ASA to ASA Site to Site VPN

backpage1 (Level 1)

Have an ASA 5510 9.1(2) and ASA 5505 9.1(2)

The 5510 is located in the main office and the 5505 is located at a remote facility.  I want to create a tunnel that will allow the main office to access the subnets at the remote facility while allowing the devices at the remote facility to access the devices at the main office.  Example below.

5510

10.2.0.0/16

     /\

     ||

     \/

5505

172.16.0.0/16

10.166.0.0/16

Currently, I have one of the interfaces on the 5510 configured for a VLAN for our wifi. Another interface is configured for our backup ISP. That setup works fantastic. I ran the site-to-site VPN wizard according to this video "https://supportforums.cisco.com/videos/5933", but I'm confused by a couple of the settings.

Do I enable nat exempt?  Do I do this on both devices or just one and if so which one?

Do I need to setup static routes to access these different subnets?

There is a router involved but it's for the primary ISP.  It's currently set to forward any packets destined for the 2 subnets at the remote facility to the 5510.  So the packets do get forwarded but seem to die once they hit the 5510.

1 Accepted Solution

Accepted Solutions

Hi,

Ok, so here should be the changes you need.

What we are essentially doing on both of the units is to remove some configurations that are either not needed or are wrong.

ASA might give some notifications from removing one of the "crypto map" commands, but you don't need to worry about it. It probably complains about an incomplete "crypto map" entry or something in that direction.

Seems to me that the L2L VPN ACL is wrong on both units and also the NAT. Also the ASA5510 seems to have a duplicate configuration for the same L2L VPN which I suggest removing below.

ASA5510

LOCAL: 10.2.0.0/16
REMOTE: 10.166.0.0/16

REMOVE CONFIGURATIONS

no crypto map tw_map 3 match address tw_cryptomap_1
no crypto map tw_map 3 set peer 69.x.x.x
no crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
no crypto map tw_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
no crypto map tw_map 1 match address tw_cryptomap
no access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4
no access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4
no nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup

ADD CONFIGURATIONS

access-list L2LVPN-ACL remark Encryption Domain for L2L VPN
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0
crypto map tw_map 1 match address L2LVPN-ACL
object network LAN
 subnet 10.2.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.166.0.0 255.255.0.0
nat (private,tw) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

ASA5505

LOCAL: 10.166.0.0/16
REMOTE: 10.2.0.0/16

REMOVE CONFIGURATIONS

no crypto map outside_map 1 match address outside_cryptomap
no access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
no nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup

ADD CONFIGURATIONS

access-list L2LVPN-ACL remark Encryption Domain for L2L VPN
access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_map 1 match address L2LVPN-ACL
object network LAN
 subnet 10.166.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

Let me know if this works for you. Hope it helps

Please do remember to mark a reply as the correct answer if it answered your question.

If there are still problems after these configurations, then let's look at the situation again.

- Jouni


25 Replies

Jouni Forss (VIP Alumni)

Hi,

NAT0 / NAT Exempt configurations are required on both ASAs forming the L2L VPN connection. That is unless you want to specifically NAT the LANs to something else though this is not usual.

The NAT0 ACL will match the ACL used in the L2L VPN configuration. They should be identical. If you have source networks on either side behind different interfaces then you naturally need to configure NAT0 configurations for each interface separately.

You won't have to set up any routes related to the L2L VPN in a normal setup. You do mention you have 2 ISP links. To utilize both ISP links in the L2L VPN you would need to have the remote end configured with both ISP peer IP addresses. The ASA with 2 ISPs would also need to have the "crypto map" attached to both of the ISP interfaces. But again, it's fine running the L2L VPN from the primary ISP only if that is your wish.

If you are having problems getting the L2L VPN to work then please provide us with the CLI format configurations of both units while changing the actual public IP addresses and removing any sensitive information.

Hope this helps

- Jouni

Thank you for your response.  That helps with those questions.  Another that I should ask is about the local and remote network that I have to select when going through the wizard.  I select the 10.2.0.0/16 on the 5510 for local and on the remote I choose any4.  On the 5505, I set both to be any4.  Is that correct or do I need to add in the other 2 subnets of the remote site to the 5510 and select those as well when running the wizard or am I thinking this wrong?

Hi,

You should only use the specific networks as local/remote networks.

I would avoid using "any4" in any configurations, especially in the remote section. This is because it means the ASA will try to send ALL traffic through the L2L VPN. This might break all Internet traffic for users, for example.

In a typical setup you won't want to tunnel all traffic, naturally.

- Jouni
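The two replies above state rules that can be checked mechanically before a tunnel is brought up: the crypto ACL on each peer must be the mirror image of the other peer's, every crypto ACL entry needs a matching identity NAT (NAT exempt) rule on its own ASA, and "any4" does not belong in the encryption domain. The Python script below is an added example written for this thread; it is not code from Jouni, the original poster, or Cisco. It parses the relevant lines of an ASA running configuration, reports violations of those three rules, and also renders one peer's side of the configuration in the shape of the accepted answer (object names LAN-1, REMOTE-LAN-1 and so on are my own naming scheme, not something the thread uses). The constructed sample input is trimmed from the two configurations posted in this thread, and the generator is also exercised with the three remote subnets discussed later in the thread.

```python
"""ASA L2L VPN consistency check (added example, not Cisco code).
Checks: crypto ACLs mirrored on both peers, identity NAT per ACL entry, no any4."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
NAT_RE = re.compile(r"^nat\s+\(\S+,\S+\)\s+source\s+static\s+(\S+)\s+(\S+)"
                    r"\s+destination\s+static\s+(\S+)\s+(\S+)")
OBJ_RE = re.compile(r"^object\s+network\s+(\S+)$")
SUBNET_RE = re.compile(r"^subnet\s+(\S+)\s+(\S+)$")
ANY4 = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens, objects):
    """Consume one ACL address spec: any4, host X, object NAME, or net mask."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ANY4
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "object":
        return objects[tokens.pop(0)]
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_side(text, crypto_acl):
    """Return (crypto ACL entries, identity NAT pairs) for one ASA config."""
    objects, acl, nat_pairs, current = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif (m := ACL_RE.match(line)) and m.group(1) == crypto_acl:
            toks = m.group(2).split()
            acl.append((_take_addr(toks, objects), _take_addr(toks, objects)))
        elif m := NAT_RE.match(line):
            real_src, map_src, real_dst, map_dst = m.groups()
            # "source static X X destination static Y Y" is identity (twice) NAT
            if real_src == map_src and real_dst == map_dst:
                nat_pairs.add((objects[real_src], objects[real_dst]))
    return acl, nat_pairs


def check_tunnel(local_text, local_acl, remote_text, remote_acl):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    l_acl, l_nat = parse_side(local_text, local_acl)
    r_acl, r_nat = parse_side(remote_text, remote_acl)
    for side, acl, nat in (("local", l_acl, l_nat), ("remote", r_acl, r_nat)):
        for src, dst in acl:
            if ANY4 in (src, dst):
                findings.append(f"{side}: {src} -> {dst} uses any4, so all traffic would be tunnelled")
            if (src, dst) not in nat:
                findings.append(f"{side}: no identity NAT (NAT exempt) for {src} -> {dst}")
    mirrored = {(dst, src) for src, dst in r_acl}  # remote entries as seen from local
    for src, dst in set(l_acl) - mirrored:
        findings.append(f"local: {src} -> {dst} has no mirror entry on remote")
    for src, dst in mirrored - set(l_acl):
        findings.append(f"remote: {dst} -> {src} has no mirror entry on local")
    return findings


def render_side(acl_name, inside_if, outside_if, local_nets, remote_nets):
    """Emit objects, crypto ACL and identity NAT for one peer in the shape of the
    accepted answer: one ACL entry and one NAT line per local/remote pair.
    Object names LAN-n / REMOTE-LAN-n are this example's own convention."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    lines = []
    for prefix, nets in (("LAN", local), ("REMOTE-LAN", remote)):
        for i, net in enumerate(nets, 1):
            lines += [f"object network {prefix}-{i}", f" subnet {net.network_address} {net.netmask}"]
    lines.append(f"access-list {acl_name} remark Encryption Domain for L2L VPN")
    for i, l in enumerate(local, 1):
        for j, r in enumerate(remote, 1):
            lines.append(f"access-list {acl_name} permit ip {l.network_address} {l.netmask} "
                         f"{r.network_address} {r.netmask}")
            lines.append(f"nat ({inside_if},{outside_if}) source static LAN-{i} LAN-{i} "
                         f"destination static REMOTE-LAN-{j} REMOTE-LAN-{j}")
    return "\n".join(lines)


# Constructed sample: the relevant lines of the configs posted in this thread,
# before the fix (crypto ACL to any4, identity NAT with no destination).
BEFORE_5510 = """\
object network NETWORK_OBJ_10.2.0.0_16
 subnet 10.2.0.0 255.255.0.0
access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4
nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup
"""
BEFORE_5505 = """\
object network NETWORK_OBJ_10.166.0.0_16
 subnet 10.166.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup
"""

if __name__ == "__main__":
    for finding in check_tunnel(BEFORE_5510, "tw_cryptomap", BEFORE_5505, "outside_cryptomap"):
        print("before:", finding)
    fixed_5510 = render_side("L2LVPN-ACL", "private", "tw", ["10.2.0.0/16"], ["10.166.0.0/16"])
    fixed_5505 = render_side("L2LVPN-ACL", "inside", "outside", ["10.166.0.0/16"], ["10.2.0.0/16"])
    print("after:", check_tunnel(fixed_5510, "L2LVPN-ACL", fixed_5505, "L2LVPN-ACL") or "consistent")
```

Run against the posted configurations, the checker reports six findings (any4 on both sides, no mirrored entry on either side, and no identity NAT on either side, since the posted "nat ... source static" lines carry no destination). The same checker returns no findings for the two sides rendered in the accepted answer's shape, and it still passes when the remote side carries several subnets, as long as each subnet appears as its own ACL entry and its own NAT line on both peers.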

So you're saying that I should add in the subnets as networks on the 5505 and use those for the local setting in the wizard?  Do I need to add those subnets to the 5510?  Do I select those for the remote setting in the wizard?

Hi,

I don't use ASDM or the wizards much myself.

But in BOTH of the ASAs you configure the L2L VPN and mention their local/remote networks specifically.

If you have already configured the L2L VPN on both ASAs, then can you provide the CLI (Command Line Interface) format configurations of both units (minus sensitive information like public IP addresses) and I can look at what changes will be needed. This would probably be the easiest way to make the changes needed.

- Jouni

The 5510

: Saved

:

ASA Version 9.1(2)

!

hostname dalasa

enable password encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd encrypted

names

!

interface Ethernet0/0

nameif tw

security-level 0

ip address 64.x.x.x 255.255.255.248

!

interface Ethernet0/1

nameif private

security-level 100

ip address 10.2.1.252 255.255.0.0

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!

interface Ethernet0/2.10

vlan 10

nameif wlan

security-level 50

ip address 172.16.0.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns domain-lookup tw

dns domain-lookup private

dns domain-lookup wlan

dns domain-lookup management

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.4

object network obj-10.2.0.0

subnet 10.2.0.0 255.255.0.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-172.16.0.0

subnet 172.16.0.0 255.255.255.0

object network NETWORK_OBJ_10.2.0.0_16

subnet 10.2.0.0 255.255.0.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

access-list private_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.2.0.0 255.255.0.0 any4

access-list wlan_access_in remark block traffic from wlan to private net

access-list wlan_access_in extended deny ip any object obj-10.2.0.0

access-list wlan_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.0.0 255.255.255.0 any4

access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4

access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

logging host private 10.x.x.x

mtu tw 1500

mtu private 1500

mtu wlan 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup

!

object network obj-10.2.0.0

nat (private,tw) dynamic interface

object network obj_any

nat (management,tw) dynamic interface

object network obj-172.16.0.0

nat (any,tw) dynamic interface

access-group private_access_in in interface private

access-group wlan_access_in in interface wlan

route tw 0.0.0.0 0.0.0.0 64.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map tw_map 1 match address tw_cryptomap

crypto map tw_map 1 set peer 69.x.x.x

crypto map tw_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map tw_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map tw_map 3 match address tw_cryptomap_1

crypto map tw_map 3 set peer 69.x.x.x

crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map tw_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map tw_map interface tw

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable tw

crypto ikev1 enable tw

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 172.16.0.2-172.16.0.254 wlan

dhcpd dns 8.8.8.8 4.2.2.4 interface wlan

dhcpd enable wlan

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_69.x.x.x internal

group-policy GroupPolicy_69.x.x.x attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group 69.x.x.x type ipsec-l2l

tunnel-group 69.x.x.x general-attributes

default-group-policy GroupPolicy_69.x.x.x

tunnel-group 69.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

asdm image disk0:/asdm-713.bin

no asdm history enable

The 5505

: Saved

:

ASA Version 9.1(2)

!

hostname remote-site

domain-name example.com

enable password encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.166.1.10 255.255.0.0

!

interface Vlan2

description ISP Blended Circuit

nameif outside

security-level 0

ip address 69.x.x.x 255.255.255.192

!

interface Vlan5

shutdown

no nameif

security-level 50

ip address dhcp

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name example.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network ISPblend-ISP

host 66.x.x.x

description ISP router

object network NETWORK_OBJ_10.166.0.0_16

subnet 10.166.0.0 255.255.0.0

access-list inside_access_in remark default out

access-list inside_access_in extended permit ip any any

access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 69.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.166.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 64.x.x.x

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.166.0.0 255.255.0.0 inside

telnet timeout 5

ssh 10.166.0.0 255.255.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 65.55.56.206 source outside prefer

group-policy GroupPolicy_64.x.x.x internal

group-policy GroupPolicy_64.x.x.x attributes

vpn-tunnel-protocol ikev1 ikev2

username admin password encrypted privilege 15

tunnel-group 64.x.x.x type ipsec-l2l

tunnel-group 64.x.x.x general-attributes

default-group-policy GroupPolicy_64.x.x.x

tunnel-group 64.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

asdm image disk0:/asdm-713.bin

no asdm history enable


You're amazing!!!  Thank you so much for your help!  I've been struggling with this for a while now.  I also now see what I was missing.  Just shows that I still have a LONG way to go.  Thanks again!!

Hi,

Great to hear it's working now.

Don't hesitate to post here again if you run into some problems.

- Jouni

So then, if I wanted to enable access to the following subnets at the remote office, do I add them to the access list on the 5510 along with creating a second network object?

192.168.99.0/24

192.168.100.0/24

Add to the 5510

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0

object network REMOTE-LAN2

subnet 192.168.99.0 255.255.255.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN2 REMOTE-LAN2

object network REMOTE-LAN3

subnet 192.168.100.0 255.255.255.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN3 REMOTE-LAN3

Add to the 5505

access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0

object network LAN2

subnet 192.168.99.0 255.255.255.0

object network LAN3

subnet 192.168.100.0 255.255.255.0


Not sure if I need to add in the nat line on the 5505.  Does this look correct?

Hi,

I am not sure at which ASA the networks 192.168.99.0/24 and 192.168.100.0/24 are located at and behind which interfaces. I can't see any mention of them in the earlier configurations.

- Jouni

Those 2 subnets are located in the remote office behind the 5505.  I forgot about those since they are rarely used but would be really nice to be able to access from the main office.

Hi,

There are no routes configured for those networks on the ASA5505 and there are no interfaces with those subnets on the ASA5505.

If I were to presume that these networks are located behind the "inside" interface of that ASA5505, then these would be the correct configurations:

ASA5510

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 192.168.99.0 255.255.255.0

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0

object network REMOTE-LAN-2

subnet 192.168.99.0 255.255.255.0

object network REMOTE-LAN-3

subnet 192.168.100.0 255.255.255.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN-2 REMOTE-LAN-2

nat (private,tw) source static LAN LAN destination static REMOTE-LAN-3 REMOTE-LAN-3

ASA5505

access-list L2LVPN-ACL permit ip 192.168.99.0 255.255.255.0 10.2.0.0 255.255.0.0

access-list L2LVPN-ACL permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0

object network LAN-2

subnet 192.168.99.0 255.255.255.0

object network LAN-3

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static LAN-2 LAN-2 destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) source static LAN-3 LAN-3 destination static REMOTE-LAN REMOTE-LAN

If the networks are not behind the "inside" interface of ASA5505 then the "nat" configuration needs to be changed.

If there is some router behind the ASA5505, then you will have to have "route" commands for those networks. I am just wondering, as I don't see them in the configuration at all.

- Jouni

You're correct.  They are behind the inside interface on the 5505.  There is a router at the remote site and I'll have to add in the static routes.  I'll report back when that's done and if the config additions you suggested worked, I'll mark it as the right answer.  Thanks again for all of your help!
