
New Member

ASA to ASA VPN

Ok, I got a newbie error here but I do not see it.

I am trying to get a second site doing a VPN tunnel to the original Site1.

Site1 VPN is working for VPN client users but I am not getting an IPSec tunnel up between sites.

Site2 VPN is not accepting clients either... but does have internet.

I have attached sanitized cfgs for both sites.

I have been using the ASDM. But can set up the console easily on Site2.

Thanks in advance for any assistance or suggestions.

  • VPN
3 REPLIES
Bronze

Re: ASA to ASA VPN

Hi,

I have reviewed the configuration and found that both ASAs have the set-route command on outside, which makes me think that your ISP is assigning dynamic IP addresses. But this should not be true as you have mentioned that the RA clients work fine on the Site 1 ASA. To my understanding, though the ISP device is assigning a dynamic IP, it remains static in nature (does not change); please correct me if I am wrong. On Site B, the remote client may not be working because the IP assigned to its outside is dynamic in nature and hence keeps changing. For a remote client setup, the VPN server should have a static IP address where clients can connect to. Can you please reply with the nature of the public IP address on both ASAs? Also, do let me know what IP address it is if it's static so that I can verify the configuration.

You can also refer to the following sample configuration documents. These documents are pretty straightforward.

Scenario: Site-to-Site VPN Configuration (With Static IP address on both sites)
www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5550/quick/guide/sitvpn_n.html

Scenario: Remote-Access VPN Configuration
www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5550/quick/guide/remvpn_n.html

PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example
www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

*Last document is exempting NAT*

HTH....

Regards

M

Mohit Paul CCIE-Security 35496 P.S. Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
New Member

Re: ASA to ASA VPN

Actually both sites have dynamic IP addresses but will keep the same IP.

Site1 is cable modem.

Site2 is ADSL.

Both sites' ISPs keep the same IP to a MAC address, so unless hardware is changed (either modem or firewall) the IPs act as static.

I did double check that the IPs have not shifted.

I can send you the live IPs by email if you wish.

Bronze

Re: ASA to ASA VPN

Hello,

The crypto ACL on site1 appears to be set up incorrectly. Site1 is defined as 192.168.2.0/24, yet the crypto ACL shows 192.168.10.0 to be both the source and destination:

object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object host 192.168.10.0

access-list outside_1_cryptoSite2 extended permit ip host 192.168.10.0 object-group DM_INLINE_NETWORK_1

You'll need to change the source from a host entry to the 192.168.2.0/24 network. The destination will need to be changed from a host entry to the 192.168.10.0/24 network. You'll also want to remove 0.0.0.0/0 from the object group, otherwise you'll be defining *all* traffic (once you fix the source network) as interesting traffic.

In addition to that, the crypto maps for both firewalls show PFS to be enabled, but one is group1 and the other is group2 (default). You'll want these to match.

You've got these two entries within the site2 NAT exemption ACL, but they will not be effective at all and can probably be removed once things are working correctly:

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip Site1 255.255.255.0 192.168.10.0 255.255.255.192

The NAT exemption ACL on the site1 fw is missing an entry for communication between 192.168.2.0/24 (source) and 192.168.10.0/24 (destination). This will need to be added also.

See what you can do to correct those things and give it a shot. Since traffic is not being considered as 'interesting' that could likely be why you're not seeing any logs.

James
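The corrections James lists, written out as ASA CLI for both ends. This is an added example, not the configuration from the attached files or from anyone in the thread. The networks (192.168.2.0/24 at Site1, 192.168.10.0/24 at Site2) and the names DM_INLINE_NETWORK_1, outside_1_cryptoSite2 and inside_nat0_outbound come from the thread; the crypto map name outside_map, its sequence number 1, the Site1 NAT-exemption ACL name and the Site2 crypto ACL name outside_1_cryptoSite1 are assumptions (ASDM defaults) because the thread does not show them. The nat 0 form is the pre-8.3 syntax, consistent with the 7.x documents cited above.

```cisco
! ===== Site1 ASA (inside LAN 192.168.2.0/24) =====
! Remove the crypto ACL entry quoted in the thread, then fix the object group
no access-list outside_1_cryptoSite2 extended permit ip host 192.168.10.0 object-group DM_INLINE_NETWORK_1
object-group network DM_INLINE_NETWORK_1
 no network-object 0.0.0.0 0.0.0.0
 no network-object host 192.168.10.0
 ! Remote (Site2) LAN only; leaving 0.0.0.0/0 in here makes *all* traffic interesting
 network-object 192.168.10.0 255.255.255.0
! Source is the local LAN as a network, not a host entry
access-list outside_1_cryptoSite2 extended permit ip 192.168.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
! NAT exemption for local -> remote, the entry James says is missing on site1
! (ACL name inside_nat0_outbound is an assumption, the ASDM default)
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! PFS group must match the peer; crypto map name and sequence number assumed
crypto map outside_map 1 set pfs group2

! ===== Site2 ASA (inside LAN 192.168.10.0/24) =====
! Mirror image of Site1's crypto ACL: local LAN as source, Site1 LAN as destination
! (ACL name outside_1_cryptoSite1 is an assumption)
access-list outside_1_cryptoSite1 extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
! Optional cleanup of the two ineffective exemption entries quoted in the thread
no access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.192
no access-list inside_nat0_outbound extended permit ip Site1 255.255.255.0 192.168.10.0 255.255.255.192
! Exemption for local -> Site1 so the tunnel traffic is not NATed
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Same PFS group as Site1 (crypto map name and sequence number assumed)
crypto map outside_map 1 set pfs group2
```

After applying this, send traffic from one LAN to the other and check `show crypto isakmp sa` and `show crypto ipsec sa` on either ASA; a phase 1 entry in MM_ACTIVE/QM_IDLE state and encaps/decaps counters that increase confirm the ACLs now match. `show access-list outside_1_cryptoSite2` shows hit counts on the crypto ACL, which is the quickest way to tell whether traffic is being classed as interesting at all, the point James makes about the absence of logs.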
