07-15-2008 01:43 AM - edited 03-11-2019 06:14 AM
Hi,
How do I verify that the site-to-site VPN connection I just configured is ok?
When I log into the ASDM the number of VPN connections is zero. Is a site-to-site VPN connection only active when traffic is sent between two hosts, or does it "stay on" all the time?
I used the following configuration:
Asa 5505# 1
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# tunnel-group 10.10.10.1 type ipsec-l2l
hostname(config)# tunnel-group 10.10.10.1 ipsec-attributes
hostname(config-ipsec)# pre-shared-key blabla
hostname(config)# exit
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.10.1
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory
Asa 5505# 2
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
hostname(config)# tunnel-group 10.10.10.2 type ipsec-l2l
hostname(config)# tunnel-group 10.10.10.2 ipsec-attributes
hostname(config-ipsec)# pre-shared-key blabla
hostname(config)# exit
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.10.2
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory
Thanx!
07-15-2008 03:53 AM
Suppose this is the setup:
Then initiate a continuous ping from PC1 (192.168.100.0/24) to PC2 (192.168.1.0/24); you will then see an IPSEC tunnel being established, provided your config is correct.
And then if you issue the command "show crypto isakmp sa" on the ASA box you should see the Active SAs in the output:
Active SA: 1
- And then give the command "show crypto ipsec sa"
You will see something like this in the output, which shows the number of packets getting encrypted, encapsulated, etc.
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
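As an added example (not from this thread or from Cisco), a small Python helper that parses the "#pkts" counters the reply above points to, from constructed sample "show crypto ipsec sa" output, and flags the one-way case (encaps rising, decaps stuck at zero) that a missing route or a non-mirrored crypto ACL on one side typically produces; the function names and the sample text are my own assumptions.

```python
import re

# Constructed sample output, modelled on the counters quoted above (not a real capture).
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: abcmap, seq num: 1, local addr: 10.10.10.2

      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.10.10.1

      #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample of the relevant line from "show crypto isakmp sa".
SAMPLE_ISAKMP_SA = "Active SA: 1\n    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)\n"

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")

def isakmp_active_sas(text):
    """Return the 'Active SA' count from 'show crypto isakmp sa' output (0 if absent)."""
    m = re.search(r"Active SA: (\d+)", text)
    return int(m.group(1)) if m else 0

def parse_ipsec_sa(text):
    """Map each peer in 'show crypto ipsec sa' output to its #pkts counters."""
    result = {}
    # Each SA block starts with 'Crypto map tag:'; the chunk before the first one is the interface header.
    for block in re.split(r"(?=Crypto map tag:)", text)[1:]:
        m = PEER_RE.search(block)
        peer = m.group(1) if m else "unknown"
        result[peer] = {name: int(val) for name, val in COUNTER_RE.findall(block)}
    return result

def diagnose(counters):
    """Classify a peer's counters: idle, one-way (either direction) or healthy."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: no interesting traffic has matched the crypto ACL yet"
    if dec == 0:
        return "one-way: we encrypt but receive nothing back; check the peer's routing and crypto ACL"
    if enc == 0:
        return "one-way: we receive but never encrypt; check our own routing and crypto ACL"
    return "healthy: traffic flows in both directions"

if __name__ == "__main__":
    print("ISAKMP active SAs:", isakmp_active_sas(SAMPLE_ISAKMP_SA))
    for peer, counters in parse_ipsec_sa(SAMPLE_IPSEC_SA).items():
        print(peer, diagnose(counters))
```

Run it against the real output of the two show commands to spot which side is dropping traffic before digging through routes and ACLs.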
07-15-2008 03:55 AM
If using ASDM, go to
VPN Statistics > Global IKE/IPSec Statistics
You will see the Active tunnels.
07-15-2008 04:09 AM
Do I need to specify another ACL to allow ICMP traffic, or will my VPN automatically allow all kinds of traffic between the two networks?
07-15-2008 05:12 AM
It's working now. Some much-needed routing was missing from both the ASAs. Phew, thanx a lot for helping me.