Site-to-Site with SA520 & ASA5505

Unanswered Question
Feb 18th, 2010

I would like to VPN between SA520 and ASA5505 but I have a doubt about ASA configuration for Host/Network that I must specified on step 5 (with ASDM software), I have find on "Cisco ASA5505 getting started guide" on chapter 8:

Traffic flow to be protected by this tunnel:

(local) 209.165.200.0

(remote) 209.165.200.255

that is the public IP address, but on this link:

http://www.ciscosystems.net.mu/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#ASDM

in this step aren't specified the public IP address but the internal IP LAN:

Traffic flow to be protected by this tunnel:

(local) 10.10.10.0/24

(remote) 10.20.10.0/24

therefore in step 5 I must specify the public IP or the private LAN address ?

Thanks.

-

Salvatore.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Ivan Martinon Thu, 02/18/2010 - 09:09

Hi Salvatore,

The vpn definition tipically (unless desired otherwise) uses the private lan for protection, so what you will need on those fields are the private local lan and the private remote lan to be protected.

pixteam2007 Fri, 02/19/2010 - 09:25

Hi, I have an error message after completed succesfully the PHASE1:

GROUP: 92.x.y.z IP:92.x.y.z, QM FSM Error

GROUP: 92.x.y.z IP:92.x.y.z, Removing peer from correlator table failed, no match!

I have verified more times the configuration but I haven't find where is the problem.

Config on ASA is:

name 82.x.y.z FW description fw

name 89.x.y.z Company description Company

name 192.168.1.222 ip_ftp

name 92.x.y.z IP_PUB_CIS

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.10 255.255.255.0

!

interface Vlan2

no forward interface Vlan1

nameif outside

security-level 0

ip address FW 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

access-list inside_access_in remark Rules x uscita LAN

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list outside_access_in remark Accesso FTP

access-list outside_access_in extended permit tcp any host 82.89.44.36 object-group DM_INLINE_TCP_0

access-list outside_access_in remark Accesso alla config da Pix

access-list outside_access_in extended permit tcp host Company host FW object-group DM_INLINE_TCP_1

access-list lagi_interporto_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.224

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool ip_lagi_interporto 192.168.1.70-192.168.1.80

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 82.x.x.x ip_ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 82.89.44.38 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http Company 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer IP_PUB_CIS

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer IP_PUB_CIS

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer IP_PUB_CIS

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set pfs group1

crypto map outside_map 4 set peer IP_PUB_CIS

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 193.204.114.232 source outside

webvpn

tunnel-group 92.x.y.z type ipsec-l2l

tunnel-group 92.x.y.z ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e01987d2fbcc58218ec5cd10a43af345

: end

asdm image disk0:/asdm-621.bin

asdm location FW 255.255.255.255 inside

asdm location Company 255.255.255.255 inside

no asdm history enable

on SA520 I have:

Policy Name: 82.x.y.z

IKE SA Parameters

Encryption: 3DES

Authentication : SHA-1

Authentication Method: PSK

PSK: xxxx

Thanks.

-

Salvatore.

DH Group: 2

Ivan Martinon Fri, 02/19/2010 - 09:44

Salvatore,

Please enable debug crypto isakmp 50 and debug crypto ipsec 50 and post them here.

Actions

This Discussion