Site-to-site VPN with dual ASA 5510s

Unanswered Question
Sep 18th, 2008

Hi,

I have recently been asked to configure a VPN between two sites using an ASA 5510 at each end. I used the VPN Site-to-site wizard in ASDM on both devices and followed the instructions for the wizard to the letter. However I don't seem able to get any kind of VPN up and running. If anyone could point out where I'm going wrong then I would very much appreciate it.

fraser_chapman Thu, 09/18/2008 - 01:59

Here is the sanitised running config of SiteA:

----------------------------
ASA Version 8.0(2)
!
hostname MCRASA
domain-name isal.local
enable password xxx
names
!
interface Ethernet0/0
 description External WAN
 nameif outside
 security-level 0
 ip address 81.*.*.82 255.255.255.240
!
interface Ethernet0/1
 description Internal LAN
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.0
!
interface Ethernet0/2
 description Demarcation zone
 nameif dmz
 security-level 50
 ip address 10.30.30.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description MCRASA management
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name isal.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 82.*.*.50
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81.*.*.82 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.*.*.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.254.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.2.2-192.168.2.5 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
username fraser password xxx encrypted privilege 15
username fraser attributes
 memberof LOCAL
tunnel-group 82.*.*.50 type ipsec-l2l
tunnel-group 82.*.*.50 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:xxx

fraser_chapman Thu, 09/18/2008 - 01:59

Here is the sanitised running config of SiteB:

----------------------------
ASA Version 8.0(2)
!
hostname LONASA
domain-name isal.local
enable password xxx
names
!
interface Ethernet0/0
 description External WAN
 nameif Outside
 security-level 0
 ip address 82.*.*.50 255.255.255.240
!
interface Ethernet0/1
 description Internal LAN
 nameif Inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description LONASA management
 nameif management
 security-level 100
 ip address 192.168.3.1 255.255.255.0
 management-only
!
passwd xxx
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name isal.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 81.105.169.81
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 81.105.169.81
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 82.*.*.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 Inside
http 192.168.3.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 81.*.*.82
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.3.2-192.168.3.5 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group 81.*.*.82 type ipsec-l2l
tunnel-group 81.*.*.82 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:xxx

singhsaju Fri, 09/19/2008 - 15:24

Make the following changes to your access-lists (the ACL, interface and crypto-map names on Site A are lower-case, and the ASA treats them as case-sensitive, so the Site A lines use those names):

Site A

no access-list outside_1_cryptomap
no access-list inside_nat0_outbound
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap

Site B

no access-list Outside_1_cryptomap
no access-list Inside_nat0_outbound
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap

Remove PFS from both sides if it still does not work after you make the changes; then enable debugs ("debug crypto isakmp", "debug crypto ipsec") and post the debugs.

HTH

Saju

Pls rate helpful posts
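A consistency check for the fix described above, as an added example that is not part of the thread: it parses each side's crypto-map ACL and nat 0 ACL and reports when the two proxy identities are not mirror images, when the crypto traffic is not NAT-exempt, or when a crypto map or nat 0 line names an ACL that does not exist on that box (names are case-sensitive, so Inside_nat0_outbound is not inside_nat0_outbound). The config fragments and the 198.51.100.50 / 203.0.113.82 addresses are constructed stand-ins for the sanitised values in the posts.

```python
import ipaddress
import re
# Constructed sample, not the poster's config: documentation-range addresses stand in for the
# sanitised public IPs. As posted, each crypto ACL pairs the local LAN with the peer's public address.
SITE_A_BEFORE = """
access-list outside_1_cryptomap extended permit ip 192.168.254.0 255.255.255.0 host 198.51.100.50
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 host 198.51.100.50
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
"""
SITE_B_BEFORE = """
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 203.0.113.82
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 203.0.113.82
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 1 match address Outside_1_cryptomap
"""
ACE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
CRYPTO = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$", re.M)

def _net(tokens):  # consume one ASA address spec (any | host A | A MASK) -> (network, rest)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Map ACL name -> set of (src, dst) networks; names stay case-sensitive, as on the ASA."""
    acls = {}
    for m in filter(None, map(ACE.match, config.splitlines())):
        src, rest = _net(m.group(2).split())
        acls.setdefault(m.group(1), set()).add((src, _net(rest)[0]))
    return acls

def check_l2l(cfg_a, cfg_b):
    """Return findings; an empty list means both sides' proxy IDs and NAT exemptions agree."""
    findings, crypto = [], {}
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        acls, picked = parse_acls(cfg), {}
        for kind, rx in (("crypto map", CRYPTO), ("nat 0", NAT0)):
            name = (rx.search(cfg) or [None, None])[1]  # None when the line is absent
            if name not in acls:
                findings.append(f"site {label}: {kind} references missing ACL {name!r}")
            picked[kind] = acls.get(name, set())
        if picked["crypto map"] - picked["nat 0"]:
            findings.append(f"site {label}: crypto ACL traffic is not NAT-exempt")
        crypto[label] = picked["crypto map"]
    if crypto["A"] != {(d, s) for s, d in crypto["B"]}:  # B's src/dst must be A's dst/src
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Running check_l2l on the two posted fragments reports only the mirror-image mismatch; after swapping the peer host entries for the remote LAN subnets on both sides it returns no findings.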
