01-04-2011 06:16 AM
Hi,
I ran the site-to-site wizard on two ASAs to let communication flow between two internal networks, one internal behind each of them.
The wizard ran fine, but what caught my attention was that there was no possibility to tell ASA 2 that it is the connecting peer (and not the main / server peer). The guide states "At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the procedure you used to configure the local adaptive security appliance, starting with "Configure the Adaptive Security Appliance at the Local Site" section and finishing with "View VPN Attributes and Complete Wizard" section." - but I could not find such a setting.
I would expect one of them to initiate a connection to the other, and to see them in "Monitoring". But on both ASAs, in the ASDM Monitoring tab I see "site-to-site: 0" (while seeing some active remote access clients).
ASA 1 ("main office")
outside interface: wan
outside address: 100.100.0.14 255.255.255.252
inside interface: vlan580
inside address: 10.10.10.1 255.255.255.0
ASA 2
outside interface: outside
outside address: 200.200.105.126 255.255.255.252
inside interface: inside
inside address: 10.180.3.1 255.255.255.0
See chart for visualisation.
Here is what I think is the relevant config from the ASAs.
## ASA 1
access-list wan_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.180.3.0 255.255.255.0
access-list vlan581_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.180.3.0 255.255.255.0
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address wan_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.105.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface wan
crypto ca trustpoint ASDM_TrustPoint0
fqdn asa01
subject-name CN=asa01
no client-types
crl configure
crypto isakmp enable wan
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 200.200.105.126 type ipsec-l2l
tunnel-group 200.200.105.126 ipsec-attributes
pre-shared-key ****
## ASA 2
access-list outside_1_cryptomap extended permit ip 10.180.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.180.3.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.0.14
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 100.100.0.14 type ipsec-l2l
tunnel-group 100.100.0.14 ipsec-attributes
pre-shared-key *****
01-04-2011 06:50 AM
Basically it works like this:
The tunnel does not initiate until it receives some traffic destined to the other side.
Either end can set up the tunnel to the other ASA, so whichever of the peers receives a packet with a destination in the network behind the other peer will initiate the setup of the VPN tunnel.
When you do things in the ASDM it sometimes changes a bit, so in different versions of ASDM it might look a little different.
A peer = the other side of the VPN connection. You have 2 peers, one at each side of the tunnel.
So try to generate some traffic from your end to the other end and check for the tunnel again.
good luck
HTH
01-04-2011 07:18 AM
Makes sense. The IP of ASA 2 was incorrect too, it's x.x.x.125 and not x.x.x.126.
When I try to reach something at 10.10.10.0/24 (behind ASA 1) from 10.180.3.0/24 (behind ASA 2), phase 2 completes.
At the client on 10.180.3.0 the connection times out, which leads me to believe there is either a blocking firewall rule or perhaps 10.10.10.0/24 is NATed outbound on ASA 1.
On ASA 1, here are the rules for NAT and access-list for vlan580 / 10.10.10.0/24:
access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 100.100.8.0 255.255.255.0
global (wan) 1 interface
nat (vlan401) 0 access-list vlan411_nat0_outbound
nat (vlan401) 1 0.0.0.0 0.0.0.0
nat (vlan580) 0 access-list vlan580_nat0_outbound
nat (vlan580) 1 0.0.0.0 0.0.0.0
nat (vlan581) 0 access-list vlan581_nat0_outbound
It seems to me the remote network 10.180.3.0/24 should be in vlan580_nat0_outbound, is that correct? How could I debug this further?
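A consistency check for the three things this thread turns on (the peer address, a matching ipsec-l2l tunnel-group, and the crypto ACL being mirrored by the other side and exempted from NAT locally), written as an added example and not part of any post. The sample configs are the thread's values trimmed to the statements the checker reads, with ASA 1's vlan581 exemption left out because 10.10.10.0/24 sits behind vlan580, and the corrected .125 address is taken from the follow-up post.

```python
import re

# Constructed sample: the thread's two configs reduced to the statements this checker reads.
ASA1 = """
access-list wan_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.180.3.0 255.255.255.0
access-list vlan580_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 100.100.8.0 255.255.255.0
crypto map outside_map 1 match address wan_1_cryptomap
crypto map outside_map 1 set peer 200.200.105.126
nat (vlan580) 0 access-list vlan580_nat0_outbound
tunnel-group 200.200.105.126 type ipsec-l2l
"""
ASA2 = """
access-list outside_1_cryptomap extended permit ip 10.180.3.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.180.3.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 100.100.0.14
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group 100.100.0.14 type ipsec-l2l
"""
ACE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse(cfg):
    """Collect the statements a site-to-site tunnel depends on; ACEs become ((src, mask), (dst, mask))."""
    info = {"acls": {}, "peer": None, "crypto_acl": None, "nat0": set(), "l2l": set()}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := ACE.match(line):
            info["acls"].setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            info["crypto_acl"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            info["peer"] = m[1]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            info["nat0"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            info["l2l"].add(m[1])
    return info

def check_pair(local_cfg, remote_cfg, remote_outside):
    # Findings for the local ASA, given the remote peer's real outside address (the config may get it wrong).
    a, b, findings = parse(local_cfg), parse(remote_cfg), []
    if a["peer"] != remote_outside:
        findings.append(f"peer {a['peer']} is not the remote outside address {remote_outside}")
    if a["peer"] not in a["l2l"]:
        findings.append(f"no 'tunnel-group {a['peer']} type ipsec-l2l' for the configured peer")
    mirrored = {(dst, src) for src, dst in b["acls"].get(b["crypto_acl"], [])}
    exempt = [e for name in a["nat0"] for e in a["acls"].get(name, [])]
    for src, dst in a["acls"].get(a["crypto_acl"], []):
        if (src, dst) not in mirrored:
            findings.append(f"crypto ACL flow {src[0]}->{dst[0]} is not mirrored on the remote peer")
        if (src, dst) not in exempt:  # would be NATed before it reaches the crypto map
            findings.append(f"crypto ACL flow {src[0]}->{dst[0]} is in no nat 0 access-list")
    return findings

# ASA 2 really sits at .125, so ASA 1's peer statement is flagged along with its missing NAT exemption.
FINDINGS = check_pair(ASA1, ASA2, "200.200.105.125") + check_pair(ASA2, ASA1, "100.100.0.14")
```

Run as-is, FINDINGS holds two entries for ASA 1 (wrong peer address, encrypted flow not NAT-exempted) and none for ASA 2, which is the state the thread describes just before the fix.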
01-04-2011 07:43 AM
Nevermind, it works now.
Thanks a lot!
01-05-2011 12:52 AM
Great!
Thanx for the rating
/Hobbe