Re: Help with new site to site VPN

thellco01 · ‎12-18-2008

I am trying to setup site to site VPN on 2 new asa's 5510 and 5505. The host is on a T1 and the remote is on Verizon static DSL. Both circuits are up and working. I am useing the GUI wizard to setup the site to site connections. When I try to ping through, the ping fails and no tunnel is opened. Here is the log file from the ping.

6 Dec 18 2008 04:36:40 302021 10.50.0.5 74.9.142.210 Teardown ICMP connection for faddr 10.50.0.5/0 gaddr 74.9.142.210/4388 laddr 74.9.142.210/4388

6 Dec 18 2008 04:37:20 302013 10.11.0.241 10.11.0.242 Built inbound TCP connection 34050 for Inside:10.11.0.241/2620 (10.11.0.241/2620) to identity:10.11.0.242/443 (10.11.0.242/443)

6 Dec 18 2008 04:37:20 725001 10.11.0.241 Starting SSL handshake with client Inside:10.11.0.241/2620 for TLSv1 session.

6 Dec 18 2008 04:37:20 725003 10.11.0.241 SSL client Inside:10.11.0.241/2620 request to resume previous session.

6 Dec 18 2008 04:37:20 725002 10.11.0.241 Device completed SSL handshake with client Inside:10.11.0.241/2620

6 Dec 18 2008 04:37:20 605005 10.11.0.241 10.11.0.242 Login permitted from 10.11.0.241/2620 to Inside:10.11.0.242/https for user "enable_15"

6 Dec 18 2008 04:37:20 302020 10.50.0.5 74.9.142.210 Built outbound ICMP connection for faddr 10.50.0.5/0 gaddr 74.9.142.210/4388 laddr 74.9.142.210/4388

6 Dec 18 2008 04:37:20 302020 74.9.140.161 74.9.142.210 Built inbound ICMP connection for faddr 74.9.140.161/0 gaddr 74.9.142.210/0 laddr 74.9.142.210/0

6 Dec 18 2008 04:37:20 302021 74.9.140.161 74.9.142.210 Teardown ICMP connection for faddr 74.9.140.161/0 gaddr 74.9.142.210/0 laddr 74.9.142.210/0

Configs in next post

thellco01 · ‎12-18-2008

Site A

: Saved

:

ASA Version 7.2(4)18

!

hostname Paetec

domain-name Paetec.thelandlcompany.com

enable password nRkrK2UDMhbxbMqH encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 74.9.142.210 255.255.255.240

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 10.11.0.242 255.255.0.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa724-18-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name Paetec.thelandlcompany.com

access-list Inside_nat0_outbound extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0

access-list Outside_1_cryptomap extended permit ip 10.11.0.0 255.255.0.0 10.50.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-52450.bin

no asdm history enable

arp timeout 14400

global (Outside) 101 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

no threat-detection statistics tcp-intercept

route Outside 0.0.0.0 0.0.0.0 74.9.142.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.11.0.0 255.255.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set peer 162.83.93.74

crypto map Outside_map 1 set transform-set ESP-3DES-SHA

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.11.0.0 255.255.0.0 Inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

tunnel-group 162.83.93.74 type ipsec-l2l

tunnel-group 162.83.93.74 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c280c048fbd9093b13cb15fcbe557316

: end

asdm image disk0:/asdm-52450.bin

no asdm history enable

thellco01 · ‎12-18-2008

Site B

: Saved

:

ASA Version 7.2(4)

!

hostname Culpeper

domain-name Culpeper.thelandlcompany.com

enable password nRkrK2UDMhbxbMqH encrypted

passwd Lowik8FFent8v7l9 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.50.0.5 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address 162.83.93.74 255.255.255.0

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 10.32.0.10 255.255.0.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 3

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name Culpeper.thelandlcompany.com

access-list inside_nat0_outbound extended permit ip 10.50.0.0 255.255.0.0 10.11.0.0 255.255.0.0

access-list outside_1_cryptomap extended permit ip 10.50.0.0 255.255.0.0 10.11.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Cul 10.50.0.10-10.50.0.30 mask 255.255.0.0

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 162.83.93.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 10.11.0.0 255.255.0.0 dmz

http 10.32.0.0 255.255.0.0 dmz

http 10.50.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 74.9.142.210

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 10.50.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

tunnel-group 74.9.142.210 type ipsec-l2l

tunnel-group 74.9.142.210 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:2005003b9cea63c18a605e291f62f63f

: end

asdm image disk0:/asdm-524.bin

no asdm history enable

Thanks in advance for any help

Richard Burts · ‎12-22-2008

Justin

I have looked at what you posted and I believe that there is a small problem in your config which should be addressed. The ASA5505 host B in its crypto map does a set pfs which the ASA5510 host A does not do. I suggest that you get the crypto maps to be mirror images of each other. (either remove the set pfs from B or add set pfs to A).

But I believe that the biggest problem is in how you are trying to start the tunnel. In the output in the first post you are attempting to ping the remote to start the tunnel. But the ping is sourced from the outside interface of the ASA. This is shown in this output:

faddr 10.50.0.5/0 gaddr 74.9.142.210/4388 laddr 74.9.142.210/4388

where the local address is clearly 74.9.142.210 which is the outside interface address. Since the crypto map only matches traffic with source address in 10.11.x.x/16 this ping does not start the tunnel. I suggest that either you get the ping sourced from the inside interface address or modify the crypto map access list to include traffic to the remote sourced from the outside address.

HTH

Rick

HTH

Rick