665 Views, 0 Helpful, 16 Replies

Site-To-Site VPN

Stephen Sisson
Level 1

Hello everyone,

We need some help with a site-to-site VPN from our current location to another customer's site.

We configured both sites' ASA firewalls and see traffic in the logs, but we are not able to connect. Maybe we missed something; we need your help.

I am sending both ASA config files created during setup.

I also set the route outside 0 0 to the default gateway on both ASAs; they are able to ping each other.

Thank you

8 Accepted Solutions

Hi,

I am not sure what video is in question. I probably have not seen it. If I would have to guess, then I think the video probably presumes that you have a working network setup with the ASA or router and then want to add the L2L VPN connection, and therefore doesn't provide the basic configurations like interface, ACL and routing.

The ACL I mentioned in your configuration above basically tells the ASA what traffic it should send through the L2L VPN connection. So you want to tunnel traffic between these 2 LAN networks, so naturally you configure them as source and destination depending on which side's ASA you are doing the configuration on.

The important thing to notice with NAT is that it's done before any VPN negotiation takes place. So the hosts connecting through the ASA that want to connect to a remote network behind a L2L VPN must have a NAT rule that matches the L2L VPN ACL I mentioned earlier. In other words, we need to tell the ASA that it should NOT do any NAT when the source and destination networks are the networks defined in the L2L VPN ACL.

The NAT0 / NAT Exempt type configuration is usually needed to tell the ASA not to NAT the traffic between these 2 LAN networks. The only exception, I guess, is a situation where you use an ASA purely as a VPN device and no user traffic to the Internet flows through it. In such a setup you can actually leave an ASA without any NAT configurations.

I am not sure if I made any sense in the above. I guess the easier way to explain would be to have specific questions about some aspects of the configuration.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

16 Replies

Jouni Forss
VIP Alumni

Hi,

Is this from some Lab setup or is it a live environment?

Are both devices used as the edge device between LAN and WAN on the sites?

Can you provide the output of the following command from both units

show run crypto ikev1

- Jouni

Also,

Have you configured any NAT configurations for this L2L VPN connection?

You can view the configurations with

show run nat

- Jouni

I'm working on them in the lab to confirm this works before we install to production. With this failing, it proves my point for this lab: the need for Cisco.

See the output from each ASA:

ASA1

PCS-EW-VPN(config)# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

ASA1

PCS-EW-VPN(config)# show run nat
nat (inside,outside) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp

ASA2

PCS-lab-EW-VPN(config)# show run crypto ikev1
crypto ikev1 enable outside
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

ASA2

PCS-lab-EW-VPN(config)# show run nat
!
nat (inside,any) after-auto source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp

Thank you

Hi,

Seems the ASA named PCS-lab-EW-VPN might have a problem related to NAT configuration

Change this

nat (inside,any) after-auto source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp

To this

nat (inside,any) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp

And then try again. We just removed the "after-auto" parameter.

The reason is that the original NAT configuration has a very low priority because of the "after-auto" parameter. So if you have some Dynamic PAT rule for Internet traffic on that ASA, then the traffic that is supposed to go to the L2L VPN connection might now be getting NATed by the rule meant for Internet traffic.

If this doesn't help, we will need to look at other configurations and do some testing.

- Jouni

I had to leave early and will try first thing in the morning

Thanks Jouni

Good morning Jouni,

I removed the NAT for PCS-lab-EW-VPN, then applied the new NAT you sent:

nat (inside,any) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp

We still have the same issue: no ping to the local network, and I am seeing some error messages in the log file.

Should I remove the NAT on PCS-EW-VPN, then apply the NAT you sent me?

Thank you

Are you pinging from PCs connected to each ASA or are you pinging from one ASA to an interface on the other?

--
Please remember to select a correct answer and rate helpful posts

Hi there

I have one laptop set up on each LAN and am doing the ping from the laptops.

Have you run the packet tracer to test the connection on both ASAs?  It could help in pinpointing where the problem is.

Also could you post the full configuration of both ASAs?

--
Please remember to select a correct answer and rate helpful posts

Hi

I watched the Cisco video "Configuring Site to Site VPN between Cisco ASA and Cisco Router", showing step by step how to do this, but I see no route outside in this video or anything for the NAT. Can there be something else left out that we really need to make this work?

Thank you

Without seeing your configurations it is difficult to say what is missing.

But what you need is:

- The ASAs must be able to reach each other

- Phase 1 parameters (encryption, DH, authentication method, hash)

- Phase 2 parameters (PFS (optional), transform-set, crypto ACL)

- NAT Exempt

--
Please remember to select a correct answer and rate helpful posts

Hi

I have used the traceroute on both ASAs, with PCS-Lab-EW-VPN failing at VPN; on the other ASA, PCS-EW-VPN, the traceroute completes with all check marks green. Looks like we have a problem on PCS-Lab-EW-VPN.

I'm sending you both configs

Thank you

Hi,

The ASA with the PCS-EW-VPN name has the wrong ACL at least:

access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Local

It mentions the local network as the source and destination.

Do the following changes and test again:

access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Remote

no access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Local

- Jouni
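The two fixes Jouni gives in this thread (dropping "after-auto" from the NAT exemption, and pointing the crypto ACL at the remote network instead of the local one) both follow from the order in which the ASA evaluates NAT and then the crypto map. The script below is an added example, not code from the thread or from Cisco: it models ASA NAT section ordering (manual NAT in section 1, object/auto NAT in section 2, "after-auto" manual NAT in section 3) over constructed config excerpts and lints both sides the way a reviewer would. The object subnets (10.1.1.0/24 and 10.2.2.0/24), the LAN-PAT object NAT rule and all function names are assumptions; the thread never shows them.

```python
import ipaddress
import re

# Constructed ASA excerpts for this example, not the thread's full configs.
# The object subnets and the dynamic PAT rule are assumptions: the thread only
# shows the crypto ACL lines, the manual NAT statements and the IKEv1 policies.
SITE_A_BROKEN = """\
object network Network-NET-Local
 subnet 10.1.1.0 255.255.255.0
object network Network-NET-Remote
 subnet 10.2.2.0 255.255.255.0
object network LAN-PAT
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Local
nat (inside,any) after-auto source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
"""
# Same site with the crypto ACL corrected but "after-auto" still present.
SITE_A_AFTER_AUTO = SITE_A_BROKEN.replace(
    "object Network-NET-Local object Network-NET-Local",
    "object Network-NET-Local object Network-NET-Remote")
# Both fixes applied, as recommended in the thread.
SITE_A_FIXED = SITE_A_AFTER_AUTO.replace(" after-auto", "")
# The peer: same object names with the roles swapped, mirror-image ACL, exemption in section 1.
SITE_B = """\
object network Network-NET-Local
 subnet 10.2.2.0 255.255.255.0
object network Network-NET-Remote
 subnet 10.1.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Network-NET-Local object Network-NET-Remote
nat (inside,outside) source static Network-NET-Local Network-NET-Local destination static Network-NET-Remote Network-NET-Remote no-proxy-arp
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)$")
OBJ_NAT_RE = re.compile(r"^ nat \(\S+\) dynamic ")
ACL_RE = re.compile(r"^access-list \S+ extended permit ip object (\S+) object (\S+)$")
MANUAL_NAT_RE = re.compile(
    r"^nat \(\S+\)( after-auto)? source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse(cfg):
    """Collect objects, crypto-ACL pairs and NAT rules tagged with their ASA NAT section."""
    objects, crypto, nat, cur = {}, [], [], None
    for line in cfg.splitlines():
        if m := OBJ_RE.match(line):
            cur = m.group(1)
        elif m := SUBNET_RE.match(line):
            objects[cur] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif OBJ_NAT_RE.match(line):
            nat.append((2, "dynamic-pat", cur, None))  # object (auto) NAT is always section 2
        elif m := ACL_RE.match(line):
            crypto.append((m.group(1), m.group(2)))
        elif m := MANUAL_NAT_RE.match(line):
            after_auto, sr, sm, dr, dm = m.groups()
            kind = "identity-exempt" if sr == sm and dr == dm else "static"
            nat.append((3 if after_auto else 1, kind, sr, dr))  # after-auto demotes it to section 3
    return {"objects": objects, "crypto": crypto, "nat": nat}


def nat_lookup(p, src_ip, dst_ip):
    """Return the first NAT rule hit for a flow, in ASA order: section 1, then 2, then 3."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _section, kind, src_obj, dst_obj in sorted(p["nat"], key=lambda r: r[0]):
        if src in p["objects"][src_obj] and (dst_obj is None or dst in p["objects"][dst_obj]):
            return kind
    return None


def lint(local_cfg, peer_cfg):
    """List the thread's mistakes: self-referential ACL, unmirrored ACL, NAT applied before the tunnel."""
    a, b = parse(local_cfg), parse(peer_cfg)
    findings = []
    for src, dst in a["crypto"]:
        src_net, dst_net = a["objects"][src], a["objects"][dst]
        if src_net == dst_net:
            findings.append(f"crypto ACL {src} -> {dst} uses the same network as source and destination")
            continue
        if not any(b["objects"][ps] == dst_net and b["objects"][pd] == src_net for ps, pd in b["crypto"]):
            findings.append(f"crypto ACL {src} -> {dst} is not mirrored on the peer")
        hit = nat_lookup(a, str(next(src_net.hosts())), str(next(dst_net.hosts())))
        if hit != "identity-exempt":
            findings.append(f"{src} -> {dst} hits NAT rule '{hit}' before the crypto map sees it")
    return findings


if __name__ == "__main__":
    for name, cfg in [("broken", SITE_A_BROKEN), ("after-auto", SITE_A_AFTER_AUTO), ("fixed", SITE_A_FIXED)]:
        print(name, lint(cfg, SITE_B) or "OK")
```

Running it reports one finding for each broken variant and none once both fixes are in, and nat_lookup shows why: with "after-auto" the section 2 dynamic PAT wins for tunnel traffic, while with the exemption in section 1 only Internet-bound traffic (for example to 8.8.8.8) is still PATed. This is the same question packet-tracer answers on the box itself. One caveat for production: the IKEv1 policy that actually matched here (3DES, SHA-1, DH group 2) is the legacy default set; a tunnel carrying customer traffic should be moved to AES-256, SHA-256 and DH group 14 or higher, on IKEv2 where both ends support it.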

Hi,

May I say the traceroute worked OK on that one. Should I do this on the PCS-EW-VPN ASA or the PCS-Lab-EW-VPN ASA?

thanks
