11-06-2013 05:28 AM
I have an ASA 5510 9.1(2) and an ASA 5505 9.1(2).
The 5510 is located in the main office and the 5505 is located at a remote facility. I want to create a tunnel that will allow the main office to access the subnets at the remote facility while allowing the devices at the remote facility to access the devices at the main office. Example below.
5510
10.2.0.0/16
/\
||
\/
5505
172.16.0.0/16
10.166.0.0/16
Currently, I have one of the interfaces on the 5510 configured for a VLAN for our wifi. Another interface is configured for our backup ISP. That setup works fantastically. I ran the site-to-site VPN wizard according to this video "https://supportforums.cisco.com/videos/5933", but I'm confused by a couple of the settings.
Do I enable nat exempt? Do I do this on both devices or just one and if so which one?
Do I need to setup static routes to access these different subnets?
There is a router involved, but it's for the primary ISP. It's currently set to forward any packets destined for the 2 subnets at the remote facility to the 5510. So the packets do get forwarded, but they seem to die once they hit the 5510.
11-06-2013 05:38 AM
Hi,
NAT0 / NAT Exempt configurations are required on both ASAs forming the L2L VPN connection. That is, unless you want to specifically NAT the LANs to something else, though this is not usual.
The NAT0 ACL will match the ACL used in the L2L VPN configuration. They should be identical. If you have source networks on either side behind different interfaces, then you naturally need to configure NAT0 configurations for each interface separately.
You won't have to set up any routes related to the L2L VPN in a normal setup. You mention you have 2 ISP links. To utilize both ISP links in the L2L VPN, you would need to have the remote end configured with both ISP peer IP addresses. The ASA with 2 ISPs would also need to have the "crypto map" attached to both of the ISP interfaces. But again, it's fine running the L2L VPN from the primary ISP only, if that is your wish.
If you are having problems getting the L2L VPN to work, then please provide us with the CLI format configurations of both units, changing the actual public IP addresses and removing any sensitive information.
Hope this helps
- Jouni
11-06-2013 05:43 AM
Thank you for your response. That helps with those questions. Another thing that I should ask about is the local and remote network that I have to select when going through the wizard. I select the 10.2.0.0/16 on the 5510 for local, and for the remote I choose any4. On the 5505, I set both to be any4. Is that correct, or do I need to add the other 2 subnets of the remote site to the 5510 and select those as well when running the wizard? Or am I thinking about this wrong?
11-06-2013 05:45 AM
Hi,
You should only use the specific networks as local/remote networks.
I would avoid using "any4" in any configurations, especially in the remote section. This is because it means the ASA will try to send ALL traffic through the L2L VPN. This might break all Internet traffic for users, for example.
In a typical setup you won't want to tunnel all traffic, naturally.
- Jouni
11-06-2013 05:48 AM
So you're saying that I should add in the subnets as networks on the 5505 and use those for the local setting in the wizard? Do I need to add those subnets to the 5510? Do I select those for the remote setting in the wizard?
11-06-2013 06:23 AM
Hi,
I don't use ASDM or the wizards much myself.
But in BOTH of the ASAs you configure the L2L VPN and mention their local/remote networks specifically.
If you have already configured the L2L VPN on both ASAs, then can you provide the CLI (Command Line Interface) format configurations of both units (minus sensitive information like public IP addresses), and I can look at what changes will be needed. This would probably be the easiest way to make the changes needed.
- Jouni
11-06-2013 06:42 AM
The 5510
: Saved
:
ASA Version 9.1(2)
!
hostname dalasa
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
!
interface Ethernet0/0
nameif tw
security-level 0
ip address 64.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif private
security-level 100
ip address 10.2.1.252 255.255.0.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.10
vlan 10
nameif wlan
security-level 50
ip address 172.16.0.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns domain-lookup tw
dns domain-lookup private
dns domain-lookup wlan
dns domain-lookup management
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.4
object network obj-10.2.0.0
subnet 10.2.0.0 255.255.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-172.16.0.0
subnet 172.16.0.0 255.255.255.0
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list private_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.2.0.0 255.255.0.0 any4
access-list wlan_access_in remark block traffic from wlan to private net
access-list wlan_access_in extended deny ip any object obj-10.2.0.0
access-list wlan_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.0.0 255.255.255.0 any4
access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4
access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
logging host private 10.x.x.x
mtu tw 1500
mtu private 1500
mtu wlan 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup
!
object network obj-10.2.0.0
nat (private,tw) dynamic interface
object network obj_any
nat (management,tw) dynamic interface
object network obj-172.16.0.0
nat (any,tw) dynamic interface
access-group private_access_in in interface private
access-group wlan_access_in in interface wlan
route tw 0.0.0.0 0.0.0.0 64.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map tw_map 1 match address tw_cryptomap
crypto map tw_map 1 set peer 69.x.x.x
crypto map tw_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map tw_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map tw_map 3 match address tw_cryptomap_1
crypto map tw_map 3 set peer 69.x.x.x
crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map tw_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map tw_map interface tw
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable tw
crypto ikev1 enable tw
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.16.0.2-172.16.0.254 wlan
dhcpd dns 8.8.8.8 4.2.2.4 interface wlan
dhcpd enable wlan
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_69.x.x.x internal
group-policy GroupPolicy_69.x.x.x attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 69.x.x.x type ipsec-l2l
tunnel-group 69.x.x.x general-attributes
default-group-policy GroupPolicy_69.x.x.x
tunnel-group 69.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
asdm image disk0:/asdm-713.bin
no asdm history enable
The 5505
: Saved
:
ASA Version 9.1(2)
!
hostname remote-site
domain-name example.com
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.166.1.10 255.255.0.0
!
interface Vlan2
description ISP Blended Circuit
nameif outside
security-level 0
ip address 69.x.x.x 255.255.255.192
!
interface Vlan5
shutdown
no nameif
security-level 50
ip address dhcp
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name example.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ISPblend-ISP
host 66.x.x.x
description ISP router
object network NETWORK_OBJ_10.166.0.0_16
subnet 10.166.0.0 255.255.0.0
access-list inside_access_in remark default out
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.166.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 64.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.166.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.166.0.0 255.255.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 65.55.56.206 source outside prefer
group-policy GroupPolicy_64.x.x.x internal
group-policy GroupPolicy_64.x.x.x attributes
vpn-tunnel-protocol ikev1 ikev2
username admin password encrypted privilege 15
tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x general-attributes
default-group-policy GroupPolicy_64.x.x.x
tunnel-group 64.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
asdm image disk0:/asdm-713.bin
no asdm history enable
11-06-2013 08:03 AM
Hi,
OK, so here are the changes you need.
What we are essentially doing on both of the units is removing some configurations that are either not needed or wrong.
The ASA might give some notifications when you remove one of the "crypto map" commands, but you don't need to worry about it. It probably complains about an incomplete "crypto map" entry or something in that direction.
It seems to me that the L2L VPN ACL is wrong on both units, and so is the NAT. Also, the ASA5510 seems to have a duplicate configuration for the same L2L VPN, which I suggest removing below.
ASA5510
LOCAL: 10.2.0.0/16
REMOTE: 10.166.0.0/16
REMOVE CONFIGURATIONS
no crypto map tw_map 3 match address tw_cryptomap_1
no crypto map tw_map 3 set peer 69.x.x.x
no crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
no crypto map tw_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
no crypto map tw_map 1 match address tw_cryptomap
no access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4
no access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4
no nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup
ADD CONFIGURATIONS
------------------
access-list L2LVPN-ACL remark Encryption Domain for L2L VPN
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0
crypto map tw_map 1 match address L2LVPN-ACL
object network LAN
subnet 10.2.0.0 255.255.0.0
object network REMOTE-LAN
subnet 10.166.0.0 255.255.0.0
nat (private,tw) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
ASA5505
LOCAL: 10.166.0.0/16
REMOTE: 10.2.0.0/16
REMOVE CONFIGURATIONS
no crypto map outside_map 1 match address outside_cryptomap
no access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
no nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup
ADD CONFIGURATIONS
access-list L2LVPN-ACL remark Encryption Domain for L2L VPN
access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_map 1 match address L2LVPN-ACL
object network LAN
subnet 10.166.0.0 255.255.0.0
object network REMOTE-LAN
subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
Let me know if this works for you. Hope it helps.
Please do remember to mark a reply as the correct answer if it answered your question.
If there are still problems after these configurations, then let's look at the situation again.
- Jouni
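Added example (not code from this thread or from Cisco): a short Python checker that reads the VPN-relevant lines of both ASAs and reports the things the fix corrects, namely "any4" in the crypto ACL (the ASA would then try to send all traffic, Internet included, into the tunnel), an identity-NAT rule that does not cover exactly the crypto ACL entry or that sits on the wrong interface pair such as (outside,outside), and encryption domains that are not mirror images of each other. The embedded configs are constructed from the lines in this thread with the public peer addresses left out; the function names are this example's own.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+)(?: destination static (\S+) (\S+))?")

# Constructed samples: the VPN-relevant lines from this thread, the 5505 as the wizard left it and both units after the fix.
ASA5505_BROKEN = """\
object network NETWORK_OBJ_10.166.0.0_16
 subnet 10.166.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
"""
ASA5510_FIXED = """\
object network LAN
 subnet 10.2.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.166.0.0 255.255.0.0
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0
nat (private,tw) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
crypto map tw_map 1 match address L2LVPN-ACL
"""
ASA5505_FIXED = """\
object network LAN
 subnet 10.166.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
crypto map outside_map 1 match address L2LVPN-ACL
"""


def parse_objects(cfg):
    """Map 'object network NAME' to the subnet it defines (optional description line tolerated)."""
    pairs = re.findall(r"^object network (\S+)\n(?:\s*description .*\n)?\s*subnet (\S+) (\S+)$", cfg, re.M)
    return {n: ipaddress.ip_network(f"{a}/{m}", strict=False) for n, a, m in pairs}


def _take_addr(tokens):
    # One ACE address spec, 'any4' or 'ADDR MASK'; returns (network, remaining tokens).
    if tokens[0] in ("any", "any4"):
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def encryption_domain(cfg):
    """(src, dst) pairs of every 'permit ip' ACE in the ACLs that crypto map entries point at."""
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (.+)$", line.strip())
        if m:
            src, rest = _take_addr(m.group(2).split())
            acls.setdefault(m.group(1), []).append((src, _take_addr(rest)[0]))
    names = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M)
    return [pair for n in names for pair in acls.get(n, [])]


def parse_nat_exempt(cfg):
    """Identity twice-NAT rules as (in_if, out_if, src, dst); no destination clause means any destination."""
    objects, rules = parse_objects(cfg), []
    for m in filter(None, (NAT_RE.match(l.strip()) for l in cfg.splitlines())):
        if m.group(3) == m.group(4) and m.group(5) == m.group(6):  # 'X X' and 'Y Y': identity, not a translation
            dst = objects[m.group(5)] if m.group(5) else ANY
            rules.append((m.group(1), m.group(2), objects[m.group(3)], dst))
    return rules


def audit_device(name, cfg):
    """Per-device findings: any4 in the crypto ACL, missing or overbroad NAT exemption."""
    findings, exempt = [], parse_nat_exempt(cfg)
    for src, dst in encryption_domain(cfg):
        if ANY in (src, dst):
            findings.append(f"{name}: crypto ACL {src} -> {dst} uses any4, so all traffic would be tunnelled")
        if (src, dst) not in [(s, d) for _, _, s, d in exempt]:
            findings.append(f"{name}: no NAT exemption matching crypto ACL entry {src} -> {dst}")
    for in_if, out_if, src, dst in exempt:
        if in_if == out_if:
            findings.append(f"{name}: NAT exemption ({in_if},{out_if}) is not LAN interface to VPN interface")
        if dst == ANY:
            findings.append(f"{name}: NAT exemption for {src} has no destination, so it covers every flow out of {out_if}")
    return findings


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Both devices' findings, plus: every src -> dst on A must appear as dst -> src on B and vice versa."""
    dom_a, dom_b = encryption_domain(cfg_a), encryption_domain(cfg_b)
    findings = audit_device(name_a, cfg_a) + audit_device(name_b, cfg_b)
    findings += [f"{name_b}: no mirror of {name_a} entry {s} -> {d}" for s, d in dom_a if (d, s) not in dom_b]
    findings += [f"{name_a}: no mirror of {name_b} entry {s} -> {d}" for s, d in dom_b if (d, s) not in dom_a]
    return findings


def tunnelled(cfg, src_ip, dst_ip):
    """Does the crypto ACL match src_ip -> dst_ip, i.e. would this ASA push the flow into the tunnel?"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in encryption_domain(cfg))


if __name__ == "__main__":
    for label, cfg in (("5505 as the wizard left it:", ASA5505_BROKEN), ("5505 after the fix:", ASA5505_FIXED)):
        print(label, check_pair("asa5510", ASA5510_FIXED, "asa5505", cfg) or ["clean"])
```

Run as a script it prints the findings for the 5505 as the wizard left it (any4, the (outside,outside) interface pair, an exemption with no destination, and no mirror of the 5510's entry), then "clean" for the pair after the fix. On a real box, feed it the output of "show running-config" instead of the embedded strings; it only understands "ADDR MASK" and "any4" address forms in the crypto ACL, so entries that use object-groups need to be expanded first.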
11-06-2013 08:28 AM
You're amazing!!! Thank you so much for your help! I've been struggling with this for a while now. I also now see what I was missing. Just shows that I still have a LONG way to go. Thanks again!!
11-06-2013 08:38 AM
Hi,
Great to hear it's working now.
Don't hesitate to post here again if you run into some problems.
- Jouni
11-06-2013 09:17 AM
So then, if I wanted to enable access to the following subnets at the remote office, do I add them to the access list on the 5510 along with creating a second network object?
192.168.99.0/24
192.168.100.0/24
Add to the 5510
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0
object network REMOTE-LAN2
subnet 192.168.99.0 255.255.255.0
nat (private,tw) source static LAN LAN destination static REMOTE-LAN2 REMOTE-LAN2
object network REMOTE-LAN3
subnet 192.168.100.0 255.255.255.0
nat (private,tw) source static LAN LAN destination static REMOTE-LAN3 REMOTE-LAN3
Add to the 5505
access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
object network LAN2
subnet 192.168.99.0 255.255.255.0
object network LAN3
subnet 192.168.100.0 255.255.255.0
Not sure if I need to add in the nat line on the 5505. Does this look correct?
11-06-2013 09:23 AM
Hi,
I am not sure which ASA the networks 192.168.99.0/24 and 192.168.100.0/24 are located at, or behind which interfaces. I can't see any mention of them in the earlier configurations.
- Jouni
11-06-2013 09:26 AM
Those 2 subnets are located in the remote office behind the 5505. I forgot about those since they are rarely used, but it would be really nice to be able to access them from the main office.
11-06-2013 09:33 AM
Hi,
There are no routes configured for those networks on the ASA5505, and there are no interfaces with those subnets on the ASA5505.
If I were to presume that these networks are located behind the "inside" interface of that ASA5505, then these would be the correct configurations:
ASA5510
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 192.168.99.0 255.255.255.0
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0
object network REMOTE-LAN-2
subnet 192.168.99.0 255.255.255.0
object network REMOTE-LAN-3
subnet 192.168.100.0 255.255.255.0
nat (private,tw) source static LAN LAN destination static REMOTE-LAN-2 REMOTE-LAN-2
nat (private,tw) source static LAN LAN destination static REMOTE-LAN-3 REMOTE-LAN-3
ASA5505
access-list L2LVPN-ACL permit ip 192.168.99.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list L2LVPN-ACL permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0
object network LAN-2
subnet 192.168.99.0 255.255.255.0
object network LAN-3
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) source static LAN-2 LAN-2 destination static REMOTE-LAN REMOTE-LAN
nat (inside,outside) source static LAN-3 LAN-3 destination static REMOTE-LAN REMOTE-LAN
If the networks are not behind the "inside" interface of the ASA5505, then the "nat" configuration needs to be changed.
If there is some router behind the ASA5505, then you will have to have "route" commands for those networks. I am just wondering, as I don't see them in the configuration at all.
- Jouni
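Added example, not from the thread: an ASA access-list entry and an identity twice-NAT rule each carry exactly one source and one destination network, so every extra subnet on one side costs one ACE and one "nat" rule per (local, remote) pair on each ASA, with the ACEs reversed on the peer. This Python generator produces those lines for both units from the subnet lists, using the LAN/REMOTE-LAN object naming from this thread. The MAIN and REMOTE dictionaries, the function names and the expectation that the crypto map peer, transform sets and tunnel-group already exist (the wizard created them) are assumptions of the example.

```python
import ipaddress
import itertools

# Constructed inputs (assumptions of this example): interface and crypto map names as used in this thread.
MAIN = {"lan_if": "private", "vpn_if": "tw", "crypto_map": "tw_map", "nets": ["10.2.0.0/16"]}
REMOTE = {"lan_if": "inside", "vpn_if": "outside", "crypto_map": "outside_map",
          "nets": ["10.166.0.0/16", "192.168.99.0/24", "192.168.100.0/24"]}


def asa_mask(net):
    """10.2.0.0/16 -> '10.2.0.0 255.255.0.0', the notation ASA ACEs and network objects use."""
    return f"{net.network_address} {net.netmask}"


def object_names(prefix, nets):
    """Name each network LAN, LAN-2, LAN-3 ... (or REMOTE-LAN, REMOTE-LAN-2 ...)."""
    return {n: prefix if i == 0 else f"{prefix}-{i + 1}" for i, n in enumerate(nets)}


def side_config(lan_if, vpn_if, crypto_map, local_nets, remote_nets, acl="L2LVPN-ACL"):
    """CLI lines for one ASA: objects, then one ACE and one identity-NAT rule per (local, remote) pair."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    names = {**object_names("LAN", local), **object_names("REMOTE-LAN", remote)}
    lines = []
    for net, name in names.items():
        lines += [f"object network {name}", f" subnet {asa_mask(net)}"]
    lines.append(f"access-list {acl} remark Encryption Domain for L2L VPN")
    for loc, rem in itertools.product(local, remote):
        lines.append(f"access-list {acl} permit ip {asa_mask(loc)} {asa_mask(rem)}")
    for loc, rem in itertools.product(local, remote):  # the NAT exemption must cover exactly the ACE above
        lines.append(f"nat ({lan_if},{vpn_if}) source static {names[loc]} {names[loc]} "
                     f"destination static {names[rem]} {names[rem]}")
    lines.append(f"crypto map {crypto_map} 1 match address {acl}")
    return lines


def pair_config(a, b):
    """Configs for both ends; b's local networks are a's remote networks and vice versa."""
    return (side_config(a["lan_if"], a["vpn_if"], a["crypto_map"], a["nets"], b["nets"]),
            side_config(b["lan_if"], b["vpn_if"], b["crypto_map"], b["nets"], a["nets"]))


def aces(lines):
    """(src, dst) of every generated 'permit ip' ACE, as 'ADDR MASK' strings."""
    out = []
    for line in lines:
        if " permit ip " in line:
            t = line.split()
            out.append((f"{t[-4]} {t[-3]}", f"{t[-2]} {t[-1]}"))
    return out


def mirrors(a_lines, b_lines):
    """True when every ACE on one side appears with src and dst swapped on the other."""
    return set(aces(a_lines)) == {(d, s) for s, d in aces(b_lines)}


if __name__ == "__main__":
    asa5510, asa5505 = pair_config(MAIN, REMOTE)
    for label, lines in (("ASA5510", asa5510), ("ASA5505", asa5505)):
        print(f"! {label}\n" + "\n".join(lines))
    print("! encryption domains mirror each other:", mirrors(asa5510, asa5505))
```

The output for the 5505 side contains the same LAN-2/LAN-3 objects, ACEs and "nat (inside,outside)" rules as the answer above, and the "mirrors" check is the symmetry test applied by hand in this thread. Routes for subnets that sit behind an internal router are a separate "route" line per network on the ASA, which this generator does not emit.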
11-06-2013 09:44 AM
You're correct. They are behind the inside interface on the 5505. There is a router at the remote site and I'll have to add in the static routes. I'll report back when that's done and if the config additions you suggested worked, I'll mark it as the right answer. Thanks again for all of your help!