Solved: asa5505 ipsec tunnel problem

oshechodanov · ‎07-15-2007

I have 2 asa5505. I want to create ipsec tunnel. Do as write this http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5500/quick/guide/sitvpn_b.html#wp1038592

But tunnel does not establish

ciscoasa(config)# show crypto isakmp sa

There are no isakmp sas

ciscoasa(config)# show crypto ipsec sa

There are no ipsec sas

First ASA config

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.52.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 209.x.x.236 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_20_cryptomap extended permit ip 192.168.52.0 255.255.255.0 host 209.x.x.226

pager lines 24

logging enable

logging asdm informational

logging debug-trace

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route inside 0.0.0.0 0.0.0.0 192.168.52.240 1

route outside 192.168.1.0 255.255.255.0 209.168.200.226 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 209.165.200.226

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 209.x.x.226 type ipsec-l2l

tunnel-group 209.x.x.226 ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 outside

telnet timeout 1440

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

acomiskey · ‎07-16-2007

You may remove the following line as it is not needed.

no access-list outside_20_cryptomap extended permit icmp 192.168.52.0 255.255.255.0 192.168.1.0 255.255.255.0

As mattiaseriksson said you need to add nat exemption. One comment to his statement is you should not reuse the crypto acl for your nat exemption. It is always good practice to create a separate acl.

access-list nat0 extended permit ip 192.168.52.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nat0

access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.52.0 255.255.255.0

nat (inside) 0 access-list nat0

View solution in original post

oshechodanov · ‎07-15-2007

secon asa config

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 209.165.200.226 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 209.165.200.236

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 192.168.52.0 255.255.255.0 209.168.200.236 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 209.165.200.236

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 209.165.200.236 type ipsec-l2l

tunnel-group 209.165.200.236 ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:56cb3d2d69c8d5ea880bb964ffa21899

: end

mattiaseriksson · ‎07-16-2007

Hi, the access-lists you call outside_20_cryptomap is used to identify the packets that the IPSec connection permits and protects.

Both firewalls crypto maps must contain compatible crypto ACLs, which usually means that they have to be mirrored.

In your case they should look like this:

Firewall 1:

access-list outside_20_cryptomap extended permit ip 192.168.52.0 255.255.255.0 192.168.1.0 255.255.255.0

Firewall 2:

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.52.0 255.255.255.0

mattiaseriksson · ‎07-16-2007

And in ASDM VPN wizard you refer to, the error was on the 'Hosts And Networks' page. There you should input the 192.168.52.0 as the local (source) network and 192.168.1.0 as remote (destination) network in firewall 1. In firewall 2 the networks should be reversed.

You also did not check the option to Exempt ASA side network from NAT. You need to do that on both sides as well.

oshechodanov · ‎07-16-2007

I do this, but tunnel does not work

mattiaseriksson · ‎07-16-2007

Can you attach the updated configurations for us to look at?

oshechodanov · ‎07-16-2007

Here new configurations

mattiaseriksson · ‎07-16-2007

I assume that you do not want to NAT the traffic between the sites, so you need to add this line:

nat (inside) 0 access-list outside_20_cryptomap to both sides.

acomiskey · ‎07-16-2007

You may remove the following line as it is not needed.

no access-list outside_20_cryptomap extended permit icmp 192.168.52.0 255.255.255.0 192.168.1.0 255.255.255.0

As mattiaseriksson said you need to add nat exemption. One comment to his statement is you should not reuse the crypto acl for your nat exemption. It is always good practice to create a separate acl.

access-list nat0 extended permit ip 192.168.52.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list nat0

access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.52.0 255.255.255.0

nat (inside) 0 access-list nat0

oshechodanov · ‎07-16-2007

I do all of advices. But tunnel does not work.

I dont understant why. Anybody has any ideas?

Help please!!!!

oshechodanov · ‎07-16-2007

Thanks for all. Problem solved