Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

Cisco ASA 5505 Site to Site VPN

Hello All,

First time posting to the forums. I've been working with Cisco ASA 5505 for a number of months and recently I purchased a 2nd ASA with the goal of setting up Site to Site VPN tunnel. It look so simple from the number of videos that I have watched on the internet. But when I have done it suprise suprise it didn't work for me ... I have deleted the tunnels a number of times and attempted to recreate them. I am using the VPN wizard in the ADM to create the tunnel. Both the asa are 5505 and have the same same firmware etc.

I would appreciate any help that can be directed towards this issue please.  Slowly losing my mind

Please see details below:

Both ADM are 7.1

IOS

ASA 1

aved

:

ASA Version 9.0(1)

!

hostname PAYBACK

enable password HSMurh79NVmatjY0 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

description Trunk link to SW1

switchport trunk allowed vlan 1,10,20,30,40

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan2

nameif outside

security-level 0

ip address 92.51.193.158 255.255.255.252

!

interface Vlan10

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan20

nameif servers

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan30

nameif printers

security-level 100

ip address 192.168.30.1 255.255.255.0

!

interface Vlan40

nameif wireless

security-level 100

ip address 192.168.40.1 255.255.255.0

!

banner login line Welcome to Payback Loyalty Systems

boot system disk0:/asa901-k8.bin

ftp mode passive

clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup servers

dns domain-lookup printers

dns domain-lookup wireless

dns server-group DefaultDNS

name-server 83.147.160.2

name-server 83.147.160.130

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network ftp_server

object network Internal_Report_Server

host 192.168.20.21

description Automated Report Server Internal Address

object network Report_Server

host 89.234.126.9

description Automated Report Server

object service RDP

service tcp destination eq 3389

description RDP to Server

object network Host_QA_Server

host 89.234.126.10

description QA Host External Address

object network Internal_Host_QA

host 192.168.20.22

description Host of VM machine for QA

object network Internal_QA_Web_Server

host 192.168.20.23

description Web Server in QA environment

object network Web_Server_QA_VM

host 89.234.126.11

description Web server in QA environment

object service SQL_Server

service tcp destination eq 1433

object network Demo_Server

host 89.234.126.12

description Server set up to Demo Product

object network Internal_Demo_Server

host 192.168.20.24

description Internal IP Address of Demo Server

object network NETWORK_OBJ_192.168.20.0_24

subnet 192.168.20.0 255.255.255.0

object network NETWORK_OBJ_192.168.50.0_26

subnet 192.168.50.0 255.255.255.192

object network NETWORK_OBJ_192.168.0.0_16

subnet 192.168.0.0 255.255.0.0

object service MSSQL

service tcp destination eq 1434

description MSSQL port

object network VPN-network

subnet 192.168.50.0 255.255.255.0

object network NETWORK_OBJ_192.168.50.0_24

subnet 192.168.50.0 255.255.255.0

object service TS

service tcp destination eq 4400

object service TS_Return

service tcp source eq 4400

object network External_QA_3

host 89.234.126.13

object network Internal_QA_3

host 192.168.20.25

object network Dev_WebServer

host 192.168.20.27

object network External_Dev_Web

host 89.234.126.14

object network CIX_Subnet

subnet 192.168.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network NETWORK_OBJ_84.39.233.50

host 84.39.233.50

object network NETWORK_OBJ_92.51.193.158

host 92.51.193.158

object network NETWORK_OBJ_192.168.100.0_24

subnet 192.168.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object tcp destination eq ftp

service-object tcp destination eq netbios-ssn

service-object tcp destination eq smtp

service-object object TS

object-group network Payback_Internal

network-object 192.168.10.0 255.255.255.0

network-object 192.168.20.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

object-group service DM_INLINE_SERVICE_3

service-object tcp destination eq www

service-object tcp destination eq https

service-object object TS

service-object object TS_Return

object-group service DM_INLINE_SERVICE_4

service-object object RDP

service-object tcp destination eq www

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_5

service-object object MSSQL

service-object object RDP

service-object object TS

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_6

service-object object TS

service-object object TS_Return

service-object tcp destination eq www

service-object tcp destination eq https

access-list outside_access_in remark This rule is allowing from internet to interal server.

access-list outside_access_in remark Allowed:

access-list outside_access_in remark FTP

access-list outside_access_in remark RDP

access-list outside_access_in remark SMTP

access-list outside_access_in remark Net Bios

access-list outside_access_in remark SQL

access-list outside_access_in remark TS - 4400

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server

access-list outside_access_in remark Access rule to internal host QA

access-list outside_access_in remark Allowed:

access-list outside_access_in remark HTTP

access-list outside_access_in remark RDP

access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www

access-list outside_access_in remark Access to INternal Web Server:

access-list outside_access_in remark Allowed:

access-list outside_access_in remark HTTP

access-list outside_access_in remark RDP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server

access-list outside_access_in remark Rule for allowing access to Demo server

access-list outside_access_in remark Allowed:

access-list outside_access_in remark RDP

access-list outside_access_in remark MSSQL

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3

access-list outside_access_in remark Access for Development WebServer

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer

access-list AnyConnect_Client_Local_Print extended deny ip any4 any4

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns

access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0

access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

logging enable

logging console informational

logging asdm informational

logging from-address

gordon.collins@paybackloyalty.com

logging recipient-address

gordon.collins@paybackloyalty.com

level alerts

mtu outside 1500

mtu inside 1500

mtu servers 1500

mtu printers 1500

mtu wireless 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

nat (wireless,outside) source dynamic any interface

nat (servers,outside) source dynamic any interface

nat (servers,outside) source static Internal_Report_Server Report_Server

nat (servers,outside) source static Internal_Host_QA Host_QA_Server

nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM

nat (servers,outside) source static Internal_Demo_Server Demo_Server

nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup

nat (servers,outside) source static Internal_QA_3 External_QA_3

nat (servers,outside) source static Dev_WebServer External_Dev_Web

nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 92.51.193.157 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.40.0 255.255.255.0 wireless
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 84.39.233.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.40.0 255.255.255.0 wireless
ssh timeout 5
console timeout 0

dhcpd dns 192.168.0.1
dhcpd auto_config outside
!
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password uYePLcrFadO9pBZx encrypted
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
!
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d06974501eb0327a5ed229c8445f4fe1

ASA 2

ASA Version 9.0(1)

!

hostname Payback-CIX

enable password HSMurh79NVmatjY0 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

!

interface Ethernet0/1

description This port connects to VLAN 100

switchport access vlan 100

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport access vlan 100

!

interface Ethernet0/4

switchport access vlan 100

!

interface Ethernet0/5

switchport access vlan 100

!

interface Ethernet0/6

switchport access vlan 100

!

interface Ethernet0/7

switchport access vlan 100

!

interface Vlan2

nameif outside

security-level 0

ip address 84.39.233.50 255.255.255.240

!

interface Vlan100

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!

banner login line Welcome to Payback Loyalty - CIX

ftp mode passive

clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup outside

dns domain-lookup inside

dns server-group defaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network CIX-Host-1

host 192.168.100.2

description This is the host machine of the VM servers

object network External_CIX-Host-1

host 84.39.233.51

description This is the external IP address of the host server for the VM server

object service RDP

service tcp source range 1 65535 destination eq 3389

object network Payback_Office

host 92.51.193.158

object service MSQL

service tcp destination eq 1433

object network Development_OLTP

host 192.168.100.10

description VM for Eiresoft

object network External_Development_OLTP

host 84.39.233.52

description This is the external IP address for the VM for Eiresoft

object network Eiresoft

host 146.66.160.70

description DBA Contractor

object network External_TMC_Web

host 84.39.233.53

description Public Address of TMC Webserver

object network TMC_Webserver

host 192.168.100.19

description Internal Address of TMC Webserver

object network External_TMC_OLTP

host 84.39.233.54

description Targets OLTP external IP

object network TMC_OLTP

host 192.168.100.18

description Targets interal IP address

object network External_OLTP_Failover

host 84.39.233.55

description Public IP of OLTP Failover

object network OLTP_Failover

host 192.168.100.60

description Server for OLTP failover

object network Servers

subnet 192.168.20.0 255.255.255.0

object network Wired

subnet 192.168.10.0 255.255.255.0

object network Wireless

subnet 192.168.40.0 255.255.255.0

object network NETWORK_OBJ_192.168.100.0_24

subnet 192.168.100.0 255.255.255.0

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

object network Eiresoft_2nd

host 137.117.217.29

description Eiresoft 2nd IP

object network Dev_Test_Webserver

host 192.168.100.12

description Dev Test Webserver Internal Address

object network External_Dev_Test_Webserver

host 84.39.233.56

description This is the PB Dev Test Webserver

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group service DM_INLINE_SERVICE_1

service-object object MSQL

service-object object RDP

object-group service DM_INLINE_SERVICE_2

service-object object MSQL

service-object object RDP

object-group service DM_INLINE_SERVICE_3

service-object object MSQL

service-object object RDP

object-group service DM_INLINE_SERVICE_4

service-object object MSQL

service-object object RDP

service-object tcp destination eq ftp

object-group service DM_INLINE_SERVICE_5

service-object object MSQL

service-object object RDP

service-object tcp destination eq ftp

object-group service DM_INLINE_SERVICE_6

service-object object MSQL

service-object object RDP

object-group network Payback_Intrernal

network-object object Servers

network-object object Wired

network-object object Wireless

object-group service DM_INLINE_SERVICE_7

service-object object MSQL

service-object object RDP

object-group service DM_INLINE_SERVICE_8

service-object object MSQL

service-object object RDP

object-group service DM_INLINE_SERVICE_9

service-object object MSQL

service-object object RDP

object-group service DM_INLINE_SERVICE_10

service-object object MSQL

service-object object RDP

service-object tcp destination eq ftp

object-group service DM_INLINE_SERVICE_11

service-object object RDP

service-object tcp destination eq ftp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1

access-list outside_access_in remark Development OLTP from Payback Office

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP

access-list outside_access_in remark Access for Eiresoft

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 object Eiresoft object Development_OLTP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver

access-list outside_access_in remark Access to OLTP for target from Payback Office

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover

access-list outside_access_in remark This is allowing access from Eiresoft to the OLTP Failover server

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 object Eiresoft object OLTP_Failover

access-list outside_access_in remark Access for the 2nd IP from Eiresoft

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP

access-list outside_access_in remark Access from the 2nd Eiresoft IP

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP

access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1

nat (inside,outside) source static Development_OLTP External_Development_OLTP

nat (inside,outside) source static TMC_Webserver External_TMC_Web

nat (inside,outside) source static TMC_OLTP External_TMC_OLTP

nat (inside,outside) source static OLTP_Failover External_OLTP_Failover

nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 84.39.233.49 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 92.51.193.156 255.255.255.252 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

 

protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.51.193.158
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 77.75.100.208 255.255.255.240 outside
ssh 92.51.193.156 255.255.255.252 outside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:83b2069fa311e6037163ae74f9b2bec2
: end

Everyone's tags (8)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Cisco ASA 5505 Site to Site VPN

Hi,

Well there is some clear problems that I can see on a quick glance. These are not related to the actual VPN configurations but rather the NAT configurations.

All of your above CLI format NAT configuration are configured as Manual NAT / Twice NAT in Section 1. This means that all NAT configurations of the device have been added to the same section of the NAT configurations and the ordering of the NAT rules inside that Section is causing the problem for the L2L VPN connection for certain.

Here are some suggestions on what to change

ASA1

Minimal Changes

object network LAN

subnet 192.168.10.0 255.255.255.0

object network REMOTE-LAN

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

no nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup

What the above does is first create "object" that contain the local LAN and remote LAN networks. It then creates a new NAT0 rule and adds it to the top of the NAT rules. (line number 1). This is essentially atleast one of the problems preventing the VPN from operating or the traffic flowing through it.

Finally we remove the old rule that the ASDM generated. It would do the same thing if it was moved to the top but I generally find creating the "object" with descriptive names easier on the eyes in the long run.

Further suggestions

These changes are not required with regards to the L2L VPN. These are just suggestions how to clean up some of the NAT configurations.

object-group network PAT-SOURCE

description Internal PAT source networks

network-object 192.168.10.0 255.255.255.0

network-object 192.168.20.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

no nat (inside,outside) source dynamic any interface

no nat (wireless,outside) source dynamic any interface

no nat (servers,outside) source dynamic any interface

The above configuration creates an "object-group" that lists all the internal networks you have Dynamic PAT configured so far. It then uses the "object-group" in a single "nat" command to handle the Dynamic PAT for all the internal networks (except printers which didnt have anything to begin with). We then remove the old Dynamic PAT configurations.

The reason the "nat" command contains "after-auto" is that it moves this "nat" configuration to the bottom of the NAT rules. Because of this its less likely to cause problems in the future.

object network SERVERS

subnet 192.168.20.0 255.255.255.0

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

nat (servers,outside) 2 source static SERVERS SERVERS destination static VPN-POOL VPN-POOL

no nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup

The above configuration is supposed to create a NAT0 configuration for traffic between Server network and the VPN Client pool. To my understanding the old configuration that we remove is not in use because the traffic would have matched the Dynamic PAT rule of the Server so far rather then this rule which is later in the NAT configurations and would not be processed.

no nat (inside,outside) source static  NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination  static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24  no-proxy-arp route-lookup

To me it seems that network 192.168.1.0/24 is not configured anywhere in your network. Therefore the above "nat" configuration would seem useless and could be removed. If I have missed  something and its in use then naturally do not remove it.

ASA2

Minimal Changes

object network LAN

subnet 192.168.100.0 255.255.255.0

object network REMOTE-LAN

subnet 192.168.10.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

What the above does is first create "object" that  contain the local LAN and remote LAN networks. It then creates a new  NAT0 rule and adds it to the top of the NAT rules. (line number 1). This  is essentially atleast one of the problems preventing the VPN from  operating or the traffic flowing through it.

Finally we remove the old rule that the ASDM  generated.

Further suggestions

object-group network PAT-SOURCE

network-object 192.168.100.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

no nat (inside,outside) source dynamic any interface

The above configuration is meant to do the same as with the other ASA. Though since this network contains only a single subnet it doesnt clean up the existing "nat" configurations that much. But the ordering of the "nat" configurations is changed to avoid further problems with the NAT order.

no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

To me it seems that network 192.168.1.0/24 is not configured anywhere in your network. Therefore the above "nat" configuration would seem useless and could be removed. If I have missed  something and its in use then naturally do not remove it.

I would suggest trying the changes for the NAT0 configurations related to the L2L VPN first and testing the traffic. If that gets the connectivity working then you could consider changing other NAT configurations. There are some other things that could be changed too with regards to the servers Static NAT but that probably better left for some other time.

Hope this made any sense and helped

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

4 REPLIES
Super Bronze

Re: Cisco ASA 5505 Site to Site VPN

Hi,

Well there is some clear problems that I can see on a quick glance. These are not related to the actual VPN configurations but rather the NAT configurations.

All of your above CLI format NAT configuration are configured as Manual NAT / Twice NAT in Section 1. This means that all NAT configurations of the device have been added to the same section of the NAT configurations and the ordering of the NAT rules inside that Section is causing the problem for the L2L VPN connection for certain.

Here are some suggestions on what to change

ASA1

Minimal Changes

object network LAN

subnet 192.168.10.0 255.255.255.0

object network REMOTE-LAN

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

no nat (inside,outside) source static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup

What the above does is first create "object" that contain the local LAN and remote LAN networks. It then creates a new NAT0 rule and adds it to the top of the NAT rules. (line number 1). This is essentially atleast one of the problems preventing the VPN from operating or the traffic flowing through it.

Finally we remove the old rule that the ASDM generated. It would do the same thing if it was moved to the top but I generally find creating the "object" with descriptive names easier on the eyes in the long run.

Further suggestions

These changes are not required with regards to the L2L VPN. These are just suggestions how to clean up some of the NAT configurations.

object-group network PAT-SOURCE

description Internal PAT source networks

network-object 192.168.10.0 255.255.255.0

network-object 192.168.20.0 255.255.255.0

network-object 192.168.40.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

no nat (inside,outside) source dynamic any interface

no nat (wireless,outside) source dynamic any interface

no nat (servers,outside) source dynamic any interface

The above configuration creates an "object-group" that lists all the internal networks you have Dynamic PAT configured so far. It then uses the "object-group" in a single "nat" command to handle the Dynamic PAT for all the internal networks (except printers which didnt have anything to begin with). We then remove the old Dynamic PAT configurations.

The reason the "nat" command contains "after-auto" is that it moves this "nat" configuration to the bottom of the NAT rules. Because of this its less likely to cause problems in the future.

object network SERVERS

subnet 192.168.20.0 255.255.255.0

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

nat (servers,outside) 2 source static SERVERS SERVERS destination static VPN-POOL VPN-POOL

no nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup

The above configuration is supposed to create a NAT0 configuration for traffic between Server network and the VPN Client pool. To my understanding the old configuration that we remove is not in use because the traffic would have matched the Dynamic PAT rule of the Server so far rather then this rule which is later in the NAT configurations and would not be processed.

no nat (inside,outside) source static  NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 destination  static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24  no-proxy-arp route-lookup

To me it seems that network 192.168.1.0/24 is not configured anywhere in your network. Therefore the above "nat" configuration would seem useless and could be removed. If I have missed  something and its in use then naturally do not remove it.

ASA2

Minimal Changes

object network LAN

subnet 192.168.100.0 255.255.255.0

object network REMOTE-LAN

subnet 192.168.10.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup

What the above does is first create "object" that  contain the local LAN and remote LAN networks. It then creates a new  NAT0 rule and adds it to the top of the NAT rules. (line number 1). This  is essentially atleast one of the problems preventing the VPN from  operating or the traffic flowing through it.

Finally we remove the old rule that the ASDM  generated.

Further suggestions

object-group network PAT-SOURCE

network-object 192.168.100.0 255.255.255.0

nat (any,outside) after-auto source dynamic PAT-SOURCE interface

no nat (inside,outside) source dynamic any interface

The above configuration is meant to do the same as with the other ASA. Though since this network contains only a single subnet it doesnt clean up the existing "nat" configurations that much. But the ordering of the "nat" configurations is changed to avoid further problems with the NAT order.

no nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

To me it seems that network 192.168.1.0/24 is not configured anywhere in your network. Therefore the above "nat" configuration would seem useless and could be removed. If I have missed  something and its in use then naturally do not remove it.

I would suggest trying the changes for the NAT0 configurations related to the L2L VPN first and testing the traffic. If that gets the connectivity working then you could consider changing other NAT configurations. There are some other things that could be changed too with regards to the servers Static NAT but that probably better left for some other time.

Hope this made any sense and helped

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

New Member

Re: Cisco ASA 5505 Site to Site VPN

Hi,

Thanks for the help to date

I now have the Site to Site working but there is one little issue I have. If I try to RD to a server through the tunnel it will not allow connection on the first attempt however if I ping that host and then attempt to RD it will allow the connection. It looks like the host is asleep until it receives traffic through the tunnel. Is this thje correct behaviour.

See below the details:

ASA1:


hostname PAYBACK
enable password HSMurh79NVmatjY0 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool VPN1 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
description Trunk link to SW1
switchport trunk allowed vlan 1,10,20,30,40
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.252
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
nameif servers
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
nameif printers
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Vlan40
nameif wireless
security-level 100
ip address 192.168.40.1 255.255.255.0
!
banner login line Welcome to Payback Loyalty Systems
boot system disk0:/asa901-k8.bin
ftp mode passive
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup servers
dns domain-lookup printers
dns domain-lookup wireless
dns server-group DefaultDNS
name-server 83.147.160.2
name-server 83.147.160.130
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ftp_server
object network Internal_Report_Server
host 192.168.20.21
description Automated Report Server Internal Address
object network Report_Server
host 89.234.126.9
description Automated Report Server
object service RDP
service tcp destination eq 3389
description RDP to Server
object network Host_QA_Server
host 89.234.126.10
description QA Host External Address
object network Internal_Host_QA
host 192.168.20.22
description Host of VM machine for QA
object network Internal_QA_Web_Server
host 192.168.20.23
description Web Server in QA environment
object network Web_Server_QA_VM
host 89.234.126.11
description Web server in QA environment
object service SQL_Server
service tcp destination eq 1433
object network Demo_Server
host 89.234.126.12
description Server set up to Demo Product
object network Internal_Demo_Server
host 192.168.20.24
description Internal IP Address of Demo Server
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_26
subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_192.168.0.0_16
subnet 192.168.0.0 255.255.0.0
object service MSSQL
service tcp destination eq 1434
description MSSQL port
object network VPN-network
subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object service TS
service tcp destination eq 4400
object service TS_Return
service tcp source eq 4400
object network External_QA_3
host 89.234.126.13
object network Internal_QA_3
host 192.168.20.25
object network Dev_WebServer
host 192.168.20.27
object network External_Dev_Web
host 89.234.126.14
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
description Wireless network
object network Servers
subnet 192.168.20.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object tcp destination eq smtp
service-object object TS
service-object object SQL_Server
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq www
service-object tcp destination eq https
service-object object TS
service-object object TS_Return
object-group service DM_INLINE_SERVICE_4
service-object object RDP
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_5
service-object object MSSQL
service-object object RDP
service-object object TS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_6
service-object object TS
service-object object TS_Return
service-object tcp destination eq www
service-object tcp destination eq https
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
object-group network Payback_Internal
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
access-list outside_access_in remark This rule is allowing from internet to interal server.
access-list outside_access_in remark Allowed:
access-list outside_access_in remark FTP
access-list outside_access_in remark RDP
access-list outside_access_in remark SMTP
access-list outside_access_in remark Net Bios
access-list outside_access_in remark SQL
access-list outside_access_in remark TS - 4400
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 object Internal_Report_Server
access-list outside_access_in remark Access rule to internal host QA
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any4 object Internal_Host_QA eq www
access-list outside_access_in remark Access to INternal Web Server:
access-list outside_access_in remark Allowed:
access-list outside_access_in remark HTTP
access-list outside_access_in remark RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any4 object Internal_QA_Web_Server
access-list outside_access_in remark Rule for allowing access to Demo server
access-list outside_access_in remark Allowed:
access-list outside_access_in remark RDP
access-list outside_access_in remark MSSQL
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any4 object Internal_Demo_Server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any object Internal_QA_3
access-list outside_access_in remark Access for Development WebServer
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 any object Dev_WebServer
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Payback_VPN_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging console informational
logging asdm informational
logging from-address gordon.collins@paybackloyalty.com
logging recipient-address gordon.collins@paybackloyalty.com level alerts
mtu outside 1500
mtu inside 1500
mtu servers 1500
mtu printers 1500
mtu wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (wireless,outside) source static Wireless Wireless destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Servers Servers destination static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface
nat (wireless,outside) source dynamic any interface
nat (servers,outside) source dynamic any interface
nat (servers,outside) source static Internal_Report_Server Report_Server
nat (servers,outside) source static Internal_Host_QA Host_QA_Server
nat (servers,outside) source static Internal_QA_Web_Server Web_Server_QA_VM
nat (servers,outside) source static Internal_Demo_Server Demo_Server
nat (servers,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 no-proxy-arp route-lookup
nat (servers,outside) source static Internal_QA_3 External_QA_3
nat (servers,outside) source static Dev_WebServer External_Dev_Web
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 92.51.193.157 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XX.XX.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map servers_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map servers_map interface servers
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable servers
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd dns 192.168.0.1
dhcpd auto_config outside
!
dhcpd address 192.168.10.21-192.168.10.240 inside
dhcpd dns 192.168.20.21 83.147.160.2 interface inside
dhcpd option 15 ascii paybackloyalty.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.40.21-192.168.40.240 wireless
dhcpd dns 192.168.20.21 83.147.160.2 interface wireless
dhcpd update dns interface wireless
dhcpd option 15 ascii paybackloyalty.com interface wireless
dhcpd enable wireless
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy Payback_VPN internal
group-policy Payback_VPN attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Payback_VPN_splitTunnelAcl
group-policy DfltGrpPolicy attributes
dns-server value 83.147.160.2 83.147.160.130
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy GroupPolicy_84.39.233.50 internal
group-policy GroupPolicy_84.39.233.50 attributes
vpn-tunnel-protocol ikev1 ikev2
username Noelle password XB/IpvYaATP.2QYm encrypted
username Noelle attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Eanna password vXILR9ZZQIsd1Naw encrypted privilege 0
username Eanna attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Michael password qpbleUqUEchRrgQX encrypted
username Michael attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Danny password .7fEXdzESUk6S/cC encrypted privilege 0
username Danny attributes
vpn-group-policy Payback_VPN
service-type remote-access
username niamh password MlFlIlEiy8vismE0 encrypted
username niamh attributes
service-type admin
username Aileen password tytrelqvV5VRX2pz encrypted privilege 0
username Aileen attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Aidan password aDu6YH0V5XaxpEPg encrypted privilege 0
username Aidan attributes
vpn-group-policy Payback_VPN
service-type remote-access
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
username shane.c password iqGMoWOnfO6YKXbw encrypted
username shane.c attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Shane password yQeVtvLLKqapoUje encrypted privilege 0
username Shane attributes
vpn-group-policy Payback_VPN
service-type remote-access
username James password TdYPv1pvld/hPM0d encrypted
username James attributes
vpn-group-policy Payback_VPN
service-type remote-access
username mark password yruxpddqfyNb.qFn encrypted
username mark attributes
service-type admin
username Mary password XND5FTEiyu1L1zFD encrypted
username Mary attributes
vpn-group-policy Payback_VPN
service-type remote-access
username Massimo password vs65MMo4rM0l4rVu encrypted privilege 0
username Massimo attributes
vpn-group-policy Payback_VPN
service-type remote-access
tunnel-group Payback_VPN type remote-access
tunnel-group Payback_VPN general-attributes
address-pool VPN1
default-group-policy Payback_VPN
tunnel-group Payback_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 84.39.233.50 type ipsec-l2l
tunnel-group 84.39.233.50 general-attributes
default-group-policy GroupPolicy_84.39.233.50
tunnel-group 84.39.233.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect icmp error
  inspect icmp
!
service-policy global-policy global
smtp-server 192.168.20.21
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:83fa7ce1d93375645205f6e79b526381

ASA2:


ASA Version 9.0(1)
!
hostname Payback-CIX
enable password HSMurh79NVmatjY0 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
description This port connects to VLAN 100
switchport access vlan 100
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 100
!
interface Ethernet0/4
switchport access vlan 100
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport access vlan 100
!
interface Ethernet0/7
switchport access vlan 100
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.240
!
interface Vlan100
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
banner login line Welcome to Payback Loyalty - CIX
ftp mode passive
clock timezone GMT 0
clock summer-time gmt/idt recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group defaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CIX-Host-1
host 192.168.100.2
description This is the host machine of the VM servers
object network External_CIX-Host-1
host 84.39.233.51
description This is the external IP address of the host server for the VM server
object service RDP
service tcp source range 1 65535 destination eq 3389
object network Payback_Office
host 92.51.193.158
object service MSQL
service tcp destination eq 1433
object network Development_OLTP
host 192.168.100.10
description VM for Eiresoft
object network External_Development_OLTP
host 84.39.233.52
description This is the external IP address for the VM for Eiresoft
object network External_TMC_Web
host 84.39.233.53
description Public Address of TMC Webserver
object network TMC_Webserver
host 192.168.100.19
description Internal Address of TMC Webserver
object network External_TMC_OLTP
host 84.39.233.54
description Targets OLTP external IP
object network TMC_OLTP
host 192.168.100.18
description Targets interal IP address
object network External_OLTP_Failover
host 84.39.233.55
description Public IP of OLTP Failover
object network OLTP_Failover
host 192.168.100.60
description Server for OLTP failover
object network Servers
subnet 192.168.20.0 255.255.255.0
object network Wired
subnet 192.168.10.0 255.255.255.0
object network Wireless
subnet 192.168.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network Eiresoft_2nd
host 137.117.217.29
description Eiresoft 2nd IP
object network Dev_Test_Webserver
host 192.168.100.12
description Dev Test Webserver Internal Address
object network External_Dev_Test_Webserver
host 84.39.233.56
description This is the PB Dev Test Webserver
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 192.168.100.0 255.255.255.0
object network REMOTE-LAN
subnet 192.168.10.0 255.255.255.0
object network TargetMC
host 83.71.194.145
description This is Target Location that will be accessing the Webserver
object network Rackspace_OLTP
host 162.13.34.56
description This is the IP address of production OLTP
object service DB
service tcp destination eq 5022
object network Topaz_Target_VM
host 82.198.151.168
description This is Topaz IP that will be accessing Targets VM
object service DB_2
service tcp destination eq 5023
object network EireSoft_NEW_IP
host 146.66.161.3
description Eiresoft latest IP form ISP DHCP
object-group service DM_INLINE_SERVICE_1
service-object object MSQL
service-object object RDP
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_4
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object tcp destination eq www
object-group service DM_INLINE_SERVICE_5
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_6
service-object object MSQL
service-object object RDP
object-group network Payback_Intrernal
network-object object Servers
network-object object Wired
network-object object Wireless
object-group service DM_INLINE_SERVICE_8
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_9
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_10
service-object object MSQL
service-object object RDP
service-object tcp destination eq ftp
service-object icmp echo
service-object icmp echo-reply
service-object object DB
object-group service DM_INLINE_SERVICE_11
service-object object RDP
service-object tcp destination eq ftp
object-group service DM_INLINE_SERVICE_12
service-object object MSQL
service-object icmp echo
service-object icmp echo-reply
service-object object DB
service-object object DB_2
object-group service DM_INLINE_SERVICE_13
service-object object MSQL
service-object object RDP
object-group service DM_INLINE_SERVICE_14
service-object object MSQL
service-object object RDP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Payback_Office object CIX-Host-1
access-list outside_access_in remark Development OLTP from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object Payback_Office object Development_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 object Payback_Office object TMC_Webserver
access-list outside_access_in remark Access to OLTP for target from Payback Office
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_5 object Payback_Office object TMC_OLTP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_6 object Payback_Office object OLTP_Failover
access-list outside_access_in remark Access for the 2nd IP from Eiresoft
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 object Eiresoft_2nd object Development_OLTP
access-list outside_access_in remark Access from the 2nd Eiresoft IP
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_9 object Eiresoft_2nd object OLTP_Failover
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_10 object Payback_Office object Dev_Test_Webserver
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_11 object Payback_Office object External_TMC_OLTP
access-list outside_access_in remark Access rules from Traget to CIX for testing
access-list outside_access_in extended permit tcp object TargetMC object TMC_Webserver eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_12 object Rackspace_OLTP object OLTP_Failover
access-list outside_access_in remark Topaz access to Target VM
access-list outside_access_in extended permit tcp object Topaz_Target_VM object TMC_Webserver eq www
access-list outside_access_in remark Opened up for Target for the weekend. Closing on Monday 20th
access-list outside_access_in extended permit tcp any object TMC_Webserver eq www
access-list outside_access_in remark Access for Eiresoft after their ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_13 object EireSoft_NEW_IP object Development_OLTP
access-list outside_access_in remark Eiresoft Access after ISP changed their IP Address
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_14 object EireSoft_NEW_IP object OLTP_Failover
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group Payback_Intrernal
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination static Payback_Intrernal Payback_Intrernal no-proxy-arp route-lookup
nat (inside,outside) source static CIX-Host-1 External_CIX-Host-1
nat (inside,outside) source static Development_OLTP External_Development_OLTP
nat (inside,outside) source static TMC_Webserver External_TMC_Web
nat (inside,outside) source static TMC_OLTP External_TMC_OLTP
nat (inside,outside) source static OLTP_Failover External_OLTP_Failover
nat (inside,outside) source static Dev_Test_Webserver External_Dev_Test_Webserver
nat (inside,outside) source dynamic LAN interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 84.39.233.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.X 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh X.X.X.X  255.255.255.240 outside
ssh X.X.X.X 255.255.255.252 outside
ssh 192.168.40.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_92.51.193.158 internal
group-policy GroupPolicy_92.51.193.158 attributes
vpn-tunnel-protocol ikev1 ikev2
username gordon password 6e6Djaz3W/XH59zX encrypted privilege 15
tunnel-group 92.51.193.158 type ipsec-l2l
tunnel-group 92.51.193.158 general-attributes
default-group-policy GroupPolicy_92.51.193.158
tunnel-group 92.51.193.158 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:78a7b9ccec2fa048306092eb29a2b769

Super Bronze

Cisco ASA 5505 Site to Site VPN

Hi,

Doesn't really sound like any typical problem that I would personally encounter in my work.

Naturally in a situation where the L2L VPN is down and then you generate traffic towards a remote host the first packets of connection attempt might get lost/dropped at the local ASA but the connection attempt should consist of multiple attempts to send the initial TCP SYN so it doesnt make sense that L2L VPN wouldnt negotiate up before the host stops trying the connection.

I guess I would personally initially check the logs during the attempt and see what happens.

Then I would probably take traffic capture on the ASA closest to the host to which you connect with RDP and confirm if the connection attempt fails simply because the server doesnt reply to the initial TCP connection attempt (before the ICMP).

That might help to narrow down the problem and see if the problem is related to the actual server rather than the VPN connection.

- Jouni

New Member

Cisco ASA 5505 Site to Site VPN

Hi,

Thanks for the reply. This is something I can try. It maybe related to the server as I just tested the opposite direction and the problem doesn't exist

- GC

465
Views
0
Helpful
4
Replies
CreatePlease to create content