Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Hi Rizwan,

Thanks for your response.  I updated the configuration per your response below... It still doesn't work.  please see my new config files below.  Please help.  Thanks in advance for your help....

Hi Pinesh,

Please make follow changes on host: officeasa


remove this line below highlighted.

crypto dynamic-map L2LMap 1 match address Crypto_L2L


It is only because group1 is weak, so please change it to group2

crypto dynamic-map L2LMap 1 set pfs group1

route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117


Please make follow changes on host: homeasa


It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1

route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.

Hope that helps, if not please open a new thread.

Thanks

Rizwan Rafeek

***********************************************

New config files..

Site-A:   (Office):

Hostname: asaoffice

Inside: 10.10.5.0/254

Outside e0/0: Static IP 96.xxx.xxx.118/30

Site-B:   (Home):

Hostname: asahome

Inside: 10.10.6.0/254

Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)

SIte-A:

officeasa(config)# sh config

: Saved

: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012

!

ASA Version 8.2(5)

!

hostname officeasa

enable password xyz encrypted

passwd xyz encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

switchport access vlan 3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

switchport access vlan 3

!

interface Ethernet0/7

switchport access vlan 3

!

interface Vlan2

nameif outside

security-level 0

ip address 96.xxx.xxx.118 255.255.255.252

!

interface Vlan3

nameif inside

security-level 100

ip address 10.10.5.254 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2

access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2

access-list ormtST standard permit 10.10.5.0 255.255.255.0

access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1

route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map OL2LMap 1 set pfs

crypto dynamic-map OL2LMap 1 set transform-set OSite2Site

crypto dynamic-map OL2LMap 1 set reverse-route

crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap

crypto map out_L2LMap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

client-update enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.10.5.101-10.10.5.132 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2

svc enable

tunnel-group-list enable

group-policy ormtGP internal

group-policy ormtGP attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ormtST

address-pools value ormtIPP

webvpn

svc keep-installer installed

svc rekey time 30

svc rekey method ssl

svc ask enable default svc timeout 20

username user1 password abcxyz encrypted

username user1 attributes

service-type remote-access

tunnel-group ormtProfile type remote-access

tunnel-group ormtProfile general-attributes

default-group-policy ormtGP

tunnel-group ormtProfile webvpn-attributes

group-alias OFFICE enable

tunnel-group defaultL2LGroup type ipsec-l2l

tunnel-group defaultL2LGroup ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c

officeasa(config)#

Site-B:

Home ASA Configuration:

homeasa# sh config

: Saved

: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012

!

ASA Version 8.2(5)

!

hostname homeasa

enable password xyz encrypted

passwd xyz encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

switchport access vlan 3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

switchport access vlan 3

!

interface Ethernet0/7

switchport access vlan 3

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

nameif inside

security-level 100

ip address 10.10.6.254 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0

access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0

access-list hrmtST standard permit 10.10.6.0 255.255.255.0

access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.6.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map L2Lmap 1 match address Crypto_L2L

crypto map L2Lmap 1 set peer 96.xxx.xxx.118

crypto map L2Lmap 1 set transform-set Site2Site

crypto map L2LMap 1 set pfs

crypto map L2LMap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.10.6.101-10.10.6.132 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2

svc enable

tunnel-group-list enable

group-policy hrmtGP internal

group-policy hrmtGP attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value hrmtST

address-pools value hrmtIPP

webvpn

svc keep-installer installed

svc rekey time 30

svc rekey method ssl

svc ask enable default svc timeout 20

username user1 password abcxyz encrypted

username user1 attributes

service-type admin

tunnel-group hrmtProfile type remote-access

tunnel-group hrmtProfile general-attributes

default-group-policy hrmtGP

tunnel-group hrmtProfile webvpn-attributes

group-alias hrmtCGA enable

tunnel-group 96.xxx.xxx.118 type ipsec-l2l

tunnel-group 96.xxx.xxx.118 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d16a0d49f275612dff7e404f49bcc499

homeasa#

5 REPLIES

Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Please remove this line below from host:officeasa

crypto dynamic-map OL2LMap 1 set pfs

Please remove this line from from host:homeasa

crypto map L2LMap 1 set pfs

Please initiate traffic from host:homeasa from inside the network.

FYI... Tunnnel can be initiated from hosts behind the device:homeasa but not from the server side. i.e. officeasa, so please try to to initiate the traffic from client tunnel-end side:homeasa, i.e. preferably from inside the network.

Once tunnel has been established from client-side and then traffic can flow between both lan side, as if they are pure site to site tunnel.

Everything else looks good.

Let me know result.

If it does not help, please enable debug.

debug crypto isakmp 7

debug crypto ipsec 7

Thanks

Rizwan Rafeek

New Member

Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Thanks Rizwan,

Still no luck.  I can't even ping the otherside (office)..  I am not sure if i'm running the debug rightway.   Here are my results...

homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side.  I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:

?????

Success rate is 0

homeasa(config)# debug crypto isakmp 7

homeasa(config)# debug crypto ipsec 7

homeasa(config)# sho crypto isakmp 7

                                   ^

ERROR: % Invalid input detected at '^' marker.

homeasa(config)# sho crypto isakmp

There are no isakmp sas

Global IKE Statistics

Active Tunnels: 0

Previous Tunnels: 0

In Octets: 0

In Packets: 0

In Drop Packets: 0

In Notifys: 0

In P2 Exchanges: 0

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 0

Out Packets: 0

Out Drop Packets: 0

Out Notifys: 0

Out P2 Exchanges: 0

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 0

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

Global IPSec over TCP Statistics

--------------------------------

Embryonic connections: 0

Active connections: 0

Previous connections: 0

Inbound packets: 0

Inbound dropped packets: 0

Outbound packets: 0

Outbound dropped packets: 0

RST packets: 0

Recevied ACK heart-beat packets: 0

Bad headers: 0

Bad trailers: 0

Timer failures: 0

Checksum errors: 0

Internal errors: 0

hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118

There are no ipsec sas

homeasa(config)#

Re: Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Tunnnel can be initiated from hosts behind the device:homeasa, if you have a PC ping it from the PC not from ASA.

Enable debug from exec mode.

debug crypto isakmp 7

debug crypto ipsec 7

Re: Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Did you try, like I said?

New Member

Re: Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

Hi Rizwan,

Yes, I tried pinging from the other PC on a network but the request timed out .  I also tried debugging but I couldn't get the debug to work.  Finally, I used the Dynamic IP address as a static IP in tunnel configuration and it worked fine.   Before I configured the ASA, I added the UPS battery backup at the cable modem so I never loose the power and maintain the same IP address.  The tunnel works perfectly fine. 

I really appreciate your help and follow up.  I will still try one more time when i get a chnace again and i will keep you posted.  I just didn't want to hold up the operation in the office.

Once again, thank you so much.

5135
Views
0
Helpful
5
Replies
CreatePlease login to create content