Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1004
Views
0
Helpful
3
Replies

Simple Site-to-Site VPN

Go to solution
williamhyman
Level 1
Level 1

‎09-09-2010 11:27 AM

Hey'a folks! I have a config for you guys to check out. Just to have an extra set of eyes on it to make sure I'm not missing anything.

I am setting up a basic site-2-site VPN with a checkpoint. The checkpoint is out of my control. But the 5520 ASA here is all mine

One thing I do find kind of strange, is that when doing a sh isakmp sa or a sh ipsec sa I dont get anything back?

PRASA01# sh isakmp sa

There are no isakmp sas

PRASA01# sh ipsec sa

There are no ipsec sas

Is that expected? I don't think it is... Help me out here

PRASA01# sh run

: Saved

:

ASA Version 7.0(6)

!

hostname PRASA01

domain-name nulldomain.com

enable password nullpass encrypted

names

name 69.7.160.113 CYRUSONE

name 69.7.164.65 LOAD-BALANCER

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 20.20.20.20 255.255.255.248 standby 20.20.20.5

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 20.20.30.20 255.255.255.224 standby 20.20.30.5

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 172.29.130.250 255.255.255.0 standby 172.29.130.251

management-only

!

passwd nullpasswd encrypted

ftp mode passive

access-list outside_access_in extended permit ip any any

access-list highbeamWD_1_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0

access-list inside_nat0_highbeamWD extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging trap errors

logging asdm warnings

logging host management 172.29.130.25 format emblem

logging permit-hostdown

logging rate-limit 500 1000 level 1

logging rate-limit 500 500 level 6

mtu outside 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface outside

failover

failover lan unit primary

failover lan interface LIFELINE GigabitEthernet0/3

failover key *****

failover link LIFELINE GigabitEthernet0/3

failover interface ip LIFELINE 10.99.0.1 255.255.255.0 standby 10.99.0.2

no monitor-interface outside

no monitor-interface management

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_highbeamWD

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 CYRUSONE 1

route inside 172.29.0.0 255.255.0.0 LOAD-BALANCER 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username admin password T2H7QiSm7dsZgRC/ encrypted

aaa authentication ssh console LOCAL

http 172.29.130.100 255.255.255.255 management

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map highbeamWD_map 1 match address highbeamWD_1_cryptomap

crypto map highbeamWD_map 1 set pfs

crypto map highbeamWD_map 1 set peer 123.123.123.123

crypto map highbeamWD_map 1 set transform-set ESP-3DES-SHA

crypto map highbeamWD_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group 123.123.123.123 type ipsec-l2l

tunnel-group 123.123.123.123 ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

console timeout 0

management-access management

ntp server 172.29.10.45 source inside prefer

Cryptochecksum:9040ffcf08201d4af345fe553aae8734

: end

PRASA01#

PRASA01# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(6)

Device Manager Version 5.0(6)

Compiled on Tue 22-Aug-06 13:22 by builders

System image file is "disk0:/asa706-k8.bin"

Config file at boot was "startup-config"

PRASA01 up 1 hour 45 mins

failover cluster up 154 days 23 hours

Hardware:   ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2

                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0  : address is 0018.199e.c580, irq 9

1: Ext: GigabitEthernet0/1  : address is 0018.199e.c581, irq 9

2: Ext: GigabitEthernet0/2  : address is 0018.199e.c582, irq 9

3: Ext: GigabitEthernet0/3  : address is 0018.199e.c583, irq 9

4: Ext: Management0/0       : address is 0018.199e.c584, irq 11

5: Int: Not licensed        : irq 11

6: Int: Not licensed        : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs               : 100      

Inside Hosts                : Unlimited

Failover                    : Active/Active

VPN-DES                     : Enabled  

VPN-3DES-AES                : Enabled  

Security Contexts           : 2        

GTP/GPRS                    : Disabled 

VPN Peers                   : 750      

This platform has an ASA 5520 VPN Plus license.

Serial Number: null

Running Activation Key: null

Configuration register is 0x1

Configuration last modified by enable_15 at 17:01:46.173 UTC Thu Sep 9 2010

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
hdashnau
Cisco Employee
Cisco Employee

‎09-09-2010 12:33 PM

Please remember to rate the posts and mark your issue as resolved when youre all set.

Your config looks pretty good as it is.

Here are some tips:

- The commands "show crypto isa 127"(phase 1) and "show crypto ipsec 127" (phase 2) will tell you what status the tunnel is in.

- The tunnel will attempt to come up once you start passing some traffic that matches your crypto ACL (highbeamWD_1_cryptomap)

- If the tunnel does not come up, you should run "debug cry isa 127" and "debug cry ipsec 127" to get a better idea of why its failling

- Make sure your internal devices (sitting inside your ASA) have routes setup for the remote network that get the traffic to the ASA

- The version of code youre on is pretty old. If you do have problems you cant solve, you might consider upgrading to a later image in the 8.0 or 8.2 train (dont move to 8.3 unless youre prepared to deal with nat changes that are quite different)

-heather

View solution in original post

0 Helpful

Go to solution
hdashnau
Cisco Employee
Cisco Employee
In response to williamhyman

‎09-09-2010 01:04 PM

Sorry that was a typo on the show commands:

show crypto isa sa

show crypto ipsec sa

View solution in original post

0 Helpful
3 Replies 3

Go to solution
hdashnau
Cisco Employee
Cisco Employee

‎09-09-2010 12:33 PM

Please remember to rate the posts and mark your issue as resolved when youre all set.

Your config looks pretty good as it is.

Here are some tips:

- The commands "show crypto isa 127"(phase 1) and "show crypto ipsec 127" (phase 2) will tell you what status the tunnel is in.

- The tunnel will attempt to come up once you start passing some traffic that matches your crypto ACL (highbeamWD_1_cryptomap)

- If the tunnel does not come up, you should run "debug cry isa 127" and "debug cry ipsec 127" to get a better idea of why its failling

- Make sure your internal devices (sitting inside your ASA) have routes setup for the remote network that get the traffic to the ASA

- The version of code youre on is pretty old. If you do have problems you cant solve, you might consider upgrading to a later image in the 8.0 or 8.2 train (dont move to 8.3 unless youre prepared to deal with nat changes that are quite different)

-heather

0 Helpful

Go to solution
williamhyman
Level 1
Level 1
In response to hdashnau

‎09-09-2010 01:01 PM

Thanks for the tips! However, I dont get the 127 after the show crypto isakmp ca 127 and show ipsec 127?

0 Helpful

Go to solution
hdashnau
Cisco Employee
Cisco Employee
In response to williamhyman

‎09-09-2010 01:04 PM

Sorry that was a typo on the show commands:

show crypto isa sa

show crypto ipsec sa

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents