New Member

Site to site vpn asa5505

Hi, I am trying to configure a site-to-site VPN with two ASA 5505s, but for some reason it is not working. They are in two different areas, but we are using the same ISP and our public IPs are like one router away from each other. Please see the configs below.

Site A config

: Written by RobertoKippins at 05:03:43.659 GYT Sun Sep 29 2013
!
ASA Version 8.0(4)
!
hostname EDGE-FW1
domain-name technetworkz.net
enable xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.100.100.0 lg-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GYT -4
dns server-group DefaultDNS
 domain-name technetworkz.net
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm location lg-network 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime none
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.200.200.20-10.200.200.80 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain technetworkz.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xxxxxxxxxx password Fa2BoTlz1xY4u1dS encrypted
username xxxxxxxxxx attributes
 service-type remote-access
username xxxxxxxxxxxxxx password uEIVdCEU8YjHNQ4T encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8c85c609bc1006aebd2e62a5df0f6ec

Site B config

LGFW1# sh conf
: Saved
: Written by RobertoKippins at 05:07:56.612 GYT Sun Sep 29 2013
!
ASA Version 8.0(4)
!
hostname LGFW1
domain-name technetworkz.net
enable password xxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.100.100.0 inside-network
name 10.200.200.0 rk-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GYT -4
dns server-group DefaultDNS
 domain-name technetworkz.net
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm location rk-network 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime none
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.100.100.50-10.100.100.177 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain technetworkz.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username xxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7d1d3e473e79a3ba23e971922bad69d3
LGFW1#

When I first configured it, the connection came up and went down after 2 mins and never worked again. I can do client-to-site VPN on both sites and they work just fine; just site-to-site is not working. Need help, thanks in advance.

12 REPLIES
New Member

Site to site vpn asa5505

Hi,

Do you use ASDM or the CLI? If you use ASDM, the VPN Site-to-Site Wizard works great if you are going with pre-shared keys, which you appear to want to do judging by the config you posted.

I, on the other hand, am trying to do the same but using self-signed certificates, which I can't seem to do at all. PSK works great.

Chris

Cisco Employee

Site to site vpn asa5505

Could you please post the output of the following debugs when it's going down?

debug cry isa 125
debug cry ips 125

Thanks

Jeet Kumar

Site to site vpn asa5505

Are you getting an error message?

Please paste the output for:

sh cry isa sa
sh cry ipsec sa

New Member

Site to site vpn asa5505

Hey, I used the ASA VPN wizard to set this up with pre-shared keys.

New Member

Site to site vpn asa5505

EDGE-FW1# sh cry isa sa
There are no isakmp sas
EDGE-FW1#
EDGE-FW1#
EDGE-FW1# sh cry ipsec sa
There are no ipsec sas
EDGE-FW1#

Hall of Fame Super Silver

Site to site vpn asa5505

My first suggestion would be to verify if there is IP connectivity between the tunnel source addresses and the corresponding destination addresses.

My next question is that I see these in the config of site B and do not see corresponding entries at site A. Is this mismatch perhaps a problem?

sysopt connection reclassify-vpn

sysopt connection preserve-vpn-flows

If neither of these provides any improvement then I would suggest running debug crypto isakmp on one (or perhaps both) of the ASAs and hope that it will provide some insight into the problem.

HTH

Rick

New Member

Site to site vpn asa5505

Well, now I upgraded the ASA software and reconfigured everything on both sides from scratch, and I got the tunnel up, but the problem is that it won't stay up. It goes down after a while, like it goes into some kind of idle timeout, and if I start a continuous ping to a host on the other end it will come up again after a few minutes.

Hall of Fame Super Silver

Site to site vpn asa5505

I am glad that you got the tunnel to work. Can you be a bit more specific about the timing of when the tunnel seems to go down? Your configuration specifies a timeout of 8 hours for the IPSec Security Association. So 8 hours after the tunnel comes up it would go down. When there is traffic to go through the tunnel it would be brought back up again. So if your tunnel going down is at about 8 hours then this is the expected behavior. If it is something different then we may need to look for other issues.

HTH

Rick

New Member

Site to site vpn asa5505

I did not get a chance to monitor it fully as yet, but it goes down after about 30 minutes if there is no traffic passing through. As I said, I did some reconfigurations, so the configs would change. I'll repost.
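Rick's question about the two sysopt lines that exist only at Site B, and the 30-minute drop with no traffic reported at the end, both come down to comparing the tunnel-relevant settings of the two configs side by side. The Python script below is an added example, not code from the thread: it parses constructed excerpts of the two posted ASA 8.0(4) crypto sections, lists every setting that is absent on one side or differs, and reports the group-policy vpn-idle-timeout, which falls back to the ASA default of 30 minutes when no group-policy sets it.

```python
# Constructed excerpt of the Site A crypto section posted in the thread (ASA 8.0(4)).
SITE_A = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set phase1-mode aggressive
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime none
"""
# Site B as posted carries the same crypto section plus three lines Site A lacks.
SITE_B = ("sysopt connection reclassify-vpn\nsysopt connection preserve-vpn-flows\n"
          "crypto isakmp identity address\n" + SITE_A)

def parse_vpn_settings(config):
    """Map each tunnel-relevant ASA 8.x IKEv1 setting in a config to its value."""
    settings = {"vpn-idle-timeout": "30 (ASA default, not set)"}  # no group-policy override yet
    policy = None  # name of the isakmp policy whose indented sub-commands follow
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        indented = line.startswith(" ")
        if not indented:
            policy = None
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            settings["transform-set " + words[3]] = " ".join(words[4:])
        elif words[:2] == ["crypto", "map"] and "set" in words:
            i = words.index("set") + 1
            n = 3 if words[i] == "security-association" else 1  # keep "lifetime seconds" in the key
            settings["crypto map " + " ".join(words[2:4] + words[i:i + n])] = " ".join(words[i + n:]) or "enabled"
        elif words[:3] == ["crypto", "isakmp", "policy"]:
            policy = "isakmp policy " + words[3]
        elif indented and policy:
            settings[policy + " " + words[0]] = " ".join(words[1:])
        elif indented and words[0] == "vpn-idle-timeout":
            settings["vpn-idle-timeout"] = words[1]  # minutes, from a group-policy attributes block
        elif words[:2] in (["crypto", "isakmp"], ["sysopt", "connection"]):
            settings[" ".join(words[:3])] = " ".join(words[3:]) or "enabled"
    return settings

def compare_peers(cfg_a, cfg_b):
    """Return one line per setting that is absent on one side or differs between the peers."""
    a, b = parse_vpn_settings(cfg_a), parse_vpn_settings(cfg_b)
    return ["%s: A=%s B=%s" % (k, a.get(k, "<absent>"), b.get(k, "<absent>"))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

print("\n".join(compare_peers(SITE_A, SITE_B)))
```

Peer addresses and crypto ACL names legitimately differ between the two sites and are not collected; the settings a mismatch would break (transform-set, PFS, SA lifetimes, phase1-mode, ISAKMP policy parameters, identity type, sysopt toggles) are.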
