Help! Site-to-site VPN ASA5505 config not working.


Hello everyone!


I just bought three ASA5505s for a friend who wants point-to-point VPN tunnels over the internet between the various locations of his small business. But I can't get those darn VPN connections to work. I have tried to configure them both with the ASDM guides and the CLI (I prefer the CLI since ASDM seems to be very buggy), but I must have overlooked something. Maybe it's just a typo in the config, or something more serious like a faulty cable. Is it right to use a crossover cable between the two outside interfaces when testing, or should I use a straight-through? Does the ASA auto-negotiate on cables? So if anyone would care to look through my configs below with a fresh pair of eyes and point out my faults, that would be super.


And try to be "explanatory" in your answers, since I'm not that advanced in ACLs, class maps, policies, etc.


Let's start with the main idea and work our way through:


--------------------------------------------------------------------


Site 1 \
Internet -> HQ
Site 2 /



Site 1
Inside = static 192.168.5.1/24
Outside = PPPOE dynamic ip from ISP.


Site 2
Inside = static 192.168.10.1/24
Outside = PPPOE dynamic ip from ISP.


HQ
Inside = static 192.168.15.1/24
Outside = static ip.


--------------------------------------------------------------------


Anyway, here are the configurations for Site 1 and Site 2:


--------------------------------------------------------------------


Site 1:
ASA Version 8.2(1)
!
hostname Site1
names
name 192.168.5.0 Site1
name 192.168.10.0 Site2
name 192.168.15.0 HQ
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
! pppoe client vpdn group site1
! ip address pppoe setroute
ip address 172.16.5.1 255.255.255.0
!
! ---- This IP is just for testing locally -----
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip site1 255.255.255.0 Site2 255.255.255.0
access-list inside_nat0_outbound extended permit ip site1 255.255.255.0 Site2 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 172.16.10.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group site1 request dialout pppoe
vpdn group site1 localname "username"
vpdn group site1 ppp authentication pap
vpdn username "username" password "password" store-local
dhcpd auto_config outside
!
dhcpd address 192.168.5.5-192.168.5.36 inside
dhcpd enable inside
!


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.10.1 type ipsec-l2l
tunnel-group 172.16.10.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context


--------------------------------------------------------------------


Site 2:
ASA Version 8.2(1)
!
hostname Site 2
names
name 192.168.5.0 Site1
name 192.168.10.0 Site2
name 192.168.15.0 HQ
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
!pppoe client vpdn group site1
!ip address pppoe setroute
ip address 172.16.10.1 255.255.255.0
!
! ---- This IP is just for testing locally -----
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip site2 255.255.255.0 site1 255.255.255.0
access-list inside_nat0_outbound extended permit ip site2 255.255.255.0 site1 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 172.16.5.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group site2 request dialout pppoe
vpdn group site2 localname "username"
vpdn group site2 ppp authentication pap
vpdn username "username" password "password"
dhcpd auto_config outside
!
dhcpd address 192.168.10.5-192.168.10.36 inside
dhcpd enable inside
!


threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 172.16.5.1 type ipsec-l2l
tunnel-group 172.16.5.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context


--------------------------------------------------------------------



Best regards!
Ola

Nagaraja Thanthry Wed, 08/11/2010 - 09:53

Hello,


If you are using test IPs, you are missing default routes.


Regards,


NT
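As an added example (not part of this thread, and not a Cisco tool), a small Python checker that applies the consistency checks a reviewer would run over the configs above: every name referenced in an ACL exists exactly as defined (ASA identifiers are case-sensitive), the crypto ACL and the NAT-exempt ACL describe the same traffic, each crypto-map peer has an ipsec-l2l tunnel-group and a defined transform-set, and a route toward the peer exists, which is the point NT raises. The config excerpts and the 172.16.5.254 next hop are constructed.

```python
import re

# Constructed excerpt of the Site 1 config from the thread, plus a hypothetical
# fixed copy that corrects the name case and adds the missing default route.
SITE1 = """
name 192.168.5.0 Site1
name 192.168.10.0 Site2
access-list outside_1_cryptomap extended permit ip site1 255.255.255.0 Site2 255.255.255.0
access-list inside_nat0_outbound extended permit ip site1 255.255.255.0 Site2 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.10.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group 172.16.10.1 type ipsec-l2l
"""
SITE1_FIXED = SITE1.replace(" site1 ", " Site1 ") + "route outside 0.0.0.0 0.0.0.0 172.16.5.254\n"

def lint_l2l(cfg):
    """Return human-readable findings for one ASA 8.2-style L2L VPN config."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    acls, names, findings = {}, set(), []
    for l in lines:
        if m := re.match(r"name \S+ (\S+)$", l):
            names.add(m.group(1))
        if m := re.match(r"access-list (\S+) extended permit ip (.*)", l):
            acls.setdefault(m.group(1), []).append(m.group(2))
    # 1. Names used in ACLs must exist exactly as defined (case matters on the ASA).
    for acl, entries in acls.items():
        for tok in (t for e in entries for t in e.split()):
            if tok[0].isalpha() and tok not in ("any", "host") and tok not in names:
                findings.append(f"ACL {acl}: name '{tok}' is not defined (case matters)")
    # 2. The crypto ACL and the nat 0 (exempt) ACL must cover the same traffic,
    #    otherwise interesting traffic is PATed to the outside address and never matches.
    crypto = dict(re.findall(r"crypto map (\S+) \d+ match address (\S+)", cfg))
    nat0 = re.findall(r"nat \(inside\) 0 access-list (\S+)", cfg)
    for _, acl in crypto.items():
        for n in nat0:
            if acls.get(acl) != acls.get(n):
                findings.append(f"{acl} and {n} differ: traffic will be NATed, not tunnelled")
    # 3. Each peer needs an ipsec-l2l tunnel-group (holds the pre-shared key) and
    #    the transform-set named in the crypto map must be defined.
    tgs = set(re.findall(r"tunnel-group (\S+) type ipsec-l2l", cfg))
    for peer in re.findall(r"crypto map \S+ \d+ set peer (\S+)", cfg):
        if peer not in tgs:
            findings.append(f"peer {peer} has no ipsec-l2l tunnel-group")
    tsets = set(re.findall(r"crypto ipsec transform-set (\S+) ", cfg))
    for ts in re.findall(r"set transform-set (\S+)", cfg):
        if ts not in tsets:
            findings.append(f"transform-set {ts} referenced but not defined")
    # 4. With a static test address and no route, ISAKMP packets never leave the box.
    if not re.search(r"^route outside ", cfg, re.M):
        findings.append("no 'route outside' entry: peer is unreachable")
    return findings
```

Run `lint_l2l` over each site's running-config; the two configs in the thread both produce the "no 'route outside'" finding and the lowercase `site1` finding.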

Nagaraja Thanthry Wed, 08/11/2010 - 09:57

Hello,


Also, you cannot establish a seamless VPN between two devices which are getting DHCP addresses. Every time the address changes, the VPN tunnel will go down and you have to manually reconfigure the peer address.


Regards,


NT

Hello.


Thanks for your fast reply.


I have tried to get two of the ASA 5505s to talk to each other with both static routes like:

#route outside 0.0.0.0 0.0.0.0 "ip address of the opposite router's outside interface"


and I even tried implementing RIP v2 into the network, but I can't get the smallest ping to get through.


(config)#router rip

(config-router)#net "internal network"

(config-router)#net "external network"


setup:

ASA1 > straight through cable > switch < straight through cable < ASA2


I know that we will lose the VPN connection when the IP address changes, but we are looking into getting static IP addresses at those locations. I just need to get these things to work now; that's priority one.


Best regards

Ola

Nagaraja Thanthry Wed, 08/11/2010 - 12:43

Hello,


Is the switch L3? If not, the two outside interfaces are on different subnets. If the switch is L3, have you configured the two ASAs on different VLANs? If they are on the same VLAN, can you configure the devices in the same subnet, i.e. 172.16.5.1/16 and 172.16.10.1/16?


Regards,


NT

Hello.


The switch is a normal L2.

I know that they are on different subnets. That's why I'm trying to get routing working so they can find each other like they do when they use the internet for the connection.


I can't figure out why I can't get any routes using RIP v2. It should be enough just to turn it on like I typed in my previous post.


This is all for testing and setting up the site-to-site VPN tunnel to HQ, in order to get a working config to "copy" to the other devices. Since I can't be in two places far apart from each other at once, I'm testing it here at my desk with very little progress.


Regards

Ola

Nagaraja Thanthry Wed, 08/11/2010 - 13:40

Hello,


For the routing to work, you need to specify the next hop. But if the next hop is on a different subnet, you will not be able to talk to it. Putting them on the same subnet will still work out for you, as the communication will still take place through the VPN. Since all you are trying to see is whether the tunnel is established or not, those two devices being on the same subnet or on different subnets would not make any difference.


Regards,


NT

Hello again.


I tested today putting them on the same subnet, 172.16.0.0/16, and then I can ping the other outside interface, but I still can't reach the internal interface at 192.168.15.1/24.


When I have configured the tunnel, it doesn't show up in "sh isakmp sa".


I tried to implement RIP v2 as well to try to get the ping across, but that didn't help. Now I'm all out of ideas.


Anyone who has a working "base" config that I can take a look at? It would really help a lot.


Regards


Ola
