Site-to-Site VPN between 5510 and 5505

Answered Question
Oct 14th, 2008

I am trying to get a site-to-site VPN up and running between a satellite office and our main office. I have the settings in place but am trying to determine if it is my settings or the DSL provider, Verizon.

They have a 5505 with a static IP connected through cable modem. From their 5505 I can ping the outside IP address of my 5510 no problem. All the settings are correct on both sides; they reflect the same settings and yet the Static VPN does not come up.

Is there some sort of CLI command I must issue to bring it up?

Also, I am wondering if perhaps my 2821 is stopping any VPN traffic in as it does have to be re-NAT'ed to get to the 192.168.250.0/23 and the 192.168.252.0/24 subnets.

This is simply about getting traffic from their 192.168.40.0 subnet into our 192.168.250.0/23 VOIP subnet.

I am attaching a basic diagram. I can provide the configs for nearly everything.

kerryjcox Tue, 10/14/2008 - 12:09

Sure thing. Thanks for your time.

The satellite config is for the remote location and the corporate config is for the main office.

singhsaju Tue, 10/14/2008 - 12:56

Can you make the crypto ACLs simple ACLs (no object groups) and then check?

Corporate ASA

no access-list outside_1_cryptomap

access-list outside_1_cryptomap extended permit ip 192.168.252.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.250.0 255.255.254.0 192.168.40.0 255.255.255.0

Satellite ASA

no access-list outside_2_cryptomap_1

access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.255.0

access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.250.0 255.255.254.0

Also try removing PFS from both sides. First make the basic tunnel come up; later on you can add PFS etc.

HTH

Saju

Pls rate helpful posts

kerryjcox Tue, 10/14/2008 - 13:15

I did as you suggested and changed the access-lists on both corporate and satellite. I am still unable to ping inside addresses. Traceroute is unable to route. The PtP VPN is not coming up.

At corporate:

cisco# ping 192.168.40.101

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.40.101, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

At satellite:

cisco# ping 192.168.250.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.250.11, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Here is the latest set of configs, plus the 2821 router config that sits between the ASA5510 and the 192.168.250.0/24 and 192.168.252.0/24 subnets.

Thanks in advance.

singhsaju Wed, 10/15/2008 - 05:45

Add following route on Corporate ASA:

Corporate ASA

route inside 192.168.250.0 255.255.254.0 172.17.10.2

Enable debugs: "debug crypto isakmp" and "debug crypto ipsec" on both ASAs, initiate IPsec traffic, capture the debugs and post them.

HTH

Saju

kerryjcox Wed, 10/15/2008 - 11:45

I am making some progress here. I followed the instructions on the following page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

I was never able to get much debug output as the remote VPNs kept showing up.

So, here is a screenshot of the syslog output from the ASDM on the satellite firewall. It is nearly there.

Here are the latest running-configs from both corporate and satellite.

Thanks.

Correct Answer
singhsaju Wed, 10/15/2008 - 12:29

Hello,

You have two instances of the crypto map sequence with similar settings (except the transform set). Get rid of the following crypto map sequences:

On Satellite ASA:

no crypto map outside_map 2 match address outside_cryptomap

no crypto map outside_map 2 set pfs

no crypto map outside_map 2 set peer smivpn.sorensonmedia.com

no crypto map outside_map 2 set transform-set ESP-3DES-MD5

no crypto map outside_map 2 set security-association lifetime seconds 28800

no crypto map outside_map 2 set security-association lifetime kilobytes 4608000

no crypto map outside_map 2 set reverse-route

On Corporate ASA:

no crypto map outside_map 1 match address outside_1_cryptomap_1

no crypto map outside_map 1 set pfs

no crypto map outside_map 1 set peer cda.asa5505

no crypto map outside_map 1 set transform-set ESP-3DES-SHA

no crypto map outside_map 1 set security-association lifetime seconds 28800

no crypto map outside_map 1 set security-association lifetime kilobytes 4608000

no crypto map outside_map 1 set reverse-route

Then check and capture debugs.

HTH

Saju

kerryjcox Wed, 10/15/2008 - 13:46

There are actually 2 crypto maps on the satellite VPN. You'll notice that the one went to sdihq.com and the other to sorensonmedia.com. sdihq.com is the former parent company. We want this satellite office to be part of us now. sdihq.com is in place as a backup measure. But we want the phones to come directly to us and NOT to route to them and then down to us, as per the network image.

I am making the changes as appropriate and will post debug here shortly.

kerryjcox Wed, 10/15/2008 - 14:22

I think I am actually making headway. I started afresh on both ASA devices.

Here is the debug output from both. I will attach the latest configs for both in a follow-up posting.

Any recommendations as to what both are spewing out would be appreciated.

kerryjcox Wed, 10/15/2008 - 14:52

I think I solved it. I have a static VPN connection between the 2 firewalls.

I had to carefully compare the results of "sho run crypto" and then fix the satellite to match corporate's.

After searching through the forums I found the right commands.

Thanks all.
