site-to-site VPN issue

Jegatheeshwaran Subbiah
Cisco Employee

network setup:

inside network range (10.0.0.0/8)---(Ethernet 0/1)ASA #1(Ethernet 0/2)---192.168.5.0/24<---->(Ethernet 0/2)ASA #2(Ethernet 0/3)<---->inside network range (20.0.0.0/8)


ASA1 config:
============
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0

interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.5.1 255.255.255.0

route outside 20.0.0.0 255.0.0.0 192.168.5.2

Define Object Network (for local and remote):
=============================================

object network localnetwork
 subnet 10.0.0.0 255.0.0.0
object network remotenetwork
 subnet 20.0.0.0 255.0.0.0

Define access-list:
===================

access-list ASA1-Access-list extended permit ip object localnetwork object remotenetwork
access-list ASA1-Access-list extended permit icmp object localnetwork object remotenetwork

Define NAT:
===========
nat (inside,outside) source static localnetwork localnetwork destination static remotenetwork remotenetwork

Define ISAKMP POLICY:
=====================
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
isakmp identity address


Create the IPsec transform-set (encryption, hashing):
=====================================================
crypto ipsec ikev1 transform-set ASA1-transform-set esp-aes-256 esp-sha-hmac

Create a TUNNEL group:
======================
tunnel-group 192.168.5.2 type ipsec-l2l
tunnel-group 192.168.5.2 ipsec-attributes
 ikev1 pre-shared-key cisco123

 

Create a MAP and enable it:
===========================
crypto map ASA1VPN 1 match address ASA1-Access-list
crypto map ASA1VPN 1 set pfs
crypto map ASA1VPN 1 set peer 192.168.5.2
crypto map ASA1VPN 1 set ikev1 transform-set ASA1-transform-set
crypto map ASA1VPN 1 set security-association lifetime seconds 28800
crypto map ASA1VPN interface outside

================================================================================================================

ASA2 config:
============
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 20.0.0.1 255.0.0.0
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.5.2 255.255.255.0

 

route outside 10.0.0.0 255.0.0.0 192.168.5.1

 

Define Object Network (for local and remote):
=============================================

object network localnetwork
 subnet 20.0.0.0 255.0.0.0
object network remotenetwork
 subnet 10.0.0.0 255.0.0.0

Define access-list:
===================

access-list ASA2-Access-list extended permit ip object localnetwork object remotenetwork
access-list ASA2-Access-list extended permit icmp object localnetwork object remotenetwork


Define NAT:
==========
nat (inside,outside) source static localnetwork localnetwork destination static remotenetwork remotenetwork

Define ISAKMP POLICY:
=====================
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
isakmp identity address

 

Create the IPsec transform-set (encryption, hashing):
=====================================================
crypto ipsec ikev1 transform-set ASA2-transform-set esp-aes-256 esp-sha-hmac


Create a TUNNEL group:
======================
tunnel-group 192.168.5.1 type ipsec-l2l
tunnel-group 192.168.5.1 ipsec-attributes
 ikev1 pre-shared-key cisco123

 


Create a MAP and enable it:
===========================

crypto map ASA2VPN 1 match address ASA2-Access-list
crypto map ASA2VPN 1 set pfs
crypto map ASA2VPN 1 set peer 192.168.5.1
crypto map ASA2VPN 1 set ikev1 transform-set ASA2-transform-set
crypto map ASA2VPN 1 set security-association lifetime seconds 28800
crypto map ASA2VPN interface outside

 

Both ASAs are 5510s running ASA 9.0(1).

 

Issue:

1. sh crypto ipsec sa

There are no ipsec sas

 

2. ASA-5510-32# packet-tracer input inside icmp 10.0.0.1 8 0 20.0.0.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   20.0.0.0        255.0.0.0       outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

Please help me solve this issue.
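A consistency check for a pair of IKEv1 site-to-site configs like the two posted above, added here as an example; it is not part of the original post and not a Cisco tool. It builds constructed minimal config text in the shape of the ASA1/ASA2 snippets (constructed, not a full running config) and reports the mismatches that most often leave "show crypto ipsec sa" empty: peers that do not point at each other's outside address, different pre-shared keys, different transform-sets, and crypto ACLs that are not mirror images of each other.

```python
import re
def asa_config(name, outside, peer, local, remote, psk="cisco123", ts="esp-aes-256 esp-sha-hmac"):
    # Constructed minimal config in the shape of the posted ASA1/ASA2 snippets (not a full config).
    return f"""interface Ethernet0/2
 nameif outside
 ip address {outside} 255.255.255.0
object network localnetwork
 subnet {local}
object network remotenetwork
 subnet {remote}
access-list {name}-ACL extended permit ip object localnetwork object remotenetwork
crypto ipsec ikev1 transform-set {name}-ts {ts}
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key {psk}
crypto map {name}VPN 1 match address {name}-ACL
crypto map {name}VPN 1 set peer {peer}
crypto map {name}VPN 1 set ikev1 transform-set {name}-ts
"""
def parse_l2l(cfg):
    """Extract the facts a mirror check needs from one ASA config text."""
    objs = dict(re.findall(r"object network (\S+)\n subnet (\S+ \S+)", cfg))
    peer = re.search(r"set peer (\S+)", cfg).group(1)
    acl = re.search(r"permit ip object (\S+) object (\S+)", cfg)
    return {
        "outside": re.search(r"nameif outside\n ip address (\S+)", cfg).group(1),
        "peer": peer,
        "psk": re.search(rf"tunnel-group {re.escape(peer)} ipsec-attributes\n ikev1 pre-shared-key (\S+)", cfg).group(1),
        "transform": re.search(r"crypto ipsec ikev1 transform-set \S+ (.+)", cfg).group(1),
        "acl": (objs[acl.group(1)], objs[acl.group(2)]),  # (local, remote) as seen by this ASA
    }
def check_mirror(a, b):
    """Return the mismatches between two parsed peers; an empty list means they mirror."""
    issues = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        issues.append("set peer does not match the other side's outside address")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        issues.append(f"transform-sets differ: {a['transform']} vs {b['transform']}")
    if a["acl"] != b["acl"][::-1]:  # ASA2's (local, remote) must equal ASA1's (remote, local)
        issues.append(f"crypto ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    return issues

if __name__ == "__main__":
    asa1 = parse_l2l(asa_config("ASA1", "192.168.5.1", "192.168.5.2", "10.0.0.0 255.0.0.0", "20.0.0.0 255.0.0.0"))
    asa2 = parse_l2l(asa_config("ASA2", "192.168.5.2", "192.168.5.1", "20.0.0.0 255.0.0.0", "10.0.0.0 255.0.0.0"))
    print(check_mirror(asa1, asa2) or "configs mirror each other")
```

With the values posted in this thread the two sides mirror each other, so the check comes back clean; it cannot see what the packet-tracer drop is caused by, only whether the two peers disagree.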

 

2 Replies

Puneesh Chhabra
Cisco Employee

Do you have an ACL configured on the inside interface of ASA-1? Please send "show run access-group".

 

Regards,

Puneesh

Hi Puneesh,

Thanks for the response.

No access groups are created. Let me know if you need anything else. One more clarification: is the above configuration enough for a site-to-site VPN? Please confirm.