Site to Site VPN connection

Aug 3rd, 2010

Hi All,

I have a VPN to a partner, but I have a carrier which is linking us together. It's supposed to be private and not passing through the internet.

The partner provided me the underlisted.

Remote/Peer ID - 172.16.25.1

Remote Hosts Subnet -172.16.25.0/24


My own ID is 192.168.50.1

Local Host subnet - 10.22.0.0


I need to know what is wrong in my configs

And I have the configs on my device pasted below.

I am presently using the host 10.22.32.20 as a test.



ASA Version 7.0(8)
!
hostname asa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RuyrRXU24 encrypted
passwd 2KFQnbNstyuIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif trust
security-level 10
ip address 10.22.0.10 255.255.0.0
!
interface Ethernet0/1
nameif vpnout
security-level 0
ip address 192.168.22.1 255.255.255.0
!
interface Ethernet0/2
nameif untrust
security-level 0
ip address 60.50.x.x 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup untrust
dns name-server 60.50.x.1
dns name-server 60.50.x.2
access-list trust_pnat_inbound extended permit ip host 10.22.32.20 172.16.16.0 255.255.255.0
access-list trust_pnat_inbound_V1 extended permit ip host 10.22.16.51 172.16.25.0 255.255.255.0
access-list trust_pnat_inbound_V2 extended permit ip host 10.22.16.52 172.16.25.0 255.255.255.0
access-list trust_pnat_inbound_V3 extended permit ip host 10.22.16.53 172.16.25.0 255.255.255.0
access-list trust_pnat_inbound_V4 extended permit ip host 10.22.16.54 172.16.25.0 255.255.255.0
access-list trust_nat0_outbound extended permit ip host 10.22.32.20 172.16.25.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu trust 1500
mtu vpnout 1500
mtu untrust 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (vpnout) 1 interface
nat (trust) 0 access-list trust_nat0_outbound
static (trust,vpnout) 192.168.22.55  access-list trust_pnat_inbound
static (trust,vpnout) 192.168.22.51  access-list trust_pnat_inbound_V1
static (trust,vpnout) 192.168.22.52  access-list trust_pnat_inbound_V2
static (trust,vpnout) 192.168.22.53  access-list trust_pnat_inbound_V3
static (trust,vpnout) 192.168.22.54  access-list trust_pnat_inbound_V4
route vpnout 172.16.25.0 255.255.255.0 192.168.22.2 1
route untrust 0.0.0.0 0.0.0.0 60.50.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username ciscoretw password ZBZ8GNEdruirJsjFvsR encrypted
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.22.0.0 255.255.0.0 trust
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MyMap 5 match address trust_pnat_inbound
crypto map MyMap 5 set peer 172.16.25.1
crypto map MyMap 5 set transform-set MySet
crypto map MyMap 5 set security-association lifetime seconds 84600
crypto map MyMap 5 set security-association lifetime kilobytes 4608000
crypto map MyMap interface vpnout
isakmp identity auto
isakmp enable vpnout
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp nat-traversal  3600
isakmp disconnect-notify
tunnel-group 172.16.25.1 type ipsec-l2l
tunnel-group 172.16.25.1 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 10
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:20b93ce676451dd2395f76dd4b6a2719
: end




Jitendriya Athavale Tue, 08/03/2010 - 05:46

I do not see any access-list entry permitting traffic, since you are trying to establish this VPN on the least secure zone, that is security level 0.

Try adding the following command:

sysopt connection permit-vpn

Also, please verify whether you need this internal network to be marked as unsecure with security level 0, as for an interface with security level 0 all traffic is denied by default.

adewale.ojo Wed, 08/04/2010 - 00:34

Hi. Thanks for the reply.

I had to reconfigure the device, but still no headway.

Maybe we can work with this new config.

The config is pasted below.

I intend to NAT my internal (trust) addresses, which are on the 10.22.x.x network, to the 192.168.22.x (vpnout) network.

So the remote end should be talking to the 192.168.22.x addresses.

Checking my config, can you help me see if I am fine with this?

Also, do I need another access list besides the one I have created?

Do a check through.



ASA Version 7.0(8)
!
hostname asa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RuyrRXU24 encrypted
passwd 2KFQnbNstyuIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif trust
security-level 40
ip address 10.22.0.10 255.255.0.0
!
interface Ethernet0/1
nameif vpnout
security-level 50
ip address 192.168.22.1 255.255.255.0
!
interface Ethernet0/2
nameif untrust
security-level 0
ip address 60.50.x.x 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup untrust
dns name-server 60.50.x.1
dns name-server 60.50.x.2
access-list TRUST_VPNOUT extended permit ip host 10.22.32.20 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.51 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.52 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.53 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.54 172.16.25.0 255.255.255.0


pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu trust 1500
mtu vpnout 1500
mtu untrust 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (vpnout) 1 192.168.22.51-192.168.22.55 netmask 255.255.255.0
nat (trust) 1 access-list TRUST_VPNOUT
static (trust,vpnout) 192.168.22.55 10.22.32.20 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.51 10.22.16.51 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.52 10.22.16.52 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.53 10.22.16.53 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.54 10.22.16.54 netmask 255.255.255.255
access-group trust_access_in in interface trust
route vpnout 172.16.25.0 255.255.255.0 192.168.22.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ZBZ8GNEdrJsjFvsR encrypted
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.22.0 255.255.255.0 management
http 10.22.0.0 255.255.0.0 trust
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MyMap 5 match address TRUST_VPNOUT
crypto map MyMap 5 set peer 172.16.25.1
crypto map MyMap 5 set transform-set MySet
crypto map MyMap 5 set security-association lifetime seconds 84600
crypto map MyMap 5 set security-association lifetime kilobytes 4608000
crypto map MyMap interface vpnout
isakmp identity auto
isakmp enable vpnout
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal  3600
isakmp disconnect-notify
tunnel-group 172.16.25.1 type ipsec-l2l
tunnel-group 172.16.25.1 ipsec-attributes
pre-shared-key *
telnet 10.22.0.0 255.255.0.0 trust
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:8d407308e1edf944032i447d6a84091902
: end


Thanks in advance

Jitendriya Athavale Wed, 08/04/2010 - 03:48

Here's the thing.

The traffic that you need to encrypt needs to be specified in the ACL under the crypto map, which you have done perfectly.

Now, where this thing fails is right in the NAT rules.

If you want the traffic to match the ACL in the crypto map, then you will need to do NAT exemption for this traffic.


try this


nat (trust) 0 access-list TRUST_VPNOUT
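The point of the answer above is that on an ASA 7.x the translation is applied before the crypto map is consulted, so a crypto ACL written against the real 10.22.x.x hosts never matches once those hosts are statically or dynamically NATed to 192.168.22.x. The following added check (not part of this thread or of Cisco's tooling) scans an ASA 7.x/8.2-style config for a crypto-map ACL whose sources are translated without a matching nat 0 exemption and prints the exemption line to add; the sample config is constructed from the relevant lines of the second config in this thread.

```python
import re

# Constructed sample: the lines of the second config in this thread that
# matter for the NAT-versus-crypto-map check.
SAMPLE_CONFIG = """\
access-list TRUST_VPNOUT extended permit ip host 10.22.32.20 172.16.25.0 255.255.255.0
access-list TRUST_VPNOUT extended permit ip host 10.22.16.51 172.16.25.0 255.255.255.0
nat (trust) 1 access-list TRUST_VPNOUT
static (trust,vpnout) 192.168.22.55 10.22.32.20 netmask 255.255.255.255
static (trust,vpnout) 192.168.22.51 10.22.16.51 netmask 255.255.255.255
crypto map MyMap 5 match address TRUST_VPNOUT
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),\S+\) (\S+) (\S+) netmask")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")

def check_nat_exemption(config):
    """Return findings for crypto-map ACLs whose source hosts are translated
    (static or dynamic NAT) with no 'nat (iface) 0 access-list <acl>' exemption."""
    acl_hosts, nat_rules, static_src, crypto_acls = {}, [], {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            acl_hosts.setdefault(m.group(1), []).append(m.group(2))
        elif m := NAT_RE.match(line):
            nat_rules.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := STATIC_RE.match(line):
            static_src[m.group(3)] = (m.group(1), m.group(2))  # real -> (iface, mapped)
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
    findings = []
    for acl in crypto_acls:
        if any(n[1] == 0 and n[2] == acl for n in nat_rules):
            continue  # exemption present: real addresses reach the crypto map
        # Hosts the crypto ACL names that a static or dynamic rule would translate
        # before the crypto map is consulted, so the ACL never matches them.
        translated = sorted(h for h in acl_hosts.get(acl, []) if h in static_src)
        dyn_ifaces = sorted({n[0] for n in nat_rules if n[2] == acl and n[1] != 0})
        if translated or dyn_ifaces:
            iface = dyn_ifaces[0] if dyn_ifaces else static_src[translated[0]][0]
            findings.append({"acl": acl, "translated_hosts": translated,
                             "fix": f"nat ({iface}) 0 access-list {acl}"})
    return findings

if __name__ == "__main__":
    for finding in check_nat_exemption(SAMPLE_CONFIG):
        print(finding)
```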
