site to site configuration issues ASA 5540

Chris Lane
Level 1

Very much a newbie with building a site-to-site; our ASA was administered years ago and left alone. I am new, copying a site-to-site configuration to a new one, but it won't form a tunnel.

 

If we only worry about the tunnel for now and not routes, should I only be concerned with this on both sides?

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key (SAME ON BOTH)

 

OR do I need more?

 

These ASAs already run tunnels to different sites, so as stated I'm trying a NEW site from this one.

 

Thanks in advance

Chris

7 Replies

@Chris Lane You'll also need to create an access-list to define the interesting traffic and create a crypto map with a new sequence number, referencing the access-list and defining the peer IP address and crypto transform set etc.

 

You will need to ensure the peer uses the same ike and ipsec algorithms and their access-list mirrors yours.
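As an added illustration of the pieces listed above (this is not configuration from the original thread or from either poster's ASA), here is one side of a complete IKEv1 site-to-site definition in ASA 8.4+ `ikev1` syntax. Everything in it is an assumption chosen for the example: the RFC 5737 documentation addresses, the object, ACL and map names, the sequence number, and an AES-256 / SHA / DH group 14 suite in place of the `ESP-3DES-SHA` transform set quoted later in the thread (3DES is deprecated and should not be used for new tunnels). The peer needs the mirror image: its LAN as the ACL source, this LAN as the destination, the same pre-shared key, and a matching IKE policy and transform set. The final lines are the checks that confirm the tunnel and generate the interesting traffic that triggers it.

```cisco
! --- Phase 1 (IKEv1): enable IKE on the outside interface and define a policy ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

! --- Phase 2 (IPsec): the transform set the crypto map entry will reference ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Local and remote networks (example addresses, RFC 5737 / RFC 1918) ---
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0

! --- Interesting traffic: what is encrypted; the peer's ACL must be the mirror image ---
access-list VPN-TO-SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- NAT exemption so VPN traffic is not translated before it hits the crypto map ---
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Crypto map entry: new sequence number, ACL, peer, transform set, PFS ---
crypto map OUTSIDE_MAP 5 match address VPN-TO-SITEB
crypto map OUTSIDE_MAP 5 set pfs group14
crypto map OUTSIDE_MAP 5 set peer 203.0.113.2
crypto map OUTSIDE_MAP 5 set ikev1 transform-set ESP-AES256-SHA
! Binds the whole map to the interface; only needed once, and its position in
! 'show run' relative to the numbered entries does not matter.
crypto map OUTSIDE_MAP interface outside

! --- Tunnel group keyed on the peer address, with the shared secret ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET

! --- Verification: the SA only appears after traffic matches the ACL ---
! packet-tracer simulates a packet from the inside LAN and shows the VPN phase.
packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10 detailed
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.2
! For a tunnel that will not come up, watch the negotiation live:
debug crypto ikev1 127
```

If `show crypto ikev1 sa` stays empty, nothing has matched the ACL yet or Phase 1 is failing (wrong PSK, no matching policy, or the peer address in the tunnel-group not equal to the one in `set peer`); if Phase 1 is `MM_ACTIVE` but `show crypto ipsec sa` shows no SA, the proxy identities (the two ACLs) or the transform sets do not mirror each other. The pre-shared key should be a long random string and not reused from an existing tunnel-group.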

The access list is only to define allowed traffic back and forth. But I'm only interested in first creating a tunnel, no traffic, just the tunnel.

Do I need the crypto map? I assumed the map was only to point to the ACL?

I guess, in a nutshell, what is the bare minimum needed ONLY to create the tunnel, NO TRAFFIC, yet...

Create the crypto map, just don't define the peer IP address or don't reference the access-list in the crypto map; missing either and the tunnel will not be established.

Hey Rob

Thanks for the quick replies, a little confused by your response as you say "Create the crypto map, DON'T DEFINE peer IP / ref ACL", "MISSING EITHER RESULTS IN NO TUNNEL"

 

crypto map OUTSIDE_MAP 1 match address <NAME>
crypto map OUTSIDE_MAP 1 set pfs
crypto map OUTSIDE_MAP 1 set peer x.x.x.x
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-3DES-SHA

 

Don't I have to set a peer, at the very least?

Yes, you do need a peer to establish a tunnel; you also need traffic that matches the ACL to establish the tunnel... but your requirement is to not allow traffic. So if you don't want to permit traffic you'll never establish a tunnel. Two ways to not send traffic over the tunnel (or even build the tunnel in the first place) are to not define either the ACL or the peer.

 

Or perhaps you could create an inbound ACL blocking traffic to the destination before it even reaches the ASA; the tunnel would still not be established (it needs traffic in order to build one).

 

Your requirement is slightly odd; usually people request help establishing a VPN tunnel. There are other ways I could suggest for not sending traffic over the VPN; the suggestions provided are the simplest.

Hmm, I think I misrepresented it...

Of course I want to send traffic... At the end of the day I have an ACL, a crypto map and a tunnel-group configured, and I can't see a tunnel.

And I don't know how to debug ~ and I'm new ~ hence my confusion.

 

I was trying to really dumb it down and keep things super simple: establish the tunnel, then add routes.

 

I must be missing more configuration.

 

Another thing I noticed was regarding the "crypto map OUTSIDE-MAP interface outside" command.

When I add a NEW crypto map OUTSIDE-MAP seq 5, for instance (1, 2, 3, 4 exist already), the command above stays above the new seq 5.

 

Meaning the command above, once I add the 5th sequence below, stays ABOVE, like so, instead of beneath! Does it matter, and if so, how do I fix it?

crypto map OUTSIDE-MAP interface outside ---------------------> this should be BELOW the new seq?

crypto map OUTSIDE_map 5 match address TEST
crypto map OUTSIDE_map 5 set pfs
crypto map OUTSIDE_map 5 set peer x.x.x.x
crypto map OUTSIDE_map 5 set ikev1 transform-set ESP-3DES-SHA