Site to site with asa 5505 and isr 871

May 12th, 2010

Hello all,

I am attempting to set up a site to site vpn between a ASA 5505 and a ISR 871. I used the instructions I found on this website:


ASA 5505

crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto isakmp enable OUTSIDE

tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key secretkey

access-list ACL-ISR-871 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
crypto map MAP-OUTSIDE 20 match address ACL-ISR-871
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map MAP-OUTSIDE interface OUTSIDE

route OUTSIDE 192.168.10.0 255.255.255.0 11.11.11.11

access-list ACL-INSIDE-NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT








ISR 871

crypto isakmp policy 5
 encr aes
 hash sha
 authentication pre-share
 group 2

crypto isakmp key secretkey address 11.11.11.11

ip access-list extended ACL-VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 11.11.11.11
 set transform-set AES-SHA
 match address ACL-VPN

interface FastEthernet4
 crypto map VPN-TUNNEL
 ip nat outside

interface Vlan2
 ip nat inside

ip route 192.168.1.0 255.255.255.0 22.22.22.22

ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

ip nat inside source list ACL-NAT interface Fa4 overload


The 5505 inside is 192.168.1.1/24

The 5505 outside is 11.11.11.11 (substituted for real address)


The 871 inside is 192.168.10.1/25

The 871 outside is 22.22.22.22 (substituted for real address)


The problem is I can ping the inside if of the ASA from the 871 location but cannot access anything else on the 192.168.1.0 network.


Any ideas?


Thank you.
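
Before looking at the devices it is worth checking that the two halves of the configuration describe the same traffic. The script below is an added example, not code from this thread or from Cisco. It parses the ASA and IOS snippets from the post above (embedded here as constructed strings, not full configs), normalises the ASA netmask and IOS wildcard-mask syntax into networks, and reports the two mistakes that most often produce a tunnel that negotiates but passes nothing: crypto ACLs that are not exact mirror images, and NAT rules that translate the protected traffic before it reaches the crypto map. The function names are mine; only `permit`/`deny ip` entries with `any`, `host` and network forms are parsed.

```python
import ipaddress
import re

# Constructed from the two snippets in the post above; not full device configs.
ASA_CONFIG = """\
access-list ACL-ISR-871 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list ACL-INSIDE-NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map MAP-OUTSIDE 20 match address ACL-ISR-871
"""
IOS_CONFIG = """\
ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip nat inside source list ACL-NAT interface FastEthernet4 overload
crypto map VPN-TUNNEL 1 ipsec-isakmp
 match address ACL-VPN
"""

CRYPTO_ACL = r"^\s*(?:crypto map \S+ \d+ )?match address (\S+)"  # ASA prefixes the IOS form
NAT_ACL = r"^(?:nat \(\S+\) 0 access-list|ip nat inside source list) (\S+)"  # ASA nat 0 / IOS NAT


def _net(tokens, wildcard=False):
    """Pop one address spec ('any', 'host A.B.C.D' or 'NET MASK') and return it as a network.
    ASA ACLs carry a netmask; IOS ACLs carry a wildcard (inverted) mask."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard:
        mask ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{tok}/{ipaddress.ip_address(mask)}", strict=False)


def parse_asa_acls(config):
    """{name: [(action, src, dst), ...]} from ASA 'access-list NAME [extended] permit|deny ip ...'."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        rest = t[3:] if t[2] == "extended" else t[2:]
        if len(rest) < 4 or rest[1] != "ip":  # only plain IP entries matter for crypto/NAT ACLs
            continue
        action, rest = rest[0], rest[2:]
        acls.setdefault(t[1], []).append((action, _net(rest), _net(rest)))
    return acls


def parse_ios_acls(config):
    """{name: [(action, src, dst), ...]} from IOS 'ip access-list extended NAME' blocks."""
    acls, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            current = t[3]
            acls[current] = []
        elif current and t[0] in ("permit", "deny") and t[1] == "ip":
            rest = t[2:]
            acls[current].append((t[0], _net(rest, True), _net(rest, True)))
        else:
            current = None  # any other top-level command ends the ACL block
    return acls


def _grab(pattern, config):
    """First capture group of pattern in config (multi-line search), or None."""
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None


def first_match(entries, src, dst):
    """Action of the first ACE whose source and destination contain src and dst (None = implicit deny)."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check_tunnel(asa_config, ios_config):
    """Return a list of findings; an empty list means both halves describe the same traffic."""
    findings = []
    asa_acls, ios_acls = parse_asa_acls(asa_config), parse_ios_acls(ios_config)
    asa_pairs = {(s, d) for a, s, d in asa_acls[_grab(CRYPTO_ACL, asa_config)] if a == "permit"}
    ios_pairs = {(s, d) for a, s, d in ios_acls[_grab(CRYPTO_ACL, ios_config)] if a == "permit"}
    # 1. Proxy identities: the IOS crypto ACL must be the exact mirror of the ASA one
    #    (a /25 on one side and a /24 on the other is a Phase 2 mismatch).
    if {(d, s) for s, d in ios_pairs} != asa_pairs:
        findings.append("crypto ACLs are not mirror images: ASA %s vs IOS %s" % (
            sorted(f"{s}->{d}" for s, d in asa_pairs), sorted(f"{s}->{d}" for s, d in ios_pairs)))
    # 2. ASA: each protected pair must hit a permit in the nat 0 ACL, otherwise
    #    'nat (inside) 1 0.0.0.0 0.0.0.0' PATs it and the crypto ACL never sees it.
    nonat = asa_acls.get(_grab(NAT_ACL, asa_config), [])
    for s, d in asa_pairs:
        if first_match(nonat, s, d) != "permit":
            findings.append(f"ASA: {s} -> {d} is not exempt from NAT")
    # 3. IOS: each protected pair must hit a deny before 'permit ip any any',
    #    otherwise it is overloaded to the outside address before encryption.
    nat = ios_acls.get(_grab(NAT_ACL, ios_config), [])
    for s, d in ios_pairs:
        if first_match(nat, s, d) == "permit":
            findings.append(f"IOS: {s} -> {d} is NATed before it reaches the crypto map")
    return findings
```

Run against the snippets as posted, `check_tunnel(ASA_CONFIG, IOS_CONFIG)` returns no findings, which is consistent with the thread: the ACLs and NAT exemptions were already correct, and the fault lay elsewhere. Narrowing one side's crypto ACL to a /25, deleting the ASA `nat 0` line, or putting the IOS `permit ip any any` ahead of the `deny` each produce a specific finding.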




Federico Coto F... Wed, 05/12/2010 - 09:15

Hi,


Try the following:


Enable the command:  management-access inside    on the ASA


From the ASA do the following:

ping inside 192.168.10.1

See if you get the replies.


1. If you don't get the replies, please post the output of the commands:

sh cry isa sa

sh cry ips sa


2. If you do get replies, you should check that the default gateway for both LANs are the respective inside IP addresses of the ASA and router.


Federico.

tjd2112pcca Wed, 05/12/2010 - 09:48

So are you saying the default gw of the ASA should be the inside address of the 871? That doesn't sound right. I thought you could have only one default gateway and that is set on the outside interfaces?

Federico Coto F... Wed, 05/12/2010 - 11:26

That's not what I'm saying.


I'm saying that the internal LAN behind the ASA should have its default gateway set to the inside IP of the ASA (or if there's another L3 device in between, the local LAN should have a route to the remote network pointing to the inside IP of the ASA).


Also, the local LAN on the router side, should have its default gateway set to the LAN side of the router.


You are correct, the ASA should have a single default gateway.


Do you get the outputs requested?


Federico.

tjd2112pcca Mon, 05/24/2010 - 17:50

Sorry for the late reply. I think I see my error in the ASA config. I have the route statement going to the 192.168.10.0 network via the outside address of the firewall. It should be the outside interface's default gateway. Correct?


I have this:

route outside 192.168.10.0 255.255.255.0 173.161.233.249 1


It should be:

route outside 192.168.10.0 255.255.255.0 173.161.233.250 1


The outside interface is in a /30 network.

tjd2112pcca Tue, 05/25/2010 - 08:03

Well that didn't work. Now I don't know what it could be. I'll post the configs here.

tjd2112pcca Tue, 05/25/2010 - 08:06

Here is the result from "ip crypto isakmp sa"


IPv4 Crypto ISAKMP SA
dst              src              state     conn-id  slot  status
173.161.233.249  173.15.182.9     QM_IDLE   2001     0     ACTIVE

tjd2112pcca Tue, 05/25/2010 - 08:08

Here is the result from


#sh cry ips sa


interface: FastEthernet4
    Crypto map tag: VPN-TUNNEL, local addr 173.15.182.9


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 173.161.233.249 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0


     local crypto endpt.: 173.15.182.9, remote crypto endpt.: 173.161.233.249
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xD4B5869B(3568666267)


     inbound esp sas:
      spi: 0xD809ADD7(3624512983)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: VPN-TUNNEL
        sa timing: remaining key lifetime (k/sec): (9876/2750)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xD4B5869B(3568666267)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: VPN-TUNNEL
        sa timing: remaining key lifetime (k/sec): (9875/2750)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:
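
The two outputs above already narrow the problem down, and the following script, an added example that is not part of the thread, reads them mechanically. `QM_IDLE`/`ACTIVE` in `show crypto isakmp sa` means Phase 1 completed and the pre-shared key and policy agree. In `show crypto ipsec sa`, an ACTIVE SA in both directions means Phase 2 completed too, so `encaps` rising while `decaps` stays at zero says the router is encrypting and sending, but the ASA side is sending nothing back: the next place to look is the remote crypto ACL, the remote NAT exemption and the remote hosts' default gateway, not the IKE negotiation. The samples are the posted outputs trimmed to the lines used; the field names are mine.

```python
import re

# The two outputs posted above, embedded as constructed samples (trimmed to the lines used).
ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
173.161.233.249 173.15.182.9    QM_IDLE           2001    0 ACTIVE
"""
IPSEC_SAMPLE = """\
interface: FastEthernet4
    Crypto map tag: VPN-TUNNEL, local addr 173.15.182.9

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 173.161.233.249 port 500
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0

     inbound esp sas:
      spi: 0xD809ADD7(3624512983)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xD4B5869B(3568666267)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

FIELDS = {  # field name -> regex with one capture group
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
}


def isakmp_established(text):
    """True when some IKEv1 SA in 'show crypto isakmp sa' is QM_IDLE and ACTIVE (Phase 1 done)."""
    return any(re.search(r"\bQM_IDLE\b.*\bACTIVE\b", line) for line in text.splitlines())


def _esp_active(text, direction):
    """True if the '<direction> esp sas:' section of the output holds an ACTIVE SA."""
    m = re.search(direction + r" esp sas:(.*?)(?:\n\s*(?:inbound|outbound) (?:esp|ah|pcp) sas:|\Z)",
                  text, re.S)
    return bool(m and "Status: ACTIVE" in m.group(1))


def parse_ipsec_sa(text):
    """Counters, proxy identities and SA state of one 'show crypto ipsec sa' block as a dict."""
    sa = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        value = m.group(1) if m else None
        sa[key] = int(value) if value is not None and value.isdigit() else value
    sa["inbound_active"] = _esp_active(text, "inbound")
    sa["outbound_active"] = _esp_active(text, "outbound")
    return sa


def diagnose(sa):
    """Turn the counters into the next troubleshooting step, as a list of strings."""
    if not (sa["inbound_active"] and sa["outbound_active"]):
        return ["Phase 2 is not up in both directions: check the ISAKMP SA and the transform sets"]
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append(f"one-way: {sa['encaps']} packets encrypted to {sa['peer']} but none received; "
                        f"the peer must protect {sa['remote_ident']} -> {sa['local_ident']}: check its "
                        "crypto ACL, its NAT exemption and the default gateway of its hosts")
    elif sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way: packets arrive but none are sent; check the local NAT exemption and "
                        "that return traffic is routed out the crypto map interface")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send error(s): packets matched the crypto ACL but were "
                        "dropped before encryption (typically the packet that triggered negotiation)")
    return findings or ["counters increase both ways; the tunnel is passing traffic"]
```

On the posted output, `diagnose(parse_ipsec_sa(IPSEC_SAMPLE))` reports the one-way condition plus the single send error; clearing both sides' SAs and re-checking the counters after a fresh ping is the cheapest way to confirm which way traffic is actually flowing.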

tjd2112pcca Tue, 05/25/2010 - 08:25

Here is the ISR config


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
!
!
ip domain name *****
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
!
multilink bundle-name authenticated
!
!
username
!
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
crypto isakmp key ******** address 173.161.233.249
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-TUNNEL 1 ipsec-isakmp
set peer 173.161.233.249
set transform-set AES-SHA
match address ACL-VPN
!
archive
log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Internet
ip address 173.15.182.9 255.255.255.252
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN-TUNNEL
!
interface Vlan1
description Internal LAN
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.15.182.10
ip route 192.168.1.0 255.255.255.0 173.15.182.10
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet4 overload
!
ip access-list extended ACL-NAT
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended ACL-VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 permit tcp 173.15.182.8 0.0.0.3 any
access-list 101 permit udp 173.15.182.8 0.0.0.3 any
access-list 101 permit icmp 173.15.182.8 0.0.0.3 any
access-list 101 deny   ip any any
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip 173.15.182.8 0.0.0.3 any
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 administratively-prohibited
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 echo
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 echo-reply
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 packet-too-big
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 time-exceeded
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 traceroute
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 unreachable
access-list 111 permit tcp any eq 22 0.0.0.1 255.255.255.252
access-list 111 deny   ip any any
no cdp run
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end

tjd2112pcca Tue, 05/25/2010 - 08:31

Here is the ASA config


ASA Version 7.2(4)
!
hostname ****
domain-name ****


names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.161.233.249 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip interface inside host 173.15.182.9
access-list ACL-ISR-871 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any 173.161.233.248 255.255.255.252 eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool1 192.168.2.10-192.168.2.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ACL-INSIDE-NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.161.233.250 1
route outside 192.168.10.0 255.255.255.0 173.161.233.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map MAP-OUTSIDE 20 match address ACL-ISR-871
crypto map MAP-OUTSIDE 20 set peer 173.15.182.9
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map MAP-OUTSIDE interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.50 interface inside
dhcpd enable inside
!


username user1 password ***** encrypted privilege 15
username user1 attributes
vpn-group-policy DfltGrpPolicy
username user2 password **** encrypted privilege 5
username user2 attributes
vpn-group-policy DfltGrpPolicy
username user3 password ***** encrypted privilege 15
username user3 attributes
vpn-group-policy DfltGrpPolicy
tunnel-group 173.15.182.9 type ipsec-l2l
tunnel-group 173.15.182.9 ipsec-attributes
pre-shared-key *
!
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:b94e1e454aedfa492fff355967a8e4d8
: end

Federico Coto F... Tue, 05/25/2010 - 11:00

On the ASA you need to add:


access-list ACL-INSIDE-NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0


Let me know if it works.


Federico.

tjd2112pcca Tue, 05/25/2010 - 11:22

That entry is already there. Someone told me to remove the static routes from each device except for the default route. I did that and reloaded each side and it works now! Now I have to start enabling firewall rules on the ISR side. Thanks for all your help!
