×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Adding another 5505 to the Network.......

Answered Question
Mar 5th, 2014
User Badges:

Hello all I could use some help before I scream


I have at my main office 5510.  I have 4 remote offices with 5505.  These 4 office connect L2L VPN to my main office with NO problems and have for a couple years.
We recently added a 5th office with yet another 5505.  So I am doing the same thing having the new office VPN to the main office.  But for the life of me I cannot seem to get it to connect.  I have used the same set up on the NEW office as I did all the old office but for whatever reason I cannot establish a tunnel / connection.


Here are the results from a couple commands:


Result of the command: "show crypto isakmp sa"

There are no isakmp sas


Result of the command: "show crypto ipsec sa"

There are no ipsec sas


I am kinda lost as to what to do now....... 


Thanks for any help.

Correct Answer by jjohnston1127 about 3 years 5 months ago

One thing that initially alerts me is the ACLs for the encryption domain and nat exemption.  Is the remote site really at 192.198.10.0/24 or is it 192.168.10.0/24?


access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0 



Other than that, the configuration, to me, looks good assuming you have the same ISAKMP and IPSEC configuration on the 5510 side.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
jjohnston1127 Wed, 03/05/2014 - 12:07
User Badges:
  • Silver, 250 points or more

I would imagine you have a phase 1 mismatch or you have not configured the tunnel-group on the 5510 for the new site.  Hard to say w/o the configurations.


Please post the relevant configuration from the new ASA 5505 and post your ASA 5510 configuration.

toddyboman Wed, 03/05/2014 - 12:24
User Badges:

Here is the 5505


: Saved
:
ASA Version 8.2(5) 
!
hostname ********
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.90.1 255.255.255.0 
!
interface Vlan12
 nameif outside
 security-level 0
 pppoe client vpdn group AT&T
 ip address pppoe setroute 
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network outbound
access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0 
access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.90.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MM esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 90 match address 106
crypto map outside_map 90 set peer 222.222.222.22 
crypto map outside_map 90 set transform-set MM
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname [email protected]
vpdn group ATT ppp authentication pap
vpdn username [email protected] password ***** 
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd auto_config outside
!
dhcpd address 192.168.90.5-192.168.90.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 222.222.222.22 type ipsec-l2l
tunnel-group 222.222.222.22 ipsec-attributes
 pre-shared-key ****
tunnel-group 77.77.777.777 type ipsec-l2l
tunnel-group 77.77.777.777 ipsec-attributes
 pre-shared-key ****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:748218d8f392a0ead093b8ebd225d599
: end
no asdm history enable






5510

: Saved

:

ASA Version 8.0(5)

!

hostname MC

enable password mrNAzLB3WoDGll7l encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group cl

ip address pppoe setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.5 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_mpc extended permit tcp any any inactive

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0

access-list 101 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list 102 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 105 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list 106 extended permit ip 192.168.10.0 255.255.255.0 192.168.90.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

logging from-address [email protected]

logging recipient-address [email protected] level alerts

logging debug-trace

mtu outside 1492

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list nonat

nat (inside) 101 0.0.0.0 0.0.0.0

route outside 192.168.1.0 255.255.255.0 209.142.191.13 1

route outside 192.168.20.0 255.255.255.0 209.142.191.13 1

route outside 192.168.30.0 255.255.255.0 209.142.191.13 1

route outside 192.168.40.0 255.255.255.0 209.142.191.13 1

route outside 192.168.90.0 255.255.255.0 209.142.191.13 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set KV esp-3des esp-sha-hmac

crypto ipsec transform-set Macon esp-3des esp-sha-hmac

crypto ipsec transform-set Shelby esp-3des esp-sha-hmac

crypto ipsec transform-set Han esp-3des esp-sha-hmac

crypto ipsec transform-set Moberly esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address 102

crypto map outside_map 10 set peer 10.10.10.10

crypto map outside_map 10 set transform-set Shelby

crypto map outside_map 20 match address 101

crypto map outside_map 20 set peer 20.20.20.20

crypto map outside_map 20 set transform-set Macon

crypto map outside_map 30 match address 100

crypto map outside_map 30 set peer 30.30.30.30

crypto map outside_map 30 set transform-set KV

crypto map outside_map 40 match address 105

crypto map outside_map 40 set peer 40.40.40.40

crypto map outside_map 40 set transform-set Han

crypto map outside_map 90 match address 106

crypto map outside_map 90 set peer 222.222.222.222

crypto map outside_map 90 set transform-set Moberly

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

vpdn group cl request dialout pppoe

vpdn group cl localname xxxxxxxx

vpdn group cl ppp authentication pap

vpdn username xxxxxxxx password ********* store-local

dhcpd dns 208.67.222.222 208.67.220.220

!

dhcpd address 192.168.10.3-192.168.10.50 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

username admin password vx8BkOWfWwvYuBKw encrypted

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group 20.20.20.20 type ipsec-l2l

tunnel-group 20.20.20.20 ipsec-attributes

pre-shared-key *

tunnel-group 30.30.30.30 type ipsec-l2l

tunnel-group 30.30.30.30ipsec-attributes

pre-shared-key *

tunnel-group 40.40.40.40 type ipsec-l2l

tunnel-group 40.40.40.40 ipsec-attributes

pre-shared-key *

tunnel-group 10.10.10.10 type ipsec-l2l

tunnel-group 10.10.10.10 ipsec-attributes

pre-shared-key *

tunnel-group 222.222.222.222 type ipsec-l2l

tunnel-group 222.222.222.222 ipsec-attributes

pre-shared-key *

tunnel-group 77.77.777.777 type ipsec-l2l

!

class-map type regex match-any domainblocklist1

match regex domainlist1

class-map type inspect http match-all BlockDomainsClass

match request header host regex class domainblocklist1

class-map type regex match-any URLBlockList

match regex urlist4

class-map type inspect http match-all BlockURLsCLass

match request uri regex class URLBlockList

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-all AppHeaderClass

match request header regex applicationheader regex applicationheader

class-map httptraffic

match access-list inside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect http http_inspection_policy

parameters

  protocol-violation action drop-connection

match request method connect

  drop-connection log

class AppHeaderClass

  drop-connection log

class BlockDomainsClass

  reset log

class BlockURLsCLass

  reset log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

policy-map inside-policy

class httptraffic

  inspect http http_inspection_policy

!

service-policy global_policy global

service-policy inside-policy interface inside

prompt hostname context

Cryptochecksum:ab762e380a0b975c824ad0037acf0f72

: end

asdm image disk0:/asdm-631.bin

asdm history enable

Correct Answer
jjohnston1127 Wed, 03/05/2014 - 12:32
User Badges:
  • Silver, 250 points or more

One thing that initially alerts me is the ACLs for the encryption domain and nat exemption.  Is the remote site really at 192.198.10.0/24 or is it 192.168.10.0/24?


access-list 106 extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.90.0 255.255.255.0 192.198.10.0 255.255.255.0 



Other than that, the configuration, to me, looks good assuming you have the same ISAKMP and IPSEC configuration on the 5510 side.

toddyboman Wed, 03/05/2014 - 13:58
User Badges:

Good Grief... Don't I feel dumb.  I will make that change tonight and HOPEFULLLY that will fix it.


I will let you know.


Thanks!!!!!

toddyboman Wed, 03/05/2014 - 20:59
User Badges:

So glad this was simple fix.....but feel so dumb to have over looked something so simple.


Thanks for the help!

jjohnston1127 Wed, 03/05/2014 - 21:02
User Badges:
  • Silver, 250 points or more

Hey,  typos happen! I've had my fair share over the years. Glad it was something simple rather than hours of troubleshooting.


Take care.

Actions

This Discussion