Site to site VPN

Polite .
Level 1

I am interested in setting up a site-to-site VPN between 2 locations.

Site 1 has an ASA5505

Site 2 has an ASA5512

10 Replies

Marvin Rhoads
Hall of Fame

OK - what's your question?

Site 1 - ASA5505

Site 2 - ASA5512

access data from either site

There are many many step by step configuration guides available.

Here's one:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

I followed your documentation but without any success 

I followed the GUI screenshots

Hello,

I spent two days trying to set up a site-to-site VPN between an ASA 5520 ver 8.2 and a Cisco Router. Note that the ASA has two outside interfaces, both connected to the same public network, but one is connected to a Checkpoint (outside, which holds the public IPs and NAT) which routes all traffic except VPN traffic, which is routed by the second one (vpnif). If someone could help me I would really appreciate it.

Configs below:

FW#

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0

!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 10.0.3.1 255.255.255.240
!
interface GigabitEthernet0/3
nameif vpnif
security-level 0
ip address 52.x.x.30 255.255.255.248


object-group network LOCAL-NETWORK
network-object 10.100.2.0 255.255.255.0
object-group network REMOTE-NETWORK
network-object 10.100.100.0 255.255.255.224

access-list VPN_L2LACL extended permit ip object-group LOCAL-NETWORK object-group REMOTE-NETWORK

access-list NONAT extended permit ip 10.100.2.0 255.255.255.0 10.100.100.0 255.255.255.224


nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface


route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
route vpnif 151.x.x.66 255.255.255.255 52.x.x.25 1


crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify


crypto ipsec transform-set STRONG_SET esp-aes esp-sha-hmac

crypto map outside1_map 1 match address VPN_L2LACL
crypto map outside1_map 1 set pfs
crypto map outside1_map 1 set peer 151.x.x.66
crypto map outside1_map 1 set transform-set STRONG_SET
crypto map outside1_map 1 set security-association lifetime seconds 28800
crypto map outside1_map 1 set security-association lifetime kilobytes 1024000
crypto map outside1_map 1 set reverse-route
crypto map outside1_map interface vpnif
crypto isakmp enable vpnif


tunnel-group 151.x.x.66 type ipsec-l2l
tunnel-group 151.x.x.66 ipsec-attributes
pre-shared-key mykey

ROUTER#

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key mykey address 52.x.x.30 no-xauth
crypto isakmp keepalive 10 3


crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map vpn-map 10 ipsec-isakmp
set peer 52.x.x.30
set security-association lifetime kilobytes 1024000
set security-association lifetime seconds 28800
set transform-set strong
set pfs group2
match address 102
reverse-route
qos pre-classify


interface GigabitEthernet0/0
description *** INTERNET CONNEXION ***
ip address 151.x.x.66 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn-map
!
interface GigabitEthernet0/1
description *** LAN ***
ip address 10.100.100.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto

ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 151.x.x.65 permanent
!
!
access-list 100 remark NAT EXEMPTION access-list
access-list 100 deny ip 10.100.100.0 0.0.0.31 10.100.2.0 0.0.0.255
access-list 100 permit ip 10.100.100.0 0.0.0.31 any
access-list 102 permit ip 10.100.100.0 0.0.0.31 10.100.2.0 0.0.0.255
!
!
!
!
route-map NONAT permit 10
match ip address 100

----------Packet-tracer output. I think there is an issue with NAT and the default route.

FW# packet-tracer input inside tcp 10.100.2.4 80 10.100.100.10 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 4
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 10.100.2.0 255.255.255.0 outside 10.100.100.0 255.255.255.224
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (10.0.0.2 [Interface PAT])
translate_hits = 2329217, untranslate_hits = 12424
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (10.0.0.2 [Interface PAT])
translate_hits = 2329230, untranslate_hits = 12424
Additional Information:

Phase: 10
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14290161, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

FW#

The configs look pretty much OK at first glance.

Your packet-tracer indicates the ASA end is fine. I see it reports translate hits for the outgoing traffic but no untranslate hits for incoming (from the far end router).

Can you confirm that the far end subnet (10.100.100.0/27) is using the router as its gateway for the ASA end subnet (10.100.2.0/24)? If the return traffic is not coming back to the router, that would cause what we see here.

Also, please share the output of:

show crypto isakmp sa
show crypto ipsec sa

...on the ASA when you have introduced test traffic and caused the VPN to establish. We would expect "MM ACTIVE" in the first command output and to see the subnet associations in the second command output. 

Thanks for your response,

I think the issue will be solved if I find a way to get the exempted NAT traffic out through the vpnif interface rather than the outside one.

In that case, Phase 1 of packet-tracer would be

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 151.x.x.66 255.255.255.255 vpnif  

and the tunnel will be up.

I see what you mean. We would expect the packet-tracer traffic to use vpnif based on matching the crypto map which is bound to that interface.

In newer ASA code (8.3+), we would add "route-lookup" to the nat statement.

Since you appear to have 8.2 or older code, try adding a route for the remote network via the vpnif interface. i.e.:

route vpnif 10.100.100.0 255.255.255.224 52.x.x.25 1
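The route-lookup behaviour described in this reply, modelled as an added Python example (not code from the thread or from Cisco): the ASA picks the egress interface by longest-prefix match before it consults the crypto map, so with only the default route the VPN flow leaves via outside, where no crypto map is bound. The prefixes are the ones posted above; the peer's "x.x" octets are replaced by a 0.0 placeholder.

```python
"""Model of the ASA 8.2 egress-interface decision discussed in the thread."""
import ipaddress

# Added example, not from the thread or Cisco. Routes are (prefix, egress
# interface); next hops are omitted because only the interface matters here.
# The peer's "x.x" octets are a 0.0 placeholder.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "outside"),      # route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
    ("151.0.0.66/32", "vpnif"),    # route vpnif 151.x.x.66 255.255.255.255 ...
]
# Same table plus the route for the remote subnet suggested in the reply
ROUTES_AFTER = ROUTES_BEFORE + [("10.100.100.0/27", "vpnif")]

# access-list VPN_L2LACL: (local network, remote network)
CRYPTO_ACL = [("10.100.2.0/24", "10.100.100.0/27")]
CRYPTO_MAP_INTERFACE = "vpnif"     # crypto map outside1_map interface vpnif


def egress_interface(routes, dst):
    """Longest-prefix match, as packet-tracer's ROUTE-LOOKUP phase does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def matches_crypto_acl(acl, src, dst):
    """True if src->dst is 'interesting traffic' for the crypto map."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r)
               for l, r in acl)


def will_encrypt(routes, src, dst):
    """Return (egress interface, whether the crypto map will encrypt the flow).

    The crypto map only sees traffic that leaves the interface it is bound to,
    so a crypto ACL match on the wrong egress interface is sent in the clear.
    """
    iface = egress_interface(routes, dst)
    return iface, matches_crypto_acl(CRYPTO_ACL, src, dst) and iface == CRYPTO_MAP_INTERFACE


if __name__ == "__main__":
    # Same flow as the packet-tracer test in the thread: 10.100.2.4 -> 10.100.100.10
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        iface, enc = will_encrypt(routes, "10.100.2.4", "10.100.100.10")
        print(f"{label}: egress={iface} encrypted={enc}")
```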

I added the route and things worked well.

I removed crypto isakmp keepalive on the router and pfs on both devices because I got MM_NO_STATE - ACTIVE (Deleted) on the router.

I'm happy now.

Thanks so much for your support,

I got another issue.

The network 10.100.2.0/24 belongs to VoIP servers. I've been able to configure an IP Phone successfully; it has registered to CUCM and rings, but voice doesn't pass through the VPN tunnel.

Do you have an idea to solve this issue? I added inspect sip in the default global policy but the issue is still there.
