Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Simple Site-to-Site VPN

Hey'a folks! I have a config for you guys to check out. Just to have an extra set of eyes on it to make sure I'm not missing anything.

I am setting up a basic site-2-site VPN with a checkpoint. The checkpoint is out of my control. But the 5520 ASA here is all mine

One thing I do find kind of strange, is that when doing a sh isakmp sa or a sh ipsec sa I dont get anything back?

PRASA01# sh isakmp sa

There are no isakmp sas

PRASA01# sh ipsec sa

There are no ipsec sas

Is that expected? I don't think it is... Help me out here

PRASA01# sh run

: Saved

:

ASA Version 7.0(6)

!

hostname PRASA01

domain-name nulldomain.com

enable password nullpass encrypted

names

name 69.7.160.113 CYRUSONE

name 69.7.164.65 LOAD-BALANCER

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 20.20.20.20 255.255.255.248 standby 20.20.20.5

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 20.20.30.20 255.255.255.224 standby 20.20.30.5

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 172.29.130.250 255.255.255.0 standby 172.29.130.251

management-only

!

passwd nullpasswd encrypted

ftp mode passive

access-list outside_access_in extended permit ip any any

access-list highbeamWD_1_cryptomap extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0

access-list inside_nat0_highbeamWD extended permit ip 172.29.0.0 255.255.0.0 10.21.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging trap errors

logging asdm warnings

logging host management 172.29.130.25 format emblem

logging permit-hostdown

logging rate-limit 500 1000 level 1

logging rate-limit 500 500 level 6

mtu outside 1500

mtu inside 1500

mtu management 1500

ip verify reverse-path interface outside

failover

failover lan unit primary

failover lan interface LIFELINE GigabitEthernet0/3

failover key *****

failover link LIFELINE GigabitEthernet0/3

failover interface ip LIFELINE 10.99.0.1 255.255.255.0 standby 10.99.0.2

no monitor-interface outside

no monitor-interface management

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_highbeamWD

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 CYRUSONE 1

route inside 172.29.0.0 255.255.0.0 LOAD-BALANCER 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username admin password T2H7QiSm7dsZgRC/ encrypted

aaa authentication ssh console LOCAL

http 172.29.130.100 255.255.255.255 management

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map highbeamWD_map 1 match address highbeamWD_1_cryptomap

crypto map highbeamWD_map 1 set pfs

crypto map highbeamWD_map 1 set peer 123.123.123.123

crypto map highbeamWD_map 1 set transform-set ESP-3DES-SHA

crypto map highbeamWD_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group 123.123.123.123 type ipsec-l2l

tunnel-group 123.123.123.123 ipsec-attributes

pre-shared-key *

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

console timeout 0

management-access management

ntp server 172.29.10.45 source inside prefer

Cryptochecksum:9040ffcf08201d4af345fe553aae8734

: end

PRASA01#

PRASA01# sh ver

Cisco Adaptive Security Appliance Software Version 7.0(6)

Device Manager Version 5.0(6)

Compiled on Tue 22-Aug-06 13:22 by builders

System image file is "disk0:/asa706-k8.bin"

Config file at boot was "startup-config"

PRASA01 up 1 hour 45 mins

failover cluster up 154 days 23 hours

Hardware:   ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2

                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0  : address is 0018.199e.c580, irq 9

1: Ext: GigabitEthernet0/1  : address is 0018.199e.c581, irq 9

2: Ext: GigabitEthernet0/2  : address is 0018.199e.c582, irq 9

3: Ext: GigabitEthernet0/3  : address is 0018.199e.c583, irq 9

4: Ext: Management0/0       : address is 0018.199e.c584, irq 11

5: Int: Not licensed        : irq 11

6: Int: Not licensed        : irq 5

Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs               : 100      

Inside Hosts                : Unlimited

Failover                    : Active/Active

VPN-DES                     : Enabled  

VPN-3DES-AES                : Enabled  

Security Contexts           : 2        

GTP/GPRS                    : Disabled 

VPN Peers                   : 750      

This platform has an ASA 5520 VPN Plus license.

Serial Number: null

Running Activation Key: null

Configuration register is 0x1

Configuration last modified by enable_15 at 17:01:46.173 UTC Thu Sep 9 2010

Everyone's tags (3)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Simple Site-to-Site VPN

Please remember to rate the posts and mark your issue as resolved when youre all set.

Your config looks pretty good as it is.

Here are some tips:

- The commands "show crypto isa 127"(phase 1) and "show crypto ipsec 127" (phase 2) will tell you what status the tunnel is in.

- The tunnel will attempt to come up once you start passing some traffic that matches your crypto ACL (highbeamWD_1_cryptomap)

- If the tunnel does not come up, you should run "debug cry isa 127" and "debug cry ipsec 127" to get a better idea of why its failling

- Make sure your internal devices (sitting inside your ASA) have routes setup for the remote network that get the traffic to the ASA

- The version of code youre on is pretty old. If you do have problems you cant solve, you might consider upgrading to a later image in the 8.0 or 8.2 train (dont move to 8.3 unless youre prepared to deal with nat changes that are quite different)

-heather

Cisco Employee

Re: Simple Site-to-Site VPN

Sorry that was a typo on the show commands:

show crypto isa sa

show crypto ipsec sa

3 REPLIES
Cisco Employee

Re: Simple Site-to-Site VPN

Please remember to rate the posts and mark your issue as resolved when youre all set.

Your config looks pretty good as it is.

Here are some tips:

- The commands "show crypto isa 127"(phase 1) and "show crypto ipsec 127" (phase 2) will tell you what status the tunnel is in.

- The tunnel will attempt to come up once you start passing some traffic that matches your crypto ACL (highbeamWD_1_cryptomap)

- If the tunnel does not come up, you should run "debug cry isa 127" and "debug cry ipsec 127" to get a better idea of why its failling

- Make sure your internal devices (sitting inside your ASA) have routes setup for the remote network that get the traffic to the ASA

- The version of code youre on is pretty old. If you do have problems you cant solve, you might consider upgrading to a later image in the 8.0 or 8.2 train (dont move to 8.3 unless youre prepared to deal with nat changes that are quite different)

-heather

New Member

Re: Simple Site-to-Site VPN

Thanks for the tips! However, I dont get the 127 after the show crypto isakmp ca 127 and show ipsec 127?

Cisco Employee

Re: Simple Site-to-Site VPN

Sorry that was a typo on the show commands:

show crypto isa sa

show crypto ipsec sa

609
Views
0
Helpful
3
Replies
CreatePlease to create content