Solved: Re: VPN on ASA5510

lawsuites · ‎10-12-2010

We have 2 locations with ASA5510 and would like to configure VPN tunnel for data. Right now we have mpls that we like get rid of.

I see in our configuration there is already VPN tunnel configured but it's not working. Because we stoped mpls and data between both sides stop working.

Following is he configs from one of ASA5510, please let me know if you see VPN configured...i am new to firewall...

Please help...

ASA Version 8.0(3)
!
hostname home
domain-name none.com
names

name 10.10.10.10 Exchange2010
name 1.1.1.1.1 Exchange2010outside
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address Exchange2010outside 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.2255.255.255.0
!
interface Ethernet0/2
nameif mpls
security-level 100
ip address 10.10.10.2 255.255.255.240
!
interface Ethernet0/3
nameif temp
security-level 0
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!

ftp mode passive
dns server-group DefaultDNS
domain-name none.com
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq 3390
access-list 101 extended permit tcp any interface outside eq 3391
access-list 101 extended permit tcp any interface outside eq 3392
access-list 101 extended permit tcp any interface outside eq 3393
access-list 101 extended permit tcp any interface outside eq 3394
access-list 101 extended permit tcp any interface outside eq 3395
access-list 101 extended permit tcp any interface outside eq 3396
access-list 101 extended permit tcp any interface outside eq 3397
access-list 101 extended permit tcp any interface outside eq 3398
access-list 101 extended permit tcp any interface outside eq 3399
access-list 101 remark OWA 2010
access-list 101 extended permit tcp any host Exchange2010outside eq 3389
access-list 101 extended permit tcp any host Exchange2010outside eq www
access-list 101 extended permit tcp host 64.92.220.155 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.156 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.157 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.158 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.159 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.160 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.161 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.162 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.163 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.164 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.165 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 64.92.220.166 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.85 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.86 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.87 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.88 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.89 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.90 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.91 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.82.145.92 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.245 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.246 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.247 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.248 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.249 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.250 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.251 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp host 208.78.240.252 host Exchange2010outside
eq smtp
access-list 101 extended permit tcp 64.18.0.0 255.255.240.0 host Exchange2010out
side eq smtp
access-list 101 extended permit tcp any host Exchange2010outside eq https
access-list 101 extended permit object-group TCPUDP any host Exchange2010 eq www

access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255
.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255
.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255
.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255
.255.0
access-list cap extended permit tcp any eq 3391 any
access-list cap extended permit tcp any eq 3394 any
access-list home-remoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 25
5.255.255.0
access-list home-remoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 25
5.255.255.0
access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 25
5.255.255.0
access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 25
5.255.255.0
access-list cap1 extended permit tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
mtu temp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Home-RemoteNONAT
nat (inside) 1 10.10.1.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.2.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.3.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.4.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.5.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.6.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.7.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.8.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.9.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.10.0 255.255.255.0 tcp 50 20

static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255

.255
static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.2
55.255

access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.11.111 1 (side note 111.111.11.111 believe is isp gateway)
route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
route inside 10.10.9.0 255.255.255.0 10.10.9.1 1
route mpls 10.10.11.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.12.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.13.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.14.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.21.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group 38.1.1.1 type ipsec-l2l ( side note this is remote asa ip address)
tunnel-group 38.1.1.1 ipsec-attributes (side note this is remote asa ip address)
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map pptp-port
match port tcp eq pptp
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map pptp_policy
class pptp-port
inspect pptp
policy-map pptp-policy
class pptp-port
inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
prompt hostname context

Rudresh Veerappaji · ‎10-13-2010

Hi Gurpreet,

Yes, following vpn configuration will work:

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1

tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
pre-shared-key *

--Now in the above config, we are missing the access-list defining the interesting traffic, for this you need to identify the interesting traffic (probably) by checking the remote vpn end point configuration, and apply this here. We also need to apply the crypto map to the interface. So the complete vpn config should look like this:

crypto map outside_map 20 match address

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1

tunnel-group 64.1.1.1 type ipsec-l2l

tunnel-group 64.1.1.1 ipsec-attributes

pre-shared-key

crypto map outside_map interface outside

Cheers,

Rudresh V

View solution in original post

Rudresh Veerappaji · ‎10-12-2010

Hi Gurpreet,

From the configuration, i see that there is a vpn configuration for a site to site tunnel, but it is incomplete. the missing statement are marked in RED:

crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac

crypto map maptoREMOTE 10 set peer
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside

--Now i see a tunnel group configuration with ip address 38.1.1.1, so most probably this is the ip address of your remote peer. So please verify if this is the ip address of your remote site, and then apply this ip address in the above config set to complete the vpn configuration. So following is probably is what needs ot be addred

crypto map maptoREMOTE 10 set peer 38.1.1.1

But as i said, apply the set peer only after you are sure this ip address is that of your intended remote site. Rest of the vpn config seems fine.

Let me know if this helps,

Cheers,

Rudresh V

lawsuites · ‎10-12-2010

Thanks Rudresh,

I have made that change. Now i am checking my remote asa configs and see tunnel is ponting to our old ISP(home isp) ip address and that need be changed:

following are lines i am seeing pointing to old ip address that need to be changed. I don't want to make mistake please advise how should i chagne them. Also if you see anything else need to changed in there. Again thank you very much.

crypto map outside_map 20 set peer 64.1.1.1

tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes

sh runm
: Saved
:
ASA Version 8.0(4)
!
hostname ASA-home
domain-name none.com

names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 38.1.1.1255.255.255.224
!
interface Ethernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.10.11.250 255.255.255.0
!
interface Ethernet0/2
nameif mpls
security-level 100
ip address 10.10.1.1255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
security-level 100
no ip address
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name none.com
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 38.1.1.2eq www
access-list 100 extended permit tcp any host 38.1.1.2eq https
access-list 100 extended permit tcp any host 38.1.1.2eq 3389
access-list 100 extended permit tcp any host 38.1.1.2range 3230 3235
access-list 100 extended permit tcp any host 38.1.1.2eq h323
access-list 100 extended permit udp any host 38.1.1.2range 3230 3253
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn extended permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list remote-homeNONAT extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list remote-homeNONAT extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list remote-homeNONAT extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list remote-homeNONAT extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.
0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list remote-home extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-listremote-home extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
ip local pool Remote-Pool 192.168.10.1-192.168.10.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list remote-homeNONAT
nat (inside) 1 10.10.11.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.12.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.13.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.14.0 255.255.255.0 tcp 50 20
static (inside,outside) 38.1.1.2 10.10.1.15 netmask 255.255.255.255
static (inside,outside) 10.10.11.154 38.1.1.3netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.1.1.0 1
route mpls 10.10.1.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.2.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.3.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.4.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.5.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.6.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.7.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.8.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.9.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.10.0 255.255.255.0 10.10.21.1 1
route inside 10.10.12.0 255.255.255.0 10.10.12.1 1
route inside 10.10.13.0 255.255.255.0 10.10.13.1 1
route inside 10.10.14.0 255.255.255.0 10.10.14.1 1
route mpls 10.10.20.0 255.255.255.0 10.10.21.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set NJ_Tunnel esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime secon
ds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilob
ytes 4608000
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map maptohome 10 match address remote-home
crypto map maptohome 10 set transform-set remote_home
crypto map maptohome 10 set security-association lifetime seconds 28800
crypto map maptohome 10 set security-association lifetime kilobytes 4608000
crypto map maptohome interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group Supp0Rt type remote-access
tunnel-group Supp0Rt general-attributes
address-pool Remote-Pool
tunnel-group Supp0Rt ipsec-attributes
pre-shared-key *
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context

: end

Rudresh Veerappaji · ‎10-13-2010

Hi Gurpreet,

Yes, following vpn configuration will work:

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1

tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
pre-shared-key *

--Now in the above config, we are missing the access-list defining the interesting traffic, for this you need to identify the interesting traffic (probably) by checking the remote vpn end point configuration, and apply this here. We also need to apply the crypto map to the interface. So the complete vpn config should look like this:

crypto map outside_map 20 match address

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1

tunnel-group 64.1.1.1 type ipsec-l2l

tunnel-group 64.1.1.1 ipsec-attributes

pre-shared-key

crypto map outside_map interface outside

Cheers,

Rudresh V

lawsuites · ‎10-18-2010

Thank you very much, Rudres. Its working now.