ASA to ASA VPN

Feb 28th, 2010
Ok, I've got a newbie error here but I do not see it.


I am trying to get a second site doing a VPN tunnel to the original Site1.


Site1 VPN is working for VPN client users but I am not getting an IPSec tunnel up between sites.

Site2 VPN is not accepting clients either... but does have internet.


I have attached sanitized cfgs for both sites.


I have been using the ASDM, but can set up the console easily on Site2.



Thanks in Advance for any assistance or suggestions

mopaul Sun, 02/28/2010 - 20:02



Hi,



I have reviewed the configuration and found that both ASAs have the set-route command on outside, which makes me think that your ISP is assigning dynamic IP addresses. But this should not be true, as you have mentioned that the RA clients work fine on the Site 1 ASA. To my understanding, though the ISP device is assigning a dynamic IP, it remains static in nature (does not change); please correct me if I am wrong. On Site B, the remote client may not be working because the IP assigned to its outside is dynamic in nature and hence keeps changing. For remote client set up, the VPN server should have a static IP address that clients can connect to. Can you please reply with the nature of the public IP address on both ASAs? Also, do let me know what IP address it is if it's static so that I can verify the configuration.



You can also refer to the following sample configuration documents. These documents are pretty straightforward.



Scenario: Site-to-Site VPN Configuration (With Static IP address on both sites)
www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5550/quick/guide/sitvpn_n.html


Scenario: Remote-Access VPN Configuration
www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5550/quick/guide/remvpn_n.html


PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example
www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml


*Last document is exempting NAT*



HTH....



Regards


M

marcuslupi Mon, 03/01/2010 - 06:22

Actually, both sites have dynamic IP addresses but keep the same IP.

Site1 is a cable modem.

Site2 is ADSL.

Both sites' ISPs keep the same IP for a MAC address, so unless hardware is changed (either modem or firewall) the IPs act as static.


I did double check that the IPs have not shifted.


I can send you the live IPs by email if you wish.

busterswt Mon, 03/01/2010 - 06:42

Hello,


The crypto ACL on site1 appears to be set up incorrectly. Site1 is defined as 192.168.2.0/24, yet the crypto ACL shows 192.168.10.0 as both the source and destination:



object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object host 192.168.10.0


access-list outside_1_cryptoSite2 extended permit ip host 192.168.10.0 object-group DM_INLINE_NETWORK_1


You'll need to change the source from a host entry to the 192.168.2.0/24 network. The destination will need to be changed from a host entry to the 192.168.10.0/24 network. You'll also want to remove 0.0.0.0/0 from the object group, otherwise you'll be defining *all* traffic (once you fix the source network) as interesting traffic.


In addition to that, the crypto maps for both firewalls show PFS to be enabled, but one is group1 and the other is group2 (default). You'll want these to match.


You've got these two entries within the site2 NAT exemption ACL, but they will not be effective at all and can probably be removed once things are working correctly:


access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip Site1 255.255.255.0 192.168.10.0 255.255.255.192


The NAT exemption ACL on the site1 fw is missing an entry for communication between 192.168.2.0/24 (source) and 192.168.10.0/24 (destination). This will need to be added also.


See what you can do to correct those things and give it a shot. Since traffic is not being considered 'interesting', that could likely be why you're not seeing any logs.


James
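The three crypto-ACL problems in the reply above (a /24 typed as a host entry, 0.0.0.0/0 inside the object group, and a PFS group mismatch) are exactly the kind of thing that is easy to miss by eye in ASDM and easy to check mechanically. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses ASA access-list, object-group and crypto map lines, expands them with the standard ipaddress module, and reports entries that fall outside the local/remote networks, match everything, or do not mirror the peer's crypto ACL. The broken Site1 lines are the ones James quoted; the corrected Site1 lines, the Site2 lines, and the crypto map name outside_map are constructed assumptions based on Site1 being 192.168.2.0/24 and Site2 being 192.168.10.0/24. The NAT exemption ACLs are not covered.

```python
"""Lint ASA site-to-site crypto ACLs for the mistakes discussed in the thread.

Added example, not config or code from the thread. SITE1_BROKEN reproduces
the lines quoted in the reply; SITE1_FIXED, SITE2 and the crypto map name
'outside_map' are constructed assumptions (Site1 = 192.168.2.0/24,
Site2 = 192.168.10.0/24).
"""
import ipaddress
import re

SITE1_BROKEN = """
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object host 192.168.10.0
access-list outside_1_cryptoSite2 extended permit ip host 192.168.10.0 object-group DM_INLINE_NETWORK_1
crypto map outside_map 1 set pfs group1
"""
SITE1_FIXED = """
access-list outside_1_cryptoSite2 extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 1 set pfs
"""
SITE2 = """
access-list outside_1_cryptoSite1 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 1 set pfs
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
OG_HEAD_RE = re.compile(r"^object-group\s+network\s+(\S+)$")
OG_MEMBER_RE = re.compile(r"^network-object\s+(.+)$")
PFS_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+set\s+pfs(?:\s+(group\d+))?$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, groups):
    """Consume one ASA address spec (any / host A / A MASK / object-group G)."""
    kw = tokens[0]
    if kw == "any":
        return [ANY], tokens[1:]
    if kw == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if kw == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    # ASA ACLs use subnet masks (255.255.255.0), not IOS wildcard masks.
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def parse(config):
    """Return (object_groups, acls, pfs_group) from a config fragment.

    acls maps ACL name -> list of (src_networks, dst_networks). A bare
    'set pfs' means group2, the ASA default that the reply refers to.
    """
    groups, acls, pfs, current = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            if m := OG_HEAD_RE.match(line):
                current = groups.setdefault(m.group(1), [])
            elif (m := OG_MEMBER_RE.match(line)) and current is not None:
                current.extend(_parse_addr(m.group(1).split(), groups)[0])
            elif m := ACL_RE.match(line):
                current = None
                src, rest = _parse_addr(m.group(2).split(), groups)
                dst, _ = _parse_addr(rest, groups)
                acls.setdefault(m.group(1), []).append((src, dst))
            elif m := PFS_RE.match(line):
                current = None
                pfs = m.group(1) or "group2"
        except (KeyError, ValueError, IndexError):
            continue  # 'names' entries and other syntax this toy parser ignores
    return groups, acls, pfs


def _pairs(entries):
    """Expand (src_networks, dst_networks) lists into a set of (src, dst) pairs."""
    return {(s, d) for src, dst in entries for s in src for d in dst}


def lint_crypto_acl(config, acl_name, local_net, remote_net):
    """Findings for a crypto ACL that should match local -> remote and nothing else."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    findings = []
    # Heuristic: a 'host' entry ending in .0 is almost always a subnet typed as a host.
    for m in re.finditer(r"\bhost\s+(\d+\.\d+\.\d+\.0)\b", config):
        findings.append(f"host {m.group(1)} looks like a network address, not a host")
    for src, dst in _pairs(parse(config)[1].get(acl_name, [])):
        if ANY in (src, dst):
            findings.append(f"{src} -> {dst}: 0.0.0.0/0 makes *all* traffic interesting")
        if not src.subnet_of(local):
            findings.append(f"{src} -> {dst}: source is not inside local {local}")
        if not dst.subnet_of(remote):
            findings.append(f"{src} -> {dst}: destination is not inside remote {remote}")
    return findings


def crypto_acls_mirror(cfg_a, acl_a, cfg_b, acl_b):
    """True when side B's crypto ACL is exactly side A's with src and dst swapped."""
    a = _pairs(parse(cfg_a)[1].get(acl_a, []))
    b = {(d, s) for s, d in _pairs(parse(cfg_b)[1].get(acl_b, []))}
    return bool(a) and a == b


def pfs_groups_match(cfg_a, cfg_b):
    """Both crypto maps must negotiate the same PFS DH group."""
    return parse(cfg_a)[2] == parse(cfg_b)[2]


if __name__ == "__main__":
    for name, cfg in (("Site1 as posted", SITE1_BROKEN), ("Site1 corrected", SITE1_FIXED)):
        print(name)
        for f in lint_crypto_acl(cfg, "outside_1_cryptoSite2", "192.168.2.0/24", "192.168.10.0/24"):
            print("  ", f)
        print("  mirrors Site2:", crypto_acls_mirror(cfg, "outside_1_cryptoSite2", SITE2, "outside_1_cryptoSite1"))
        print("  PFS groups match:", pfs_groups_match(cfg, SITE2))
```

Run it as-is to see the posted Site1 ACL fail every check and the corrected one pass; to use it on your own sanitized configs, paste each side's object-group, access-list and crypto map lines into the two strings and adjust the ACL names and subnets. The mirror check is the important one for a site-to-site tunnel: the ASA will only propose the SA that its own crypto ACL describes, so if the peer's ACL is not the exact reverse, Phase 2 never completes and nothing is ever treated as interesting traffic.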
