09-09-2010 11:27 AM
Hey'a folks! I have a config for you guys to check out, just to have an extra set of eyes on it to make sure I'm not missing anything.
I am setting up a basic site-to-site VPN with a Checkpoint. The Checkpoint is out of my control, but the 5520 ASA here is all mine.
One thing I do find kind of strange is that when doing a sh isakmp sa or a sh ipsec sa I don't get anything back:
PRASA01# sh isakmp sa
There are no isakmp sas
PRASA01# sh ipsec sa
There are no ipsec sas
Is that expected? I don't think it is... Help me out here.
PRASA01# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname PRASA01
domain-name nulldomain.com
enable password nullpass encrypted
names
name 69.7.160.113 CYRUSONE
name 69.7.164.65 LOAD-BALANCER
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 20.20.20.20 255.255.255.248 standby 20.20.20.5
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 20.20.30.20 255.255.255.224 standby 20.20.30.5
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 172.29.130.250 255.255.255.0 standby 172.29.130.251
management-only
!
passwd nullpasswd encrypted
ftp mode passive
access-list outside_access_in extended permit ip any any
access-list highbeamWD_1_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list inside_nat0_highbeamWD extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm warnings
logging host management 172.29.130.25 format emblem
logging permit-hostdown
logging rate-limit 500 1000 level 1
logging rate-limit 500 500 level 6
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
failover
failover lan unit primary
failover lan interface LIFELINE GigabitEthernet0/3
failover key *****
failover link LIFELINE GigabitEthernet0/3
failover interface ip LIFELINE 10.99.0.1 255.255.255.0 standby 10.99.0.2
no monitor-interface outside
no monitor-interface management
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_highbeamWD
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 CYRUSONE 1
route inside 172.29.0.0 255.255.0.0 LOAD-BALANCER 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password T2H7QiSm7dsZgRC/ encrypted
aaa authentication ssh console LOCAL
http 172.29.130.100 255.255.255.255 management
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map highbeamWD_map 1 match address highbeamWD_1_cryptomap
crypto map highbeamWD_map 1 set pfs
crypto map highbeamWD_map 1 set peer 123.123.123.123
crypto map highbeamWD_map 1 set transform-set ESP-3DES-SHA
crypto map highbeamWD_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access management
ntp server 172.29.10.45 source inside prefer
Cryptochecksum:9040ffcf08201d4af345fe553aae8734
: end
PRASA01#
PRASA01# sh ver
Cisco Adaptive Security Appliance Software Version 7.0(6)
Device Manager Version 5.0(6)
Compiled on Tue 22-Aug-06 13:22 by builders
System image file is "disk0:/asa706-k8.bin"
Config file at boot was "startup-config"
PRASA01 up 1 hour 45 mins
failover cluster up 154 days 23 hours
Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0018.199e.c580, irq 9
1: Ext: GigabitEthernet0/1 : address is 0018.199e.c581, irq 9
2: Ext: GigabitEthernet0/2 : address is 0018.199e.c582, irq 9
3: Ext: GigabitEthernet0/3 : address is 0018.199e.c583, irq 9
4: Ext: Management0/0 : address is 0018.199e.c584, irq 11
5: Int: Not licensed : irq 11
6: Int: Not licensed : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
This platform has an ASA 5520 VPN Plus license.
Serial Number: null
Running Activation Key: null
Configuration register is 0x1
Configuration last modified by enable_15 at 17:01:46.173 UTC Thu Sep 9 2010
09-09-2010 12:33 PM
Please remember to rate the posts and mark your issue as resolved when you're all set.
Your config looks pretty good as it is.
Here are some tips:
- The commands "show crypto isa 127" (phase 1) and "show crypto ipsec 127" (phase 2) will tell you what status the tunnel is in.
- The tunnel will attempt to come up once you start passing some traffic that matches your crypto ACL (highbeamWD_1_cryptomap).
- If the tunnel does not come up, you should run "debug cry isa 127" and "debug cry ipsec 127" to get a better idea of why it's failing.
- Make sure your internal devices (sitting inside your ASA) have routes set up for the remote network that get the traffic to the ASA.
- The version of code you're on is pretty old. If you do have problems you can't solve, you might consider upgrading to a later image in the 8.0 or 8.2 train (don't move to 8.3 unless you're prepared to deal with NAT changes that are quite different).
-heather
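The "extra set of eyes" the original post asks for can be partly automated. The script below is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the posted ASA 7.x running-config (SAMPLE_CONFIG, constructed from the lines above) and checks the things a reviewer would tick off for an L2L tunnel: the crypto map's ACL and transform-set exist, the peer has an ipsec-l2l tunnel-group, isakmp is enabled on the interface the crypto map is bound to, and every flow in the crypto ACL is also NAT-exempted by the nat 0 ACL. A second, deliberately broken config (BROKEN_CONFIG, also constructed) shows what the checks flag.

```python
"""Static consistency checks for an ASA 7.x site-to-site (L2L) crypto config.

Added example, not from the thread. SAMPLE_CONFIG is a constructed, trimmed
copy of the posted running-config; BROKEN_CONFIG is a constructed variant
with two mistakes (isakmp enabled on the wrong interface, nat 0 ACL that does
not match the crypto ACL) so the checks have something to report.
"""
import re

SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
access-list outside_access_in extended permit ip any any
access-list highbeamWD_1_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0
access-list inside_nat0_highbeamWD extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_highbeamWD
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map highbeamWD_map 1 match address highbeamWD_1_cryptomap
crypto map highbeamWD_map 1 set pfs
crypto map highbeamWD_map 1 set peer 123.123.123.123
crypto map highbeamWD_map 1 set transform-set ESP-3DES-SHA
crypto map highbeamWD_map interface outside
isakmp enable outside
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key *
"""

# Constructed broken variant: isakmp on the wrong interface, nat 0 ACL
# exempts a different remote subnet than the crypto ACL protects.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "isakmp enable outside", "isakmp enable inside"
).replace(
    "inside_nat0_highbeamWD extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0",
    "inside_nat0_highbeamWD extended permit ip 172.29.0.0 255.255.0.0 10.22.0.0",
)

# Only the statement shapes used by an L2L tunnel in ASA 7.x syntax are parsed.
PATTERNS = {
    "acl": re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$"),
    "tset": re.compile(r"crypto ipsec transform-set (\S+) "),
    "map": re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)(?: (\S+))?$"),
    "map_if": re.compile(r"crypto map (\S+) interface (\S+)$"),
    "nat0": re.compile(r"nat \((\S+)\) 0 access-list (\S+)$"),
    "isakmp": re.compile(r"isakmp enable (\S+)$"),
    "tg": re.compile(r"tunnel-group (\S+) type (\S+)$"),
}


def parse_config(text):
    """Collect ACL flows, transform-sets, crypto map entries and peers."""
    cfg = {"acls": {}, "transform_sets": set(), "crypto_maps": {},
           "map_ifaces": {}, "nat0": {}, "isakmp_ifaces": set(), "tunnel_groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if kind == "acl":
                cfg["acls"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
            elif kind == "tset":
                cfg["transform_sets"].add(m[1])
            elif kind == "map":  # keyed by (map name, sequence number)
                cfg["crypto_maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
            elif kind == "map_if":
                cfg["map_ifaces"][m[1]] = m[2]
            elif kind == "nat0":
                cfg["nat0"][m[1]] = m[2]
            elif kind == "isakmp":
                cfg["isakmp_ifaces"].add(m[1])
            elif kind == "tg":
                cfg["tunnel_groups"][m[1]] = m[2]
            break
    return cfg


def check_l2l(cfg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        tag = f"crypto map {name} {seq}"
        acl = entry.get("match address")
        if acl not in cfg["acls"]:
            findings.append(f"{tag}: match address ACL {acl!r} is not defined")
        ts = entry.get("set transform-set")
        if ts not in cfg["transform_sets"]:
            findings.append(f"{tag}: transform-set {ts!r} is not defined")
        peer = entry.get("set peer")
        if peer is None:
            findings.append(f"{tag}: no peer configured")
        elif cfg["tunnel_groups"].get(peer) != "ipsec-l2l":
            findings.append(f"{tag}: missing 'tunnel-group {peer} type ipsec-l2l'")
        iface = cfg["map_ifaces"].get(name)
        if iface is None:
            findings.append(f"{tag}: crypto map {name} is not applied to any interface")
        elif iface not in cfg["isakmp_ifaces"]:
            findings.append(f"{tag}: isakmp is not enabled on interface {iface}")
        # Interesting traffic must also be NAT-exempted, or it is translated before encryption.
        if acl in cfg["acls"]:
            exempt = set()
            for nat_acl in cfg["nat0"].values():
                exempt |= set(cfg["acls"].get(nat_acl, []))
            for flow in sorted(set(cfg["acls"][acl]) - exempt):
                findings.append(f"{tag}: flow {flow} is in the crypto ACL but not NAT-exempted")
    return findings


def review(text):
    return check_l2l(parse_config(text))


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_CONFIG), ("broken config", BROKEN_CONFIG)):
        print(f"== {label}: {len(review(text))} finding(s)")
        for f in review(text):
            print("  -", f)
```

The checks are structural only; they cannot tell you the peer's proposal or pre-shared key match, which is what the debug commands above are for. Run it against a full "sh run" capture and treat any finding as something to look at before bringing traffic up.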
09-09-2010 01:01 PM
Thanks for the tips! However, I don't get the 127 after the show crypto isakmp ca 127 and show ipsec 127?
09-09-2010 01:04 PM
Sorry that was a typo on the show commands:
show crypto isa sa
show crypto ipsec sa