Site-to-site VPN setup on ASA 5505s

securisnetworks
Level 1

Hello,

I've been struggling to get a site-to-site VPN going as I am new to Cisco firewalls (but not firewalls in general).  Before going too deep in the config, can someone confirm whether it's possible to restore a backup config from one ASA to another ASA and simply modify some settings?  Or is a backup config unique to a device and that might mess up my site-to-site VPN config?

thanks in advance!

7 Replies

Nicolas Fournier
Cisco Employee

Hi David,

As long as both ASA are the same model, it should work.

This is confirmed in the configuration guide:

You can restore components, images, and configurations using backups made from the same ASA type. You must start with a basic configuration that allows ASDM access.

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/asdm64/configuration_guide/admin_swconfig.html#wp1301321

Just keep in mind that you might lose ASDM access after the restore, as it will change the IP address assigned to the firewall interfaces to the ones of the backed-up device.

Hope this helps.

Regards,

Nicolas

Thanks very much for validating that for me.  I have appended the exact Phase 1 error message I am getting below, as well as the two device configs.

The setup is quite simple: two ASA 5505s with the two outside interfaces connected to a switch.  I have tried with the ASDM VPN wizard, manually with the ASDM, and even with the Cisco Security Manager VPN wizard, and I get the same errors.  I left all the defaults at this point to simplify troubleshooting.

Is there anything obviously missing from the device configs?

thanks!

David

____

Error Msg

_______________

Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

%ASA-5-713257: Phase var1 failure: Mismatched attribute types for class var2: Rcv'd: var3 Cfg'd: var4

An adaptive security appliance has acted as the responder in a LAN-to-LAN connection. It indicates that the adaptive security appliance crypto configuration does not match the configuration of the initiator. The message specifies during which phase the mismatch occurred, and which attributes both the responder and the initiator had that were different.

• var1—The phase during which the mismatch occurred

• var2—The class to which the attributes that do not match belong

• var3—The attribute received from the initiator

• var4—The attribute configured

_______

Configs

_______

Result of the command: "show run"

: Saved

:

ASA Version 8.4(1)

!

hostname TCDERFW01

enable password * encrypted

passwd * encrypted

names

!

interface Vlan1

description LAN

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Vlan2

description WAN

nameif outside

security-level 0

ip address 69.x.x.179 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

no ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

object network obj_any

subnet 0.0.0.0 0.0.0.0

description D Server    

object network D-LAN

subnet 10.1.1.0 255.255.255.0

description D-LAN-Network   

object network OpenDNS1

host 208.67.222.222

description Open DNS Server 1   

object network OpenDNS2

host 208.67.220.220

description Open DNS Server 2   

object network M_LAN

subnet 10.0.0.0 255.255.255.0

description M Network   

object network A_69.x.x.177

object-group service Web_Browsing tcp

description Internet Browsing Protocols

port-object eq ftp

port-object eq www

port-object eq https

object-group network OpenDNS_Servers

network-object object OpenDNS1

network-object object OpenDNS2

access-list inside_access_in extended permit udp object D-LAN object-group OpenDNS_Servers eq domain

access-list inside_access_in extended permit tcp object D-LAN any object-group Web_Browsing

access-list outside_cryptomap extended permit ip object D-LAN object M_LAN

pager lines 24

logging enable

logging timestamp

logging asdm informational

logging flash-bufferwrap

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface inside

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo inside

icmp deny any outside

asdm image disk0:/asdm-641.bin

asdm history enable

arp timeout 14400

!

object network M_LAN

nat (any,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 69.x.x.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

aaa local authentication attempts max-fail 15

http server enable

http server idle-timeout 30

http 10.0.0.0 255.255.255.0 inside

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

auth-prompt prompt Identify and authenticate.

auth-prompt accept Go ahead.

auth-prompt reject Sorry, no.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal CSM_IP_1

protocol esp encryption 3des

protocol esp integrity sha-1

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 69.x.x.181

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES 3DES CSM_IP_1 AES256 AES192 DES

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=TCMTLFW01

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment self

subject-name CN=TCDERFW01

crl configure

crypto ca server

shutdown

cdp-url http://TCMTLFW01/+CSCOCA+/asa_ca.crl

issuer-name CN=TCMTLFW01

smtp from-address admin@TCMTLFW01.null

crypto ca certificate chain ASDM_TrustPoint1

certificate e2f7dc4d

    308201d3 3082013c a0030201 020204e2 f7dc4d30 0d06092a 864886f7 0d010105

    0500302e 31123010 06035504 03130954 43444552 46573031 31183016 06092a86

    4886f70d 01090216 09544344 45524657 3031301e 170d3131 30353235 31323537

    32365a17 0d323130 35323231 32353732 365a302e 31123010 06035504 03130954

    43444552 46573031 31183016 06092a86 4886f70d 01090216 09544344 45524657

    30313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b8

    8050bf7a 43ee4d78 3658ecce da611625 0e0e1798 29addd50 0229a206 2fc414fd

    4a4e72bb 8caa19a2 6d593ac5 99378ec0 3e00406c 6972f5e2 1ebf39ac f6b5580b

    150e0878 1c9ea6b9 5d302a86 cd1dc3c2 e5f862c4 fc11c2f1 dc62ece8 163d4b9d

    c4c444af 33e4c0a6 11f16903 0d34eaea 92976d46 c0306fb8 183c5775 4ecfad02

    03010001 300d0609 2a864886 f70d0101 05050003 81810081 ce558ff3 c1359282

    dbdaabf1 3d596687 d206e104 122be9d0 1b3e886f 1f9d3227 11bb9e8b b62a868b

    b141b062 523676c1 616e7870 99d96471 8a8534f2 1fd87c94 79d4e5be 1a3e9fa5

    d71a0e86 568df98c 1337d3bc 633720ed 68a57c21 9e411291 58ccd8ca c045c450

    d6c36934 c8e62d3a 9d192821 e1234c42 9df43022 fa94d3

  quit

crypto ikev2 policy 20

encryption aes

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 5

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 10.0.0.0 255.255.255.0 inside

ssh 10.1.1.0 255.255.255.0 inside

ssh timeout 15

ssh version 2

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.1.1.100-10.1.1.110 inside

dhcpd dns 208.67.222.222 208.67.220.220 interface inside

!

threat-detection basic-threat

threat-detection scanning-threat shun duration 60

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.5.41.41 source outside prefer

ntp server 192.5.41.40 source outside

ssl encryption aes128-sha1 aes256-sha1 3des-sha1

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

group-policy GroupPolicy_69.x.x.181 internal

group-policy GroupPolicy_69.x.x.181 attributes

vpn-tunnel-protocol ikev1 ikev2

username xx password * encrypted privilege 15

username yy password * encrypted privilege 15

username zz password * encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key "*****"

ikev2 local-authentication pre-shared-key "*****"

tunnel-group 69.x.x.181 type ipsec-l2l

tunnel-group 69.x.x.181 general-attributes

default-group-policy GroupPolicy_69.x.x.181

tunnel-group 69.x.x.181 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:7850d462ce9bb061d424988b0f2e9420

: end

Result of the command: "show run"

: Saved

:

ASA Version 8.4(1)

!

hostname TCMTLFW01

enable password * encrypted

passwd * encrypted

names

!

interface Vlan1

description LAN

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Vlan2

description WAN

nameif outside

security-level 0

ip address 69.x.x.181 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

no ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network TCDERPUM01

host 10.1.1.10

description D Server   

object network D-LAN

subnet 10.1.1.0 255.255.255.0

description D-LAN-Network  

object network OpenDNS1

host 208.67.222.222

description Open DNS Server 1  

object network OpenDNS2

host 208.67.220.220

description Open DNS Server 2  

object network M_LAN

subnet 10.0.0.0 255.255.255.0

description M Network  

object-group service Web_Browsing tcp

description Internet Browsing Protocols

port-object eq ftp

port-object eq www

port-object eq https

object-group network OpenDNS_Servers

network-object object OpenDNS1

network-object object OpenDNS2

access-list inside_access_in extended permit udp object M_LAN object-group OpenDNS_Servers eq domain

access-list inside_access_in extended permit tcp object M_LAN any object-group Web_Browsing

access-list outside_cryptomap extended permit ip object M_LAN object D-LAN

pager lines 24

logging enable

logging timestamp

logging asdm informational

logging flash-bufferwrap

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface inside

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo inside

icmp deny any outside

asdm image disk0:/asdm-641.bin

asdm history enable

arp timeout 14400

!

object network M_LAN

nat (any,outside) dynamic interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 69.165.219.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

aaa local authentication attempts max-fail 15

http server enable

http server idle-timeout 30

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

auth-prompt prompt Identify and authenticate.

auth-prompt accept Go ahead.

auth-prompt reject Sorry, no.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal CSM_IP_1

protocol esp encryption 3des

protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 69.x.x.179

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES 3DES CSM_IP_1 AES256 AES192 DES

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn none

subject-name CN=TCMTLFW01

crl configure

crypto ca server

shutdown

smtp from-address admin@TCMTLFW01.null

crypto ca certificate chain ASDM_TrustPoint0

certificate b743d94d

    308201d3 3082013c a0030201 020204b7 43d94d30 0d06092a 864886f7 0d010105

    0500302e 31123010 06035504 03130954 434d544c 46573031 31183016 06092a86

    4886f70d 01090216 0954434d 544c4657 3031301e 170d3131 30353233 30313434

    31395a17 0d323130 35323030 31343431 395a302e 31123010 06035504 03130954

    434d544c 46573031 31183016 06092a86 4886f70d 01090216 0954434d 544c4657

    30313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b5

    4c78227c 27e240d3 b2b0baf8 fc9e5238 318d88e7 0594fa10 f63f411e 54dbd000

    ee6c46c1 8498dcc2 75ea346b f81b325c 8ea05d63 7fa3773d 7baf82fa 41e8f031

    1a66338a 5b0203fa dc17056d 0e36b973 cdf1cd1f e9f05c99 a31164a2 8b5bb32c

    f77d09a8 5b2c476f b6a509b9 d2d9ec4c 1eecf6cb 61c587cd 13e52980 444dd502

    03010001 300d0609 2a864886 f70d0101 05050003 8181005e 8aac5aea c102a9e7

    3e5c54d6 1d1723d7 b1c6b402 6b6f3ab0 1fc28e62 6a1580bf fc2d9a55 6bc74cb1

    c9ed450f b66cb5ec 4ca640c4 d04d0616 6c0dce10 738490dd e5746ae0 044553a0

    75d9bfcd d8189605 96951545 ae37a99a 9aaa91a3 d5e513a7 254dc89b a67fdd16

    bc56ac16 781cde9a 98aff4ee 805fc710 c085bd1e 5404b0

  quit

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 5

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 115

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 10.0.0.0 255.255.255.0 inside

ssh timeout 15

ssh version 2

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.0.0.100-10.0.0.110 inside

dhcpd dns 208.67.222.222 208.67.220.220 interface inside

!

threat-detection basic-threat

threat-detection scanning-threat shun duration 60

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.5.41.41 source outside prefer

ntp server 192.5.41.40 source outside

ssl encryption aes128-sha1 aes256-sha1 3des-sha1

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy_69.x.x.179 internal

group-policy GroupPolicy_69.x.x.179 attributes

vpn-tunnel-protocol ikev1 ikev2

username xx password * encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group 69.x.x.179 type ipsec-l2l

tunnel-group 69.x.x.179 general-attributes

default-group-policy GroupPolicy_69.x.x.179

tunnel-group 69.x.x.179 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

!

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:5f72a5d4e186627cbe61c07ec8166d13

: end
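The %ASA-5-713257 message pasted above is worth being able to parse mechanically, and the question of whether the two ASAs' `crypto ikev1 policy` sets can agree is worth checking the same way. The following is an added example, not code from the thread or from Cisco: it extracts the phase, class, received and configured attributes from 713257 lines (tolerating the timestamp prefix that `logging timestamp` adds), parses the `crypto ikev1 policy` blocks out of a `show run` dump, and walks the responder's policies in priority order (lowest number first, the order the ASA uses) looking for one that matches an initiator's transforms. The trimmed responder config, the initiator transform sets and the log lines are constructed for the example; only the first log line is the one from the post. Lifetime is deliberately left out of the comparison, since the shorter of the two lifetimes is negotiated rather than required to be equal. Running it on the stale-device proposal shows how a mismatch gets reported once per non-matching policy, which is why the message can appear even when a later policy would match.

```python
"""Added example (not from the thread): parse %ASA-5-713257 mismatch lines and
check an initiator's IKEv1 transforms against a responder's ikev1 policies."""
import re

# Format of the message quoted in the post: Phase var1 / class var2 /
# Rcv'd var3 / Cfg'd var4.  search() tolerates a timestamp/hostname prefix.
MISMATCH_RE = re.compile(
    r"%ASA-\d-713257: Phase (?P<phase>\d) failure: Mismatched attribute types for "
    r"class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)

# Constructed sample syslog lines; the first carries the message from the post.
SAMPLE_SYSLOG = [
    "May 25 12:57:26 asa-hostname %ASA-5-713257: Phase 1 failure: Mismatched "
    "attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2",
    "May 25 12:57:27 asa-hostname %ASA-6-302013: Built inbound TCP connection "
    "(constructed, not a 713257 message)",
]

# Constructed, trimmed responder config in the same shape as the show run above.
RESPONDER_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
"""

# Constructed initiator transforms: the peer ASA's policy 5, and a stale
# device proposing AES with group 5 (no matching policy exists for it).
PEER_TRANSFORMS = [{"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "5"}]
STALE_TRANSFORMS = [{"authentication": "pre-share", "encryption": "aes", "hash": "sha", "group": "5"}]

ATTRS = ("authentication", "encryption", "hash", "group")


def parse_mismatch(line):
    """Return {phase, cls, rcvd, cfgd} for a 713257 line, or None for any other syslog."""
    m = MISMATCH_RE.search(line.strip())
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None


def parse_ikev1_policies(config_text):
    """Collect 'crypto ikev1 policy N' blocks from a show run dump, sorted by priority."""
    policies, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = {"priority": int(m.group(1))}
            policies.append(current)
            continue
        m = re.fullmatch(r"(authentication|encryption|hash|group|lifetime) (\S+)", line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
        elif line and not line.startswith("!"):
            current = None  # any other command ends the policy block
    return sorted(policies, key=lambda p: p["priority"])


def find_matching_policy(transforms, policies):
    """Walk the responder's policies lowest priority number first and return
    (matching policy or None, mismatches).  Each mismatch is
    (policy priority, transform index, [(attribute, received, configured), ...])."""
    mismatches = []
    for pol in sorted(policies, key=lambda p: p["priority"]):
        for idx, t in enumerate(transforms):
            diffs = [(a, t[a], pol.get(a, "?")) for a in ATTRS if t[a] != pol.get(a)]
            if not diffs:
                return pol, mismatches
            mismatches.append((pol["priority"], idx, diffs))
    return None, mismatches


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(parse_mismatch(line))
    pols = parse_ikev1_policies(RESPONDER_CONFIG)
    for name, transforms in (("peer ASA", PEER_TRANSFORMS), ("stale device", STALE_TRANSFORMS)):
        match, misses = find_matching_policy(transforms, pols)
        print(name, "->", "matched policy %d" % match["priority"] if match else "no match", misses)
```

Pointing `parse_ikev1_policies` at the two full dumps above and feeding each side's policies to `find_matching_policy` as the other side's transforms is a quick way to confirm, before touching debugs, that both peers share at least one pre-share policy.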

Hi David,

Config looks good.

I'm not sure that the error message that you pasted is the real cause of the issue since we can have it at proposal comparison time even for a working scenario.

Could you maybe enable "debug cry isa 80" on both sides and try to initiate the tunnel and get us the output?

We should see the reason for the issue there.

Regards,

Nicolas

Thanks Nicolas.

You were correct that the Phase 1 error was for something else: an old device was still trying to initiate IPSEC tunnels with the IP address that ends in .179 that I had assigned to one of the ASA outside interfaces.  There is no other activity when I run that debug command, on either ASA.

When you say "bring up the tunnel", are you referring to simply initiating traffic to the other end of the VPN so the tunnel will be set up dynamically?  Or do I need to do something else to bring up the tunnel?

thanks,

David

Hi David,

That is correct, when I'm talking about bringing up the tunnel, it just means pass traffic that should go through it.

In our case, a continuous ping from 10.1.1.X to 10.0.0.X should do it.

For the debugs, it is weird you don't get any output when you enable them.

Are you connected via ssh/telnet to the firewall? If so, can you add the "term mon" command and see if you start having something?

Regards,

Nicolas

Hi Nicolas,

Based on your feedback that it was weird to have no debug info on the screen, and the fact that the config looked good and I've tried just about everything else, I reset both devices to Default and redid the VPN config and it worked on the first try.  I guess there was some glitch that was causing me issues.

Thanks for your feedback and help!

David

Hi David,

Glad to hear everything is fine now.

Regards,

Nicolas