05-12-2010 10:26 AM - edited 03-11-2019 10:44 AM
I am trying to establish a site-to-site VPN connection between an ASA5510 and an ASA5505. Everything seems to be working on the ASAs themselves, but I am unable to get the VPN connection going. I created the connection profiles the same at both ends, but I must be missing something. I need another pair of eyes to look over my configurations and see what I am missing. Thanks for any help.
Jason
5510 Config:
Result of the command: "show config"
: Saved
: Written by enable_15 at 11:05:58.939 GMT Wed May 12 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside-Untrust
security-level 0
ip address 165.127.126.132 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.18.0.1 255.255.248.0
!
interface Ethernet0/2
nameif DMZ2
security-level 50
ip address 172.17.0.1 255.255.255.224
!
interface Ethernet0/3
nameif DMZ1
security-level 50
ip address 172.16.0.1 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT 0
access-list Inside-Trust_access_in extended permit icmp any any inactive
access-list Outside-Untrust_access_in extended permit icmp any any unreachable
access-list Outside-Untrust_access_in extended permit icmp any any traceroute
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1
access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10
access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside 172.18.0.10
logging permit-hostdown
mtu Outside-Untrust 1500
mtu inside 1500
mtu DMZ2 1500
mtu DMZ1 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255
access-group Outside-Untrust_access_in in interface Outside-Untrust
access-group inside_access_in in interface inside
route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1
route management 172.18.0.3 255.255.255.255 172.18.0.2 1
route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
http 192.168.1.9 255.255.255.255 management
http 172.18.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable Outside-Untrust
crypto isakmp enable inside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server management 192.168.1.9 c:\AS5510_Updates
webvpn
username jgiambro nopassword privilege 15
tunnel-group 165.127.235.132 type ipsec-l2l
tunnel-group 165.127.235.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
mount ASA5510_backup_configs type cifs
server 192.168.1.2
share \\ASA5510-backup_configs
domain ITS18600
status enable
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7dd93df22df8c648afecc700b4d3040a
5505 Config:
Result of the command: "show config"
: Saved
: Written by enable_15 at 08:34:13.408 UTC Wed May 12 2010
!
ASA Version 8.2(1)
!
hostname asa5505
domain-name dphe.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan21
nameif Outside
security-level 0
ip address 165.127.235.132 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 21
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dphe.local
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list Outside_access_in extended permit icmp any any unreachable
access-list Outside_access_in extended permit icmp any any traceroute
access-list Outside_access_in extended permit icmp any any timestamp-reply
access-list Outside_access_in extended permit icmp any any timestamp-request
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_access_in extended permit tcp host 10.1.1.3 host 10.1.1.1
pager lines 24
logging enable
logging asdm informational
logging host Outside 172.18.0.10
logging permit-hostdown
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1
route Outside 0.0.0.0 0.0.0.0 165.127.235.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.3 255.255.255.255 inside
http 10.0.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap
crypto map Outside-Untrusted_map 1 set pfs group1
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map Outside-Untrusted_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 10.1.1.3 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 165.127.126.132 type ipsec-l2l
tunnel-group 165.127.126.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7dea44f64a0339f8459c83461e21f5e
05-12-2010 01:21 PM
Hi Jason,
What do the following commands report on both sides:
show crypto ipsec sa
show crypto isa sa
This will assist in troubleshooting this, and also, if I am remembering correctly, you may want your crypto maps mapped to the outside interface.
Thanks,
Kimberly
05-13-2010 06:02 AM
Hi Kimberly
Thank you for responding.
I ran the show crypto ipsec sa command and the show crypto isa sa command on both firewalls and got the same output on both:
"There is no ipsec sas"
"There is no isakmp sas"
I also verified the crypto maps on both firewalls were mapped to the outside interface.
Just so you know, I set up the connection profiles using the IPsec wizard we used in training.
Jason
05-13-2010 07:26 AM
Jason you are welcome for the response.
In order to get a site-to-site VPN working you will need to have an SA for both IPSEC and ISAKMP (SA = Security Association). I am not a huge fan of the ASDM GUI and do most of my work on the command line. What it honestly sounds like is you are missing something in your configuration and need to get the security association set up. I will pore over your configurations and see if I can find the missing component, but when it is working and you run those two commands your output should look very similar to the following:
This is from my ASA, this is not quite a S2S VPN but you get the point:
PDC-5540# sh crypto isa sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 71.194.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: 99.147.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
PDC-5540# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 65.116.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.41.x.x/255.255.255.255/0/0)
current_peer: 71.194.x.x, username: murrayc
dynamic allocated peer ip: 10.41.x.x
#pkts encaps: 3260, #pkts encrypt: 3260, #pkts digest: 3260
#pkts decaps: 3580, #pkts decrypt: 3580, #pkts verify: 3580
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3260, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 65.116.x.x/11000, remote crypto endpt.: 71.194.x.x/1082
path mtu 1500, ipsec overhead 94, media mtu 1500
current outbound spi: 166E1E5E
inbound esp sas:
spi: 0x13AE577C (330192764)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, TCP-Encaps, }
slot: 0, conn_id: 2109440, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 26114
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x166E1E5E (376315486)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, TCP-Encaps, }
slot: 0, conn_id: 2109440, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (sec): 26112
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I will double check your configs and see if I can find something to assist you further.
Kimberly
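Kimberly's point above, that a working tunnel shows both an ISAKMP SA and an IPsec SA, can be turned into a small state classifier for the output of the two show commands, so that the "no sas" replies Jason gets are mapped to the phase that never completed. This is an added example, not code from the thread or from Cisco: parse_isakmp(), parse_ipsec() and diagnose() are my own names, the "no sas" strings are the replies Jason reports, and the L2L and one-way IPsec samples are constructed in the ASA output format rather than taken from any device in this thread.

```python
"""Added example: classify 'show crypto isakmp sa' / 'show crypto ipsec sa'
output into the phase where a LAN-to-LAN tunnel is stuck. Not from the thread."""
import re

# Constructed samples. NO_IKE / NO_IPSEC are the replies reported in the thread;
# IKE_L2L and IPSEC_ONEWAY follow the ASA output format but are made up here.
NO_IKE = "There is no isakmp sas\n"
NO_IPSEC = "There is no ipsec sas\n"
IKE_L2L = """\
   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 165.127.235.132
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
IPSEC_ONEWAY = """\
interface: Outside-Untrust
    Crypto map tag: Outside-Untrust_map, seq num: 1, local addr: 165.127.126.132
      local ident (addr/mask/prot/port): (172.18.0.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 165.127.235.132
      #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def parse_isakmp(text):
    """One {peer, state} per IKE SA; [] when the device reports none."""
    if re.search(r"no isakmp sas", text, re.I):
        return []
    sas = []
    # Each SA starts with an index number followed by 'IKE Peer:'.
    for block in re.split(r"^\d+\s+(?=IKE Peer)", text, flags=re.M)[1:]:
        sas.append({"peer": re.search(r"IKE Peer:\s*(\S+)", block).group(1),
                    "state": re.search(r"State\s*:\s*(\S+)", block).group(1)})
    return sas


def parse_ipsec(text):
    """One {peer, encaps, decaps} per crypto map entry; [] when none."""
    if re.search(r"no ipsec sas", text, re.I):
        return []
    sas = []
    for block in re.split(r"^\s*Crypto map tag:", text, flags=re.M)[1:]:
        sas.append({"peer": re.search(r"current_peer:\s*([^\s,]+)", block).group(1),
                    "encaps": int(re.search(r"#pkts encaps:\s*(\d+)", block).group(1)),
                    "decaps": int(re.search(r"#pkts decaps:\s*(\d+)", block).group(1))})
    return sas


def diagnose(isakmp_out, ipsec_out):
    """Return a short label for where the tunnel stands."""
    ike = parse_isakmp(isakmp_out)
    if not ike:
        # Phase 1 never started: no traffic matched the crypto ACL on the bound
        # interface, ISAKMP is not enabled on that interface, or the peer is unreachable.
        return "no-ike-sa"
    if not any(sa["state"].endswith("_ACTIVE") for sa in ike):
        return "ike-negotiating"      # stuck in MM_WAIT_MSGx: phase 1 proposal or PSK mismatch
    ipsec = parse_ipsec(ipsec_out)
    if not ipsec:
        return "ike-up-no-ipsec"      # phase 2 mismatch: transform set or crypto ACLs
    if any(sa["encaps"] and not sa["decaps"] for sa in ipsec):
        return "ipsec-one-way"        # we encrypt but nothing returns: far side ACL/NAT/route
    return "up"


if __name__ == "__main__":
    print(diagnose(NO_IKE, NO_IPSEC), diagnose(IKE_L2L, NO_IPSEC), diagnose(IKE_L2L, IPSEC_ONEWAY))
```

The "no-ike-sa" result is the one Jason is seeing on both boxes: the boxes are not even attempting phase 1, which points at the crypto map binding, the interesting-traffic ACL, or reachability rather than at a proposal mismatch.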
05-13-2010 08:14 AM
Hi Jason,
I am seeing possibly a few problems with your setup.
1. Are your clients able to browse the Internet? Because I see the nat global but I don't see a corresponding nat inside. For example you have the following:
global (Outside-Untrust) 101 but I don't see a
nat (inside) 101 0.0.0.0 0.0.0.0
Can you explain how they are able to browse?
2. Your cryptomap ACL and nat 0 ACLs are incorrect on the 5505: you have a network going to a host on one side and a network going to a network on the other. Remember these ACLs have to mirror each other, so do the following:
5505
no access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
no access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
5510
(for neatness sake)
no access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0
no access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0
3. You seem to have two crypto maps with the same parameters on the 5505; however, the one you have applied is on the inside interface, but it should be applied to the Outside interface on both firewalls. You also have isakmp enabled on the inside interface. The crypto map must always be applied to the Internet-facing interface and isakmp should only be enabled on this interface as well (unless you have a different setup and are doing it over a WAN link), so you need to do the following on both firewalls:
5505
no crypto map inside_map interface inside
no crypto isakmp enable inside
crypto map Outside-Untrusted_map interface Outside
5510
no crypto map inside_map interface inside
no crypto isakmp enable inside
crypto map inside_map interface Outside-Untrust
4. You also have an ACL applied to the inside interface that will cause the tunnel to never be established; you need to permit the traffic that will traverse the tunnel. Do the following:
5505
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
5510
access-list inside_access_in extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
Your other parameters seem to be OK. Give these changes a try and let me know if it works.
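The four rules in the reply above (mirrored crypto ACLs, nat 0 ACL covering the crypto ACL, crypto map applied to the interface where ISAKMP is enabled, and each side peering with the address of the other side's bound interface) are the kind of thing worth checking mechanically before opening the debugs. The checker below is an added example, not code from the thread or from Cisco: parse() and check() are my own names, and the two embedded configs are the tunnel-relevant lines trimmed out of the configs in the first post. Run against that original pair it reports the problems listed above; with the suggested changes applied it reports nothing.

```python
"""Added example: consistency checks for a pair of ASA 8.2 LAN-to-LAN configs.
Not code from the thread or from Cisco; parse() and check() are my own names."""
from ipaddress import IPv4Network

# Sample input: tunnel-relevant lines trimmed from the two configs in the first post.
ASA5510 = """
interface Ethernet0/0
 nameif Outside-Untrust
 ip address 165.127.126.132 255.255.255.192
interface Ethernet0/1
 nameif inside
 ip address 172.18.0.1 255.255.248.0
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map interface inside
crypto isakmp enable Outside-Untrust
crypto isakmp enable inside
"""
ASA5505 = """
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan21
 nameif Outside
 ip address 165.127.235.132 255.255.255.192
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable Outside
"""


def _addr(tok):
    """Consume one ACL address term ('host A' or 'A MASK'); return (network, rest)."""
    if tok[0] == "host":
        return IPv4Network(tok[1] + "/32"), tok[2:]
    return IPv4Network(f"{tok[0]}/{tok[1]}"), tok[2:]


def parse(text):
    """Extract interface addresses, 'permit ip' ACL entries, the nat 0 ACL,
    crypto map ACL/peer/binding and the interfaces with ISAKMP enabled."""
    c = {"intf": {}, "acl": {}, "map": {}, "bound": {}, "isakmp": set(), "nat0": None}
    nameif = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"]:
            c["intf"][nameif] = t[2]
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            c["acl"].setdefault(t[1], set()).add((src, dst))
        elif t[0] == "nat" and t[2] == "0":
            c["nat0"] = t[4]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            c["bound"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            c["map"].setdefault(t[2], {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            c["map"].setdefault(t[2], {})["peer"] = t[6]
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            c["isakmp"].add(t[3])
    return c


def _crypto_acl(c, map_name):
    return c["acl"].get(c["map"].get(map_name, {}).get("acl"), set())


def check(sides):
    """sides = {name: parse(text)} for the two ends. Returns a list of findings."""
    out = []
    (an, a), (bn, b) = sides.items()
    for me, mine, other, theirs in ((an, a, bn, b), (bn, b, an, a)):
        for m in mine["map"]:
            if m not in mine["bound"]:
                out.append(f"{me}: crypto map {m} is defined but not applied to any interface")
        for m, intf in mine["bound"].items():
            if intf not in mine["isakmp"]:
                out.append(f"{me}: crypto map {m} is on {intf} but ISAKMP is not enabled there")
            addr = mine["intf"].get(intf)
            for tm in theirs["bound"]:  # far end must peer with the address the map is bound to
                peer = theirs["map"].get(tm, {}).get("peer")
                if peer != addr:
                    out.append(f"{other}: peer {peer} is not {me}'s {intf} address {addr} (where {m} is applied)")
            if mine["nat0"] and not _crypto_acl(mine, m) <= mine["acl"].get(mine["nat0"], set()):
                out.append(f"{me}: nat 0 ACL {mine['nat0']} does not exempt all crypto ACL traffic")
    # Mirror check once, on the crypto ACLs of the maps actually applied at each end.
    a_acl = {e for m in a["bound"] for e in _crypto_acl(a, m)}
    b_acl = {e for m in b["bound"] for e in _crypto_acl(b, m)}
    if {(d, s) for s, d in b_acl} != a_acl:
        out.append(f"{an}/{bn}: crypto ACLs are not mirror images of each other")
    return out


if __name__ == "__main__":
    print(*check({"ASA5510": parse(ASA5510), "ASA5505": parse(ASA5505)}), sep="\n")
```

The inside-interface binding is caught indirectly: with the map bound to inside, the address the far end peers with is not the address of the bound interface, so the peer check fires on both sides. The checker only understands the 8.2-style commands shown in the thread (classic nat/global and crypto map syntax), not the 8.3+ object NAT syntax.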
05-13-2010 10:11 AM
Thank you Kimberly and KWillacey
Kwillacey - I made all the changes you recommended, but I ran into a few problems. I get a warning on both firewalls that said the crypto map needed entries, and the connection profiles were now gone. I rebuilt the crypto map entries without using the wizard, so I am not sure I did those right. I rebuilt the connection profiles using the wizard. Hopefully I did not duplicate anything. I also added a NAT rule for inside traffic (good catch, thanks).
Kimberly-thank you for your help, I changed the ACL from host to network.
It is a lot cleaner now but still not working, so I obviously missed something. I made a lot of changes to clean up the mistakes kwillacey pointed out, so I will repost the configs. Thanks again for your time, guys, you have been a great help!
Jason
ASA5510
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside-Untrust
security-level 0
ip address 165.127.126.132 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.18.0.1 255.255.248.0
!
interface Ethernet0/2
nameif DMZ2
security-level 50
ip address 172.17.0.1 255.255.255.224
!
interface Ethernet0/3
nameif DMZ1
security-level 50
ip address 172.16.0.1 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT 0
access-list Inside-Trust_access_in extended permit icmp any any inactive
access-list Outside-Untrust_access_in extended permit icmp any any unreachable
access-list Outside-Untrust_access_in extended permit icmp any any traceroute
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply
access-list Outside-Untrust_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1
access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10
access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog
access-list inside_access_in extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list Outside-Untrust_cryptomap_1 extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside 172.18.0.10
logging permit-hostdown
mtu Outside-Untrust 1500
mtu inside 1500
mtu DMZ2 1500
mtu DMZ1 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255
static (inside,inside) 165.127.126.133 0.0.0.0 netmask 255.255.255.255
access-group Outside-Untrust_access_in in interface Outside-Untrust
access-group inside_access_in in interface inside
route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1
route management 172.18.0.3 255.255.255.255 172.18.0.2 1
route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
http 192.168.1.9 255.255.255.255 management
http 172.18.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside-Untrust_map 1 match address Outside-Untrust_1_cryptomap
crypto map Outside-Untrust_map 1 set pfs group1
crypto map Outside-Untrust_map 1 set peer 165.127.235.132
crypto map Outside-Untrust_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 1 match address Outside-Untrust_cryptomap_1
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map 1 set transform-set ESP-AES-128-SHA
crypto map inside_map interface Outside-Untrust
crypto isakmp enable Outside-Untrust
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server management 192.168.1.9 c:\AS5510_Updates
webvpn
username jgiambro nopassword privilege 15
tunnel-group 165.127.235.132 type ipsec-l2l
tunnel-group 165.127.235.132 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
mount ASA5510_backup_configs type cifs
server 192.168.1.2
share \\ASA5510-backup_configs
domain ITS18600
username jgiambro
password *****
status enable
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c9dd99906ac8345298b9e8914dd52d7b
: end
05-13-2010 10:47 AM
Hi Jason,
You don't need to worry about that error you got; it happens whenever you remove an entry from the crypto map and is just a warning. As long as you put it back you should be fine.
You still have not indicated if your clients are able to browse the Internet. If not, you may want to remove the following static NAT entries and add the following:
5510
no static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255
no static (inside,inside) 165.127.126.133 0.0.0.0 netmask 255.255.255.255
nat (inside) 101 0.0.0.0 0.0.0.0
5505
no static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255
nat (inside) 101 0.0.0.0 0.0.0.0
global (Outside) 101 interface
Your routing also looks a bit off so try the following:
5510
no route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1
no route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled
route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129
5505
Everything else seems fine to me, ensure when you are testing you ping from one network to the other and do a "show crypto isakmp sa" to see if the tunnel is trying to be established.
Also check out this example it may help
Let me know how it goes
05-13-2010 07:44 AM
Jason,
In your access-lists on your remote 5505 config, you are specifying the host subnet as a single host:
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
This shouldn't be a single host but a subnet that matches your host side configuration: 172.18.0.0 255.255.248.0
When looking at these configurations with the command line, make sure your access lists match, except that the placement of the IP addresses should be flipped.
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
The configuration on the 5505 doesn't really match the configuration of the 5510, and this is, I think, for starters why you are not getting a security association.
Thanks and please let me know how this goes or if you need more assistance.
Kimberly
05-13-2010 11:03 AM
Hi Jason,
I just saw this post, I had no idea it existed. Follow the link
05-13-2010 11:09 AM
You have 2 different Crypto maps applied
crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap
crypto map Outside-Untrusted_map 1 set pfs group1
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map Outside-Untrusted_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
Remember that only one can be applied to an interface. You can have one crypto map with several reference numbers.
Eliminate the one that is not applied to the interface. Check out the ACLs on both ends; they MUST be ACL mirrors.
Please do a debug crypto ipsec and a debug crypto isakmp -- SAs
Generate some traffic and send us the debugs outputs.
Thanks.
05-13-2010 01:15 PM
Diego
Applied the debug commands on the 5510, sent some traffic, and immediately got this:
7|May 13 2010|13:48:01|725012|172.18.0.10|1559|||Device chooses cipher : RC4-SHA for the SSL session with client inside:172.18.0.10/1559
7|May 13 2010|13:48:01|725011|||||Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[13] : EXP-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[12] : EXP-RC4-MD5
7|May 13 2010|13:48:01|725011|||||Cipher[11] : EDH-DSS-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[10] : EDH-RSA-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[9] : DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[8] : EDH-DSS-DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[7] : EDH-RSA-DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[6] : DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[5] : DHE-DSS-AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[4] : DHE-RSA-AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[3] : AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[2] : RC4-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[1] : RC4-MD5
7|May 13 2010|13:48:01|725008|172.18.0.10|1559|||SSL client inside:172.18.0.10/1559 proposes the following 15 cipher(s).
7|May 13 2010|13:48:01|725011|||||Cipher[4] : DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[3] : AES256-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[2] : AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[1] : RC4-SHA
7|May 13 2010|13:48:01|725010|||||Device supports the following 4 cipher(s).
Did the same thing on the 5505 and all I got was this:
6|May 13 2010|13:56:33|725007|10.1.1.3|1344|||SSL session with client inside:10.1.1.3/1344 terminated.
7|May 13 2010|13:56:33|609002|165.127.126.132||||Teardown local-host Outside:165.127.126.132 duration 0:00:00
7|May 13 2010|13:56:33|609002|165.127.235.132||||Teardown local-host identity:165.127.235.132 duration 0:00:00
6|May 13 2010|13:56:33|302021|165.127.126.132|0|165.127.235.132|4388|Teardown ICMP connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr 165.127.235.132/4388
7|May 13 2010|13:56:33|710005|10.1.1.3|1344|10.1.1.1|443|TCP request discarded from 10.1.1.3/1344 to inside:10.1.1.1/443
6|May 13 2010|13:56:33|106015|10.1.1.3|1344|10.1.1.1|443|Deny TCP (no connection) from 10.1.1.3/1344 to 10.1.1.1/443 flags FIN ACK on interface inside
6|May 13 2010|13:56:33|302014|10.1.1.3|1344|10.1.1.1|443|Teardown TCP connection 3171 for inside:10.1.1.3/1344 to identity:10.1.1.1/443 duration 0:00:00 bytes 481 TCP Reset-O
5|May 13 2010|13:56:33|111008|||||User 'enable_15' executed the 'ping Outside 165.127.126.132' command.
6|May 13 2010|13:56:33|302020|165.127.235.132|4388|165.127.126.132|0|Built outbound ICMP connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr 165.127.235.132/4388
7|May 13 2010|13:56:33|609001|165.127.126.132||||Built local-host Outside:165.127.126.132
7|May 13 2010|13:56:33|609001|165.127.235.132||||Built local-host identity:165.127.235.132
6|May 13 2010|13:56:33|605005|10.1.1.3|1344|10.1.1.1|https|Login permitted from 10.1.1.3/1344 to inside:10.1.1.1/https for user "enable_15"
6|May 13 2010|13:56:33|725002|10.1.1.3|1344|||Device completed SSL handshake with client inside:10.1.1.3/1344
6|May 13 2010|13:56:33|725003|10.1.1.3|1344|||SSL client inside:10.1.1.3/1344 request to resume previous session.
6|May 13 2010|13:56:33|725001|10.1.1.3|1344|||Starting SSL handshake with client inside:10.1.1.3/1344 for TLSv1 session.
6|May 13 2010|13:56:33|302013|10.1.1.3|1344|10.1.1.1|443|Built inbound TCP connection 3171 for inside:10.1.1.3/1344 (10.1.1.3/1344) to identity:10.1.1.1/443 (10.1.1.1/443)
My small brain is telling me the problem is with the 5505. The 5510 is trying to establish the VPN but for some reason the 5505 won't do it.
05-13-2010 01:22 PM
Can you send us the debug crypto ipsec and debug crypto isakmp. Try to generate some traffic to check output.
I don't know if you are doing the right debugs.
Check this out
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#dbg_ci
Send us the current config as well.
05-14-2010 09:02 AM
Diego
Thanks for the article. When I try to run the debug commands I don't get any output. It seems like debug just gets enabled and I can see some output in the log but not much. Definitely not the output you are looking for. I also double checked the ACLs on both firewalls to make sure they were as close as possible. A lot of cleanup and tweaks have been done to make the setup better (thanks to everyone who has responded) but the VPN just won't establish. When I run the show crypto isakmp sa and show crypto ipsec sa I still get "There is no isakmp sas" and "There is no isakmp sas" response.
I have attached the two running configs. Thank you for your help.
Jason
05-14-2010 09:19 AM
Hi Jason,
I think I see your problem, because everything else looks fine to me, but answer me this: are you able to browse? How are you trying to establish the tunnel?
On the 5510 you are NOT natting to the address that the 5505 is expecting as the peer address, so I would suggest you remove the nat pool and nat to the interface, so try the following:
no global (Outside) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0
global (Outside) 101 interface
Let me know if that works.
05-14-2010 11:31 AM
Kwillacey
I applied the commands you suggested but there is no change.
I can't really test browsing because this is in a lab environment. I have set up this lab to test before our deployment to a production environment. I have a host at either end of the connection behind the firewalls so I can do things like ping, traceroute, and connect to the drives of the PC hosts. I appreciate your help very much.
Jason