Site to Site VPN Home Lab

Hello Guys,

I can't seem to figure out the site-to-site VPN for my home lab and a friend's.

After running packet-tracer the first time it will fail, then after running it again it is successful. I try to ping a host on the remote network and am unsuccessful; he tries to ping a host on my network and he is unsuccessful.

 

Below is my config:

object network HOMe-2
subnet 192.168.2.0 255.255.255.0
object network REMOTE-JUSTIN
subnet 192.168.86.0 255.255.255.0
object network REMOTE-JUSTIN-2
subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object HOMe-2 object REMOTE-JUSTIN
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN net-to-net no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.2.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal VPN-to-Justn
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set peer 173.49.XXX.XXX
crypto map outside_map1 1 set ikev2 ipsec-proposal VPN-to-Justn
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha384
group 14
prf sha384
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.2.4 255.255.255.255 inside
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
username boots password ***** pbkdf2 privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-TO-JUSTIN type ipsec-l2l
tunnel-group VPN-TO-JUSTIN general-attributes
tunnel-group VPN-TO-JUSTIN ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect snmp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

Below is the packet-tracer output that fails:

packet-tracer input inside icmp 192.168.2.4 60 255 192.168.86.20 detailed

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.1.254 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN net-to-net no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.86.20/0 to 192.168.86.20/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN net-to-net no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.4/0 to 192.168.2.4/0
Forward Flow based lookup yields rule:
in id=0x7f864311cb80, priority=6, domain=nat, deny=false
hits=6, user_data=0x7f86449f5690, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.86.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8642f97890, priority=0, domain=nat-per-session, deny=true
hits=1484, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f864433c940, priority=0, domain=inspect-ip-options, deny=true
hits=766, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f864433c150, priority=66, domain=inspect-icmp-error, deny=false
hits=9, user_data=0x7f864433bde0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f864340d070, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x0, cs_id=0x7f8644bc8dc0, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.86.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055a94f39dee6 flow (need-ike)/snp_sp_action_cb:1575

Below is the packet-tracer output that succeeds:

packet-tracer input inside icmp 192.168.2.4 60 255 192.168.86.20 detailed

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.1.254 using egress ifc outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN net-to-net no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.86.20/0 to 192.168.86.20/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN net-to-net no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.4/0 to 192.168.2.4/0
Forward Flow based lookup yields rule:
in id=0x7f864311cb80, priority=6, domain=nat, deny=false
hits=5, user_data=0x7f86449f5690, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.86.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8642f97890, priority=0, domain=nat-per-session, deny=true
hits=1477, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f864433c940, priority=0, domain=inspect-ip-options, deny=true
hits=753, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f864433c150, priority=66, domain=inspect-icmp-error, deny=false
hits=8, user_data=0x7f864433bde0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

 

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f8644907f00, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x440e4, cs_id=0x7f8644bc8dc0, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.86.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN net-to-net no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f864435d270, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0x7f86449f22d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.86.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 552, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

So I can see that it establishes a connection on both, but I still can't ping a host on either network.

The configs are exactly the same; just the NATs are reversed on the other end.
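As an added example (not code from the thread or from Cisco), here is a small Python parser for ASA packet-tracer output that pulls out each phase's result and the Drop-reason line, so a trace like the two above can be classified automatically. The trace embedded in it is a constructed, shortened copy of the failing trace posted above; the phase numbers and the need-ike drop reason are taken from that post. The helper names (parse_phases, first_drop, diagnose) are my own.

```python
"""Parse Cisco ASA packet-tracer output and report where a flow is dropped.

Added example, not code from the thread or from Cisco.  The sample trace is a
constructed, shortened copy of the failing trace in the post above.
"""
import re

# Constructed sample: shortened copy of the failing trace from the post.
FAILING_TRACE = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.1.254 using egress ifc outside

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f864340d070, priority=70, domain=encrypt, deny=false

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055a94f39dee6 flow (need-ike)/snp_sp_action_cb:1575
"""

# One phase block: "Phase: N" / "Type: ..." / "Subtype: ..." (may be empty) / "Result: ..."
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (.*)\nSubtype: ?(.*)\nResult: (\w+)", re.M)
DROP_RE = re.compile(r"^Drop-reason: (.*)$", re.M)


def parse_phases(trace):
    """Return a list of (number, type, subtype, result) tuples in trace order."""
    return [(int(n), t.strip(), s.strip(), r) for n, t, s, r in PHASE_RE.findall(trace)]


def first_drop(trace):
    """Return (phase_number, phase_type, drop_reason) for the first DROP, or None."""
    for num, ptype, _sub, result in parse_phases(trace):
        if result == "DROP":
            m = DROP_RE.search(trace)
            return num, ptype, m.group(1) if m else ""
    return None


def diagnose(trace):
    """Turn the drop (if any) into a one-line pointer to what to look at next."""
    drop = first_drop(trace)
    if drop is None:
        return "allowed: the flow passed every phase"
    num, ptype, reason = drop
    if ptype == "VPN" and "need-ike" in reason:
        # The packet matched the crypto ACL but no IPsec SA existed yet, so the
        # ASA dropped it while triggering IKE.  This is not an interface ACL
        # deny; a second run after the child SA is up is expected to pass.
        return f"phase {num} ({ptype}): no IPsec SA yet, IKE negotiation triggered"
    if "acl-drop" in reason:
        return f"phase {num} ({ptype}): denied by an access rule ({reason})"
    return f"phase {num} ({ptype}): {reason}"
```

The point of diagnose is to separate a drop that only means "no SA yet, IKE was just kicked off" (the first run above) from a real deny by an access rule; the first case is exactly the fail-then-succeed behaviour the post describes, and the second run is the one whose phases are worth reading.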

8 Replies

balaji.bandi
Hall of Fame

If the end devices are Windows, check the Windows firewall before we get deep into the issue (as you mentioned, the tunnel is up for both Phase 1 and 2?).

 

Post the output below from both sides:

 

show crypto isakmp sa 

show crypto ipsec sa

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Here is site one; firewalls are turned off on both hosts.

 

Black-ASA(config)# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
138205335 192.168.1.240/500 173.49.XXX.XXX/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/42 sec
Child sa: local selector 192.168.2.0/0 - 192.168.2.255/65535
remote selector 192.168.86.0/0 - 192.168.86.255/65535
ESP spi in/out: 0x91c0a156/0x874709aa
Black-ASA(config)# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 192.168.1.240

access-list outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.86.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.86.0/255.255.255.0/0/0)
current_peer: 173.49.XXX.XXX


#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.240/500, remote crypto endpt.: 173.49.XXX.XXX/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 874709AA
current inbound spi : 91C0A156

inbound esp sas:
spi: 0x91C0A156 (2445320534)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (4008960/28715)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x874709AA (2269579690)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3962879/28715)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Black-ASA(config)#

Here is the 2nd Site

 

DIGITECH-ASA-5506-X(config)# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:15, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
257464849 192.168.1.253/500 98.114.XXX.XXX/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3235 sec
Child sa: local selector 192.168.86.0/0 - 192.168.86.255/65535
remote selector 192.168.2.0/0 - 192.168.2.255/65535
ESP spi in/out: 0x874709aa/0x91c0a156
DIGITECH-ASA-5506-X(config)# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 192.168.1.253

access-list outside_cryptomap extended permit ip 192.168.86.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.86.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 98.114.46.49


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.253/500, remote crypto endpt.: 98.114.XXX.XXX/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 91C0A156
current inbound spi : 874709AA

inbound esp sas:
spi: 0x874709AA (2269579690)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 15, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (4285440/25535)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x91C0A156 (2445320534)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 15, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (4331520/25535)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

DIGITECH-ASA-5506-X(config)#

Your S2S VPN configured Black ASA as initiator and Digitech ASA as responder. Is this your intention?

So Black ASA initiated the connection, but it does not see any decrypts from the other side:

#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Post the full configuration of both sides.

 

BB

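The encaps/decaps comparison in the reply above is easy to automate. As an added example (not code from the thread or from Cisco), the script below parses show crypto ipsec sa, reads the packet counters for each crypto-map entry and labels the SA as idle, one-way or two-way. The embedded output is a constructed, trimmed copy of the Black-ASA output posted above, with the peer address kept redacted as on the page; parse_ipsec_sa, classify and summarize are my own names.

```python
"""Flag one-way traffic in Cisco ASA 'show crypto ipsec sa' output.

Added example, not code from the thread or from Cisco.  The embedded output is
a constructed, trimmed copy of the Black-ASA output posted above.
"""
import re

# Constructed sample (trimmed from the post): encaps counted, decaps still zero.
SITE1_IPSEC_SA = """\
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 192.168.1.240

access-list outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.86.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.86.0/255.255.255.0/0/0)
current_peer: 173.49.XXX.XXX

#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")
FIELD_RES = {
    "peer": re.compile(r"current_peer: (\S+)"),
    "local": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
}


def parse_ipsec_sa(output):
    """Return one dict per crypto-map entry; each entry starts at 'Crypto map tag:'."""
    entries = []
    for chunk in re.split(r"^(?=Crypto map tag:)", output, flags=re.M):
        if not chunk.startswith("Crypto map tag:"):
            continue  # text before the first entry (the 'interface:' line)
        entry = {}
        for name, rx in FIELD_RES.items():
            m = rx.search(chunk)
            entry[name] = m.group(1) if m else None
        entry["counters"] = {k: int(v) for k, v in COUNTER_RE.findall(chunk)}
        entry["errors"] = {k: int(v) for k, v in ERROR_RE.findall(chunk)}
        entries.append(entry)
    return entries


def classify(entry):
    """One-line verdict on an SA from its encaps/decaps counters."""
    c = entry["counters"]
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: nothing sent or received over this SA"
    if enc > 0 and dec == 0:
        # We encrypt toward the peer but never see ESP coming back: either the
        # peer's own encaps are zero (it is not sending) or its ESP is lost on
        # the path, typically a NAT in between that cannot forward plain ESP.
        return "one-way: encaps > 0 but decaps == 0, compare with the peer's counters"
    if enc == 0 and dec > 0:
        return "one-way: receiving from the peer but sending nothing, check local routing and NAT exemption"
    return "two-way: traffic is flowing in both directions"


def summarize(output):
    """(peer, local selector, remote selector, verdict) for every entry in the output."""
    return [(e["peer"], e["local"], e["remote"], classify(e)) for e in parse_ipsec_sa(output)]
```

Run on both sides' output: an SA that is one-way on the initiator and idle (encaps 0) on the responder, as in the two outputs posted above, means the responder never even tried to send, while one-way on both ends points at the path between them.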

SITE 2 Config

 

DIGITECH-ASA-5506-X(config)# show run
: Saved

:
: Serial Number: JAD210801MM
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1249 MHz, 1 CPU (4 cores)
:
ASA Version 9.15(1)1
!
hostname DIGITECH-ASA-5506-X
domain-name digitech.net
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.1.253 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.86.253 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif management
security-level 0
ip address 192.168.45.6 255.255.255.0
!
boot system disk0:/asa9-15-1-1-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name digitech.net
object network HOME-86
subnet 192.168.86.0 255.255.255.0
object network REMOTE-AZIM
subnet 192.168.2.0 255.255.255.0
object network REMOTE-AZIM-2
subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip object HOME-86 object REMOTE-AZIM
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-openjre-7151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static HOME-86 HOME-86 destination static REMOTE-AZIM REMOTE-AZIM net-to-net no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.86.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal VPN-TO-AZIM
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 98.114.XXX.XXX
crypto map outside_map1 1 set ikev1 phase1-mode aggressive
crypto map outside_map1 1 set ikev2 ipsec-proposal VPN-TO-AZIM
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha384
group 14
prf sha384
lifetime seconds 86400
crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh 192.168.86.20 255.255.255.255 inside
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username Manager password ***** encrypted privilege 15
username digital530 password ***** encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-TO-AZIM type ipsec-l2l
tunnel-group VPN-TO-AZIM general-attributes
tunnel-group VPN-TO-AZIM ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect snmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:62e470181db4e452daadc19ee575c9dc
: end
DIGITECH-ASA-5506-X(config)#

Site 1 Config

 

Black-ASA(config)# Show run
: Saved

:
: Serial Number: JAD21260AWL
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.15(1)1
!
hostname Black-ASA
domain-name Black.com
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.240 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 192.168.1.240 255.255.255.0
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa9-15-1-1-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.254
domain-name Black.com
object network HOMe-2
subnet 192.168.2.0 255.255.255.0
object network REMOTE-JUSTIN
subnet 192.168.86.0 255.255.255.0
object network REMOTE-JUSTIN-2
subnet 192.168.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object HOMe-2 object REMOTE-JUSTIN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-openjre-7151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static HOMe-2 HOMe-2 destination static REMOTE-JUSTIN REMOTE-JUSTIN no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
route inside 192.168.3.0 255.255.255.248 192.168.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.2.4 255.255.255.255 inside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal VPN-to-Justn
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set peer 173.49.XXX.XXX
crypto map outside_map1 1 set ikev2 ipsec-proposal VPN-to-Justn
crypto map outside_map1 1 set ikev2 pre-shared-key *****
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
crypto ca trustpoint Black-Trust
enrollment self
subject-name CN=Black-ASA
keypair Black-Key-3
no ca-check
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain Black-Trust
certificate 55f71860
30820551 30820339 a0030201 02020455 f7186030 0d06092a 864886f7 0d01010b
05003038 31123010 06035504 03130942 6c61636b 2d415341 31223020 06092a86
4886f70d 01090216 13426c61 636b2d41 53412e42 6c61636b 2e636f6d 301e170d
32313032 30323037 30383137 5a170d33 31303133 31303730 3831375a 30383112
30100603 55040313 09426c61 636b2d41 53413122 30200609 2a864886 f70d0109
02161342 6c61636b 2d415341 2e426c61 636b2e63 6f6d3082 0222300d 06092a86
4886f70d 01010105 00038202 0f003082 020a0282 020100b4 6f7c2729 26a53092
d54ee219 fe457fbd 99dcb31b 350fa1b2 7d04a827 d91d89e5 7d6f55dd 3e54beab
87f3dd25 ce97525b da0e57d8 a4439dda 82899077 d42cb69d ba27faa1 3dd3d404
bc6814fe 011a48e2 28672955 c7275385 42064f8a 8be1de92 314538e1 2c4c653f
5429777f 80592a84 238b54ed c96dcc1f 6878a0c4 9e851163 97dc3d46 0577cc74
b6ba0e37 3a91a8d8 7896be59 35a55126 673d8b52 2c958ed0 996db1f7 57453dbb
a9b094be 29f7b1fc 95b02690 3feb39f3 ec8fea77 49333f26 0cddd148 6cfe9035
85513366 4d0a5355 8b3e939d 9ad60b79 4ac191f6 fa8c814b b0d6c90a 2226b048
454448c0 0c8ea3d7 f28a5b5f 0337f768 3ef009d4 1ebf3a1f 538a9c09 7a33aea3
13a17988 226aa6ae 294cedac e57f9694 759ddbaa e977bcda 44562918 e6c2742e
710f673c f22e677a 1a6a6fd6 5ee82327 a097d092 316c892c 052053d4 2583fc70
f63c4fce ba7e1979 1a3a95c7 0c3839b8 a1009889 f03941c5 456593c6 b6bc5b8e
0f72c5b1 146fed70 accbb31d e8005620 032f3490 d50cdb4b bcc3cd63 6569b1b5
6153f22c a60cb2e4 e9e3a046 3bd13ba0 5125e601 c1e42df3 152490f7 bf246e80
4fedfab8 693870bd 6f2f2ffc 94817cad 0fec8adf b0519dca 8321363b 0000b978
e2302890 b564c0bd ca579a24 b31f9042 476d405e bcf6478f f3d7d1d6 d90847e0
9e8c7af2 5a12d393 2151dca0 e1ee7937 2285f872 92109902 03010001 a3633061
300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201
86301f06 03551d23 04183016 8014839d 6bd0b005 166dbe1e 45e79e26 dd53e04a
10eb301d 0603551d 0e041604 14839d6b d0b00516 6dbe1e45 e79e26dd 53e04a10
eb300d06 092a8648 86f70d01 010b0500 03820201 0097cb4c dc29c119 e7aa6f2f
a4460756 101d797c ff58c01d 54ff0984 90b7031e 1648361d 48743678 fcfd8180
5cbcd00d 09fd5918 40a7371e 32bf1e89 1ae8dfe3 fb79601f ade8d29b 3bddf3ba
82addd7f dd8ea8cc f87fef55 1a1656a7 bc8ee27e faecc5f7 81be74e3 ae287aec
570f093f 08a60ec5 e017916e 771d1a99 e34a24c6 94551187 1c9b2bee 21a56273
9e3b8f1b 8fff547f 386b5c3c 50a53709 26a422d9 49656093 ba579c10 8ab100a4
b0bc3b44 84589d36 3569fe83 8838d343 d434a32d ec78db17 5d4e151b 52a7f98b
89ecf0a2 26da1a91 2955ae3a e926d5b6 ea42ede5 7c9aa61f 0190a611 fb6bbc08
6eb3b8af ef8b01db fed22624 99c2ac74 97abbd04 2c6c1679 40b837b1 def5ab74
79b74085 517a87e4 bb1e1020 edb5f9fc f0d319bd 9f6eea36 2ed72f23 dd6d0a27
eef277ae 9e72fed7 b32c6f89 141911ad 5a1a864d 02590d9e 134d5fe9 36686418
bb9c47ea ae694e5e 19c77cfd a38d7949 a5e698d7 7c8711b8 8a1ee1ba 82fc308f
40d3c582 e454bf13 cc966e97 48299ca6 b29eba04 58782098 46f749ac 375b4469
d5b0f46f 33b71ac0 83fc7d47 b313bbe8 942f784f f3c47517 617f0c6b e3ad07e5
933857ff 3b90de4a 86cdff60 6c815138 d953d77d c3259e6e cd89f5ea 3bc3063b
637ecf29 8d981cce 351cdae3 5117d93f 5f394a40 0d8c4d67 2def7666 b8acbf8a
c17f7e56 bf700596 4a4f555e fb961975 68331676 33
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha384
group 14
prf sha384
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.2.4 255.255.255.255 inside
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 216.239.35.4 source outside prefer
ssl trust-point Black-Trust
ssl trust-point Black-Trust inside
ssl trust-point Black-Trust outside
ssl trust-point Black-Trust inside vpnlb-ip
ssl trust-point Black-Trust outside vpnlb-ip
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy GP-Justin internal
group-policy GP-Justin attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username boots password ***** pbkdf2 privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN-TO-JUSTIN type ipsec-l2l
tunnel-group VPN-TO-JUSTIN general-attributes
default-group-policy GP-Justin
tunnel-group VPN-TO-JUSTIN ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect snmp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e22bb359c28d54e6a4bca854462430d1
: end
Black-ASA(config)#

The traffic is only initiated from my end when I run packet-tracer; other than that it does not try to establish on its own.
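With both full configs on the page, the consistency checks a site-to-site review usually starts with can be scripted. As an added example (not code from the thread or from Cisco), the script below reads both configs and checks that the crypto ACLs are mirror images of each other, that the IPsec proposals the crypto maps select agree on cipher and integrity, and whether set nat-t-disable is configured on a unit whose outside interface carries an RFC1918 address (both ASAs above have 192.168.1.x outside addresses behind home routers, and the Site 1 config includes set nat-t-disable). The two config fragments are constructed, trimmed copies of the Site 1 and Site 2 configs posted above, keeping only the lines the checks read; parse_asa and cross_check are my own names.

```python
"""Cross-check two Cisco ASA configs for an IKEv2 site-to-site tunnel.

Added example, not code from the thread or from Cisco.  The fragments below are
constructed, trimmed copies of the Site 1 / Site 2 configs posted above.
"""
import ipaddress
import re

SITE1 = """\
interface GigabitEthernet1/8
 nameif outside
 ip address 192.168.1.240 255.255.255.0
object network HOMe-2
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-JUSTIN
 subnet 192.168.86.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object HOMe-2 object REMOTE-JUSTIN
crypto ipsec ikev2 ipsec-proposal VPN-to-Justn
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set ikev2 ipsec-proposal VPN-to-Justn
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 interface outside
"""

SITE2 = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 192.168.1.253 255.255.255.0
object network HOME-86
 subnet 192.168.86.0 255.255.255.0
object network REMOTE-AZIM
 subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object HOME-86 object REMOTE-AZIM
crypto ipsec ikev2 ipsec-proposal VPN-TO-AZIM
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set ikev2 ipsec-proposal VPN-TO-AZIM
crypto map outside_map1 interface outside
"""


def parse_asa(cfg):
    """Pull out the interface, object, ACL, proposal and crypto-map pieces the checks use."""
    objects, proposals, acls, cmap, ifaces = {}, {}, {}, {}, {}
    ctx = None  # (kind, name) of the block an indented line belongs to
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            ctx = ("object", m.group(1))
        elif m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line):
            ctx = ("proposal", m.group(1))
            proposals[m.group(1)] = {}
        elif m := re.match(r"interface (\S+)$", line):
            ctx = ("iface", m.group(1))
            ifaces[m.group(1)] = {}
        elif ctx and ctx[0] == "object" and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[ctx[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif ctx and ctx[0] == "proposal" and (m := re.match(r"protocol esp (encryption|integrity) (.+)$", line)):
            proposals[ctx[1]][m.group(1)] = m.group(2)
        elif ctx and ctx[0] == "iface" and (m := re.match(r"(nameif|ip address) (.+)$", line)):
            ifaces[ctx[1]][m.group(1)] = m.group(2)
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set ikev2 ipsec-proposal|set nat-t-disable) ?(\S+)?$", line):
            cmap.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4) or True
    outside = next((v for v in ifaces.values() if v.get("nameif") == "outside"), {})
    entry = next(iter(cmap.values()), {})  # first crypto-map entry is the tunnel of interest
    local_obj, remote_obj = acls.get(entry.get("match address"), (None, None))
    return {
        "outside_ip": ipaddress.ip_address(outside["ip address"].split()[0]) if "ip address" in outside else None,
        "local": objects.get(local_obj),
        "remote": objects.get(remote_obj),
        "proposal": proposals.get(entry.get("set ikev2 ipsec-proposal"), {}),
        "nat_t_disabled": bool(entry.get("set nat-t-disable")),
    }


def cross_check(cfg_a, cfg_b):
    """Return a list of findings; an empty list means all three checks passed."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    findings = []
    # 1. Each side's crypto ACL must be the mirror image of the other's.
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append(f"crypto ACLs are not mirror images: {a['local']}->{a['remote']} vs {b['local']}->{b['remote']}")
    # 2. The proposal each crypto map selects must agree on cipher and integrity.
    if a["proposal"] != b["proposal"]:
        findings.append(f"IPsec proposals differ: {a['proposal']} vs {b['proposal']}")
    # 3. A private outside address normally means a NAT device in front of the ASA.
    #    Plain ESP has no port numbers for that NAT to map, so with NAT-T disabled the
    #    peer's ESP replies have nowhere to go even though IKE itself still negotiates.
    for name, side in (("A", a), ("B", b)):
        if side["nat_t_disabled"] and side["outside_ip"] and side["outside_ip"].is_private:
            findings.append(f"site {name}: nat-t-disable set while outside address {side['outside_ip']} is private (behind NAT)")
    return findings
```

On the trimmed copies of both configs the ACL and proposal checks pass and the only finding is the NAT-T one on Site 1. That matches the counter pattern in the earlier reply (encaps incrementing, decaps at zero) but it is a check to run, not a verdict: whether the peer's ESP is actually being dropped by the router in front of the ASA is something show crypto ipsec sa on both ends after re-enabling NAT-T would confirm.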

Anyone?