks for the rating

/Hobbe