Hi Kimberly

Thank you for responding.

I ran the show crypto ipsec sa command and the show crypto isa sa command on both firewalls and got the same output on both:

"There is no ipsec sas"

"There is no isakmp sas"

I also verified the crypto maps on both firewalls were mapped to the outside interface.

Just so you know, I setup the connection profiles using the IP sec wizard we used in training.

Jason

Jason you are welcome for the response. 

In oder to get a site to site VPN working you will need to have an SA for both IPSEC and ISAKMP (SA = Security Association).  I am not a huge fan of the ASDM gui and do most of my work on the command line.  What it honestly sounds like is you are missing something in your configuration and need to get the security assocation setup.  I will pour over your configurations and see if I can find the missing component, but when it is working and you run those two commands your out put should look very simular to the following:

This is from my ASA, this is not quite a S2S VPN but you get the point:

PDC-5540# sh crypto isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 71.194.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 99.147.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

PDC-5540# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 65.116.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.41.x.x/255.255.255.255/0/0)
      current_peer: 71.194.x.x, username: murrayc
      dynamic allocated peer ip: 10.41.x.x

      #pkts encaps: 3260, #pkts encrypt: 3260, #pkts digest: 3260
      #pkts decaps: 3580, #pkts decrypt: 3580, #pkts verify: 3580
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3260, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 65.116.x.x/11000, remote crypto endpt.: 71.194.x.x/1082
      path mtu 1500, ipsec overhead 94, media mtu 1500
      current outbound spi: 166E1E5E

    inbound esp sas:
      spi: 0x13AE577C (330192764)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 2109440, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26114
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x166E1E5E (376315486)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 2109440, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26112
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

I will double check your configs and see if I can find something to assist you further.

Kimberly

Hi Jason,

I am seeing possibly a few problems with your setup.

1. Are your clients able to browse the Internet? because I see the nat global but I don't see a coressponding nat inside. For example you have the following:

global (Outside-Untrust) 101 but I don't see a

nat (inside) 101 0.0.0.0 0.0.0.0

Can you explain how they are able to browse?

2. Your cryptomap acl and nat 0 acls are incorrect on the 5505, you have a network going to a host on one side and a network going to a network on the other. Remeber these acls have to mirror each other so do the following:

5505

no access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0

no access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0

5510

(for neatness sake)

no access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0
no access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0

3. You seem to have two crypto maps with the same parameters on the 5505, however the one you have applied is on the inside interface but it should be applied to the Outside interface on both firewalls. You also have isakmp enabled on the inside interface. The crypto map must always be applied the Internet facing interface and isakmp should only be enabled on this interface as well (unless you have a different setup and are doing it over a WAN link), so you need to do the following on both firewalls:

5505

no crypto map inside_map interface inside

no crypto isakmp enable inside

crypto map Outside-Untrusted_map interface Outside

5510

no crypto map inside_map interface inside

no crypto isakmp enable inside

crypto map inside_map interface Outside-Untrust

4. You also have an acl applied to the inside interface that will cause the tunnel to never be established you need to permit the traffic that will traverse the tunnel. Do the following:

5505

access-list inside_access_in extended permit  ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0

5510

access-list inside_access_in extended permit  ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

Your other parameters seem to be OK. Give these changes a try and let me know if it works.

Thank you Kimberly and KWillacey

Kwillacey-I made all the changes you recommended, but I ran into a few problems. I get a warning on both firewalls that said the Crypto map needed entries. And the connection profiles were now gone. I rebuilt the crypto map entries without using the wizard so I am not sure I did those right. I rebuilt the connection profiles using the wizard. Hopefully I did not duplicate anything. I also added a NAT rule for inside traffic ( good catch, thanks ).

Kimberly-thank you for your help, I changed the ACL from host to network.

It is alot cleaner now but still not working so I obviously missed something. I made alot of changes to clean up the mistakes kwillacey pointed out so I will repost the configs. Thanks again for your time guys you have been a great help!

Jason

ASA5510

ASA Version 8.2(2)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside-Untrust

security-level 0

ip address 165.127.126.132 255.255.255.192

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.18.0.1 255.255.248.0

!

interface Ethernet0/2

nameif DMZ2

security-level 50

ip address 172.17.0.1 255.255.255.224

!

interface Ethernet0/3

nameif DMZ1

security-level 50

ip address 172.16.0.1 255.255.255.224

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone GMT 0

access-list Inside-Trust_access_in extended permit icmp any any inactive

access-list Outside-Untrust_access_in extended permit icmp any any unreachable

access-list Outside-Untrust_access_in extended permit icmp any any traceroute

access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request

access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply

access-list Outside-Untrust_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1

access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10

access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog

access-list inside_access_in extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list Outside-Untrust_cryptomap_1 extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging asdm informational

logging host inside 172.18.0.10

logging permit-hostdown

mtu Outside-Untrust 1500

mtu inside 1500

mtu DMZ2 1500

mtu DMZ1 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255

static (inside,inside) 165.127.126.133 0.0.0.0 netmask 255.255.255.255

access-group Outside-Untrust_access_in in interface Outside-Untrust

access-group inside_access_in in interface inside

route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1

route management 172.18.0.3 255.255.255.255 172.18.0.2 1

route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http server idle-timeout 30

http 192.168.1.0 255.255.255.0 management

http 192.168.1.9 255.255.255.255 management

http 172.18.0.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside-Untrust_map 1 match address Outside-Untrust_1_cryptomap

crypto map Outside-Untrust_map 1 set pfs group1

crypto map Outside-Untrust_map 1 set peer 165.127.235.132

crypto map Outside-Untrust_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map 1 match address Outside-Untrust_cryptomap_1

crypto map inside_map 1 set peer 165.127.235.132

crypto map inside_map 1 set transform-set ESP-AES-128-SHA

crypto map inside_map interface Outside-Untrust

crypto isakmp enable Outside-Untrust

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 30

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

tftp-server management 192.168.1.9 c:\AS5510_Updates

webvpn

username jgiambro nopassword privilege 15

tunnel-group 165.127.235.132 type ipsec-l2l

tunnel-group 165.127.235.132 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

mount ASA5510_backup_configs type cifs

server 192.168.1.2

share \\ASA5510-backup_configs

domain ITS18600

username jgiambro

password *****

status enable

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c9dd99906ac8345298b9e8914dd52d7b

: end

Hi Jason,

You don't need to worry about that error you got it happens whenever you remove an entry from the crypto map it's just a warning, as long as you put it back you should be fine.

You still have not indicated if your clients are able to browse the Internet if not you may want to remove the following static nat entries and add the following

5510

no static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255

no static (inside,inside) 165.127.126.133 0.0.0.0 netmask 255.255.255.255

nat (inside) 101 0.0.0.0 0.0.0.0

5505

no static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255

nat (inside) 101 0.0.0.0 0.0.0.0

global (Outside) 101 interface

Your routing also looks a bit off so try the following:

5510

no route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1

no route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled

route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129

5505

Everything else seems fine to me, ensure when you are testing you ping from one network to the other and do a "show crypto isakmp sa" to see if the tunnel is trying to be established.

Also check out this example it may help

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml

Let me know how it goes

Jason,

In your access-lists on your remote 5505 config, you are specifying the host subnet as a single host:

access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

This shouldn't be a single host but a subnet that matches your host side configuration:  172.18.0.0 255.255.248.0

When looking at this configurations with the command line, make sure your access lists match.  Except for the placement of the IP Addresses should be flipped.

access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

The configuration on the 5505 doesn't really match the configuration of the 5510 and this is why I think for starters why you are not getting a security assocation.

Thanks and please let me know how this goes or if you need more assistance.

Kimberly

Hi Jason,

I just saw this post I had no idea it existed follow the link

https://supportforums.cisco.com/message/3071600#3071600

Diego

Applied the debug commands on the 5510, sent some traffic, and immediately got this:

7|May 13   2010|13:48:01|725012|172.18.0.10|1559|||Device chooses cipher : RC4-SHA for   the SSL session with client inside:172.18.0.10/15597|May 13   2010|13:48:01|725011|||||Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA7|May 13   2010|13:48:01|725011|||||Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA7|May 13   2010|13:48:01|725011|||||Cipher[13] : EXP-DES-CBC-SHA7|May 13   2010|13:48:01|725011|||||Cipher[12] : EXP-RC4-MD57|May 13   2010|13:48:01|725011|||||Cipher[11] : EDH-DSS-DES-CBC-SHA7|May 13   2010|13:48:01|725011|||||Cipher[10] : EDH-RSA-DES-CBC-SHA7|May 13   2010|13:48:01|725011|||||Cipher[9] : DES-CBC-SHA7|May 13   2010|13:48:01|725011|||||Cipher[8] : EDH-DSS-DES-CBC3-SHA7|May 13   2010|13:48:01|725011|||||Cipher[7] : EDH-RSA-DES-CBC3-SHA7|May 13   2010|13:48:01|725011|||||Cipher[6] : DES-CBC3-SHA7|May 13   2010|13:48:01|725011|||||Cipher[5] : DHE-DSS-AES128-SHA7|May 13   2010|13:48:01|725011|||||Cipher[4] : DHE-RSA-AES128-SHA7|May 13   2010|13:48:01|725011|||||Cipher[3] : AES128-SHA7|May 13   2010|13:48:01|725011|||||Cipher[2] : RC4-SHA7|May 13   2010|13:48:01|725011|||||Cipher[1] : RC4-MD57|May 13   2010|13:48:01|725008|172.18.0.10|1559|||SSL client inside:172.18.0.10/1559   proposes the following 15 cipher(s).7|May 13   2010|13:48:01|725011|||||Cipher[4] : DES-CBC3-SHA7|May 13   2010|13:48:01|725011|||||Cipher[3] : AES256-SHA7|May 13   2010|13:48:01|725011|||||Cipher[2] : AES128-SHA7|May 13   2010|13:48:01|725011|||||Cipher[1] : RC4-SHA

7|May 13 2010|13:48:01|725010|||||Device   supports the following 4 cipher(s).

Did the same thing on the 5505 and all I got was this:

6|May 13   2010|13:56:33|725007|10.1.1.3|1344|||SSL session with client   inside:10.1.1.3/1344 terminated.7|May 13   2010|13:56:33|609002|165.127.126.132||||Teardown local-host   Outside:165.127.126.132 duration 0:00:007|May 13   2010|13:56:33|609002|165.127.235.132||||Teardown local-host   identity:165.127.235.132 duration 0:00:006|May 13   2010|13:56:33|302021|165.127.126.132|0|165.127.235.132|4388|Teardown ICMP   connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr   165.127.235.132/43887|May 13   2010|13:56:33|710005|10.1.1.3|1344|10.1.1.1|443|TCP request discarded from   10.1.1.3/1344 to inside:10.1.1.1/4436|May 13   2010|13:56:33|106015|10.1.1.3|1344|10.1.1.1|443|Deny TCP (no connection) from   10.1.1.3/1344 to 10.1.1.1/443 flags FIN ACK  on interface inside6|May 13   2010|13:56:33|302014|10.1.1.3|1344|10.1.1.1|443|Teardown TCP connection 3171   for inside:10.1.1.3/1344 to identity:10.1.1.1/443 duration 0:00:00 bytes 481   TCP Reset-O5|May 13 2010|13:56:33|111008|||||User   'enable_15' executed the 'ping Outside 165.127.126.132' command.6|May 13   2010|13:56:33|302020|165.127.235.132|4388|165.127.126.132|0|Built outbound   ICMP connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr   165.127.235.132/43887|May 13   2010|13:56:33|609001|165.127.126.132||||Built local-host   Outside:165.127.126.1327|May 13   2010|13:56:33|609001|165.127.235.132||||Built local-host   identity:165.127.235.1326|May 13   2010|13:56:33|605005|10.1.1.3|1344|10.1.1.1|https|Login permitted from   10.1.1.3/1344 to inside:10.1.1.1/https for user "enable_15"6|May 13   2010|13:56:33|725002|10.1.1.3|1344|||Device completed SSL handshake with   client inside:10.1.1.3/13446|May 13   2010|13:56:33|725003|10.1.1.3|1344|||SSL client inside:10.1.1.3/1344 request   to resume previous session.6|May 13   2010|13:56:33|725001|10.1.1.3|1344|||Starting SSL handshake with client   inside:10.1.1.3/1344 for TLSv1 session.

6|May 13   2010|13:56:33|302013|10.1.1.3|1344|10.1.1.1|443|Built inbound TCP connection   3171 for inside:10.1.1.3/1344 (10.1.1.3/1344) to identity:10.1.1.1/443   (10.1.1.1/443)

May small brain is telling me the problem is with the 5505. The 5510 is trying to establish the VPN but for some reason the 5505 won't do it.

Can you send us the debug crypto ipsec and debug crypto isakmp. Try to generate some traffic to check output.

I don't know if you are doing the right debugs.

Check this out

IPsec Troubleshooting: Understanding and Using debug Commands

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#dbg_ci

Send us the current config as well.

Diego

Thanks for the article. When I try to run the debug commands I don't get any output.It seems like debug just gets enabled and I can see some output in the log but not much. Definitely not the output you are looking for. I also double checked the ACLs on both firewalls to make sure they were as close as possible. Alot of cleanup and tweaks have been done to make the setup better (thanks to everyone who has responded) but the VPN just won't establish. When I run the the show crypto isakmp sa and show crypto ip sec sa I still get "There is no isakmp sas" and "There is noisakmp sas" response.

I have attached the two running configs. Thank you for your help.

Jason

Hi Jason,

I think I see your problem, because everything else looks fine to me, but answer me this are you able to browse? how are you trying to establish the tunnel?

On the 5510 you are NOT natting to the address that the 5505 is expecting as the peer address, so I would suggest you remove the nat pool and nat to the interface, so try the following:

no global (Outside) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0

global (Outside) 101 interface

Let me know if that works.

Kwillacey

I applied the commands you suggested but there is no change.

I can't really test browsing because this is in a lab environment. I have setup this lab to test before our deployment to a production environment. I have a host at either end of the connection behind the firewalls so I can do things like ping, traceroute, and connect to the drives of the pc hosts. I apprciate your help very much.

Jason