05-12-2010 09:06 AM
Hello all,
I am attempting to set up a site-to-site VPN between an ASA 5505 and an ISR 871. I used the instructions I found on this website:
ASA 5505
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable OUTSIDE
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key secretkey
access-list ACL-ISR-871 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
crypto map MAP-OUTSIDE 20 match address ACL-ISR-871
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000 **********
crypto map MAP-OUTSIDE interface OUTSIDE
route OUTSIDE 192.168.10.0 255.255.255.0 11.11.11.11
access-list ACL-INSIDE-NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT
ISR 871
crypto isakmp policy 5
encr aes
hash sha
authentication pre-share
group 2
crypto isakmp key secretkey address 11.11.11.11
ip access-list extended ACL-VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto map VPN-TUNNEL 1 ipsec-isakmp
set peer 11.11.11.11
set transform-set AES-SHA
match address ACL-VPN

interface FastEthernet4
crypto map VPN-TUNNEL
ip nat outside

interface Vlan2
ip nat inside
ip route 192.168.1.0 255.255.255.0 22.22.22.22
ip access-list extended ACL-NAT
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any

ip nat inside source list ACL-NAT interface Fa4 overload
The 5505 inside is 192.168.1.1/24
The 5505 outside is 11.11.11.11 (substituted for real address)
The 871 inside is 192.168.10.1/25
The 871 outside is 22.22.22.22 (substituted for real address)
The problem is I can ping the inside if of the ASA from the 871 location but cannot access anything else on the 192.168.1.0 network.
Any ideas?
Thank you.
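A site-to-site tunnel only carries traffic in both directions when the crypto ACL on each end is the exact mirror of the other and, on the ASA, the same pairs are exempted from NAT. The small checker below is an added example, not part of the thread or any Cisco tool: it parses ASA-style (subnet mask) and IOS-style (wildcard mask) "permit ip" entries into network pairs and reports any pair that is missing on the other side or missing from the NAT-exemption ACL. The sample ACEs are constructed to follow the configs posted above.

```python
import ipaddress

# Constructed sample ACEs, modelled on the two configs posted above (ASA uses
# subnet masks, IOS uses wildcard masks).  Not taken from any device verbatim.
ASA_CRYPTO_ACL = [
    "access-list ACL-ISR-871 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0",
]
ASA_NONAT_ACL = [
    "access-list ACL-INSIDE-NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0",
]
IOS_CRYPTO_ACL = [
    "permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
]


def _endpoint(tokens, i, style):
    """Consume one address spec (any | host A | A MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, mask = tok, tokens[i + 1]
    if style == "ios":
        # IOS ACLs carry wildcard (inverted) masks: 0.0.0.255 means /24.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_aces(lines, style):
    """Return the set of (src_net, dst_net) pairs selected by 'permit ip' ACEs."""
    pairs = set()
    for line in lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue            # deny lines and remarks select no traffic
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            continue            # a crypto ACL should match whole subnets, not ports
        src, i = _endpoint(tokens, i + 2, style)
        dst, i = _endpoint(tokens, i, style)
        pairs.add((src, dst))
    return pairs


def mirror_of(pairs):
    """Swap src/dst so the router's view can be compared with the ASA's."""
    return {(dst, src) for src, dst in pairs}


def check_tunnel_acls(asa_crypto, asa_nonat, ios_crypto):
    """List the mismatches between the three ACLs; an empty list means they agree."""
    findings = []
    asa = parse_aces(asa_crypto, "asa")
    nonat = parse_aces(asa_nonat, "asa")
    router = mirror_of(parse_aces(ios_crypto, "ios"))
    for src, dst in sorted(asa - router):
        findings.append(f"ASA crypto ACL {src} -> {dst} has no mirror entry on the router")
    for src, dst in sorted(router - asa):
        findings.append(f"router crypto ACL {dst} -> {src} has no mirror entry on the ASA")
    for src, dst in sorted(asa - nonat):
        findings.append(f"ASA crypto ACL {src} -> {dst} is not covered by the NAT-exemption ACL")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_acls(ASA_CRYPTO_ACL, ASA_NONAT_ACL, IOS_CRYPTO_ACL) or ["ACLs agree"]:
        print(finding)
```

Run against the three constructed lists the checker reports nothing, which matches the thread: the ACLs in the question are already consistent, so the fault had to be elsewhere (routing, as the final post confirms). Feed it a router ACE with a /25 on the ASA side and it reports the pair as unmatched in both directions, which is the kind of asymmetry that silently drops one direction of traffic.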
05-12-2010 09:15 AM
Hi,
Try the following:
Enable the command: management-access inside on the ASA
From the ASA do the following:
ping inside 192.168.10.1
See if you get the replies.
1. If you don't get the replies, please post the output of the commands:
sh cry isa sa
sh cry ips sa
2. If you do get replies, you should check that the default gateway for both LANs are the respective inside IP addresses of the ASA and router.
Federico.
05-12-2010 09:48 AM
So are you saying the default gw of the ASA should be the inside address of the 871? That doesn't sound right. I thought you could have only one default gateway and that is set on the outside interfaces?
05-12-2010 11:26 AM
That's not what I'm saying.
I'm saying that the internal LAN behind the ASA should have its default gateway set to the inside IP of the ASA (or if there's another L3 device in between, the local LAN should have a route to the remote network pointing to the inside IP of the ASA).
Also, the local LAN on the router side, should have its default gateway set to the LAN side of the router.
You are correct, the ASA should have a single default gateway.
Do you get the outputs requested?
Federico.
05-24-2010 05:50 PM
Sorry for the late reply. I think I see my error in the ASA config. I have the route statement going to the 192.168.10.0 network via the outside address of the firewall. It should be the outside interface's default gateway. Correct?
I have this:
route outside 192.168.10.0 255.255.255.0 173.161.233.249 1
It should be:
route outside 192.168.10.0 255.255.255.0 173.161.233.250 1
The outside interface is in a /30 network.
05-25-2010 08:03 AM
Well that didn't work. Now I don't know what it could be. I'll post the configs here.
05-25-2010 08:06 AM
Here is the result from "ip crypto isakmp sa"
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
173.161.233.249 173.15.182.9 QM_IDLE 2001 0 ACTIVE
05-25-2010 08:08 AM
Here is the result from
#sh cry ips sa
interface: FastEthernet4
Crypto map tag: VPN-TUNNEL, local addr 173.15.182.9
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 173.161.233.249 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 173.15.182.9, remote crypto endpt.: 173.161.233.249
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xD4B5869B(3568666267)
inbound esp sas:
spi: 0xD809ADD7(3624512983)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: VPN-TUNNEL
sa timing: remaining key lifetime (k/sec): (9876/2750)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD4B5869B(3568666267)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: VPN-TUNNEL
sa timing: remaining key lifetime (k/sec): (9875/2750)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
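The two outputs above already tell most of the story: the ISAKMP SA is in QM_IDLE and ACTIVE (phase 1 is complete), and the IPsec SA shows encaps 6 but decaps 0, so the router is encrypting packets toward the ASA while nothing encrypted is coming back. The parser below is an added example, not part of the thread or any Cisco tool; it extracts those fields from the show output and classifies each protected flow, so the same check can be run over captured output in a script rather than by eye. The sample text is constructed to follow the posted output and reuses the thread's addresses.

```python
import re

# Constructed sample output, modelled on the "sh cry isa sa" / "sh cry ips sa"
# output posted above; the addresses are the thread's own.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
173.161.233.249 173.15.182.9    QM_IDLE           2001    0 ACTIVE
"""

SAMPLE_IPSEC_SA = """\
interface: FastEthernet4
    Crypto map tag: VPN-TUNNEL, local addr 173.15.182.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 173.161.233.249 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
"""

IDENT_RE = re.compile(r"^(local|remote)\s+ident.*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer\s+([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")


def parse_isakmp_sa(text):
    """One dict per IKE SA row; the title and column-header lines are skipped."""
    sas = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2].isupper() and f[3].isdigit():
            sas.append({"dst": f[0], "src": f[1], "state": f[2],
                        "conn_id": int(f[3]), "status": f[5]})
    return sas


def parse_ipsec_sa(text):
    """One dict per protected flow (each 'local ident' line starts a new one)."""
    flows, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                flows.append(cur)
            if cur is not None:
                cur[side] = f"{addr}/{mask}"
            continue
        if cur is None:
            continue            # header lines before the first flow
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
        for key, rx in (("encaps", ENCAPS_RE), ("decaps", DECAPS_RE)):
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1))
        m = ERRORS_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows


def phase1_up(isakmp_sas):
    """IKE phase 1 is complete when some SA sits in QM_IDLE and is ACTIVE."""
    return any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in isakmp_sas)


def diagnose(flow):
    """Classify a flow from its counters; one-way counts localise the fault."""
    enc, dec = flow["encaps"], flow["decaps"]
    if enc and dec:
        return "ok"
    if not enc and not dec:
        return "no-traffic"        # nothing has matched the crypto ACL yet
    if enc and not dec:
        return "one-way-outbound"  # we encrypt, nothing returns: far side's ACL, NAT exemption or return route
    return "one-way-inbound"       # peer sends, we never encrypt: our own ACL, NAT exemption or route to the peer


def report(isakmp_text, ipsec_text):
    """Return (phase1_up, [(local, remote, verdict), ...]) for a pair of show outputs."""
    flows = parse_ipsec_sa(ipsec_text)
    return phase1_up(parse_isakmp_sa(isakmp_text)), [
        (f["local"], f["remote"], diagnose(f)) for f in flows
    ]


if __name__ == "__main__":
    up, verdicts = report(SAMPLE_ISAKMP_SA, SAMPLE_IPSEC_SA)
    print("phase 1 up:", up)
    for local, remote, verdict in verdicts:
        print(f"{local} <-> {remote}: {verdict}")
```

On the sample it reports phase 1 up and the single flow as one-way-outbound, which is exactly the situation in the thread and points the investigation at the ASA side (its crypto ACL, NAT exemption and route back to 192.168.10.0/24) rather than at the router that produced the output.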
05-25-2010 08:25 AM
Here is the ISR config
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
!
!
ip domain name *****
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
!
multilink bundle-name authenticated
!
!
username
!
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
crypto isakmp key ******** address 173.161.233.249
!
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto map VPN-TUNNEL 1 ipsec-isakmp
set peer 173.161.233.249
set transform-set AES-SHA
match address ACL-VPN
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Internet
ip address 173.15.182.9 255.255.255.252
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN-TUNNEL
!
interface Vlan1
description Internal LAN
ip address 192.168.10.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.15.182.10
ip route 192.168.1.0 255.255.255.0 173.15.182.10
!
!
no ip http server
no ip http secure-server
ip nat inside source list ACL-NAT interface FastEthernet4 overload
!
ip access-list extended ACL-NAT
deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended ACL-VPN
permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 permit tcp 173.15.182.8 0.0.0.3 any
access-list 101 permit udp 173.15.182.8 0.0.0.3 any
access-list 101 permit icmp 173.15.182.8 0.0.0.3 any
access-list 101 deny ip any any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 173.15.182.8 0.0.0.3 any
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 administratively-prohibited
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 echo
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 echo-reply
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 packet-too-big
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 time-exceeded
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 traceroute
access-list 111 permit icmp any 173.15.182.8 0.0.0.3 unreachable
access-list 111 permit tcp any eq 22 0.0.0.1 255.255.255.252
access-list 111 deny ip any any
no cdp run
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end
05-25-2010 08:31 AM
Here is the ASA config
ASA Version 7.2(4)
!
hostname ****
domain-name ****
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.161.233.249 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name *****
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip interface inside host 173.15.182.9
access-list ACL-ISR-871 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any 173.161.233.248 255.255.255.252 eq ssh
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool1 192.168.2.10-192.168.2.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list ACL-INSIDE-NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.161.233.250 1
route outside 192.168.10.0 255.255.255.0 173.161.233.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map MAP-OUTSIDE 20 match address ACL-ISR-871
crypto map MAP-OUTSIDE 20 set peer 173.15.182.9
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map MAP-OUTSIDE interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 192.168.1.50 interface inside
dhcpd enable inside
!
username user1 password ***** encrypted privilege 15
username user1 attributes
vpn-group-policy DfltGrpPolicy
username user2 password **** encrypted privilege 5
username user2 attributes
vpn-group-policy DfltGrpPolicy
username user3 password ***** encrypted privilege 15
username user3 attributes
vpn-group-policy DfltGrpPolicy
tunnel-group 173.15.182.9 type ipsec-l2l
tunnel-group 173.15.182.9 ipsec-attributes
pre-shared-key *
!
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:b94e1e454aedfa492fff355967a8e4d8
: end
05-25-2010 11:00 AM
On the ASA you need to add:
access-list ACL-INSIDE-NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
Let me know if it works.
Federico.
05-25-2010 11:22 AM
That entry is already there. Someone told me to remove the static routes from each device except for the default route. I did that and reloaded each side and it works now! Now I have to start enabling firewall rules on the ISR side. Thanks for all your help!