Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA VPN not working

Hello,

I'm trying to setup a VPN to another ASA.  I can ping the outside fo the other ASA.  This VPN is just for a small site in a hub and spoke topology, my config is just for the spoke office so it basically this office need to send all it's traffic to the hub HQ where the servers are.  Can you see any reason why the VPN won't come up?

ciscoasa# sh run

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 8Ry2Yjyt7RRXU24 encrypted

passwd 2KFQnbIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif outside

security-level 0

ip address 90.174.83.202 255.255.255.252

!

interface GigabitEthernet1

nameif inside

security-level 100

ip address 10.101.61.1 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network internal-10.101.61.0

subnet 10.101.61.0 255.255.255.0

object network Internal-0.0.0.0

subnet 0.0.0.0 0.0.0.0

object network Corp

subnet 10.100.1.0 255.255.255.0

access-list inside_access_in extended permit ip 10.101.61.0 255.255.255.0 any

access-list inside_access_in extended permit icmp any any

access-list outside_cryptomap extended permit ip 10.101.61.0 255.255.255.0 10.100.1.0 255.255.255.0

pager lines 24

logging enable

logging console errors

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

!

object network Internal-0.0.0.0

nat (inside,outside) dynamic interface

!

nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 93.174.83.201 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

aaa authorization exec LOCAL

http server enable

http 10.101.61.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs group5

crypto map outside_map 1 set peer 80.171.156.66

crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES

crypto map outside_map interface outside

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.101.61.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 10.101.61.10-10.101.61.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_80.171.156.66 internal

group-policy GroupPolicy_80.171.156.66 attributes

vpn-tunnel-protocol ikev1 ikev2

username *** password oiYa7C.IOflZak encrypted privilege 15

tunnel-group 80.171.156.66 type ipsec-l2l

tunnel-group 80.171.156.66 general-attributes

default-group-policy GroupPolicy_80.171.156.66

tunnel-group 80.171.156.66 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect sunrpc

  inspect tftp

  inspect ip-options

  inspect rtsp

  inspect pptp

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:fbebeccb487674e3d8d1c4cff0b27749

: end

ciscoasa#

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA VPN not working

Hi,

One clear problem is the ordering of the NAT rules

object network Internal-0.0.0.0

nat (inside,outside) dynamic interface

!

nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

In the above configuration the Dynamic PAT configuration overrides the NAT0 configuration meant for the L2L VPN

You need to do this change and test again if there are any other problems

no nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

nat (inside,any) source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

We remove the "after-auto" from the command so that the NAT0 rule is moved to the top of the NAT rules before the current Dynamic PAT rule for the LAN network.

Hope this helps

- Jouni

6 REPLIES
Super Bronze

ASA VPN not working

Hi,

One clear problem is the ordering of the NAT rules

object network Internal-0.0.0.0

nat (inside,outside) dynamic interface

!

nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

In the above configuration the Dynamic PAT configuration overrides the NAT0 configuration meant for the L2L VPN

You need to do this change and test again if there are any other problems

no nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

nat (inside,any) source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

We remove the "after-auto" from the command so that the NAT0 rule is moved to the top of the NAT rules before the current Dynamic PAT rule for the LAN network.

Hope this helps

- Jouni

New Member

ASA VPN not working

You are a legend!  That worked.

So I had a NAT statement that got seen and used first?

Super Bronze

ASA VPN not working

Hi,

Yes, your Dynamic PAT that is used for normal outbound Internet traffic was overriding the NAT0 for L2L VPN. So no traffic coming from this firewalls LAN never matched the L2L VPN configuration.

There are 3 Sections in NAT configurations

  • Section 1 is Manual NAT
  • Section 2 is Auto NAT
  • Section 3 is Manual NAT (parameter "after-auto" refers that it comes after Section 2 Auto NAT)

So your original NAT configuration for VPN was Section 3 (since it has "after-auto")

nat (inside,any) after-auto source static internal-10.101.61.0 internal-10.101.61.0 destination static Corp Corp no-proxy-arp

You also had Auto NAT configuration (Dynamic PAT)

object network Internal-0.0.0.0

nat (inside,outside) dynamic interface

And as we see from my earlier description, Auto NAT is Section 2 and therefore caused to override your NAT0

We reconfigured the NAT0 without the "after-auto" parameter which makes it a Section 1 Manual NAT and therefore it now comes before the Dynamic PAT (Auto NAT) rule in the configuration and when the ASA matches traffic against NAT rules.

Hope I made sense

- Jouni

New Member

ASA VPN not working

So is it best to always keep the PAT at the bottom of the NAT list?

New Member

ASA VPN not working

Hello,

One last thing, I've added:

"ssh 80.171.156.66 255.255.255.255 outside" on the ASA so the remote ASA can SSH to this ASA and I get a username and password prompt which it accepts, but when I tpe enable it asked for a password and won't accept it.

What do I need to do?

New Member

ASA VPN not working

Fixed - human error

329
Views
0
Helpful
6
Replies
CreatePlease to create content