12-12-2016 07:07 AM
I am interested in setting up a site-to-site VPN between 2 locations.
Site 1 has an ASA5505
Site 2 has an ASA5512
12-12-2016 08:02 AM
OK - what's your question?
12-12-2016 08:15 AM
Site 1 - ASA5505
Site 2 - ASA5512
access data from either site
12-12-2016 08:24 AM
There are many many step by step configuration guides available.
Here's one:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html
12-12-2016 10:51 AM
I followed your documentation but without any success
I followed the GUI screenshots
12-12-2016 10:11 AM
Hello,
I spent two days trying to set up a site-to-site VPN between an ASA 5520 (ver 8.2) and a Cisco router. Note that the ASA has two
outside interfaces, both connected to the same public network, but one is connected to a Checkpoint (outside, which holds the public IPs and NAT)
which routes all traffic except VPN traffic, which is routed by the second one (vpnif). If someone could help me I would really appreciate it.
Below configs:
FW#
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.0.3.1 255.255.255.240
!
interface GigabitEthernet0/3
nameif vpnif
security-level 0
ip address 52.x.x.30 255.255.255.248
object-group network LOCAL-NETWORK
network-object 10.100.2.0 255.255.255.0
object-group network REMOTE-NETWORK
network-object 10.100.100.0 255.255.255.224
access-list VPN_L2LACL extended permit ip object-group LOCAL-NETWORK object-group REMOTE-NETWORK
access-list NONAT extended permit ip 10.100.2.0 255.255.255.0 10.100.100.0 255.255.255.224
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
route vpnif 151.x.x.66 255.255.255.255 52.x.x.25 1
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
crypto ipsec transform-set STRONG_SET esp-aes esp-sha-hmac
crypto map outside1_map 1 match address VPN_L2LACL
crypto map outside1_map 1 set pfs
crypto map outside1_map 1 set peer 151.x.x.66
crypto map outside1_map 1 set transform-set STRONG_SET
crypto map outside1_map 1 set security-association lifetime seconds 28800
crypto map outside1_map 1 set security-association lifetime kilobytes 1024000
crypto map outside1_map 1 set reverse-route
crypto map outside1_map interface vpnif
crypto isakmp enable vpnif
tunnel-group 151.x.x.66 type ipsec-l2l
tunnel-group 151.x.x.66 ipsec-attributes
pre-shared-key mykey
ROUTER#
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key mykey address 52.x.x.30 no-xauth
crypto isakmp keepalive 10 3
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map vpn-map 10 ipsec-isakmp
set peer 52.x.x.30
set security-association lifetime kilobytes 1024000
set security-association lifetime seconds 28800
set transform-set strong
set pfs group2
match address 102
reverse-route
qos pre-classify
interface GigabitEthernet0/0
description *** INTERNET CONNEXION ***
ip address 151.x.x.66 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn-map
!
interface GigabitEthernet0/1
description *** LAN ***
ip address 10.100.100.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 151.x.x.65 permanent
!
!
access-list 100 remark NAT EXEMPTION access-list
access-list 100 deny ip 10.100.10.0 0.0.0.31 10.100.2.0 0.0.0.255
access-list 100 permit ip 10.100.100.0 0.0.0.31 any
access-list 102 permit ip 10.100.100.0 0.0.0.31 10.100.20.0 0.0.0.255
!
!
!
!
route-map NONAT permit 10
match ip address 100
----------Packet-tracer output. I think there is an issue on NAT and default route.
FW# packet-tracer input inside tcp 10.100.2.4 80 10.100.100.10 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 4
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 10.100.2.0 255.255.255.0 outside 10.100.100.0 255.255.255.224
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (10.0.0.2 [Interface PAT])
translate_hits = 2329217, untranslate_hits = 12424
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (10.0.0.2 [Interface PAT])
translate_hits = 2329230, untranslate_hits = 12424
Additional Information:
Phase: 10
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14290161, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
FW#
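One check worth running before reading packet-tracer output is whether the two peers' crypto ACLs (the proxy identities) are exact mirror images; IKE phase 2 fails when they are not, and the symptom looks like "the tunnel never comes up". In the lines posted above, the ASA's VPN_L2LACL selects 10.100.2.0/24 to 10.100.100.0/27 while the router's access-list 102 names 10.100.20.0/24 as the far side (and the NAT-exemption ACL 100 names 10.100.10.0); whether that is a typo in the post or in the running config, a script like the following catches it. This is an added example, not code from the thread or from Cisco; the ASA and IOS lines embedded as input are copied from the configs posted above, and the parser only understands the operand forms that appear there (`any`, `host`, `object-group`, and address/mask, where ipaddress accepts both ASA netmasks and IOS wildcard masks).

```python
"""Compare the crypto (interesting-traffic) ACLs of an ASA and an IOS router
and report any proxy identities that are not mirror images of each other."""
import ipaddress
import re

# ASA-side lines, copied from the FW config posted above
ASA_CONFIG = """\
object-group network LOCAL-NETWORK
network-object 10.100.2.0 255.255.255.0
object-group network REMOTE-NETWORK
network-object 10.100.100.0 255.255.255.224
access-list VPN_L2LACL extended permit ip object-group LOCAL-NETWORK object-group REMOTE-NETWORK
"""

# Router-side line, copied from the ROUTER config posted above (IOS wildcard masks)
IOS_CONFIG = """\
access-list 102 permit ip 10.100.100.0 0.0.0.31 10.100.20.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _operand(tokens, groups):
    """Consume one address operand from the front of `tokens`;
    return (list of networks, remaining tokens)."""
    head = tokens[0]
    if head == "any":
        return [ANY], tokens[1:]
    if head == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if head == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    # "A.B.C.D MASK": ipaddress accepts a netmask (ASA) or a hostmask/wildcard (IOS)
    return [ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False)], tokens[2:]


def parse_asa_crypto_acl(text, acl_name):
    """Expand object-groups and return the set of (src, dst) networks the ACL permits."""
    groups, current, pairs = {}, None, set()
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"object-group network (\S+)$", line):
            current = m.group(1)
            groups[current] = []
        elif m := re.match(r"network-object (.+)$", line):
            groups[current].extend(_operand(m.group(1).split(), groups)[0])
        elif m := re.match(rf"access-list {re.escape(acl_name)} extended permit ip (.+)$", line):
            src, rest = _operand(m.group(1).split(), groups)
            dst, _ = _operand(rest, groups)
            pairs.update((s, d) for s in src for d in dst)
    return pairs


def parse_ios_crypto_acl(text, acl_number):
    """Return the set of (src, dst) networks a numbered IOS extended ACL permits."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(rf"\s*access-list {acl_number} permit ip (.+)$", line)
        if m:
            src, rest = _operand(m.group(1).split(), {})
            dst, _ = _operand(rest, {})
            pairs.update((s, d) for s in src for d in dst)
    return pairs


def compare_crypto_acls(local_pairs, remote_pairs):
    """Return (only_local, only_remote) as sets of 'src -> dst' strings.
    The remote ACL is mirrored first, because its source is our destination."""
    mirrored = {(d, s) for s, d in remote_pairs}
    fmt = lambda pairs: {f"{s} -> {d}" for s, d in pairs}
    return fmt(local_pairs - mirrored), fmt(mirrored - local_pairs)


if __name__ == "__main__":
    asa = parse_asa_crypto_acl(ASA_CONFIG, "VPN_L2LACL")
    ios = parse_ios_crypto_acl(IOS_CONFIG, 102)
    only_asa, only_ios = compare_crypto_acls(asa, ios)
    for p in sorted(only_asa):
        print("ASA selects but router does not mirror:", p)
    for p in sorted(only_ios):
        print("Router selects (mirrored) but ASA does not:", p)
    if not only_asa and not only_ios:
        print("crypto ACLs are mirror images")
```

Run against the posted lines it reports one entry in each direction (10.100.2.0/24 vs 10.100.20.0/24); with matching prefixes on both sides both sets come back empty.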
12-12-2016 07:12 PM
The configs look pretty much OK at first glance.
Your packet-tracer indicates the ASA end is fine. I see it reports translate hits for the outgoing traffic but no untranslate hits for incoming (from the far end router).
Can you confirm that the far end subnet (10.100.100.0/27) is using the router as its gateway for the ASA end subnet (10.100.2.0/24)? If the return traffic is not coming back to the router, that would cause what we see here.
Also, please share the output of:
show crypto isakmp sa
show crypto ipsec sa
...on the ASA when you have introduced test traffic and caused the VPN to establish. We would expect "MM ACTIVE" in the first command output and to see the subnet associations in the second command output.
12-13-2016 04:36 PM
Thanks for your response,
I think the issue will be solved if I find a way to get the NAT-exempted traffic out through
the vpnif interface rather than the outside one.
In that case, Phase 1 of the packet-tracer output will be
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 151.x.x.66 255.255.255.255 vpnif
and the tunnel will be up.
12-13-2016 07:30 PM
I see what you mean. We would expect the packet-tracer traffic to use vpnif based on matching the crypto map which is bound to that interface.
In newer ASA code (8.3+), we would add "route-lookup" to the nat statement.
Since you appear to have 8.2 or older code, try adding a route for the remote network via the vpnif interface. i.e.:
route vpnif 10.100.100.0 255.255.255.224 52.x.x.25 1
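The diagnosis above rests on one detail of the transcript: the ROUTE-LOOKUP phase sends the packet to "outside", the crypto map is bound to "vpnif", so the packet never reaches the crypto map and no VPN phase appears. The following script, an added example that is not code from the thread or from Cisco, parses a packet-tracer transcript and makes that comparison automatically, then builds the route suggested in the reply above from the remote network and the next hop of the existing host route to the peer. The transcript embedded below is trimmed from the one posted earlier in the thread; the interface name, remote network and host route are taken from the posted ASA config; the check for a "Type: VPN" phase is an assumption about how a transcript that did hit the crypto map would look, not something the posted output shows.

```python
"""Read an ASA packet-tracer transcript and check that traffic for the VPN
peer's network is routed out of the interface the crypto map is bound to."""
import ipaddress
import re

# Trimmed from the packet-tracer transcript posted earlier in the thread
PACKET_TRACER = """\
FW# packet-tracer input inside tcp 10.100.2.4 80 10.100.100.10 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 10.100.2.0 255.255.255.0 outside 10.100.100.0 255.255.255.224
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14290161, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

# Taken from the posted ASA config
CRYPTO_MAP_INTERFACE = "vpnif"                              # crypto map outside1_map interface vpnif
REMOTE_NETWORK = ipaddress.ip_network("10.100.100.0/27")    # object-group REMOTE-NETWORK
PEER_HOST_ROUTE = "route vpnif 151.x.x.66 255.255.255.255 52.x.x.25 1"


def parse_packet_tracer(text):
    """Return (phases, result): each phase is a dict with Type/Subtype/Result plus a
    'details' list of free-form lines; result holds the final summary block."""
    phases, result, current = [], {"details": []}, None
    for line in text.splitlines():
        line = line.rstrip()
        if re.fullmatch(r"Phase:\s*\d+", line):
            current = {"details": []}
            phases.append(current)
            continue
        if line == "Result:":            # start of the summary block
            current = result
            continue
        if current is None:              # the command echo before Phase 1
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Type", "Subtype", "Result", "input-interface",
                           "output-interface", "Action"):
            current[key] = value.strip()
        else:
            current["details"].append(line)
    return phases, result


def vpn_egress_check(text, crypto_iface, remote_net, peer_route):
    """Flag traffic for the peer network that is routed away from the crypto-map interface."""
    cmd = re.search(r"packet-tracer input \S+ \S+ \S+ \d+ (\S+) \d+", text)
    dst = ipaddress.ip_address(cmd.group(1))
    phases, result = parse_packet_tracer(text)
    # The ROUTE-LOOKUP phase prints "in <prefix> <mask> <egress interface>"
    lookup = next(p for p in phases if p.get("Type") == "ROUTE-LOOKUP")
    route_line = next(l for l in lookup["details"] if l.startswith("in "))
    egress = route_line.split()[-1]
    # Assumption: a packet that reached the crypto map would show a "Type: VPN" phase
    saw_vpn_phase = any(p.get("Type") == "VPN" for p in phases)
    in_scope = dst in remote_net
    ok = (not in_scope) or (egress == crypto_iface)
    report = {
        "destination": str(dst),
        "destination_in_vpn_scope": in_scope,
        "route_lookup_egress": egress,
        "final_output_interface": result.get("output-interface"),
        "crypto_map_interface": crypto_iface,
        "saw_vpn_phase": saw_vpn_phase,
        "ok": ok,
        "suggested_route": None,
    }
    if not ok:
        # Reuse the next hop of the existing host route towards the peer
        next_hop = peer_route.split()[4]
        report["suggested_route"] = (f"route {crypto_iface} {remote_net.network_address} "
                                     f"{remote_net.netmask} {next_hop} 1")
    return report


if __name__ == "__main__":
    report = vpn_egress_check(PACKET_TRACER, CRYPTO_MAP_INTERFACE, REMOTE_NETWORK, PEER_HOST_ROUTE)
    for k, v in report.items():
        print(f"{k}: {v}")
```

On the posted transcript the report shows egress "outside" against crypto-map interface "vpnif", no VPN phase, and the suggested route matching the one in the reply; on a transcript where the lookup already resolves to vpnif the check passes and no route is suggested.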
12-15-2016 02:21 AM
I added the router and things worked well.
I removed crypto isakmp keepalive on the router and pfs on both devices
because I got the MM_NO_STATE - ACTIVE (Deleted) on router.
I'm happy now.
Thanks so much for your support,
12-15-2016 11:14 PM
I got another issue.
The network 10.100.2.0/24 belongs to VoIP servers. I've been able to configure an IP phone successfully; it has registered to CUCM and rings, but voice doesn't pass through the VPN tunnel.
Do you have an idea to solve this issue? I added inspect sip in the default global policy but the issue is still there.