Site to site vpn asa5505

Roberto Kippins
Level 1

Hi, I am trying to configure a site-to-site VPN with two ASA 5505s, but for some reason it is not working. They are in two different areas, but we are using the same ISP, and our public IPs are only about one router away from each other. Please see the configs below.

Site A config

: Written by RobertoKippins at 05:03:43.659 GYT Sun Sep 29 2013

!

ASA Version 8.0(4)

!

hostname EDGE-FW1

domain-name technetworkz.net

enable xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxxxx encrypted

names

name 10.100.100.0 lg-network

!

interface Vlan1

nameif inside

security-level 100

ip address 10.200.200.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone GYT -4

dns server-group DefaultDNS

domain-name technetworkz.net

access-list outside_access_in extended permit icmp any any

access-list outside_1_cryptomap extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface inside

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

asdm location lg-network 255.255.255.0 inside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set transform-set ESP-DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 set phase1-mode aggressive

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime none

crypto isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 10.200.200.20-10.200.200.80 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd domain technetworkz.net interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username xxxxxxxxxx password Fa2BoTlz1xY4u1dS encrypted

username xxxxxxxxxx attributes

service-type remote-access

username xxxxxxxxxxxxxx password uEIVdCEU8YjHNQ4T encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b8c85c609bc1006aebd2e62a5df0f6ec

Site B config

LGFW1# sh conf

: Saved

: Written by RobertoKippins at 05:07:56.612 GYT Sun Sep 29 2013

!

ASA Version 8.0(4)

!

hostname LGFW1

domain-name technetworkz.net

enable password xxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxx encrypted

names

name 10.100.100.0 inside-network

name 10.200.200.0 rk-network

!

interface Vlan1

nameif inside

security-level 100

ip address 10.100.100.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone GYT -4

dns server-group DefaultDNS

domain-name technetworkz.net

access-list outside_access_in extended permit icmp any any

access-list outside_1_cryptomap extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0

access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

asdm location rk-network 255.255.255.0 inside

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection reclassify-vpn

sysopt connection preserve-vpn-flows

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set transform-set ESP-DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 set phase1-mode aggressive

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime none

crypto isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 10.100.100.50-10.100.100.177 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd domain technetworkz.net interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

username xxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7d1d3e473e79a3ba23e971922bad69d3

LGFW1#

When I first configured it, the connection came up and then went down after 2 minutes and never worked again. I can do client-to-site VPN at both sites and they work just fine; just site-to-site is not working. I need help, thanks in advance.

12 Replies

chris-lawrence
Level 1

Hi,

Do you use ASDM or the CLI? If you use ASDM, the VPN Site-to-Site Wizard works great if you are going with pre-shared keys, which you appear to want to do judging by the config you posted.

I, on the other hand, am trying to do the same but using self-signed certificates, which I can't seem to do at all. PSK works great.

Chris

Jeet Kumar
Cisco Employee

Could you please post the output of the following debugs when it's going down?

debug cry isa 125

debug cry ips 125

Thanks

Jeet Kumar

shine pothen
Level 3

Are you getting an error message?

Please paste the output of:

sh cry isa sa

sh cry ipsec sa

Roberto Kippins
Level 1

Hey, I used the ASA VPN wizard to set this up with pre-shared keys.

Roberto Kippins
Level 1

EDGE-FW1# sh cry isa sa

There are no isakmp sas

EDGE-FW1#

EDGE-FW1#

EDGE-FW1# sh cry ipsec sa

There are no ipsec sas

EDGE-FW1#

My first suggestion would be to verify if there is IP connectivity between the tunnel source addresses and the corresponding destination addresses.

My next question is that I see these in the config of site B and do not see corresponding entries at site A. Is this mismatch perhaps a problem?

sysopt connection reclassify-vpn

sysopt connection preserve-vpn-flows

If neither of these provides any improvement, then I would suggest running debug crypto isakmp on one (or perhaps both) of the ASAs and hope that it will provide some insight into the problem.

HTH

Rick

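As an added example (not code from this thread or from Cisco), a small Python checker for the kind of cross-site mismatch Rick raises: it parses constructed excerpts of the Site A (EDGE-FW1) and Site B (LGFW1) 8.0(4) configs posted above and verifies that the crypto ACLs mirror each other after resolving `name` aliases, that the peers share at least one ISAKMP policy, and that phase-1 mode agrees. The excerpts and the `SITE_B_BROKEN` variant are constructed here; the posted excerpts pass all three checks, which fits Rick's advice to verify IP connectivity between the tunnel endpoints first.

```python
# Constructed excerpts of the Site A (EDGE-FW1) and Site B (LGFW1) ASA 8.0(4)
# configs posted above, trimmed to the lines a site-to-site tunnel depends on.
SITE_A = """\
name 10.100.100.0 lg-network
access-list outside_1_cryptomap extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set phase1-mode aggressive
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
"""
SITE_B = """\
name 10.100.100.0 inside-network
name 10.200.200.0 rk-network
access-list outside_1_cryptomap extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set phase1-mode aggressive
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
"""
# Constructed broken variant: a wrong mask in Site B's crypto ACL (a typical wizard slip).
SITE_B_BROKEN = SITE_B.replace("rk-network 255.255.255.0", "rk-network 255.255.0.0")

def parse(cfg):
    """Collect name aliases, crypto ACEs, the map's ACL, phase-1 mode and ISAKMP policies."""
    d = {"names": {}, "acl": {}, "map_acl": None, "aggressive": False, "policy": {}}
    cur = None                                   # ISAKMP policy block being filled
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":                       # name <ip> <alias>; assumed to precede ACLs
            d["names"][w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            n, (s, sm, t, tm) = d["names"], w[5:9]
            d["acl"].setdefault(w[1], set()).add((n.get(s, s), sm, n.get(t, t), tm))
        elif w[:2] == ["crypto", "map"] and "match" in w:
            d["map_acl"] = w[-1]                 # ACL the crypto map entry uses
        elif w[:2] == ["crypto", "map"] and "aggressive" in w:
            d["aggressive"] = True
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            cur = d["policy"].setdefault(w[3], {})
        elif cur is not None and w[0] in ("authentication", "encryption", "hash", "group"):
            cur[w[0]] = w[1]
    return d

def check_pair(cfg_a, cfg_b):
    """Return findings that would stop the two ASAs from negotiating; [] means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    # 1. Crypto ACLs must be mirror images: A's src/dst is B's dst/src.
    acl_a = a["acl"].get(a["map_acl"], set())
    acl_b = {(t, tm, s, sm) for (s, sm, t, tm) in b["acl"].get(b["map_acl"], set())}
    if acl_a != acl_b:
        findings.append("crypto ACLs are not mirror images: %s vs %s" % (sorted(acl_a), sorted(acl_b)))
    # 2. Some ISAKMP policy on each side must agree on auth, encryption, hash and DH group.
    if not any(pa == pb for pa in a["policy"].values() for pb in b["policy"].values()):
        findings.append("no matching ISAKMP policy between the peers")
    # 3. Phase-1 mode must agree: aggressive on one peer only will not negotiate.
    if a["aggressive"] != b["aggressive"]:
        findings.append("phase1-mode aggressive is set on one peer only")
    return findings
```

Run `check_pair` on the two full `sh run` outputs to get the same report for the real devices; the parser only needs the `name`, `access-list`, `crypto map` and `crypto isakmp policy` lines.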
Well, now I upgraded the ASA software and reconfigured everything on both sides from scratch, and I got the tunnel up, but the problem is that it won't stay up. It goes down after a while, as if it goes into some kind of idle timeout, and if I start a continuous ping to a host on the other end it will come up again after a few minutes.

I am glad that you got the tunnel to work. Can you be a bit more specific about the timing of when the tunnel seems to go down? Your configuration specifies a timeout of 8 hours for the IPSec Security Association. So 8 hours after the tunnel comes up it would go down. When there is traffic to go through the tunnel it would be brought back up again. So if your tunnel going down is at about 8 hours then this is the expected behavior. If it is something different then we may need to look for other issues.

HTH

Rick

Roberto Kippins
Level 1

I did not get a chance to monitor it fully as yet, but it goes down after about 30 minutes if there is no traffic passing through. As I said, I did some reconfigurations, so the configs would have changed. I'll repost.

Roberto Kippins
Level 1

EDGE-FW1# sh conf

: Saved

: Written by RobertoKippins at 10:01:31.069 UTC Tue Oct 1 2013

!

ASA Version 8.4(1)

!

hostname EDGE-FW1

domain-name technetworkz.net

enable password xxxxxxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted

names

name 10.100.100.0 lg-network

name 10.200.200.0 inside-network

!

interface Vlan1

nameif inside

security-level 100

ip address 10.200.200.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name technetworkz.net

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network lg-network

subnet 10.100.100.0 255.255.255.0

object network NETWORK_OBJ_10.200.200.0_24

subnet 10.200.200.0 255.255.255.0

object network NETWORK_OBJ_10.88.88.0_26

subnet 10.88.88.0 255.255.255.192

object-group network DM_INLINE_NETWORK_1

network-object inside-network 255.255.255.0

network-object object NETWORK_OBJ_10.88.88.0_26

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object lg-network

access-list outside_access_in extended permit icmp any any

access-list Kippins-Home_splitTunnelAcl standard permit 10.200.200.0 255.255.255.0

access-list Kippins-Home_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

ip local pool VPN_POOL_1 10.99.99.1-10.99.99.50 mask 255.255.255.0

ip local pool VPN_POOL_2 10.88.88.1-10.88.88.50 mask 255.255.255.192

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_10.200.200.0_24 NETWORK_OBJ_10.200.200.0_24 destination static lg-network lg-network

nat (inside,outside) source static NETWORK_OBJ_10.200.200.0_24 NETWORK_OBJ_10.200.200.0_24 destination static NETWORK_OBJ_10.88.88.0_26 NETWORK_OBJ_10.88.88.0_26

!

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set ikev1 phase1-mode aggressive

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 1 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 ipsec-over-tcp port 10000

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

management-access inside

vpn-addr-assign local reuse-delay 1

dhcpd address 10.200.200.20-10.200.200.80 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd domain technetworkz.net interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy Kippins-Home internal

group-policy Kippins-Home attributes

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Kippins-Home_splitTunnelAcl

default-domain value technetworkz.net

group-policy GroupPolicy_x.x.x.x internal

group-policy GroupPolicy_x.x.x.x attributes

vpn-idle-timeout none

vpn-tunnel-protocol ikev1 ikev2

username xxxxxxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxxx encrypted privilege 15

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

default-group-policy GroupPolicy_x.x.x.x

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group Kippins-Home type remote-access

tunnel-group Kippins-Home general-attributes

address-pool VPN_POOL_2

default-group-policy Kippins-Home

tunnel-group Kippins-Home ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e4b4876355ff4db266ceb76b07e21a04

EDGE-FW1#

Roberto Kippins
Level 1

Another question: in this config you will notice I have one site-to-site VPN and a client-to-site VPN. Is there any way for me to access the remote network at 10.100.100.0 when I connect to the client VPN at 10.88.88.0?

I have looked at the config that you posted and do not see anything in it that would cause the tunnel to stop working after about 30 minutes. Though I do wonder about this line in the config:

crypto map outside_map 1 set ikev1 phase1-mode aggressive

I usually associate aggressive mode more with Remote Access VPN than with site to site VPN. I wonder if this equates to some type of dead peer detection which might impact the VPN.

As far as your other question about being able to access the remote network from your VPN connection, that should be possible. The issue about it is that by default the ASA will not forward a packet out the same interface that it arrived on. So if your VPN client packet came in on the outside interface then the ASA does not want to forward it back out the outside interface, which is what it needs to do if your VPN client is to access the remote network. There is a command that will allow what you want. Try this in global config:

same-security-traffic permit intra-interface

HTH

Rick
