cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
950
Views
0
Helpful
5
Replies

VPN consulting

mcrespima
Level 1
Level 1

Hello everybody, I'm quite new with ASA configurations, and I am having some problems with a VPN configuration. I've configure a VPN wich

unexpectedly goes down. the strange is that the other side of the tunnel still have connectivity. another strange things is that in the MONITORING--VPN--IPsec Site to Site connections I can see always the link up.

Has anybody any idea what can I do to resolve this issue?

Thanks and regards.

5 Replies 5

Vishnu Sharma
Level 1
Level 1

Hi Marco,

My understanding says that you see tunnel coming up on your side however you are not able to access resources on the other side of the VPN tunnel and the users on the other side are able to access resources from the remote end to your end. Could you please check if the remote side is doing any natting or not. It would be great if you could share the configuration of both the ends so that we can verify if there is any configuration mismatch or not.

Thanks,

Vishnu Sharma

Hi Vishnu, thanks very much for your response. Maybe I did not explain well the issue.

I configured the tunnel and its working fine. I can access to my resources at the other side of the tunnel and the persons in the other side, can access my resources in this side, but suddenly the tunnel stop working and I lost communication with the far end. I realize that because my system monitoring advertise me that I have no communication with my switches on the far end.

A friend told me about keep alives configurations, but I'm not sure.

Because of that I do not think it could be a configuration problem, or at least I think that. do you think that could be a misconfiguration?

No problem if you need the show run output.

Hi,

Can you post the sh run

Hi Marco,

Could you please share what do you do to bring the tunnel back up and working. Do you clear the tunnel to bring it back up again or do you reload the device. Please share these details. Also the show run would be very helpful in diagnosing the problem.

Thanks,

Vishnu Sharma

Vishnu, Hi, sorry for my delay, to bring the tunnel back I just go to MONITORING--->VPN---> I filter by IPsec Site-to-Site and then I select the Connection Profile for my tunnel and then I press the Logout button (in the ASDM Interface) and after a couple of seconds the tunnels starts to works again.

my config in the far end ASA is:

REMOTESITE# sho run

: Saved

:

ASA Version 8.2(5)

!

hostname REMOTESITE

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

no nameif

no security-level

no ip address

!

interface Ethernet0/0.10

description Internet Inside

vlan 10

nameif InternetInside

security-level 50

ip address PRIVATE IP ADDRESS

!

interface Ethernet0/0.130

vlan 130

nameif inside

security-level 100

ip address PRIVATE IP ADDRESS

interface Ethernet0/1

no nameif

no security-level

no ip address

!

interface Ethernet0/1.19

vlan 19

nameif outside

security-level 0

ip address PUBLIC IP ADDRESS

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

object-group network RemoteSite

network-object 10.32.0.0 255.255.0.0

object-group network LocalSite

network-object 10.30.0.0 255.255.0.0

network-object host 10.2.3.240

network-object host 10.2.3.230

network-object host 10.2.3.233

network-object host 10.2.3.243

network-object host 10.2.3.248

access-list inside_access_in extended permit ip object-group RemoteSite any

access-list inside_nat_outbound extended permit ip object-group RemoteSite any

access-list outside_1_cryptomap extended permit ip object-group RemoteSite object-group LocalSite

access-list outside_1_cryptomap extended permit ip object-group LocalSite object-group RemoteSite

access-list inside_nat0_outbound extended permit ip object-group RemoteSite object-group LocalSite

access-list inside_nat0_outbound extended permit ip object-group RemoteSite 192.168.150.0 255.255.255.0

access-list InternetInside_nat_outbound extended permit ip 172.16.1.32 255.255.255.224 any

access-list VPN-RemoteSite_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list VPN-RemoteSite_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list VPN-RemoteSite_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

mtu InternetInside 1500

ip local pool RemoteSite-VPN 192.168.150.10-192.168.150.200 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 access-list inside_nat_outbound

nat (InternetInside) 1 access-list InternetInside_nat_outbound

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 204.181.54.177 1

route outside 10.2.3.230 255.255.255.255 204.181.54.177 1

route outside 10.2.3.233 255.255.255.255 204.181.54.177 1

route outside 10.2.3.240 255.255.255.255 204.181.54.177 1

route outside 10.2.3.243 255.255.255.255 204.181.54.177 1

route outside 10.2.3.248 255.255.255.255 204.181.54.177 1

route outside 10.30.0.0 255.255.0.0 204.181.54.177 1

route inside 10.32.0.0 255.255.0.0 10.32.2.130 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server tac-auth protocol tacacs+

aaa-server tac-auth (inside) host 10.30.5.43

timeout 5

key *****

aaa-server tac-auth (inside) host 10.30.120.43

timeout 5

key *****

aaa authentication enable console tac-auth LOCAL

aaa authentication http console tac-auth LOCAL

aaa authentication serial console tac-auth LOCAL

aaa authentication ssh console tac-auth LOCAL

aaa authentication telnet console tac-auth LOCAL

aaa authorization command tac-auth LOCAL

aaa accounting enable console tac-auth

aaa accounting telnet console tac-auth

aaa accounting ssh console tac-auth

aaa accounting serial console tac-auth

aaa accounting command privilege 15 tac-auth

aaa local authentication attempts max-fail 10

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 inside

http LocalSitePUBLICIP outside

http LocalSitePUBLICIP outside

http LocalSitePUBLICIP outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer LocalSitePUBLICIP

crypto map outside_map 1 set transform-set ESP-AES-128-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 63f6c54f

    30820234 3082019d a0030201 02020463 f6c54f30 0d06092a 864886f7 0d010105

    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648

    86f70d01 09021608 63697363 6f617361 301e170d 31323035 33313038 33373235

    5a170d32 32303532 39303833 3732355a 302c3111 300f0603 55040313 08636973

    636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081

    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b7 f802ade8

    d40ba8e6 a32d4e57 0c1dce0c 970d7f62 afb83546 aa2eeb4a 798cee09 b6ed1217

    356d486c 2cb43ce2 0754ee4f a49be90a 65a4c586 b61dd4e0 68b587fa e9f546ea

    a54a9ec6 f2f316ad 7e2bdb7d 4e0b0630 2efa0d29 7350bce1 dbe67e89 ba2c2193

    67918b03 02c6f9b3 3cca9bc9 e97a1c61 3603c1c6 6097285a 5e7b4302 03010001

    a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04

    04030201 86301f06 03551d23 04183016 8014d665 a29f0fd4 b60293fe c2cc6f9d

    c6c3a617 c942301d 0603551d 0e041604 14d665a2 9f0fd4b6 0293fec2 cc6f9dc6

    c3a617c9 42300d06 092a8648 86f70d01 01050500 03818100 0d3b6049 08f662e4

    e07f1113 8194da6a a221c29e d850b7b4 d5fdb695 c24c066c f272856c b5cd9712

    6a8839f3 037cdce1 3d4a326d f8d40768 c31bf450 18fab62b f36a383e b40827ee

    ab3c8290 17928639 ace48926 2a018b85 cabf73b0 e98f92b2 b7973add d194d9d2

    b144a1be ef4cb498 8c381d1e cade9141 ec80cea8 e787c65d

  quit

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh PUBLIC IP ADDRESS outside

ssh PUBLIC IP ADDRESS outside

ssh PUBLIC IP ADDRESS outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy VPN-RemoteSite_2 internal

group-policy VPN-RemoteSite_2 attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-RemoteSite_splitTunnelAcl

default-domain none

group-policy VPN-RemoteSite internal

group-policy VPN-RemoteSite attributes

vpn-filter value outside_1_cryptomap

vpn-tunnel-protocol IPSec

group-policy VPN-RemoteSite_1 internal

group-policy VPN-RemoteSite_1 attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol IPSec

default-domain none

username admin password 2QP3zeqDx2bZ8oiO encrypted privilege 15

username vpn-RemoteSite password YllBSswY7sUORmMr encrypted privilege 0

username vpn-RemoteSite attributes

vpn-group-policy VPN-RemoteSite_1

tunnel-group LocalSitePUBLICIP type ipsec-l2l

tunnel-group LocalSitePUBLICIP general-attributes

default-group-policy VPN-RemoteSite

tunnel-group LocalSitePUBLICIP ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 10 retry 10

tunnel-group VPN-RemoteSite type remote-access

tunnel-group VPN-RemoteSite general-attributes

address-pool RemoteSite-VPN

default-group-policy VPN-RemoteSite_2

tunnel-group VPN-RemoteSite ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:00cfcfa94733b8335dd7a34b36b3a18a

: end

REMOTESITE#

for my ASA in the local side I think it could be more difficult because in that device I have all the company config.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: