ASA5505 to ASA5505 VPN over Internet - HELP!!

stealthmatt
Level 1

I have 2 x ASA 5505's.

I would like one to sit at my office behind an ADSL router with a static IP address, and be configured as a Server.

I would like the other to connect to an ADSL router with a dynamic IP address, and be configured as a Client.

This must be a plug & play setup, so that when the 5505 client is plugged into ANY broadband router, it automatically creates a VPN tunnel to the 5505 server.

The 5505's are to do NOTHING ELSE BUT CREATE AND PROVIDE A VPN LINK AUTOMATICALLY.

In case it's relevant... the purpose of this link will be to stream video data back to my office from remote locations.

We have "played" around with the ASDM, EasyVPN and wizards and still cannot get this to work!

If someone could provide us a step-by-step (idiot) guide we would be very grateful.

Please don't provide links to the official Cisco guides - we've tried these and we're obviously too stupid to understand them! : )

CLI instructions would be ideal.

Many thanks.

Matt

3 Replies

Jennifer Halim
Cisco Employee

Pls share your existing config on both ends to see where it's failing.

Can you please advise which phase it's failing at? Phase 1 or phase 2?

Pls share the output of the following after attempting to pass traffic from client to server:

show cry isa sa

show cry ipsec sa

Hello Jennifer,

Thank you for your assistance.

From the ASDM "Easy VPN Connection Status" the VPN Client Detail shows..............

"LOCAL CONFIGURATION

vpnclient server 213.120.114.230

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup key password *****

vpnclient username tsu password *****

vpnclient enable

MISCELLANEOUS INFORMATION

- Key exchange is based on Pre-Shared Key

- Connection attempt will be automatically initiated

STORED POLICY

Secure Unit Authentication Enabled : Policy not stored

Split Tunnel Networks              : None

Backup Servers                     : None

RELATED CONFIGURATION

global (outside) 1 interface

nat (inside) 0 access-list _vpnc_nwp_acl

nat (inside) 1 0.0.0.0 0.0.0.0

access-list _vpnc_nwp_acl extended permit ip any any

access-list _vpnc_acl extended permit ip host 192.168.2.23 host 213.120.114.230

aaa authentication match _vpnc_nwp_acl inside _vpnc_nwp_server

aaa authentication match _vpnc_nwp_acl _internal_loopback _vpnc_nwp_server

crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_6 esp-aes esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac

crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac

crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac

crypto map _vpnc_cm 10 match address _vpnc_acl

crypto map _vpnc_cm 10 set peer 213.120.114.230

crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11

crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647

crypto map _vpnc_cm 10 set security-association lifetime kilobytes 2147483647

crypto map _vpnc_cm 10 set phase1-mode aggressive

crypto map _vpnc_cm interface outside

crypto isakmp enable outside

crypto isakmp policy 65001

authentication xauth-pre-share

encryption aes-256

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65002

authentication xauth-pre-share

encryption aes-256

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65003

authentication xauth-pre-share

encryption aes-192

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65004

authentication xauth-pre-share

encryption aes-192

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65005

authentication xauth-pre-share

encryption aes

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65006

authentication xauth-pre-share

encryption aes

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65007

authentication xauth-pre-share

encryption 3des

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65008

authentication xauth-pre-share

encryption 3des

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65009

authentication xauth-pre-share

encryption des

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65010

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65011

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65012

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65013

authentication pre-share

encryption aes-192

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65014

authentication pre-share

encryption aes

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65015

authentication pre-share

encryption aes

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65016

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 2147483647

crypto isakmp policy 65017

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 2147483647

crypto isakmp policy 65018

authentication pre-share

encryption des

hash md5

group 2

lifetime 2147483647

tunnel-group 213.120.114.230 type ipsec-ra

tunnel-group 213.120.114.230 ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 90 retry 5"

"Error: Tunnel is currently being negotiated.  Please wait and try again."

Also, we have an amber VPN LED on the Client ASA, but no VPN LED on the Server ASA.

Matt

Pls share the full config from both ASA (show run).
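
One thing Phase 1 depends on is the headend having an ISAKMP policy that matches one the client offers. As an added example (not part of any post in this thread, and not Cisco code), this Python code parses policy blocks in the layout posted above and lists the client policies a headend would match. The headend policy is hypothetical, and matching the authentication keyword exactly while ignoring lifetime is a simplifying assumption.

```python
import re

# Three of the eighteen client policies from the listing posted above.
CLIENT_CFG = """\
crypto isakmp policy 65001
authentication xauth-pre-share
encryption aes-256
hash sha
group 2
crypto isakmp policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
crypto isakmp policy 65018
authentication pre-share
encryption des
hash md5
group 2
"""
# Hypothetical headend policy (constructed; the server config is not on the page).
HEADEND_CFG = """\
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
"""
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(text):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line:  # blank lines are tolerated
            key, _, value = line.partition(" ")
            if key in MATCH_KEYS + ("lifetime",):
                current[key] = value.strip()
            else:
                current = None  # any other command ends the policy block
    return policies

def common_proposals(client, headend):
    """Client policy numbers whose Phase 1 attributes equal some headend policy."""
    accepted = {tuple(p.get(k) for k in MATCH_KEYS) for p in headend.values()}
    return sorted(n for n, p in client.items()
                  if tuple(p.get(k) for k in MATCH_KEYS) in accepted)
```

With the hypothetical group 5 headend, `common_proposals` returns an empty list, because every client policy in the posted listing uses group 2; a headend policy with group 2 instead matches client policy 65010.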
