VPN site to site 5515X

lecarbajalp
Level 1

I have a problem trying to connect a site-to-site VPN between an ASA 5515X and an ASA 5510.

This is the configuration of my 5515X:

hostname FW5515X-1
domain-name cngfinancial.com
enable password yjBYwn.g8xmd24FA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 shutdown
 nameif Outside
 security-level 0
 ip address 190.81.23.44 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone PEST -3
dns server-group DefaultDNS
 domain-name cngfinancial.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network USNetwork
 network-object 192.168.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.10.0.0 255.255.0.0 object-group USNetwork
access-list inside_access_in extended permit ip any any
pager lines 30
logging enable
logging timestamp
logging asdm informational
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static ANetwork ANetwork destination static USNetwork USNetwork
!
!
nat (Inside,Outside) after-auto source dynamic ANetwork interface
access-group outside_access_in in interface Outside
access-group inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 190.81.47.25 1
route Inside 10.10.0.0 255.255.255.0 10.10.1.3 1
route Inside 10.10.1.0 255.255.255.0 10.10.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (Inside) host 10.1.11.63
 key *****
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map dinomap 90 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 47.115.124.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map 90 ipsec-isakmp dynamic dinomap
crypto map outside_map interface Outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.11.12 prefer
ntp server 10.10.0.12 prefer
webvpn
username admin password 07pI6YSftwy6DP1a encrypted
tunnel-group 47.115.124.10 type ipsec-l2l
tunnel-group 47.115.124.10 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home

The configuration on the 5510 is the old one that I have been using with a 5505 firewall.

Regards,

mvsheik123
Level 7

Hi Luis,

Two things...

1. Interface g0/0 is shut down (on purpose?).

2. route Outside 0.0.0.0 0.0.0.0 190.81.47.25 1 --> the outside gateway IP is not part of the G0/0 IP range (190.81.23.44 255.255.255.248).

   Traffic may not be reaching the internet.

There may be more, but I want to check on these first.

hth

MS
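The two checks in the reply (an egress interface that is administratively down, and a default-route next hop that is not on that interface's subnet) can be run mechanically against an ASA running-config. The script below is an added example, not code from either poster; its sample config is a constructed excerpt of the interface and route lines from the 5515X config above.

```python
import ipaddress
import re

# Constructed sample: interface and route lines from the 5515X config in the post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 shutdown
 nameif Outside
 ip address 190.81.23.44 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 ip address 10.10.1.1 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 190.81.47.25 1
route Inside 10.10.0.0 255.255.255.0 10.10.1.3 1
route Inside 10.10.1.0 255.255.255.0 10.10.1.3 1
"""

def parse_interfaces(config):
    """Map nameif -> (IPv4Interface, is_shutdown) for every named, addressed interface."""
    ifaces = {}
    # An interface block runs from "interface ..." to the next non-indented line.
    for block in re.findall(r"^interface .*\n((?: .*\n)+)", config, re.M):
        name = re.search(r"^ nameif (\S+)", block, re.M)
        addr = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
        if name and addr:
            iface = ipaddress.IPv4Interface(f"{addr[1]}/{addr[2]}")
            ifaces[name[1]] = (iface, bool(re.search(r"^ shutdown\s*$", block, re.M)))
    return ifaces

def audit_routes(config):
    """Flag static routes whose next hop is off the egress interface's subnet, and
    routes that egress through an administratively shut-down interface."""
    ifaces, findings = parse_interfaces(config), []
    for nameif, _dst, _mask, nexthop in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        if nameif not in ifaces:
            findings.append(f"{nameif}: route references an interface with no nameif/ip address")
            continue
        ip_if, down = ifaces[nameif]
        if ipaddress.IPv4Address(nexthop) not in ip_if.network:
            findings.append(f"{nameif}: next hop {nexthop} is not in {ip_if.network}")
        if down:
            findings.append(f"{nameif}: egress interface is shut down")
    return findings

if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt it reports exactly the two problems the reply raises; on a full `show running-config` it also catches inside routes whose gateway is off-subnet.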