08-02-2013 08:13 AM - edited 03-11-2019 07:20 PM
Hello all,
I worked with you a few days back on a site-to-site using two 5505 ASAs in a lab before deploying; with your help that is working.
We are moving to deploy into production with some different settings, as the customer's site remains the same but we will move from using the local interface nameif inside to our DMZ - first thing is, will this work through site-to-site?
We have the ASA on our end configured to use site-to-site through our DMZ interface, we created the ACL, then the NAT, but we can't ping anything on their local subnet, nor can they ping our local subnet.
I really need your help to show what I missed or failed to implement.
Thank you
08-02-2013 09:32 AM
Sure - both ASAs rebooted, we still can't ping or use anything like RDP to the local network; sending both configs.
ASA1
ASA Version 8.4(5)
!
hostname PCS-lab-EW-VPN
domain-name sccul.org
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.177.212.103 255.255.255.0
!
interface Vlan3
nameif EWVPN
security-level 98
ip address 172.16.17.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.1
domain-name sccul.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
description PAT_inside_Outside_on_TW_Circuit
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 172.16.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu EWVPN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 209.177.212.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 EWVPN
http 70.61.194.0 255.255.255.240 outside
http 209.177.212.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside-map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 70.61.194.178
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 60
ssh 10.10.10.0 255.255.255.0 inside
ssh 209.177.212.0 255.255.255.0 outside
ssh 172.16.1.0 255.255.255.0 EWVPN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.87.104.40 source outside
ntp server 64.113.32.9 source outside
ntp server 50.22.155.163 source outside
webvpn
username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15
username admin1 password mNquohzwaXofLKzA encrypted privilege 15
tunnel-group 70.61.194.178 type ipsec-l2l
tunnel-group 70.61.194.178 ipsec-attributes
ikev1 pre-shared-key cisco123
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6865776390ce5bf69108b5f69386eb65
: end
ASA2
ASA Version 8.4(5)
!
hostname PCS-EW-VPN
domain-name sccul.org
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.248 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.61.194.178 255.255.255.240
!
interface Vlan3
nameif EWVPN
security-level 98
ip address 172.16.5.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.1
domain-name sccul.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
description PAT_inside_Outside_on_TW_Circuit
object network net-local
subnet 172.16.5.0 255.255.255.0
object network net-remote
subnet 10.10.10.0 255.255.255.0
access-list EWVPN_access-in extended permit ip any any
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu EWVPN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (EWVPN,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 70.61.194.177 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.5.0 255.255.255.0 EWVPN
http 70.61.194.0 255.255.255.240 outside
http 209.177.212.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 209.177.212.103
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 60
ssh 192.168.1.0 255.255.255.0 inside
ssh 209.177.212.0 255.255.255.0 outside
ssh 172.16.5.0 255.255.255.0 EWVPN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.87.104.40 source outside
ntp server 64.113.32.9 source outside
ntp server 50.22.155.163 source outside
webvpn
username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15
username admin1 password mNquohzwaXofLKzA encrypted privilege 15
tunnel-group 209.177.212.103 type ipsec-l2l
tunnel-group 209.177.212.103 ipsec-attributes
ikev1 pre-shared-key cisco123
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bccba008500a803d23f0933a87c0a791
: end
Thank you
08-02-2013 09:37 AM
Hi,
PCS-EW-VPN ASA is missing a "crypto map" related command
Add this
crypto map outside_map 1 match address outside_1_cryptomap
- Jouni
08-02-2013 09:41 AM
If that doesn't solve it, please provide which license is installed on your ASAs
08-02-2013 09:49 AM
Applied the crypto map outside_map 1 match address outside_1_cryptomap to the PCS-EW-VPN ASA; still not able to ping.
License on both ASAs
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Thank you
08-02-2013 09:54 AM
Hi,
Can you issue the "packet-tracer" command again on that same ASA unit (twice)
Could you also tell us between which devices you are attempting to ICMP? This can't be done from the ASA directly, at least, so I assume that you are doing ICMP between hosts? Have you confirmed that those hosts are attached to the correct ports and have the correct IP addresses and gateways, if you have changed the INSIDE -> DMZ for this setup on the other ASA?
I can't see any problem with the configurations at the moment. They should enable the L2L VPN negotiation to go through. But as you saw, you didn't have the configuration above on the other ASA that defines the local and remote networks on the L2L VPN connection, so I think the ASDM might have removed that during some configurations.
You can naturally add the following commands on both ASAs for ICMP
fixup protocol icmp
fixup protocol icmp error
Those are old format commands but should convert to "inspect" command
Alternatively you can add them in the following way
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Can the ASAs ping each other's WAN interfaces at the moment?
When you issue the "packet-tracer" command or have a continuous ICMP from some host behind the "EWVPN" interface or "inside" on the other ASA, what can you see with the command
show crypto ikev1 sa
Try to issue it several times during testing to see what it shows
You could also use the command
show crypto ipsec sa
To view if the Phase2 has gone through and if packets have gone through the L2L VPN in either direction.
There is always a chance that something else than the ASA is stopping the ICMP traffic.
- Jouni
08-02-2013 10:22 AM
Hello
I'm trying to ping from the local subnet and not the ASA firewall - from laptops on each local network - one in the DMZ 172.16.5.2 to remote LAN 10.10.10.10
Packet-tracer from both ASAs, run twice on both
ASA1
PCS-EW-VPN(config)# packet-trace input EWVPN tcp 172.16.5.2 21 10.10.10.10 21
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.10.10/21 to 10.10.10.10/21
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (EWVPN,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 172.16.5.2/21 to 172.16.5.2/21
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: EWVPN
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA2
PCS-lab-EW-VPN# packet-trace input inside tcp 10.10.10.10 21 172.16.5.2 21
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 172.16.5.2/21 to 172.16.5.2/21
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Static translate 10.10.10.10/21 to 10.10.10.10/21
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 674, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
08-02-2013 10:29 AM
Jouni,
Please let me know if this standard config for Site-To-Site is correct, and let me know if something else is needed.
This is what I used on each ASA:
confirm you can ping both external IP addresses from the ASAs
config t
crypto isakmp enable outside
object network net-local
subnet w.x.y.z 255.255.255.0
object network net-remote
subnet w.x.y.z 255.255.255.0
exit
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group w.x.y.z type ipsecL2L
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
exit
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 your default gateway
thanks
08-02-2013 10:29 AM
Hi,
The ASA PCS-lab-EW-VPN with the "packet-tracer" is not even matching the VPN Phase.
Either we are still talking about a configuration error or some weird bug.
Can you issue the command "show run" on this ASA and share the configuration again?
This just doesn't make any sense.
- Jouni
08-02-2013 10:35 AM
Sure thing
ASA1
ASA Version 8.4(5)
!
hostname PCS-lab-EW-VPN
domain-name sccul.org
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.177.212.103 255.255.255.0
!
interface Vlan3
nameif EWVPN
security-level 98
ip address 172.16.17.1 255.255.255.0
!
boot system disk0:/asa845-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.1
domain-name sccul.org
object network obj_any
subnet 0.0.0.0 0.0.0.0
description PAT_inside_Outside_on_TW_Circuit
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 172.16.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu EWVPN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 209.177.212.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
http 172.16.1.0 255.255.255.0 EWVPN
http 70.61.194.0 255.255.255.240 outside
http 209.177.212.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside-map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 70.61.194.178
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 60
ssh 10.10.10.0 255.255.255.0 inside
ssh 209.177.212.0 255.255.255.0 outside
ssh 172.16.1.0 255.255.255.0 EWVPN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.87.104.40 source outside
ntp server 64.113.32.9 source outside
ntp server 50.22.155.163 source outside
webvpn
username ssisson password 1U3WSDowu/mxWWcx encrypted privilege 15
username admin1 password mNquohzwaXofLKzA encrypted privilege 15
tunnel-group 70.61.194.178 type ipsec-l2l
tunnel-group 70.61.194.178 ipsec-attributes
ikev1 pre-shared-key cisco123
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6865776390ce5bf69108b5f69386eb65
: end
08-02-2013 10:38 AM
Hi,
Typo in the configuration
Remove
crypto map outside-map 1 match address outside_1_cryptomap
Add
crypto map outside_map 1 match address outside_1_cryptomap
Current one has - in the "outside-map" while it should have _ , as in "outside_map"
The typo in the Crypto Map name basically attached the L2L VPN ACL to a different Crypto Map which was not used. This is why on the other ASA the traffic is not matching to any VPN configuration.
- Jouni
08-02-2013 10:42 AM
Do you see that we have confetti falling from the sky and the birds are singing – that's it my friend, nice job
08-02-2013 10:45 AM
Please help me as I'm working on a script for configuring Site-To-Site as listed below, to remove typos like the one you found. Please let me know if anything else is needed.
confirm you can ping both external IP addresses from the ASAs
config t
crypto isakmp enable outside
object network net-local
subnet w.x.y.z 255.255.255.0
object network net-remote
subnet w.x.y.z 255.255.255.0
exit
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group w.x.y.z type ipsecL2L
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
exit
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 your default gateway
08-02-2013 11:04 AM
The configuration depends on the software level
If I were to go by the newest software version then the above is missing some parameters or using old format commands (that might be accepted but naturally better to use the new format)
object network LOCAL-NAME
subnet w.x.y.z 255.255.255.0
object network REMOTE-NAME
subnet w.x.y.z 255.255.255.0
exit
access-list L2LVPN-NAME-ACL permit ip object LOCAL-NAME object REMOTE-NAME
tunnel-group w.x.y.z type ipsecL2L
tunnel-group w.x.y.z ipsec-attributes
ikev1 pre-shared-key cisco123
crypto ikev1 enable
crypto ikev1 policy x
authentication pre-share
encrypt 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ikev1 ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTOMAP x match address L2LVPN-NAME-ACL
crypto map CRYPTOMAP x set pfs group1
crypto map CRYPTOMAP x set peer w.x.y.z
crypto map CRYPTOMAP x set ikev1 transform-set ESP-3DES-SHA
crypto map CRYPTOMAP interface
nat (sourceint,destinationint) 1 source static net-local net-local destination static net-remote net-remote
In the above what you have to notice is that some configurations are only needed once. There is no need to issue them again if for example you configure a new L2L VPN on an ASA that already has a L2L VPN connection.
Those are for example these commands
crypto ikev1 enable
crypto map CRYPTOMAP interface
crypto ikev1 policy x
authentication pre-share
encrypt 3des
hash sha
group 2
lifetime 86400
The above commands are global commands/settings that don't need to be issued again. Once they are on the device there is no need to modify them. Naturally you might need some other parameters for the "ikev1 policy" with some other remote location. In that case you use another priority number and add that to the configuration.
For example
crypto ikev1 policy 20
authentication pre-share
encrypt aes-256
hash sha
group 2
lifetime 28800
Both the original and this new one can be there at the same time.
Also you will have to notice that each L2L VPN ACL needs a different name otherwise the configuration will get messed up and possibly affect the existing VPNs.
object network LOCAL-NAME-2
subnet w.x.y.z 255.255.255.0
object network REMOTE-NAME-2
subnet w.x.y.z 255.255.255.0
exit
access-list L2LVPN-NAME-ACL-2 permit ip object LOCAL-NAME-2 object REMOTE-NAME-2
Also the "crypto map" lines will need their own priority number for a new connection
For example
crypto map CRYPTOMAP 2 match address L2LVPN-NAME-ACL2
crypto map CRYPTOMAP 2 set pfs group1
crypto map CRYPTOMAP 2 set peer w.x.y.z
crypto map CRYPTOMAP 2 set ikev1 transform-set ESP-3DES-SHA
And finally you will need to check that the source and destination interfaces on the "nat" configuration match the interface where the actual source and destination network for the L2L VPN are located at.
nat (sourceint,destinationint) 1 source static LOCAL-NAME-2 LOCAL-NAME-2 destination static REMOTE-NAME-2 REMOTE-NAME-2
Notice that both in the ACL and the Object configuration I have added the "NAME". I would suggest you replace this with something that gives a descriptive name to which L2L VPN connection this object or ACL is related to. It will become a lot easier to troubleshoot later when the ACL and Object names aren't cryptic themselves.
Hope this made any sense.
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
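The typo found earlier in the thread (an ACL attached to "outside-map" while "outside_map" is the crypto map bound to the interface) and the template rules in the post above (each entry needs its own ACL and priority number, the peer needs a tunnel-group, the NAT rule must cover the protected networks) are all consistency checks that can be run over a "show run" before the tunnel is tested. The following added example is not part of the thread or of any Cisco tool; it is a small Python linter written for this page. It parses the ASA 8.4-style lines the thread uses and reports the mismatches. The configuration excerpt inside it is constructed for the example, modelled on the ASA1 config posted above and deliberately reproducing the "outside-map" typo; the regular expressions only recognise the command forms that appear in this thread.

```python
"""Lint an ASA 8.4-style site-to-site (L2L) VPN configuration for the
consistency mistakes discussed in the thread: a crypto map name that is
never applied to an interface, crypto map entries missing pieces, a peer
without a tunnel-group, an ACL shared by two entries, and a missing
identity NAT for the protected networks. Example code for this page,
not a Cisco tool."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's ASA1 config; the
# "outside-map" typo from the thread is reproduced on purpose.
SAMPLE_CONFIG = """\
object network net-local
 subnet 10.10.10.0 255.255.255.0
object network net-remote
 subnet 172.16.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside-map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 70.61.194.178
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 70.61.194.178 type ipsec-l2l
"""

# Only the command forms used in this thread are recognised.
RE_MAP_ENTRY = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|set (?:ikev1 )?transform-set|set pfs)\s*(\S*)")
RE_MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
RE_ACL = re.compile(r"^access-list (\S+) (?:extended )?permit ip object (\S+) object (\S+)")
RE_TG = re.compile(r"^tunnel-group (\S+) type ipsec-l2l")
RE_TS = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+)")
RE_NAT = re.compile(
    r"^nat \((\S+),(\S+)\) (?:\d+ )?source static (\S+) (\S+) destination static (\S+) (\S+)")


def lint_asa_l2l(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    entries = defaultdict(dict)   # (map name, seq) -> {keyword: value}
    bound_maps = set()            # crypto map names applied to an interface
    acls = {}                     # ACL name -> (source object, destination object)
    tunnel_groups = set()
    transform_sets = set()
    identity_nats = set()         # (source object, destination object) with no translation
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := RE_MAP_ENTRY.match(line)):
            name, seq, keyword, value = m.groups()
            entries[(name, int(seq))][keyword.replace("ikev1 ", "")] = value
        elif (m := RE_MAP_IFACE.match(line)):
            bound_maps.add(m.group(1))
        elif (m := RE_ACL.match(line)):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif (m := RE_TG.match(line)):
            tunnel_groups.add(m.group(1))
        elif (m := RE_TS.match(line)):
            transform_sets.add(m.group(1))
        elif (m := RE_NAT.match(line)):
            _, _, s1, s2, d1, d2 = m.groups()
            if s1 == s2 and d1 == d2:   # identity (no-NAT) rule as in the thread
                identity_nats.add((s1, d1))

    findings = []
    # The thread's bug: entries under a map name that is never bound to an interface.
    for name in sorted({n for n, _ in entries}):
        if name not in bound_maps:
            findings.append(f"crypto map '{name}' has entries but is not applied to any interface")
    acl_users = defaultdict(list)
    for (name, seq), kw in sorted(entries.items()):
        where = f"crypto map {name} {seq}"
        acl = kw.get("match address")
        if acl is None:
            findings.append(f"{where}: missing 'match address'")
        else:
            acl_users[acl].append(where)
            if acl not in acls:
                findings.append(f"{where}: ACL '{acl}' is not defined")
            elif acls[acl] not in identity_nats:
                findings.append(f"{where}: no identity NAT for {acls[acl][0]} -> {acls[acl][1]}")
        peer = kw.get("set peer")
        if peer is None:
            findings.append(f"{where}: missing 'set peer'")
        elif peer not in tunnel_groups:
            findings.append(f"{where}: no 'tunnel-group {peer} type ipsec-l2l'")
        ts = kw.get("set transform-set")
        if ts is None:
            findings.append(f"{where}: missing transform-set")
        elif ts not in transform_sets:
            findings.append(f"{where}: transform-set '{ts}' is not defined")
    # Each L2L entry needs its own ACL, as the post above explains.
    for acl, users in acl_users.items():
        if len(users) > 1:
            findings.append(f"ACL '{acl}' is used by more than one entry: {', '.join(users)}")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_l2l(SAMPLE_CONFIG) or ["clean"]:
        print(finding)
```

Run against the constructed excerpt, the linter reports the unbound "outside-map", the two halves of the split entry (one with only a match address, the other with peer and transform-set but no ACL), and nothing once the hyphen is replaced by an underscore; fed a second entry that reuses the same ACL, it flags the shared ACL and the peer that has no tunnel-group.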
08-02-2013 10:47 AM
Hi.
Good to hear
Took some time but finally got it working
Please do remember to mark a reply as the correct answer.
- Jouni
08-02-2013 10:50 AM
Yes Sir - you are the best
Please confirm this site-to-site config I'm creating to prevent typos - do I need anything else in this script?
confirm you can ping both external IP addresses from the ASAs
config t
crypto isakmp enable outside
object network net-local
subnet w.x.y.z 255.255.255.0
object network net-remote
subnet w.x.y.z 255.255.255.0
exit
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group w.x.y.z type ipsecL2L
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
exit
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer w.x.y.z
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 your default gateway
Thank you Sir