Solved: Remote Access ASA to ASA VPN

riddle721 · ‎03-02-2012

This is my first post on this site. Hello to everyone!

I have not really set up ASAs nor VPNs on Cisco devices before. I'm currently attempting to configure a remote access VPN between ASA devices, a 5505 and a 5510. The 5510 is meant to be the server and the 5505 is meant to be the easyvpn client. The reason I am opting for remote access as opposed to site to site is that I have many 5505s at remote sites that I will need to configure in the future, and they will be moving around a bit (I would prefer not to have to keep up with the site-to-site configs). The 5510 will not be moving. Both ASA devices are able to ping out to 8.8.8.8 as well as ping each other's public facing IP.

Neither ASA can ping the other ASA's private IP (this part makes sense), and I am unable to SSH from a client on the 5510 side to the 5505's internal (192) interface. I am wondering if anyone more experienced in ASA remote VPNs than myself is able to see anything wrong with my configuration? I have pasted sterilized configs from both ASAs below.

Thanks very much for any assistance!

ASA 5510 (Server)

ASA Version 8.0(4)

!

hostname ASA5510

domain-name <domain>

enable password <password> encrypted

passwd <password> encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 48.110.3.220 255.255.255.192

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.191.252 255.255.252.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name <domain>

same-security-traffic permit intra-interface

access-list NONAT_VPN extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list VPN_REMOTE_IPS remark EZ VPN REMOTE IP RANGES

access-list VPN_REMOTE_IPS extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

pager lines 24

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list NONAT_VPN

route outside 0.0.0.0 0.0.0.0 48.110.3.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TestVPN esp-aes-192 esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYNAMIC-MAP 5 set transform-set TestVPN

crypto dynamic-map DYNAMIC-MAP 5 set security-association lifetime seconds 86400

crypto dynamic-map DYNAMIC-MAP 5 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 set security-association lifetime seconds 86400

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map S2S-VPN 100 set security-association lifetime seconds 86400

crypto map S2S-VPN 100 set security-association lifetime kilobytes 4608000

crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP

crypto map OUTSIDE_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 1

ssh 192.168.0.0 255.255.0.0 inside

ssh timeout 15

console timeout 30

management-access inside

priority-queue outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy EZVPN_GP internal

group-policy EZVPN_GP attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_REMOTE_IPS

nem enable

username <sticks> password <SamplePassword> encrypted privilege 3

username <stones> password <SampleAdminPassword> encrypted privilege 15

tunnel-group EZVPN_TUNNEL type remote-access

tunnel-group EZVPN_TUNNEL general-attributes

default-group-policy EZVPN_GP

tunnel-group EZVPN_TUNNEL ipsec-attributes

pre-shared-key <VPNPassword>

!

class-map inspection_default

match default-inspection-traffic

class-map VOICE-CLASS

match dscp ef

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map PRIORITY_POLICY

class VOICE-CLASS

priority

policy-map QOS-TRAFFIC-OUT

class class-default

shape average 154088000

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:10156ad7ab988ae7ed66c4b6d0b4712e

: end

ASA 5505 (Client)

ASA Version 8.2(5)

!

hostname ASA5505

enable password <password> encrypted

passwd <password> encrypted

names

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.19.1 255.255.255.192

!

interface Vlan2

nameif outside

security-level 0

ip address 174.161.76.217 255.255.255.248

!

ftp mode passive

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 174.161.76.222 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh 48.110.3.220 255.255.255.255 outside

ssh timeout 5

console timeout 0

management-access inside

vpnclient server 48.110.3.220

vpnclient mode network-extension-mode

vpnclient vpngroup EZVPN_TUNNEL password <VPNPassword>

vpnclient username <sticks> password <SamplePassword>

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username <stones> password <SampleAdminPassword> encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http

https://tools.cisco.com/its/service/odd ... DCEService

destination address email

callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:bd465cea07c060a409a2eade03b487dc

: end

rizwanr74 · ‎03-02-2012

Please follow this link to create Dynamic Remote L2L tunnel Server on ASA5510.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Here is a link for you to create Site to Site vpn tunnel and this tunnel can be client to above Dynamic L2L tunnel Server.

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Hope that helps.

If you have a question, please ask.

thanks

Rizwan Rafeek

View solution in original post

riddle721 · ‎03-02-2012

A guy on another forum spotted an oversight of mine. I never enabled vpnclient on the 5505. So, consider this answered!

rizwanr74 · ‎03-02-2012

Please follow this link to create Dynamic Remote L2L tunnel Server on ASA5510.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Here is a link for you to create Site to Site vpn tunnel and this tunnel can be client to above Dynamic L2L tunnel Server.

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Hope that helps.

If you have a question, please ask.

thanks

Rizwan Rafeek

Pinesh Amin · ‎03-03-2012

Rizwan,

I apologize..i have deleted my post. Thank you for your help..