1931 Views | 0 Helpful | 24 Replies

Help with Site to Site VPN on ASA5505

Steven Williams
Level 4

Hey guys,

Hope all is well on netpro. I really need some help. I have been trying to work on a site to site VPN for almost a full two weeks now and can't seem to get any further than I am now. I am hoping someone can take a look at the thread below and help me out. I have started over about 100 times and always come to the same place... I can get the VPN connection active, but cannot pass traffic at all or correctly.

https://learningnetwork.cisco.com/thread/36319?tstart=0

Here is my latest configuration for my ASA:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.5.12.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.133.0 255.255.255.0 192.168.134.0 255.255.255.0
access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.134.0 255.255.255.0
access-list INSIDE_NAT_STATIC extended permit ip 192.168.134.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.133.0  access-list POLICY_NAT
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.5.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA_VPN_TO_SONIC esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 20 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 20 set pfs
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set ASA_VPN_TO_SONIC
crypto map OUTSIDE_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6830d2eaae271ea805d9357910b5dcdf
: end

The real internal IP address range behind the ASA is 10.5.12.0/24 and that should be natted to 192.168.133.0/24 when leaving the ASA to cross the tunnel.

The remote internal address range is a combination of 10.x.0.0/16 addresses and those need to be natted to 192.168.134.0/24 when leaving the remote Sonicwall firewall. So to make that simple I want to just NAT the entire 10.0.0.0/8 subnet.

I can't wrap my head around how the ASA knows to use the tunnel for all 10.0.0.0/8 traffic when it is itself connected to a 10.5.12.0/24 subnet. I assume routing.

Please let me know if any more info is needed.

24 Replies

This doesn't seem right to me:

ciscoasa# show nat

NAT policies on Interface inside:
  match ip inside 10.5.12.0 255.255.255.0 outside 10.0.0.0 255.0.0.0
    static translation to 192.168.134.0
    translate_hits = 1517, untranslate_hits = 0

NAT policies on Interface outside:
  match ip outside 10.5.12.0 255.255.255.0 inside any
    static translation to 192.168.133.0
    translate_hits = 0, untranslate_hits = 1

ciscoasa#  show ipsec sa
interface: outside
    Crypto map tag: OUTSIDE_MAP, seq num: 20, local addr: 1.1.1.2

      access-list OUTSIDE_CRYPTOMAP permit ip 192.168.133.0 255.255.255.0 192.168.134.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.133.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.134.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.2, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CC2699B5

    inbound esp sas:
      spi: 0x168AB64E (378189390)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 9207, crypto-map: OUTSIDE_MAP
         sa timing: remaining key lifetime (sec): 27911
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCC2699B5 (3425081781)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 9207, crypto-map: OUTSIDE_MAP
         sa timing: remaining key lifetime (sec): 27911
         IV size: 8 bytes
         replay detection support: Y

Should the local identity be 10.5.12.0/24??

right

access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.133.0 255.255.255.0 192.168.134.0 255.255.255.0

access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.134.0 255.255.255.0

If the remote site is natted with 192.168.134.0/24, then on the ASA the ACL POLICY_NAT should be

access-list POLICY_NAT extended permit ip 10.5.12.0 255.255.255.0 192.168.133.0 255.255.255.0

So from the ASA the crypto ACL would be from 192.168.133.0 255.255.255.0 > 192.168.134.0 255.255.255.0

From the SonicWall the crypto ACL would be from 192.168.134.0 255.255.255.0 > 192.168.133.0 255.255.255.0

Try this once.

Making that change on the policy NAT ACL gave me this for the show nat command:

ciscoasa# show nat

NAT policies on Interface inside:
  match ip inside 10.5.12.0 255.255.255.0 outside 192.168.134.0 255.255.255.0
    static translation to 192.168.134.0
    translate_hits = 0, untranslate_hits = 0

NAT policies on Interface outside:
  match ip outside 10.5.12.0 255.255.255.0 inside any
    static translation to 192.168.133.0
    translate_hits = 0, untranslate_hits = 0

This doesn't seem right to me, nor does it make sense.

If indeed my VPN tunnel is active, which "show isakmp sa" shows, then when I try to ping 10.101.1.1 for instance it shows it going out to the default gateway and over the internet? That is not correct, is it?

Yes it is correct. The whole idea of what you are doing here is to hide the real address behind a masqueraded address. You cannot attempt to communicate with the real addresses as these addresses overlap on each remote end. Therefore you create a masqueraded address which is used to traverse the tunnel. You have made these 192.168.133 and 134. According to the routing table, 10.100.1.1 is out the internet and not over the vpn.

How this needs to work is you need to actually ping w.x.y.z, then it goes over the tunnel and gets translated on the remote end to 10.x.y.z.

I can get the VPN tunnel up between the ASA and the Sonicwall, but I cannot pass traffic over the tunnel. Can someone help me get this done? Do I need to add routing? What is the default gateway when trying to send the traffic over the tunnel?

static (outside,inside) 192.168.134.0 10.0.0.0 netmask 255.0.0.0

Is this saying see packets coming in from the outside interface that will be labeled as 192.168.134.0 addresses, but those packets really came from a network that belonged to 10.0.0.0 255.0.0.0?

Ok Steven, I got this set up and working between two ASA5505s. Here are the configs. What you need to do is look at your situation as if the entire 10.0.0.0/8 is overlapping on both ends.

hostname ASA-1
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list vpn extended permit ip 192.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list outside_access_in extended permit icmp any any
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.0.0  access-list policy-nat
!
access-group outside_access_in in interface outside
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address vpn
crypto map outside_map1 1 set peer 1.1.1.2
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
crypto map outside_map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *

hostname ASA-2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
access-list policy-nat extended permit ip 10.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
access-list vpn extended permit ip 192.0.0.0 255.0.0.0 192.0.0.0 255.0.0.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.0.0  access-list policy-nat
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map0 1 match address vpn
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *

Here is how it works. Behind ASA-1 I had a host we will call Host-A (real IP of 10.1.100.1/8). Behind ASA-2 I had a host we will call Host-B (real IP of 10.5.100.1/8).

To ping from Host-A to Host-B you must ping 192.5.100.1 (Use 192 for the network mask bit, and the host address for the rest).

1. Ping 192.5.100.1 from Host-A.

2. ASA-1 matches this traffic (10.1.100.1 -> 192.5.100.1) to the policy-nat acl and translates the source address from 10.1.100.1 to 192.1.100.1.

3. ASA-1 matches this new source and destination address (192.1.100.1 -> 192.5.100.1) to the vpn acl and sends it over the tunnel.

4. Traffic arrives at ASA-2.

5. Destination address (192.5.100.1) matches the policy-nat acl and the destination is translated from 192.5.100.1 to 10.5.100.1.

6. Ping is sent to 10.5.100.1 and it replies to the ping.

7. ASA-2 matches this traffic (10.5.100.1 -> 192.1.100.1) to the policy-nat acl and translates the source address from 10.5.100.1 to 192.5.100.1.

8. ASA-2 matches this new source and destination address (192.5.100.1 -> 192.1.100.1) to the vpn acl and sends it over the tunnel.

9. Traffic arrives at ASA-1.

10. Destination address (192.1.100.1) matches the policy-nat acl and the destination is translated from 192.1.100.1 to 10.1.100.1.

11. Host-A receives the ping reply.

So, if you want to ping from either side to 10.x.y.z on the other end, simply change the 10 to 192 and ping 192.x.y.z. This worked for me and hopefully will work for you. Unfortunately you don't have two ASAs and I can't help with the Sonicwall config.
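The 11-step flow above, and the earlier point that a ping to a real 10.x.y.z address follows the default route instead of the tunnel, modelled as an added Python example (constructed here, not code from the thread or from Cisco). It assumes the two-ASA design exactly as posted (policy-nat 10.0.0.0/8 -> 192.0.0.0/8, crypto ACL vpn 192.0.0.0/8 <-> 192.0.0.0/8, dynamic PAT to the outside interface for everything else) and an assumed outside address of 1.1.1.1 for the non-tunnel case.

```python
import ipaddress

# Constructed model of the overlapping-subnet design in the reply above (not ASA code):
# policy-nat ACL 10.0.0.0/8 -> 192.0.0.0/8, static translation to 192.0.0.0/8,
# crypto ACL vpn 192.0.0.0/8 <-> 192.0.0.0/8; anything else is PAT'd to the outside
# interface (global (outside) 1 interface) and follows the default route.
REAL = ipaddress.ip_network("10.0.0.0/8")    # real inside network (same at both sites)
MASQ = ipaddress.ip_network("192.0.0.0/8")   # masqueraded network seen across the tunnel
OUTSIDE_IF = "1.1.1.1"                       # assumed outside address for the PAT case


def translate(addr, src_net, dst_net):
    """Net-to-net static NAT: keep the host bits, swap the /8 prefix."""
    host = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host)


def outbound(src, dst):
    """Inside -> outside on the sending ASA. Returns (path, src, dst) as seen on the wire."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REAL and dst in MASQ:           # step 2: policy-nat ACL matches
        src = translate(src, REAL, MASQ)
    else:                                     # no policy match: nat (inside) 1 -> PAT
        src = ipaddress.ip_address(OUTSIDE_IF)
    if src in MASQ and dst in MASQ:           # step 3: crypto ACL vpn matches
        return "tunnel", str(src), str(dst)
    return "default-route", str(src), str(dst)  # no crypto match: plain internet traffic


def inbound(src, dst):
    """Outside -> inside on the receiving ASA: untranslate the masqueraded destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in MASQ and dst in MASQ:           # step 5: reverse side of the policy static
        dst = translate(dst, MASQ, REAL)
    return str(src), str(dst)


def ping_round_trip(host_a, target):
    """Walk steps 1-11 for a ping from host_a to target; returns the per-hop addresses."""
    path, s1, d1 = outbound(host_a, target)   # steps 1-3 on ASA-1
    if path != "tunnel":
        return {"path": path, "on_wire": (s1, d1)}
    s2, d2 = inbound(s1, d1)                  # steps 4-5 on ASA-2
    _, s3, d3 = outbound(d2, s2)              # steps 6-8: reply leaves ASA-2
    s4, d4 = inbound(s3, d3)                  # steps 9-10 on ASA-1
    return {"path": path, "host_b_sees": (s2, d2), "reply_on_wire": (s3, d3),
            "host_a_sees": (s4, d4)}
```

Running `ping_round_trip("10.1.100.1", "192.5.100.1")` reproduces the posted hop-by-hop addresses, while `ping_round_trip("10.1.100.1", "10.5.100.1")` never reaches the crypto ACL and is reported as default-route traffic.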

Curious if you had any success with the solution above?
