Site-to-Site VPN connectivity problem

jason.giambrone
Level 1

I am trying to establish a site-to-site VPN connection between an ASA5510 and an ASA5505. Everything seems to be working on the ASAs themselves, but I am unable to get the VPN connection going. I created the connection profiles the same at both ends, but I must be missing something. I need another pair of eyes to look over my configurations and see what I am missing. Thanks for any help.

Jason

5510 Config:

Result of the command: "show config"

: Saved
: Written by enable_15 at 11:05:58.939 GMT Wed May 12 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside-Untrust
security-level 0
ip address 165.127.126.132 255.255.255.192
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.18.0.1 255.255.248.0
!
interface Ethernet0/2
nameif DMZ2
security-level 50
ip address 172.17.0.1 255.255.255.224
!
interface Ethernet0/3
nameif DMZ1
security-level 50
ip address 172.16.0.1 255.255.255.224
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT 0
access-list Inside-Trust_access_in extended permit icmp any any inactive
access-list Outside-Untrust_access_in extended permit icmp any any unreachable
access-list Outside-Untrust_access_in extended permit icmp any any traceroute
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request
access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0
access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1
access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10
access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside 172.18.0.10
logging permit-hostdown
mtu Outside-Untrust 1500
mtu inside 1500
mtu DMZ2 1500
mtu DMZ1 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255
access-group Outside-Untrust_access_in in interface Outside-Untrust
access-group inside_access_in in interface inside
route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1
route management 172.18.0.3 255.255.255.255 172.18.0.2 1
route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 30
http 192.168.1.0 255.255.255.0 management
http 192.168.1.9 255.255.255.255 management
http 172.18.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable Outside-Untrust
crypto isakmp enable inside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server management 192.168.1.9 c:\AS5510_Updates
webvpn
username jgiambro nopassword privilege 15
tunnel-group 165.127.235.132 type ipsec-l2l
tunnel-group 165.127.235.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
mount ASA5510_backup_configs type cifs
server 192.168.1.2
share \\ASA5510-backup_configs
domain ITS18600
status enable
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7dd93df22df8c648afecc700b4d3040a

5505 Config:

Result of the command: "show config"

: Saved
: Written by enable_15 at 08:34:13.408 UTC Wed May 12 2010
!
ASA Version 8.2(1)
!
hostname asa5505
domain-name dphe.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan21
nameif Outside
security-level 0
ip address 165.127.235.132 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 21
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dphe.local
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list Outside_access_in extended permit icmp any any unreachable
access-list Outside_access_in extended permit icmp any any traceroute
access-list Outside_access_in extended permit icmp any any timestamp-reply
access-list Outside_access_in extended permit icmp any any timestamp-request
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
access-list inside_access_in extended permit tcp host 10.1.1.3 host 10.1.1.1
pager lines 24
logging enable
logging asdm informational
logging host Outside 172.18.0.10
logging permit-hostdown
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1
route Outside 0.0.0.0 0.0.0.0 165.127.235.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.3 255.255.255.255 inside
http 10.0.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap
crypto map Outside-Untrusted_map 1 set pfs group1
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map Outside-Untrusted_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 10.1.1.3 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 165.127.126.132 type ipsec-l2l
tunnel-group 165.127.126.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7dea44f64a0339f8459c83461e21f5e
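
Before chasing anything on the switches, the two configs posted above can be compared mechanically. For an IPsec LAN-to-LAN tunnel on ASA 8.2 the crypto map has to be applied to the interface through which the peer is reached, the crypto ACLs on the two sides have to be mirror images of each other (one side's source/destination is the other side's destination/source), and the transform set chosen on both ends has to resolve to the same algorithms. The checker below is an added example, not part of Jason's post and not a Cisco tool: it parses constructed excerpts of the two configs (only the lines it needs, copied from the posts above) and reports where the pair disagrees. The function names and the dictionary layout are the example's own.

```python
# Added example (Python): mirror-image checker for a pair of ASA 8.2 site-to-site
# IPsec configs. The two strings are constructed excerpts of the configs posted above.
import ipaddress

ASA5510 = """\
interface Ethernet0/0
 nameif Outside-Untrust
 ip address 165.127.126.132 255.255.255.192
interface Ethernet0/1
 nameif inside
 ip address 172.18.0.1 255.255.248.0
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1
route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set pfs group1
crypto map inside_map 1 set peer 165.127.235.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
"""
ASA5505 = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan21
 nameif Outside
 ip address 165.127.235.132 255.255.255.192
access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map inside_map 1 match address inside_1_cryptomap
crypto map inside_map 1 set peer 165.127.126.132
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
"""


def _term(t):  # one ACL address term, 'host A' or 'A MASK' -> (network, remaining tokens)
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]


def parse(text):
    """Interfaces, crypto ACLs, transform sets, crypto maps and the non-tunneled default route."""
    cfg = {"ifaces": {}, "acls": {}, "tsets": {}, "maps": {}, "bound": {}, "default_if": None}
    cur = {}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "interface":
            cur = {}
        elif t[0] == "nameif":
            cfg["ifaces"][t[1]] = cur
        elif t[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _term(t[5:])
            cfg["acls"].setdefault(t[1], []).append((src, _term(rest)[0]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["bound"][t[2]] = t[4]  # the interface this crypto map is applied to
        elif t[:2] == ["crypto", "map"] and len(t) > 6:
            field = {"address": "acl", "peer": "peer", "transform-set": "tset"}.get(t[5])
            if field:  # 'set pfs ...' and other settings are ignored here
                cfg["maps"].setdefault((t[2], int(t[3])), {})[field] = t[6]
        elif t[0] == "route" and t[2:4] == ["0.0.0.0", "0.0.0.0"] and t[-1] != "tunneled":
            cfg["default_if"] = t[1]
    return cfg


def egress_iface(cfg, peer):
    """Interface the ASA reaches `peer` through: a connected subnet, else the default route's."""
    for name, iface in cfg["ifaces"].items():
        if "addr" in iface and peer in iface["addr"].network:
            return name
    return cfg["default_if"]


def check_pair(local, remote):
    """Findings for each crypto map applied on `local`, compared with those applied on `remote`."""
    findings, local_ips = [], {i["addr"].ip for i in local["ifaces"].values() if "addr" in i}
    for (name, seq), e in sorted(local["maps"].items()):
        if name not in local["bound"]:
            continue  # a crypto map that is not applied to an interface never negotiates
        tag, peer = f"{name} {seq}", ipaddress.ip_address(e["peer"])
        egress = egress_iface(local, peer)
        if egress != local["bound"][name]:
            findings.append(f"{tag}: applied to {local['bound'][name]} but peer {peer} is reached via {egress}")
        mates = [(k, r) for k, r in remote["maps"].items()
                 if k[0] in remote["bound"] and ipaddress.ip_address(r.get("peer", "0.0.0.0")) in local_ips]
        if not mates:
            findings.append(f"{tag}: no crypto map applied on the remote ASA peers back to this one")
        mine = sorted((str(s), str(d)) for s, d in local["acls"].get(e["acl"], []))
        for (rname, rseq), r in mates:
            theirs = sorted((str(d), str(s)) for s, d in remote["acls"].get(r["acl"], []))
            if mine != theirs:  # each side's crypto ACL must be the other's with src/dst swapped
                findings.append(f"{tag} vs {rname} {rseq}: crypto ACLs are not mirror images: {mine} / {theirs}")
            if local["tsets"].get(e["tset"]) != remote["tsets"].get(r["tset"]):
                findings.append(f"{tag} vs {rname} {rseq}: transform sets differ")
    return findings
```

Run `check_pair(parse(ASA5510), parse(ASA5505))` and the same call with the arguments swapped. On these excerpts it reports, in each direction, that `inside_map` is applied to `inside` while the peer is reached through the outside interface, and that the 5505's crypto ACL names `host 172.18.0.0` (a /32) where the 5510's names 172.18.0.0/21; the transform sets agree. The checker only states where the two texts disagree; whether those are the whole story is what the rest of the thread works through.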

25 Replies

OK, I understand now. How are you trying to mimic the Internet? Can you ping the outside interface from one ASA to the other?

Your outside IP addresses are on different subnets; if you do not have a router between the firewalls to route between the outside subnets, then it will not work. Let me know if this is the case.

Yeah, I can ping between the two firewalls and between the two hosts behind the firewalls. We are using two Cisco 3560 switches that are using different VLANs so we can mimic a local switch and a "router", since they are layer 3 switches.

Jason

How can you ping between the two hosts behind the firewalls? Is the switch routing traffic for the 10 and 172 networks? Sorry, maybe I misinterpreted what you said.

I have allowed it through the ACLs that are permitted. Maybe this Visio will help.

Are there any routes or vlan interfaces on the switches that will allow 10.1.1.0/24 to be able to reach 172.18.0.0/21 without going through the firewall?

The only routes other than the connected ones are the static route on each switch that routes to the other switch:

.235 network switch

3560-T2>
3560-T2>en
Password:
3560-T2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.100.110.101 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, Vlan2
C       10.100.110.100/30 is directly connected, GigabitEthernet0/1
     165.127.0.0/26 is subnetted, 1 subnets
C       165.127.235.128 is directly connected, Vlan3
S*   0.0.0.0/0 [1/0] via 10.100.110.101
3560-T2#

.126 network switch

3560-T1>
3560-T1>en
Password:
3560-T1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.100.110.102 to network 0.0.0.0

     172.17.0.0/27 is subnetted, 1 subnets
C       172.17.0.0 is directly connected, Vlan5
     172.16.0.0/27 is subnetted, 1 subnets
C       172.16.0.0 is directly connected, Vlan3
     172.18.0.0/21 is subnetted, 1 subnets
C       172.18.0.0 is directly connected, Vlan2
     10.0.0.0/24 is subnetted, 1 subnets
C       10.100.110.0 is directly connected, GigabitEthernet0/1
     165.127.0.0/26 is subnetted, 1 subnets
C       165.127.126.128 is directly connected, Vlan4
S*   0.0.0.0/0 [1/0] via 10.100.110.102
3560-T1#

Is there something wrong with this switch setup?

Jason

Your setup is not a problem as long as the gateways for the hosts you are testing with are on the firewall and not on the switch; if the gateways are on the switch, then the traffic will never pass through the firewall.

Thanks for pointing this out.

My hosts do use the switch as the gateway (the same as our production environment). To get the traffic to go through the firewall, should I remove the static routes I have between the two switches? This does explain a lot. I should not have been able to ping between the hosts.

Jason

Well, you have two choices: change the gateway of the switches to point to the firewall, or, since the firewalls for both networks are on the same VLAN as the hosts, change the gateway of the hosts you are testing with to the firewall address. This should allow the traffic to go through the firewall.

I will change the gateway on the switches, but I am not sure which interface on the switch to make that change on. Would it be the inside interface on the switch, set to the IP of the inside interface of the firewall?

What I was referring to was changing the default route on the switches: change it so that it points to the respective firewall that is connected to each switch.
