05-12-2010 10:26 AM - edited 03-11-2019 10:44 AM
I am trying to establish a site-to-site VPN connection between an ASA5510 and an ASA5505. Everything seems to be working on the ASAs themselves, but I am unable to get the VPN connection going. I created the connection profiles the same at both ends, but I must be missing something. I need another pair of eyes to look over my configurations and see what I am missing. Thanks for any help.
Jason
5510 Config:
Result of the command: "show config"
: Saved
: Written by enable_15 at 11:05:58.939 GMT Wed May 12 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside-Untrust
security-level 0
ip address 165.127.126.132 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.18.0.1 255.255.248.0
!
interface Ethernet0/2
nameif DMZ2
security-level 50
ip address 172.17.0.1 255.255.255.224
!
interface Ethernet0/3
nameif DMZ1
security-level 50
ip address 172.16.0.1 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT 0
access-list Inside-Trust_access_in extended permit icmp any any inactive
access-list Outside-Untrust_access_in extended permit icmp any any unreachable
access-list Outside-Untrust_access_in extended permit icmp any any traceroute
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1
access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10
access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside 172.18.0.10
logging permit-hostdown
mtu Outside-Untrust 1500
mtu inside 1500
mtu DMZ2 1500
mtu DMZ1 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255
access-group Outside-Untrust_access_in in interface Outside-Untrust
access-group inside_access_in in interface inside
route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1
route management 172.18.0.3 255.255.255.255 172.18.0.2 1
route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
http 192.168.1.9 255.255.255.255 management
http 172.18.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable Outside-Untrust
crypto isakmp enable inside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server management 192.168.1.9 c:\AS5510_Updates
webvpn
username jgiambro nopassword privilege 15
tunnel-group 165.127.235.132 type ipsec-l2l
tunnel-group 165.127.235.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
mount ASA5510_backup_configs type cifs
server 192.168.1.2
share \\ASA5510-backup_configs
domain ITS18600
status enable
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7dd93df22df8c648afecc700b4d3040a
5505 Config:
Result of the command: "show config"
: Saved
: Written by enable_15 at 08:34:13.408 UTC Wed May 12 2010
!
ASA Version 8.2(1)
!
hostname asa5505
domain-name dphe.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan21
nameif Outside
security-level 0
ip address 165.127.235.132 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 21
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dphe.local
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list Outside_access_in extended permit icmp any any unreachable
access-list Outside_access_in extended permit icmp any any traceroute
access-list Outside_access_in extended permit icmp any any timestamp-reply
access-list Outside_access_in extended permit icmp any any timestamp-request
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_access_in extended permit tcp host 10.1.1.3 host 10.1.1.1
pager lines 24
logging enable
logging asdm informational
logging host Outside 172.18.0.10
logging permit-hostdown
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1
route Outside 0.0.0.0 0.0.0.0 165.127.235.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.3 255.255.255.255 inside
http 10.0.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap
crypto map Outside-Untrusted_map 1 set pfs group1
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map Outside-Untrusted_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 10.1.1.3 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 165.127.126.132 type ipsec-l2l
tunnel-group 165.127.126.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7dea44f64a0339f8459c83461e21f5e
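The following is an added example and not part of the thread or of Cisco's tooling: a small Python checker that reads the tunnel-related parts of the two "show config" dumps above and reports what does not line up between the peers. For each crypto-map entry it checks that the map is bound to the security-level 0 interface, that the configured peer is an outside address of the other unit, and that every crypto-ACL line is mirrored (source and destination swapped) on the other side. The two strings are constructed excerpts of the configs as posted; everything else (function names, the finding texts) is this example's own.

```python
import ipaddress

# Constructed excerpts of the two "show config" dumps quoted above, reduced to the
# lines this checker reads. Indentation is ignored, so the flattened form in the thread parses too.
ASA5510 = """
interface Ethernet0/0
 nameif Outside-Untrust
 security-level 0
 ip address 165.127.126.132 255.255.255.192
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.18.0.1 255.255.248.0
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map interface inside
"""

ASA5505 = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Vlan21
 nameif Outside
 security-level 0
 ip address 165.127.235.132 255.255.255.192
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map interface inside
"""


def _addr(w, i):
    """Read one ACL address spec at w[i]: 'host X', 'any', or 'X MASK'."""
    if w[i] == "host":
        return ipaddress.ip_network(w[i + 1]), i + 2
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2


def parse_asa(text):
    """Extract interfaces, crypto ACLs and crypto-map entries from ASA config text."""
    cfg = {"ifaces": {}, "acls": {}, "entries": {}, "map_iface": {}}
    iface = None  # interface block whose sub-commands follow
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            iface = {"level": None, "ip": None}
        elif w[0] == "nameif":
            cfg["ifaces"][w[1]] = iface
        elif w[0] == "security-level":
            iface["level"] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            iface["ip"] = w[2]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(w, 5)
            dst, _ = _addr(w, i)
            cfg["acls"].setdefault(w[1], []).append((src, dst))
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_iface"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:
            # sub-command ('match address', 'set peer', ...) -> its arguments
            cfg["entries"].setdefault((w[2], w[3]), {})[" ".join(w[4:6])] = w[6:]
    return cfg


def _one_way(a, b, la, lb):
    """Check every crypto-map entry on A against what B offers."""
    out = []
    b_outside = {i["ip"] for i in b["ifaces"].values() if i["level"] == 0}
    # B's crypto ACLs as A must see them: source and destination swapped.
    b_mirror = {(d, s) for e in b["entries"].values()
                for s, d in b["acls"].get(e.get("match address", [""])[0], [])}
    for (name, seq), e in a["entries"].items():
        tag = f"{la} crypto map {name} {seq}"
        bound = a["map_iface"].get(name)
        level = a["ifaces"].get(bound, {}).get("level")
        if bound is None:
            out.append(f"{tag}: not applied to any interface")
        elif level != 0:
            out.append(f"{tag}: applied to '{bound}' (security-level {level}), not the outside interface")
        peer = e.get("set peer", [None])[0]
        if peer not in b_outside:
            out.append(f"{tag}: peer {peer} is not an outside address on {lb}")
        for s, d in a["acls"].get(e.get("match address", [""])[0], []):
            if (s, d) not in b_mirror:
                out.append(f"{tag}: {s} -> {d} is not mirrored on {lb}")
    return out


def check_pair(a, b, la="5510", lb="5505"):
    """Mismatches between two site-to-site peers, checked in both directions."""
    return _one_way(a, b, la, lb) + _one_way(b, a, lb, la)
```

Run `check_pair(parse_asa(ASA5510), parse_asa(ASA5505))` and print each string it returns. On the excerpts as posted it reports six findings: the crypto map bound to `inside` (security-level 100) on both units, `Outside-Untrusted_map` on the 5505 not applied to any interface, and the three crypto-ACL lines that are not mirrored, because `host 172.18.0.0` on the 5505 is a /32 while the 5510 side proposes 172.18.0.0/21. The peer addresses check out on both sides. The checker looks only at the tunnel definition; it says nothing about whether traffic actually reaches the firewall, which is what the rest of the thread turns out to be about.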
05-14-2010 11:46 AM
OK I understand now. How are you trying to mimic the Internet? Can you ping the outside interface from one ASA to the other?
Your outside IP addresses are on different subnets; if you do not have a router between the firewalls to route between the outside subnets, then it will not work. Let me know if this is the case.
05-14-2010 11:52 AM
Yeah, I can ping between the two firewalls and between the two hosts behind the firewalls. We are using two Cisco 3560 switches that use different VLANs so we can mimic a local switch and a "router", since they are layer 3 switches.
Jason
05-14-2010 11:57 AM
How can you ping between the two hosts behind the firewalls? Is the switch routing traffic for the 10 and 172 networks? Sorry, maybe I misinterpreted what you said.
05-14-2010 12:04 PM
05-14-2010 12:45 PM
Are there any routes or vlan interfaces on the switches that will allow 10.1.1.0/24 to be able to reach 172.18.0.0/21 without going through the firewall?
05-17-2010 08:32 AM
The only routes other than the connected ones are the static route on each switch that routes to the other switch:
.235 network switch
3560-T2>
3560-T2>en
Password:
3560-T2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.100.110.101 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Vlan2
C 10.100.110.100/30 is directly connected, GigabitEthernet0/1
165.127.0.0/26 is subnetted, 1 subnets
C 165.127.235.128 is directly connected, Vlan3
S* 0.0.0.0/0 [1/0] via 10.100.110.101
3560-T2#
.126 network switch
3560-T1>
3560-T1>en
Password:
3560-T1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.100.110.102 to network 0.0.0.0
172.17.0.0/27 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, Vlan5
172.16.0.0/27 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Vlan3
172.18.0.0/21 is subnetted, 1 subnets
C 172.18.0.0 is directly connected, Vlan2
10.0.0.0/24 is subnetted, 1 subnets
C 10.100.110.0 is directly connected, GigabitEthernet0/1
165.127.0.0/26 is subnetted, 1 subnets
C 165.127.126.128 is directly connected, Vlan4
S* 0.0.0.0/0 [1/0] via 10.100.110.102
3560-T1#
Is there something wrong with this switch setup?
Jason
05-17-2010 08:55 AM
Your setup is not a problem as long as the gateways for the hosts you are testing with are on the firewall and not on the switch; if the gateways are on the switch, then the traffic will never pass through the firewall.
05-17-2010 09:02 AM
Thanks for pointing this out.
My hosts do use the switch as the gateway (the same as our production environment). To get the traffic to go through the firewall, should I remove the static routes I have between the two switches? This does explain a lot. I should not have been able to ping between the hosts.
Jason
05-17-2010 09:13 AM
Well, you have two choices: change the gateway of the switches to point to the firewall, or, since the firewalls for both networks are on the same VLAN as the hosts, change the gateway of the hosts you are testing with to the firewall address. This should allow the traffic to go through the firewall.
05-19-2010 01:06 PM
I will change the gateway on the switches, but I am not sure which interface on the switch to make that change on. Would it be the inside interface on the switch, setting it to the IP of the inside interface of the firewall?
05-19-2010 07:38 PM
What I was referring to was changing the default route on the switches; change it so that it points to the respective firewall that is connected to each switch.
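The routing argument of the last few replies, as an added example that is not part of the thread: parse the two `show ip route` outputs posted above, do a longest-prefix lookup per switch, and follow a packet from a 10.1.1.0/24 host whose gateway is 3560-T2 toward 172.18.0.0/21. With the tables as posted, the path is T2 to T1 over the 10.100.110.x link and no firewall is ever a hop, which is why the hosts could ping each other. Repointing T2's default route at the 5505 inside address 10.1.1.1 makes the firewall the first hop. The `OWNER` mapping of next-hop addresses to devices is an assumption inferred from the two tables and the firewall configs (T1 as .101, T2 as .102); the route strings are constructed excerpts in the form the switch prints them.

```python
import ipaddress
import re

# Route lines from the two 3560 "show ip route" outputs quoted above, kept in
# the form the switch prints them (classful summary lines included). Constructed
# excerpts; the code-legend banner is omitted.
T2_ROUTES = """
Gateway of last resort is 10.100.110.101 to network 0.0.0.0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, Vlan2
C       10.100.110.100/30 is directly connected, GigabitEthernet0/1
     165.127.0.0/26 is subnetted, 1 subnets
C       165.127.235.128 is directly connected, Vlan3
S*   0.0.0.0/0 [1/0] via 10.100.110.101
"""

T1_ROUTES = """
Gateway of last resort is 10.100.110.102 to network 0.0.0.0
     172.17.0.0/27 is subnetted, 1 subnets
C       172.17.0.0 is directly connected, Vlan5
     172.16.0.0/27 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Vlan3
     172.18.0.0/21 is subnetted, 1 subnets
C       172.18.0.0 is directly connected, Vlan2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.100.110.0 is directly connected, GigabitEthernet0/1
     165.127.0.0/26 is subnetted, 1 subnets
C       165.127.126.128 is directly connected, Vlan4
S*   0.0.0.0/0 [1/0] via 10.100.110.102
"""

# Assumed: which device owns each next-hop address, inferred from the two tables
# (the .101/.102 link addresses) and the firewall inside addresses in the configs.
OWNER = {"10.100.110.101": "3560-T1", "10.100.110.102": "3560-T2",
         "10.1.1.1": "asa5505", "172.18.0.1": "ciscoasa"}

CODE = re.compile(r"^[A-Z]{1,2}\*?$")  # route-code column: C, S, S*, O, EX, ...


def parse_routes(text):
    """Return [(network, next_hop_or_None)] from IOS 'show ip route' output."""
    routes, mask = [], None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if any(t.startswith("subnetted") for t in w):  # summary line carries the mask
            mask = w[0].split("/")[1]
            continue
        if not CODE.match(w[0]):
            continue
        prefix = w[1] if "/" in w[1] else f"{w[1]}/{mask}"
        via = w[w.index("via") + 1] if "via" in w else None  # None: directly connected
        routes.append((ipaddress.ip_network(prefix, strict=False), via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: next-hop address, None if connected, 'no route' otherwise."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return "no route"
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def trace(tables, start, dst):
    """Follow a packet from switch `start` device by device until a connected
    route delivers it or it is handed to a device we have no table for."""
    hops, dev = [start], start
    while dev in tables:
        nh = lookup(tables[dev], dst)
        if nh is None:  # directly connected: delivered by this device
            break
        dev = OWNER.get(nh, nh)  # next device, or the bare address if unknown
        hops.append(dev)
    return hops
```

`trace({"3560-T2": parse_routes(T2_ROUTES), "3560-T1": parse_routes(T1_ROUTES)}, "3560-T2", "172.18.0.10")` returns `["3560-T2", "3560-T1"]`: the packet is delivered by T1's connected Vlan2 route and no ASA sees it. Replace T2's `via 10.100.110.101` with `via 10.1.1.1` and the same call returns `["3560-T2", "asa5505"]`, which is the change the last reply describes.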