06-11-2012 01:04 PM
Hello everybody, I'm quite new to ASA configurations, and I am having some problems with a VPN configuration. I've configured a VPN which
unexpectedly goes down. The strange thing is that the other side of the tunnel still has connectivity. Another strange thing is that in MONITORING--VPN--IPsec Site to Site connections I can always see the link up.
Has anybody any idea what I can do to resolve this issue?
Thanks and regards.
06-11-2012 02:04 PM
Hi Marco,
My understanding is that you see the tunnel coming up on your side, however you are not able to access resources on the other side of the VPN tunnel, while the users on the other side are able to access resources from the remote end to your end. Could you please check whether the remote side is doing any NATting or not. It would be great if you could share the configuration of both ends so that we can verify whether there is any configuration mismatch.
Thanks,
Vishnu Sharma
06-11-2012 07:45 PM
Hi Vishnu, thanks very much for your response. Maybe I did not explain the issue well.
I configured the tunnel and it's working fine. I can access my resources on the other side of the tunnel and the people on the other side can access my resources on this side, but suddenly the tunnel stops working and I lose communication with the far end. I realize that because my monitoring system alerts me that I have no communication with my switches on the far end.
A friend told me about keepalive configurations, but I'm not sure.
Because of that I do not think it could be a configuration problem, or at least that is what I think. Do you think that it could be a misconfiguration?
No problem if you need the show run output.
06-12-2012 02:31 AM
Hi,
Can you post the sh run?
06-12-2012 06:07 AM
Hi Marco,
Could you please share what you do to bring the tunnel back up and working. Do you clear the tunnel to bring it back up again, or do you reload the device? Please share these details. Also, the show run would be very helpful in diagnosing the problem.
Thanks,
Vishnu Sharma
06-12-2012 08:28 AM
Hi Vishnu, sorry for my delay. To bring the tunnel back I just go to MONITORING--->VPN---> I filter by IPsec Site-to-Site, then I select the Connection Profile for my tunnel and press the Logout button (in the ASDM interface), and after a couple of seconds the tunnel starts to work again.
My config on the far end ASA is:
REMOTESITE# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname REMOTESITE
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.10
description Internet Inside
vlan 10
nameif InternetInside
security-level 50
ip address PRIVATE IP ADDRESS
!
interface Ethernet0/0.130
vlan 130
nameif inside
security-level 100
ip address PRIVATE IP ADDRESS
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.19
vlan 19
nameif outside
security-level 0
ip address PUBLIC IP ADDRESS
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group network RemoteSite
network-object 10.32.0.0 255.255.0.0
object-group network LocalSite
network-object 10.30.0.0 255.255.0.0
network-object host 10.2.3.240
network-object host 10.2.3.230
network-object host 10.2.3.233
network-object host 10.2.3.243
network-object host 10.2.3.248
access-list inside_access_in extended permit ip object-group RemoteSite any
access-list inside_nat_outbound extended permit ip object-group RemoteSite any
access-list outside_1_cryptomap extended permit ip object-group RemoteSite object-group LocalSite
access-list outside_1_cryptomap extended permit ip object-group LocalSite object-group RemoteSite
access-list inside_nat0_outbound extended permit ip object-group RemoteSite object-group LocalSite
access-list inside_nat0_outbound extended permit ip object-group RemoteSite 192.168.150.0 255.255.255.0
access-list InternetInside_nat_outbound extended permit ip 172.16.1.32 255.255.255.224 any
access-list VPN-RemoteSite_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list VPN-RemoteSite_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list VPN-RemoteSite_splitTunnelAcl standard permit 172.16.0.0 255.240.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
mtu InternetInside 1500
ip local pool RemoteSite-VPN 192.168.150.10-192.168.150.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
nat (InternetInside) 1 access-list InternetInside_nat_outbound
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 204.181.54.177 1
route outside 10.2.3.230 255.255.255.255 204.181.54.177 1
route outside 10.2.3.233 255.255.255.255 204.181.54.177 1
route outside 10.2.3.240 255.255.255.255 204.181.54.177 1
route outside 10.2.3.243 255.255.255.255 204.181.54.177 1
route outside 10.2.3.248 255.255.255.255 204.181.54.177 1
route outside 10.30.0.0 255.255.0.0 204.181.54.177 1
route inside 10.32.0.0 255.255.0.0 10.32.2.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server tac-auth protocol tacacs+
aaa-server tac-auth (inside) host 10.30.5.43
timeout 5
key *****
aaa-server tac-auth (inside) host 10.30.120.43
timeout 5
key *****
aaa authentication enable console tac-auth LOCAL
aaa authentication http console tac-auth LOCAL
aaa authentication serial console tac-auth LOCAL
aaa authentication ssh console tac-auth LOCAL
aaa authentication telnet console tac-auth LOCAL
aaa authorization command tac-auth LOCAL
aaa accounting enable console tac-auth
aaa accounting telnet console tac-auth
aaa accounting ssh console tac-auth
aaa accounting serial console tac-auth
aaa accounting command privilege 15 tac-auth
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http LocalSitePUBLICIP outside
http LocalSitePUBLICIP outside
http LocalSitePUBLICIP outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer LocalSitePUBLICIP
crypto map outside_map 1 set transform-set ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 63f6c54f
30820234 3082019d a0030201 02020463 f6c54f30 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 31323035 33313038 33373235
5a170d32 32303532 39303833 3732355a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b7 f802ade8
d40ba8e6 a32d4e57 0c1dce0c 970d7f62 afb83546 aa2eeb4a 798cee09 b6ed1217
356d486c 2cb43ce2 0754ee4f a49be90a 65a4c586 b61dd4e0 68b587fa e9f546ea
a54a9ec6 f2f316ad 7e2bdb7d 4e0b0630 2efa0d29 7350bce1 dbe67e89 ba2c2193
67918b03 02c6f9b3 3cca9bc9 e97a1c61 3603c1c6 6097285a 5e7b4302 03010001
a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
04030201 86301f06 03551d23 04183016 8014d665 a29f0fd4 b60293fe c2cc6f9d
c6c3a617 c942301d 0603551d 0e041604 14d665a2 9f0fd4b6 0293fec2 cc6f9dc6
c3a617c9 42300d06 092a8648 86f70d01 01050500 03818100 0d3b6049 08f662e4
e07f1113 8194da6a a221c29e d850b7b4 d5fdb695 c24c066c f272856c b5cd9712
6a8839f3 037cdce1 3d4a326d f8d40768 c31bf450 18fab62b f36a383e b40827ee
ab3c8290 17928639 ace48926 2a018b85 cabf73b0 e98f92b2 b7973add d194d9d2
b144a1be ef4cb498 8c381d1e cade9141 ec80cea8 e787c65d
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh PUBLIC IP ADDRESS outside
ssh PUBLIC IP ADDRESS outside
ssh PUBLIC IP ADDRESS outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPN-RemoteSite_2 internal
group-policy VPN-RemoteSite_2 attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-RemoteSite_splitTunnelAcl
default-domain none
group-policy VPN-RemoteSite internal
group-policy VPN-RemoteSite attributes
vpn-filter value outside_1_cryptomap
vpn-tunnel-protocol IPSec
group-policy VPN-RemoteSite_1 internal
group-policy VPN-RemoteSite_1 attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
default-domain none
username admin password 2QP3zeqDx2bZ8oiO encrypted privilege 15
username vpn-RemoteSite password YllBSswY7sUORmMr encrypted privilege 0
username vpn-RemoteSite attributes
vpn-group-policy VPN-RemoteSite_1
tunnel-group LocalSitePUBLICIP type ipsec-l2l
tunnel-group LocalSitePUBLICIP general-attributes
default-group-policy VPN-RemoteSite
tunnel-group LocalSitePUBLICIP ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group VPN-RemoteSite type remote-access
tunnel-group VPN-RemoteSite general-attributes
address-pool RemoteSite-VPN
default-group-policy VPN-RemoteSite_2
tunnel-group VPN-RemoteSite ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00cfcfa94733b8335dd7a34b36b3a18a
: end
REMOTESITE#
For my ASA on the local side I think it could be more difficult, because that device holds all the company config.
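Vishnu asked two things that can be checked mechanically from the posted show run: whether interesting traffic is exempted from NAT on the way into the tunnel, and whether the crypto ACLs on the two ASAs mirror each other. The script below is an added example written for this thread, not Cisco's code or anything from the poster: it parses ASA 8.2-style object-groups and "permit ip" ACL entries, expands them into (source, destination) flows, reports crypto-ACL flows that no nat0 exemption covers, and lists the proxy IDs the local-side ASA's crypto ACL would have to contain. The function and variable names (parse_config, check, PAGE_CONFIG and so on) are mine; the ACL names outside_1_cryptomap and inside_nat0_outbound come from the REMOTESITE config above, and VARIANT_CONFIG is a constructed negative case, not something from the thread.

```python
from ipaddress import IPv4Network

ANY = IPv4Network("0.0.0.0/0")

# Excerpt of the REMOTESITE config posted above (only the lines this check reads).
PAGE_CONFIG = """
object-group network RemoteSite
network-object 10.32.0.0 255.255.0.0
object-group network LocalSite
network-object 10.30.0.0 255.255.0.0
network-object host 10.2.3.240
network-object host 10.2.3.230
network-object host 10.2.3.233
network-object host 10.2.3.243
network-object host 10.2.3.248
access-list inside_nat_outbound extended permit ip object-group RemoteSite any
access-list outside_1_cryptomap extended permit ip object-group RemoteSite object-group LocalSite
access-list outside_1_cryptomap extended permit ip object-group LocalSite object-group RemoteSite
access-list inside_nat0_outbound extended permit ip object-group RemoteSite object-group LocalSite
access-list inside_nat0_outbound extended permit ip object-group RemoteSite 192.168.150.0 255.255.255.0
"""

# Constructed negative case (not from the thread): the NAT exemption is written as a
# bare subnet, so the five LocalSite hosts outside 10.30.0.0/16 are left to be PATed.
VARIANT_CONFIG = PAGE_CONFIG.replace(
    "access-list inside_nat0_outbound extended permit ip object-group RemoteSite object-group LocalSite",
    "access-list inside_nat0_outbound extended permit ip object-group RemoteSite 10.30.0.0 255.255.0.0",
)


def _network(tok):
    """'host A.B.C.D' or 'A.B.C.D MASK' -> IPv4Network."""
    if tok[0] == "host":
        return IPv4Network(tok[1] + "/32")
    return IPv4Network(f"{tok[0]}/{tok[1]}")


def _operand(tok, i, groups):
    """Parse one ACL address operand starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]]), i + 2
    return [_network(tok[i:i + 2])], i + 2


def parse_config(text):
    """Return (groups, acls): group name -> [networks]; ACL name -> [(src_nets, dst_nets)].
    Only 'object-group network' blocks and 'extended permit ip' entries are read;
    indentation is ignored, so pasted 'show run' output works as-is."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.append(_network(tok[1:]))
        else:
            current = None  # any other line ends the object-group block
            if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
                src, i = _operand(tok, 5, groups)
                dst, _ = _operand(tok, i, groups)
                acls.setdefault(tok[1], []).append((src, dst))
    return groups, acls


def expand(entries):
    """Flatten ACL entries into a set of (src_net, dst_net) flows."""
    return {(s, d) for src, dst in entries for s in src for d in dst}


def nat_exempt_gaps(crypto_flows, nat0_flows):
    """Crypto-ACL flows that no NAT-exemption entry covers in either direction.
    Crypto ACLs are matched bidirectionally, so the exemption may be written for the
    inside-originated direction only; a gap means inside hosts are translated by the
    'nat (inside) 1' rule and their packets never match the crypto map."""
    def covered(s, d):
        return any(s.subnet_of(xs) and d.subnet_of(xd) for xs, xd in nat0_flows)
    return sorted((s, d) for s, d in crypto_flows if not covered(s, d) and not covered(d, s))


def peer_proxy_ids(crypto_flows):
    """The mirror image of our crypto ACL: what the other ASA's crypto ACL must contain."""
    return sorted((d, s) for s, d in crypto_flows)


def check(config_text, crypto_acl="outside_1_cryptomap", nat0_acl="inside_nat0_outbound"):
    groups, acls = parse_config(config_text)
    crypto = expand(acls.get(crypto_acl, []))
    nat0 = expand(acls.get(nat0_acl, []))
    return {"gaps": nat_exempt_gaps(crypto, nat0), "peer_proxy_ids": peer_proxy_ids(crypto)}


if __name__ == "__main__":
    for label, cfg in (("posted config", PAGE_CONFIG), ("constructed variant", VARIANT_CONFIG)):
        result = check(cfg)
        print(f"{label}: {len(result['gaps'])} crypto flow(s) not exempted from NAT")
        for s, d in result["gaps"]:
            print(f"  {s} -> {d}")
    print("local-side crypto ACL must mirror:")
    for s, d in check(PAGE_CONFIG)["peer_proxy_ids"]:
        print(f"  {s} -> {d}")
```

On the posted config the NAT-exemption check comes back clean, which is consistent with Marco's report that traffic flows until the tunnel drops; the list printed at the end is what to compare, line by line, against the crypto ACL on the local-side ASA, since a proxy-ID mismatch typically shows up only when one side rekeys. The variant shows what a gap looks like when an object-group is replaced by a bare subnet on the nat0 line.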