Cisco Support Community

Site-to-Site VPN connectivity problem

I am trying to establish a site-to-site VPN connection between an ASA5510 and an ASA5505. Everything seems to be working on the ASAs themselves but I am unable to get the VPN connection going. I created the connection profiles the same at both ends but I must be missing something. I need another pair of eyes to look over my configurations and see what I am missing. Thanks for any help.

Jason

5510 Config:

Result of the command: "show config"

: Saved

: Written by enable_15 at 11:05:58.939 GMT Wed May 12 2010

!

ASA Version 8.2(2)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside-Untrust

security-level 0

ip address 165.127.126.132 255.255.255.192

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.18.0.1 255.255.248.0

!

interface Ethernet0/2

nameif DMZ2

security-level 50

ip address 172.17.0.1 255.255.255.224

!

interface Ethernet0/3

nameif DMZ1

security-level 50

ip address 172.16.0.1 255.255.255.224

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone GMT 0

access-list Inside-Trust_access_in extended permit icmp any any inactive

access-list Outside-Untrust_access_in extended permit icmp any any unreachable

access-list Outside-Untrust_access_in extended permit icmp any any traceroute

access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request

access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply

access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1

access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10

access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging asdm informational

logging host inside 172.18.0.10

logging permit-hostdown

mtu Outside-Untrust 1500

mtu inside 1500

mtu DMZ2 1500

mtu DMZ1 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255

access-group Outside-Untrust_access_in in interface Outside-Untrust

access-group inside_access_in in interface inside

route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1

route management 172.18.0.3 255.255.255.255 172.18.0.2 1

route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http server idle-timeout 30

http 192.168.1.0 255.255.255.0 management

http 192.168.1.9 255.255.255.255 management

http 172.18.0.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map inside_map 1 match address inside_1_cryptomap

crypto map inside_map 1 set pfs group1

crypto map inside_map 1 set peer 165.127.235.132

crypto map inside_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map interface inside

crypto isakmp enable Outside-Untrust

crypto isakmp enable inside

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 30

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

tftp-server management 192.168.1.9 c:\AS5510_Updates

webvpn

username jgiambro nopassword privilege 15

tunnel-group 165.127.235.132 type ipsec-l2l

tunnel-group 165.127.235.132 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

mount ASA5510_backup_configs type cifs

server 192.168.1.2

share \\ASA5510-backup_configs

domain ITS18600

status enable

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:7dd93df22df8c648afecc700b4d3040a

5505 Config:

Result of the command: "show config"

: Saved

: Written by enable_15 at 08:34:13.408 UTC Wed May 12 2010

!

ASA Version 8.2(1)

!

hostname asa5505

domain-name dphe.local

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Vlan21

nameif Outside

security-level 0

ip address 165.127.235.132 255.255.255.192

!

interface Ethernet0/0

switchport access vlan 21

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa821-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name dphe.local

access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list inside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list Outside_access_in extended permit icmp any any unreachable

access-list Outside_access_in extended permit icmp any any traceroute

access-list Outside_access_in extended permit icmp any any timestamp-reply

access-list Outside_access_in extended permit icmp any any timestamp-request

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list inside_access_in extended permit tcp host 10.1.1.3 host 10.1.1.1

pager lines 24

logging enable

logging asdm informational

logging host Outside 172.18.0.10

logging permit-hostdown

mtu inside 1500

mtu Outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_outbound

static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1

route Outside 0.0.0.0 0.0.0.0 165.127.235.129 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.1.1.3 255.255.255.255 inside

http 10.0.1.3 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap

crypto map Outside-Untrusted_map 1 set pfs group1

crypto map Outside-Untrusted_map 1 set peer 165.127.126.132

crypto map Outside-Untrusted_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map 1 match address inside_1_cryptomap

crypto map inside_map 1 set pfs group1

crypto map inside_map 1 set peer 165.127.126.132

crypto map inside_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 10.1.1.3 255.255.255.255 inside

telnet timeout 5

ssh 10.1.1.3 255.255.255.255 inside

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 165.127.126.132 type ipsec-l2l

tunnel-group 165.127.126.132 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c7dea44f64a0339f8459c83461e21f5e

25 REPLIES

Re: Site-to-Site VPN connectivity problem

Hi Jason,

What do the following commands report on both sides:

show crypto ipsec sa

show crypto isa sa

This will assist in troubleshooting this. Also, if I am remembering correctly, you may want your crypto maps mapped to the outside interface.

Thanks,

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

Re: Site-to-Site VPN connectivity problem

Hi Kimberly

Thank you for responding.

I ran the show crypto ipsec sa command and the show crypto isa sa command on both firewalls and got the same output on both:

"There is no ipsec sas"

"There is no isakmp sas"

I also verified the crypto maps on both firewalls were mapped to the outside interface.

Just so you know, I set up the connection profiles using the IPsec wizard we used in training.

Jason

Re: Site-to-Site VPN connectivity problem

Jason, you are welcome for the response.

In order to get a site-to-site VPN working you will need to have an SA for both IPsec and ISAKMP (SA = Security Association). I am not a huge fan of the ASDM GUI and do most of my work on the command line. What it honestly sounds like is you are missing something in your configuration and need to get the security association set up. I will pore over your configurations and see if I can find the missing component, but when it is working and you run those two commands your output should look very similar to the following:

This is from my ASA, this is not quite a S2S VPN but you get the point:

PDC-5540# sh crypto isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 71.194.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 99.147.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

PDC-5540# sh crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 65.116.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.41.x.x/255.255.255.255/0/0)
      current_peer: 71.194.x.x, username: murrayc
      dynamic allocated peer ip: 10.41.x.x

      #pkts encaps: 3260, #pkts encrypt: 3260, #pkts digest: 3260
      #pkts decaps: 3580, #pkts decrypt: 3580, #pkts verify: 3580
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3260, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 65.116.x.x/11000, remote crypto endpt.: 71.194.x.x/1082
      path mtu 1500, ipsec overhead 94, media mtu 1500
      current outbound spi: 166E1E5E

    inbound esp sas:
      spi: 0x13AE577C (330192764)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 2109440, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26114
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x166E1E5E (376315486)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 2109440, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26112
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

I will double check your configs and see if I can find something to assist you further.

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.
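The two show commands above are the first thing to read when a tunnel "does not work", and the packet counters in the IPsec SA output tell you which direction is broken. The script below is an added example (not part of this thread and not a Cisco tool): it parses "show crypto ipsec sa" text into one record per crypto map entry and returns a verdict for each, and it also handles the "no ipsec sas" message Jason reported. The sample output is trimmed from Kimberly's post above, with one constructed second entry (RFC 5737 documentation addresses, seq 1, zero decaps) added to show what a one-way tunnel looks like; the record field names and the verdict wording are my own.

```python
"""Summarise 'show crypto ipsec sa' output per crypto map entry and flag the two
states that matter when a tunnel 'does not work': no SAs at all (neither phase
completed) and one-way traffic (packets encapsulated but none decapsulated, or
the reverse). Added example, not from the thread. SAMPLE is trimmed from the
output posted above plus one constructed entry (documentation addresses)."""
import re

SAMPLE = """\
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 65.116.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.41.x.x/255.255.255.255/0/0)
      current_peer: 71.194.x.x, username: murrayc

      #pkts encaps: 3260, #pkts encrypt: 3260, #pkts digest: 3260
      #pkts decaps: 3580, #pkts decrypt: 3580, #pkts verify: 3580
      #send errors: 0, #recv errors: 0

    Crypto map tag: Outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (172.18.0.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

NO_SA = re.compile(r"There (?:is|are) no ipsec sas", re.I)
HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER = re.compile(r"current_peer: ([^,\s]+)")
COUNTER = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")


def parse_ipsec_sa(text):
    """One dict per SA (crypto map entry), in the order the ASA prints them."""
    if NO_SA.search(text):
        return []
    sas, cur = [], None
    for line in text.splitlines():
        if m := HEADER.search(line):
            cur = {"map": m[1], "seq": int(m[2]), "local_addr": m[3]}
            sas.append(cur)
        elif cur is None:
            continue  # interface banner or other text before the first entry
        elif m := IDENT.search(line):
            cur[m[1]] = f"{m[2]}/{m[3]}"  # 'local' / 'remote' proxy identity as net/mask
        elif m := PEER.search(line):
            cur["peer"] = m[1]
        else:
            for name, value in COUNTER.findall(line):
                cur[name.replace("pkts ", "").replace(" ", "_")] = int(value)
    return sas


def diagnose(sas):
    """A verdict string per SA; an empty list means the tunnel never negotiated."""
    if not sas:
        return ["no IPsec SAs: IKE or IPsec negotiation never completed; check crypto map "
                "binding, ISAKMP interface, peer address and matching proposals on both sides"]
    verdicts = []
    for sa in sas:
        name = (f"{sa['map']} seq {sa['seq']} {sa.get('local', '?')} -> "
                f"{sa.get('remote', '?')} peer {sa.get('peer', '?')}")
        enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
        if enc and not dec:
            verdict = f"one-way: {enc} encapsulated, nothing decapsulated; far side is not sending into the tunnel"
        elif dec and not enc:
            verdict = f"one-way: {dec} decapsulated, nothing encapsulated; local traffic is not matching the crypto ACL"
        elif not enc and not dec:
            verdict = "SA established but idle"
        else:
            verdict = f"healthy: {enc} encapsulated / {dec} decapsulated"
        verdicts.append(f"{name}: {verdict}")
    return verdicts


if __name__ == "__main__":
    print("\n".join(diagnose(parse_ipsec_sa(SAMPLE))))
```

Paste the real output into parse_ipsec_sa and read the verdicts: "encapsulated but nothing decapsulated" means the local side is encrypting and sending, so the usual suspects are the far side's crypto ACL, its NAT exemption, or its crypto map binding; the reverse means local traffic is never selected for the tunnel, which on ASA 8.2 is almost always the crypto ACL or a NAT rule translating the source before the crypto map sees it.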

Re: Site-to-Site VPN connectivity problem

Hi Jason,

I am seeing possibly a few problems with your setup.

1. Are your clients able to browse the Internet? Because I see the nat global but I don't see a corresponding nat inside. For example you have the following:

global (Outside-Untrust) 101 but I don't see a

nat (inside) 101 0.0.0.0 0.0.0.0

Can you explain how they are able to browse?

2. Your crypto map ACL and nat 0 ACLs are incorrect on the 5505: you have a network going to a host on one side and a network going to a network on the other. Remember these ACLs have to mirror each other, so do the following:

5505

no access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0

no access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0

5510

(for neatness sake)

no access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.0.0.0
no access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 host 10.1.1.0

3. You seem to have two crypto maps with the same parameters on the 5505; however, the one you have applied is on the inside interface, but it should be applied to the Outside interface on both firewalls. You also have isakmp enabled on the inside interface. The crypto map must always be applied to the Internet-facing interface and isakmp should only be enabled on this interface as well (unless you have a different setup and are doing it over a WAN link), so you need to do the following on both firewalls:

5505

no crypto map inside_map interface inside

no crypto isakmp enable inside

crypto map Outside-Untrusted_map interface Outside

5510

no crypto map inside_map interface inside

no crypto isakmp enable inside

crypto map inside_map interface Outside-Untrust

4. You also have an ACL applied to the inside interface that will cause the tunnel to never be established; you need to permit the traffic that will traverse the tunnel. Do the following:

5505

access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0

5510

access-list inside_access_in extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

Your other parameters seem to be OK. Give these changes a try and let me know if it works.


Re: Site-to-Site VPN connectivity problem

Thank you Kimberly and KWillacey

KWillacey, I made all the changes you recommended, but I ran into a few problems. I get a warning on both firewalls that said the crypto map needed entries. And the connection profiles were now gone. I rebuilt the crypto map entries without using the wizard, so I am not sure I did those right. I rebuilt the connection profiles using the wizard. Hopefully I did not duplicate anything. I also added a NAT rule for inside traffic (good catch, thanks).

Kimberly, thank you for your help. I changed the ACL from host to network.

It is a lot cleaner now but still not working, so I obviously missed something. I made a lot of changes to clean up the mistakes KWillacey pointed out, so I will repost the configs. Thanks again for your time, guys; you have been a great help!

Jason

ASA5510

ASA Version 8.2(2)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside-Untrust

security-level 0

ip address 165.127.126.132 255.255.255.192

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.18.0.1 255.255.248.0

!

interface Ethernet0/2

nameif DMZ2

security-level 50

ip address 172.17.0.1 255.255.255.224

!

interface Ethernet0/3

nameif DMZ1

security-level 50

ip address 172.16.0.1 255.255.255.224

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa822-k8.bin

ftp mode passive

clock timezone GMT 0

access-list Inside-Trust_access_in extended permit icmp any any inactive

access-list Outside-Untrust_access_in extended permit icmp any any unreachable

access-list Outside-Untrust_access_in extended permit icmp any any traceroute

access-list Outside-Untrust_access_in extended permit icmp any any timestamp-request

access-list Outside-Untrust_access_in extended permit icmp any any timestamp-reply

access-list Outside-Untrust_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp host 172.18.0.10 host 172.18.0.1

access-list inside_access_in extended permit tcp host 172.18.0.1 host 172.18.0.10

access-list inside_access_in extended permit udp host 172.18.0.1 host 172.18.0.10 eq syslog

access-list inside_access_in extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

access-list Outside-Untrust_cryptomap_1 extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap warnings

logging asdm informational

logging host inside 172.18.0.10

logging permit-hostdown

mtu Outside-Untrust 1500

mtu inside 1500

mtu DMZ2 1500

mtu DMZ1 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

global (Outside-Untrust) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound

static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255

static (inside,inside) 165.127.126.133 0.0.0.0 netmask 255.255.255.255

access-group Outside-Untrust_access_in in interface Outside-Untrust

access-group inside_access_in in interface inside

route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1

route management 172.18.0.3 255.255.255.255 172.18.0.2 1

route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http server idle-timeout 30

http 192.168.1.0 255.255.255.0 management

http 192.168.1.9 255.255.255.255 management

http 172.18.0.10 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside-Untrust_map 1 match address Outside-Untrust_1_cryptomap

crypto map Outside-Untrust_map 1 set pfs group1

crypto map Outside-Untrust_map 1 set peer 165.127.235.132

crypto map Outside-Untrust_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map 1 match address Outside-Untrust_cryptomap_1

crypto map inside_map 1 set peer 165.127.235.132

crypto map inside_map 1 set transform-set ESP-AES-128-SHA

crypto map inside_map interface Outside-Untrust

crypto isakmp enable Outside-Untrust

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 30

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

tftp-server management 192.168.1.9 c:\AS5510_Updates

webvpn

username jgiambro nopassword privilege 15

tunnel-group 165.127.235.132 type ipsec-l2l

tunnel-group 165.127.235.132 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

mount ASA5510_backup_configs type cifs

server 192.168.1.2

share \\ASA5510-backup_configs

domain ITS18600

username jgiambro

password *****

status enable

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c9dd99906ac8345298b9e8914dd52d7b

: end

ASA5505
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname asa5505
domain-name dphe.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan21
nameif Outside
security-level 0
ip address 165.127.235.132 255.255.255.192
!
interface Ethernet0/0
switchport access vlan 21
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name dphe.local
access-list Outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
access-list outside-untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
access-list Outside_access_in extended permit icmp any any unreachable
access-list Outside_access_in extended permit icmp any any traceroute
access-list Outside_access_in extended permit icmp any any timestamp-reply
access-list Outside_access_in extended permit icmp any any timestamp-request
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
access-list inside_access_in extended permit tcp host 10.1.1.3 host 10.1.1.1
access-list inside_access_in extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
access-list Outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
pager lines 24
logging enable
logging asdm informational
logging host Outside 172.18.0.10
logging permit-hostdown
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1
route Outside 0.0.0.0 0.0.0.0 165.127.235.129 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.3 255.255.255.255 inside
http 10.0.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer 165.127.126.132
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside-Untrusted_map 1 match address Outside_cryptomap_1
crypto map Outside-Untrusted_map 1 set peer 165.127.126.132
crypto map Outside-Untrusted_map 1 set transform-set ESP-AES-128-SHA
crypto map Outside-Untrusted_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.1.3 255.255.255.255 inside
telnet timeout 5
ssh 10.1.1.3 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 165.127.126.132 type ipsec-l2l
tunnel-group 165.127.126.132 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d3f45814f3a7bc9e0c467368cf301c3
: end

Re: Site-to-Site VPN connectivity problem

Hi Jason,

You don't need to worry about that error you got; it happens whenever you remove an entry from the crypto map. It's just a warning; as long as you put it back you should be fine.

You still have not indicated if your clients are able to browse the Internet. If not, you may want to remove the following static nat entries and add the following:

5510

no static (Outside-Untrust,Outside-Untrust) 165.127.126.133 10.0.0.0 netmask 255.255.255.255

no static (inside,inside) 165.127.126.133 0.0.0.0 netmask 255.255.255.255

nat (inside) 101 0.0.0.0 0.0.0.0

5505

no static (Outside,Outside) 165.127.235.140 10.0.0.0 netmask 255.255.255.255

nat (inside) 101 0.0.0.0 0.0.0.0

global (Outside) 101 interface

Your routing also looks a bit off, so try the following:

5510

no route Outside-Untrust 0.0.0.0 0.0.0.0 10.100.110.101 1

no route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129 tunneled

route Outside-Untrust 0.0.0.0 0.0.0.0 165.127.126.129

5505

no route Outside 0.0.0.0 0.0.0.0 10.100.110.102 1
no route Outside 0.0.0.0 0.0.0.0 165.127.235.129 tunneled
route Outside 0.0.0.0 0.0.0.0 165.127.235.129

Everything else seems fine to me. Ensure that when you are testing you ping from one network to the other and do a "show crypto isakmp sa" to see if the tunnel is trying to be established.

Also check out this example; it may help:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml

Let me know how it goes

Re: Site-to-Site VPN connectivity problem

Jason,

In your access-lists on your remote 5505 config, you are specifying the host subnet as a single host:

access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0

This shouldn't be a single host but a subnet that matches your host side configuration:  172.18.0.0 255.255.248.0

When looking at these configurations with the command line, make sure your access lists match, except that the placement of the IP addresses should be flipped:

access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0

The configuration on the 5505 doesn't really match the configuration of the 5510, and this is why, for starters, I think you are not getting a security association.

Thanks and please let me know how this goes or if you need more assistance.

Kimberly

Thanks and Cheers! Kimberly Please remember to rate helpful posts.

Re: Site-to-Site VPN connectivity problem

Hi Jason,

I just saw this post; I had no idea it existed. Follow the link:

https://supportforums.cisco.com/message/3071600#3071600

Re: Site-to-Site VPN connectivity problem

You have 2 different crypto maps applied:

crypto map Outside-Untrusted_map 1 match address Outside-Untrusted_1_cryptomap

crypto map Outside-Untrusted_map 1 set pfs group1

crypto map Outside-Untrusted_map 1 set peer 165.127.126.132

crypto map Outside-Untrusted_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map 1 match address inside_1_cryptomap

crypto map inside_map 1 set pfs group1

crypto map inside_map 1 set peer 165.127.126.132

crypto map inside_map 1 set transform-set ESP-3DES-SHA

crypto map inside_map interface inside

Remember that only one can be applied to an interface. You can have one crypto map with several reference numbers.

Eliminate the one that is not applied to the interface. Check the ACLs on both ends; they MUST be mirrors of each other.

Please do a debug crypto ipsec and a debug crypto isakmp  -- SAs

Generate some traffic and send us the debugs outputs.

Thanks.
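Both replies above come down to the same check: the crypto ACL on each ASA must be the exact mirror of the peer's, and the 5505 line with "host 172.18.0.0" (a /32) cannot mirror the 5510's 172.18.0.0 255.255.248.0. The script below is an added example, not code from this thread or from Cisco; it parses the two ACL lines quoted above (embedded here as constructed sample input, together with a corrected 5505 line) and reports any access-control entry that has no mirror on the other side. It only understands "permit ip" entries written with "any", "host A" or "A MASK"; object-groups and port-qualified entries are ignored.

```python
import ipaddress
import re

# Constructed sample: the two crypto ACL lines quoted in the thread. The 5505
# line names "host 172.18.0.0" (a /32) where the 5510 side uses a /21.
HUB_ACL = """
access-list inside_1_cryptomap extended permit ip 172.18.0.0 255.255.248.0 10.1.1.0 255.255.255.0
"""
SPOKE_ACL = """
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 172.18.0.0
"""
# The same 5505 line once the mask matches the hub side.
SPOKE_ACL_FIXED = """
access-list Outside-Untrusted_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 172.18.0.0 255.255.248.0
"""

# Only "permit ip" entries are crypto-relevant here; everything else is skipped.
_ACE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(?P<rest>.+)$")


def _take_address(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ASA writes a dotted netmask after the network address.
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(text):
    """Set of (src, dst) IPv4Network pairs taken from the 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        src = _take_address(tokens)
        dst = _take_address(tokens)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_text, peer_text):
    """Entries without an exact mirror on the other side, as (local_only, peer_only)."""
    local = parse_crypto_acl(local_text)
    # Flip the peer's entries so a perfect mirror compares equal to ours.
    peer_mirrored = {(dst, src) for src, dst in parse_crypto_acl(peer_text)}
    return sorted(local - peer_mirrored), sorted(peer_mirrored - local)


def acls_are_mirrors(local_text, peer_text):
    local_only, peer_only = mirror_mismatches(local_text, peer_text)
    return not local_only and not peer_only


if __name__ == "__main__":
    for label, spoke in (("as posted", SPOKE_ACL), ("corrected", SPOKE_ACL_FIXED)):
        local_only, peer_only = mirror_mismatches(HUB_ACL, spoke)
        print(f"{label}: mirrors={acls_are_mirrors(HUB_ACL, spoke)}")
        for src, dst in local_only:
            print(f"  5510 has {src} -> {dst} but 5505 has no mirror")
        for src, dst in peer_only:
            print(f"  5505 mirrors to {src} -> {dst}, which the 5510 does not have")
```

Run against the lines as posted it flags the /21 versus /32 disagreement on both sides; with the corrected 5505 line the two ACLs compare as exact mirrors. The second crypto map problem raised above (two maps, only one bound to an interface) is a separate check this script does not attempt.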

Re: Site-to-Site VPN connectivity problem

Diego

Applied the debug commands on the 5510, sent some traffic, and immediately got this:

7|May 13 2010|13:48:01|725012|172.18.0.10|1559|||Device chooses cipher : RC4-SHA for the SSL session with client inside:172.18.0.10/1559
7|May 13 2010|13:48:01|725011|||||Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[13] : EXP-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[12] : EXP-RC4-MD5
7|May 13 2010|13:48:01|725011|||||Cipher[11] : EDH-DSS-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[10] : EDH-RSA-DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[9] : DES-CBC-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[8] : EDH-DSS-DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[7] : EDH-RSA-DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[6] : DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[5] : DHE-DSS-AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[4] : DHE-RSA-AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[3] : AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[2] : RC4-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[1] : RC4-MD5
7|May 13 2010|13:48:01|725008|172.18.0.10|1559|||SSL client inside:172.18.0.10/1559 proposes the following 15 cipher(s).
7|May 13 2010|13:48:01|725011|||||Cipher[4] : DES-CBC3-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[3] : AES256-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[2] : AES128-SHA
7|May 13 2010|13:48:01|725011|||||Cipher[1] : RC4-SHA
7|May 13 2010|13:48:01|725010|||||Device supports the following 4 cipher(s).

Did the same thing on the 5505 and all I got was this:

6|May 13 2010|13:56:33|725007|10.1.1.3|1344|||SSL session with client inside:10.1.1.3/1344 terminated.
7|May 13 2010|13:56:33|609002|165.127.126.132||||Teardown local-host Outside:165.127.126.132 duration 0:00:00
7|May 13 2010|13:56:33|609002|165.127.235.132||||Teardown local-host identity:165.127.235.132 duration 0:00:00
6|May 13 2010|13:56:33|302021|165.127.126.132|0|165.127.235.132|4388|Teardown ICMP connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr 165.127.235.132/4388
7|May 13 2010|13:56:33|710005|10.1.1.3|1344|10.1.1.1|443|TCP request discarded from 10.1.1.3/1344 to inside:10.1.1.1/443
6|May 13 2010|13:56:33|106015|10.1.1.3|1344|10.1.1.1|443|Deny TCP (no connection) from 10.1.1.3/1344 to 10.1.1.1/443 flags FIN ACK  on interface inside
6|May 13 2010|13:56:33|302014|10.1.1.3|1344|10.1.1.1|443|Teardown TCP connection 3171 for inside:10.1.1.3/1344 to identity:10.1.1.1/443 duration 0:00:00 bytes 481 TCP Reset-O
5|May 13 2010|13:56:33|111008|||||User 'enable_15' executed the 'ping Outside 165.127.126.132' command.
6|May 13 2010|13:56:33|302020|165.127.235.132|4388|165.127.126.132|0|Built outbound ICMP connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr 165.127.235.132/4388
7|May 13 2010|13:56:33|609001|165.127.126.132||||Built local-host Outside:165.127.126.132
7|May 13 2010|13:56:33|609001|165.127.235.132||||Built local-host identity:165.127.235.132
6|May 13 2010|13:56:33|605005|10.1.1.3|1344|10.1.1.1|https|Login permitted from 10.1.1.3/1344 to inside:10.1.1.1/https for user "enable_15"
6|May 13 2010|13:56:33|725002|10.1.1.3|1344|||Device completed SSL handshake with client inside:10.1.1.3/1344
6|May 13 2010|13:56:33|725003|10.1.1.3|1344|||SSL client inside:10.1.1.3/1344 request to resume previous session.
6|May 13 2010|13:56:33|725001|10.1.1.3|1344|||Starting SSL handshake with client inside:10.1.1.3/1344 for TLSv1 session.
6|May 13 2010|13:56:33|302013|10.1.1.3|1344|10.1.1.1|443|Built inbound TCP connection 3171 for inside:10.1.1.3/1344 (10.1.1.3/1344) to identity:10.1.1.1/443 (10.1.1.1/443)

My small brain is telling me the problem is with the 5505. The 5510 is trying to establish the VPN but for some reason the 5505 won't do it.

Re: Site-to-Site VPN connectivity problem

Can you send us the debug crypto ipsec and debug crypto isakmp. Try to generate some traffic to check output.

I don't know if you are doing the right debugs.

Check this out

IPsec Troubleshooting: Understanding and Using debug Commands

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#dbg_ci

Send us the current config as well.
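The records posted above are all ASDM session, ping and connection messages; none of them is an IKE or IPsec message, which is what the reply above is asking for. The script below is an added example, not from this thread or from Cisco: it parses the pipe-delimited log-viewer export format shown above (severity, date, time, message ID, source, source port, destination, destination port, text), copes with the records being run together without line breaks, and counts records by ASA syslog message-ID family so that the absence of 713xxx (ISAKMP/IKE) and 602xxx (IPsec SA) messages is obvious at a glance. The sample input is constructed from four of the 5505 records quoted above; the one IKE record appended in the second sample is illustrative and did not appear in the thread.

```python
import re
from collections import Counter

FIELDS = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")

# Every record starts with a severity digit, a pipe and a date. When the
# log-viewer export loses its line breaks this is the only reliable boundary.
_RECORD_START = re.compile(r"[0-7]\|[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\|")

# ASA syslog message-ID families (first three digits of the ID) worth telling
# apart when chasing a site-to-site tunnel. Only 713xxx and 602xxx show IKE and
# IPsec SA activity; the rest here is management or plain connection noise.
FAMILIES = {
    "713": "ISAKMP/IKE",
    "602": "IPsec SA",
    "725": "SSL session (ASDM)",
    "111": "command audit",
    "302": "connection build/teardown",
    "609": "local-host build/teardown",
    "106": "ACL deny",
    "710": "to-the-box request",
    "605": "management login",
}

# Constructed sample: four of the 5505 records quoted above, run together
# exactly as the extracted page shows them (no line breaks between records).
RAW_5505 = (
    "6|May 13 2010|13:56:33|725007|10.1.1.3|1344|||SSL session with client inside:10.1.1.3/1344 terminated."
    "5|May 13 2010|13:56:33|111008|||||User 'enable_15' executed the 'ping Outside 165.127.126.132' command."
    "6|May 13 2010|13:56:33|302020|165.127.235.132|4388|165.127.126.132|0|Built outbound ICMP connection for faddr 165.127.126.132/0 gaddr 165.127.235.132/4388 laddr 165.127.235.132/4388"
    "6|May 13 2010|13:56:33|725001|10.1.1.3|1344|||Starting SSL handshake with client inside:10.1.1.3/1344 for TLSv1 session."
)

# Constructed: the same export with one illustrative IKE record appended, to
# show what the classifier reports when a negotiation actually takes place.
RAW_WITH_IKE = RAW_5505 + (
    "7|May 13 2010|13:57:10|713236|||||IP = 165.127.126.132, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0)"
)


def split_records(raw):
    """Cut a run-together export into individual records."""
    starts = [m.start() for m in _RECORD_START.finditer(raw)]
    return [raw[a:b] for a, b in zip(starts, starts[1:] + [len(raw)])]


def parse_record(rec):
    # The free-text field is last and may itself contain pipes, so split 8 times only.
    parts = rec.split("|", 8)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {rec!r}")
    return dict(zip(FIELDS, parts))


def parse_log(raw):
    return [parse_record(r) for r in split_records(raw)]


def family_counts(records):
    """Number of records in each message-ID family."""
    return Counter(FAMILIES.get(r["msgid"][:3], "other") for r in records)


def shows_tunnel_negotiation(records):
    """True only if at least one IKE or IPsec SA message is present."""
    return any(r["msgid"][:3] in ("713", "602") for r in records)


if __name__ == "__main__":
    for label, raw in (("as posted", RAW_5505), ("with an IKE record", RAW_WITH_IKE)):
        recs = parse_log(raw)
        print(label, dict(family_counts(recs)), "negotiation seen:", shows_tunnel_negotiation(recs))
```

On the records as posted the classifier finds SSL, command-audit and connection messages and no negotiation at all, which matches the "There is no isakmp sas" result reported later in the thread; a single 713xxx record flips the verdict. The message-ID families are standard ASA syslog numbering, not something specific to this configuration.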

Re: Site-to-Site VPN connectivity problem

Diego

Thanks for the article. When I try to run the debug commands I don't get any output. It seems like debug just gets enabled and I can see some output in the log but not much. Definitely not the output you are looking for. I also double checked the ACLs on both firewalls to make sure they were as close as possible. A lot of cleanup and tweaks have been done to make the setup better (thanks to everyone who has responded) but the VPN just won't establish. When I run the show crypto isakmp sa and show crypto ipsec sa I still get "There is no isakmp sas" and "There is no isakmp sas" response.

I have attached the two running configs. Thank you for your help.

Jason

Re: Site-to-Site VPN connectivity problem

Hi Jason,

I think I see your problem, because everything else looks fine to me, but answer me this: are you able to browse? How are you trying to establish the tunnel?

On the 5510 you are NOT NATting to the address that the 5505 is expecting as the peer address, so I would suggest you remove the NAT pool and NAT to the interface. Try the following:

no global (Outside) 101 165.127.126.133-165.127.126.190 netmask 255.255.0.0

global (Outside) 101 interface

Let me know if that works.

Re: Site-to-Site VPN connectivity problem

Kwillacey

I applied the commands you suggested but there is no change.

I can't really test browsing because this is in a lab environment. I have set up this lab to test before our deployment to a production environment. I have a host at either end of the connection behind the firewalls so I can do things like ping, traceroute, and connect to the drives of the PC hosts. I appreciate your help very much.

Jason

Re: Site-to-Site VPN connectivity problem

OK I understand now. How are you trying to mimic the Internet? Can you ping the outside interface from one ASA to the other?

Your outside IP addresses are on different subnets; if you do not have a router between the firewalls to route between the outside subnets then it will not work. Let me know if this is the case.

Re: Site-to-Site VPN connectivity problem

Yeah I can ping between the two firewalls and between the two hosts behind the firewalls. We are using two Cisco 3560 switches that are using different vlans so we can mimic a local switch and a "router" since they are layer 3 switches.

Jason

Re: Site-to-Site VPN connectivity problem

How can you ping between the two hosts behind the firewalls? Is the switch routing traffic for the 10 and 172 networks? Sorry maybe I misinterpreted what you said.

Re: Site-to-Site VPN connectivity problem

I have allowed it through the ACLs that are permitted. Maybe this Visio will help.

Re: Site-to-Site VPN connectivity problem

Are there any routes or vlan interfaces on the switches that will allow 10.1.1.0/24 to be able to reach 172.18.0.0/21 without going through the firewall?

Re: Site-to-Site VPN connectivity problem

The only routes other than the connected ones are the static route on each switch that routes to the other switch:

.235 network switch

3560-T2>

3560-T2>en

Password:

3560-T2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.100.110.101 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C       10.1.1.0/24 is directly connected, Vlan2

C       10.100.110.100/30 is directly connected, GigabitEthernet0/1

     165.127.0.0/26 is subnetted, 1 subnets

C       165.127.235.128 is directly connected, Vlan3

S*   0.0.0.0/0 [1/0] via 10.100.110.101

3560-T2#

.126 network switch

3560-T1>       

3560-T1>en         

Password:

3560-T1#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.100.110.102 to network 0.0.0.0

     172.17.0.0/27 is subnetted, 1 subnets

C       172.17.0.0 is directly connected, Vlan5

     172.16.0.0/27 is subnetted, 1 subnets

C       172.16.0.0 is directly connected, Vlan3

     172.18.0.0/21 is subnetted, 1 subnets

C       172.18.0.0 is directly connected, Vlan2

     10.0.0.0/24 is subnetted, 1 subnets

C       10.100.110.0 is directly connected, GigabitEthernet0/1

     165.127.0.0/26 is subnetted, 1 subnets

C       165.127.126.128 is directly connected, Vlan4

S*   0.0.0.0/0 [1/0] via 10.100.110.102

3560-T1#

Is there something wrong with this switch setup?

Jason

Re: Site-to-Site VPN connectivity problem

Your setup is not a problem as long as the gateways for the hosts you are testing with are on the firewall and not on the switch; if the gateways are on the switch then the traffic will never pass through the firewall.

Re: Site-to-Site VPN connectivity problem

Thanks for pointing this out.

My hosts do use the switch as the gateway (the same as our production environment). To get the traffic to go through the firewall should I remove the static routes I have between the two switches? This does explain a lot. I should not have been able to ping between the hosts.

Jason

Re: Site-to-Site VPN connectivity problem

Well, you have two choices: change the gateway of the switches to point to the firewall, or, since the firewalls for both networks are on the same VLAN as the hosts, change the gateway of the hosts you are testing with to the firewall address. This should allow the traffic to go through the firewall.

Re: Site-to-Site VPN connectivity problem

I will change the gateway on the switches but I am not sure which interface on the switch to make that change on. Would it be the inside interface on the switch and set the ip for the inside interface of the firewall?

Re: Site-to-Site VPN connectivity problem

What I was referring to was changing the default route on the switches; change it so that it points to the respective firewall that is connected to each switch.
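The routing point made in the last few replies is easy to see by walking a packet through the lab. The script below is an added example, not code from this thread or from Cisco. It models the two 3560 route tables quoted above and the two ASAs, then follows a packet from the 10.1.1.0/24 host to the 172.18.0.0/21 host hop by hop with longest-prefix matching. The ASA interface addresses are the ones quoted in the thread; the switch SVI addresses (10.1.1.254, 172.18.0.254, 165.127.235.129, 165.127.126.129) are assumptions the page does not show, and the ASA default routes are the ones suggested earlier in the thread. Both fixes offered above are exercised: repointing the host's gateway at the ASA, and repointing the switch's default route at the ASA.

```python
import copy
import ipaddress

# Constructed model of the lab in this thread. Route entry format:
# (prefix, connected interface or None, next hop or None). Switch SVI
# addresses are assumed; ASA addresses and the switch routes come from the thread.
DEVICES = {
    "3560-T2": {
        "addresses": {"10.1.1.254", "10.100.110.102", "165.127.235.129"},
        "routes": [("10.1.1.0/24", "Vlan2", None),
                   ("10.100.110.100/30", "GigabitEthernet0/1", None),
                   ("165.127.235.128/26", "Vlan3", None),
                   ("0.0.0.0/0", None, "10.100.110.101")],
    },
    "3560-T1": {
        "addresses": {"172.18.0.254", "10.100.110.101", "165.127.126.129"},
        "routes": [("172.18.0.0/21", "Vlan2", None),
                   ("172.16.0.0/27", "Vlan3", None),
                   ("172.17.0.0/27", "Vlan5", None),
                   ("165.127.126.128/26", "Vlan4", None),
                   ("10.100.110.0/24", "GigabitEthernet0/1", None),
                   ("0.0.0.0/0", None, "10.100.110.102")],
    },
    "ASA5505": {
        "addresses": {"10.1.1.1", "165.127.235.132"},
        "routes": [("10.1.1.0/24", "inside", None),
                   ("165.127.235.128/26", "Outside", None),
                   ("0.0.0.0/0", None, "165.127.235.129")],
        "crypto_acl": [("10.1.1.0/24", "172.18.0.0/21")],
    },
    "ASA5510": {
        "addresses": {"172.18.0.1", "165.127.126.132"},
        "routes": [("172.18.0.0/21", "inside", None),
                   ("165.127.126.128/26", "Outside-Untrust", None),
                   ("0.0.0.0/0", None, "165.127.126.129")],
        "crypto_acl": [("172.18.0.0/21", "10.1.1.0/24")],
    },
}


def longest_match(routes, dst):
    """Most specific route covering dst, or None."""
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best


def owner_of(devices, ip):
    """Name of the device that holds this address, or None."""
    return next((n for n, d in devices.items() if str(ip) in d["addresses"]), None)


def crypto_match(dev, src, dst):
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in dev.get("crypto_acl", []))


def trace(devices, src_ip, gateway, dst_ip):
    """Devices a packet visits from a host with the given default gateway, ending
    with its fate: delivered on an interface, sent into the IPsec tunnel, or lost."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    next_hop, path = ipaddress.ip_address(gateway), []
    for _ in range(16):  # guard against routing loops
        name = owner_of(devices, next_hop)
        if name is None:
            return path + [f"unreachable:{next_hop}"]
        path.append(name)
        dev = devices[name]
        # Simplification: the crypto ACL is consulted as soon as the packet reaches
        # an ASA (a real ASA routes first and applies the crypto map on egress);
        # for this lab the outcome is the same.
        if crypto_match(dev, src, dst):
            return path + ["ipsec-tunnel"]
        route = longest_match(dev["routes"], dst)
        if route is None:
            return path + ["no-route"]
        _net, iface, nexthop = route
        if nexthop is None:
            return path + [f"delivered:{iface}"]
        next_hop = ipaddress.ip_address(nexthop)
    return path + ["loop"]


def with_default_route(devices, name, nexthop):
    """Copy of the model with one device's default route repointed."""
    new = copy.deepcopy(devices)
    new[name]["routes"] = [(p, i, nexthop if p == "0.0.0.0/0" else n)
                           for p, i, n in new[name]["routes"]]
    return new


if __name__ == "__main__":
    print("host gateway = switch :", trace(DEVICES, "10.1.1.3", "10.1.1.254", "172.18.0.10"))
    print("host gateway = ASA    :", trace(DEVICES, "10.1.1.3", "10.1.1.1", "172.18.0.10"))
    fixed = with_default_route(DEVICES, "3560-T2", "10.1.1.1")
    print("switch default -> ASA :", trace(fixed, "10.1.1.3", "10.1.1.254", "172.18.0.10"))
```

With the host defaulting to the switch, the packet goes 3560-T2 to 3560-T1 over the inter-switch static route and is delivered on the far Vlan2 without ever touching an ASA, which is exactly why the hosts could ping each other while neither firewall ever saw interesting traffic. Either fix puts the ASA5505 in the path, where the crypto ACL matches and the tunnel negotiation can start.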
