09-29-2013 03:12 PM
Hi I am trying to configure site to site vpn with two asa5505 but for some reason it is not working, they are in two different areas but we are using the same isp and our public ip is like one router away from eachother please see configs below
site A config
: Written by RobertoKippins at 05:03:43.659 GYT Sun Sep 29 2013
!
ASA Version 8.0(4)
!
hostname EDGE-FW1
domain-name technetworkz.net
enable xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.100.100.0 lg-network
!
interface Vlan1
nameif inside
security-level 100
ip address 10.200.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GYT -4
dns server-group DefaultDNS
domain-name technetworkz.net
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.200.200.0 255.255.255.0 lg-network 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm location lg-network 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime none
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.200.200.20-10.200.200.80 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain technetworkz.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xxxxxxxxxx password Fa2BoTlz1xY4u1dS encrypted
username xxxxxxxxxx attributes
service-type remote-access
username xxxxxxxxxxxxxx password uEIVdCEU8YjHNQ4T encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8c85c609bc1006aebd2e62a5df0f6ec
Site B config
LGFW1# sh conf
: Saved
: Written by RobertoKippins at 05:07:56.612 GYT Sun Sep 29 2013
!
ASA Version 8.0(4)
!
hostname LGFW1
domain-name technetworkz.net
enable password xxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.100.100.0 inside-network
name 10.200.200.0 rk-network
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GYT -4
dns server-group DefaultDNS
domain-name technetworkz.net
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 rk-network 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm location rk-network 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime none
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.100.100.50-10.100.100.177 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain technetworkz.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username xxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7d1d3e473e79a3ba23e971922bad69d3
LGFW1#
When i forst configured the connection came up and went after 2 mins and never worked again, I can do client to site vpn on both sites and they work just fine just site to site is not working need help thanks in advance.
09-29-2013 07:43 PM
Hi,
Do you use ASDM or use CLI... If you use ASDM - the VPN Site to Site Wizard works great if you are going with Pre-Shared keys... Which you appear you want to do by the config you posted.
I on the other hand am trying to do the same but use self-signed certificates - which I can't seem to do at all. PSK works great.
Chris
09-29-2013 08:12 PM
Could you please post the output of the following debugs when its going down.
debug cry isa 125
debug cry ips 125
Thanks
Jeet Kumar
09-30-2013 04:23 AM
are you getting error message.
please paste the output for
sh cry isa sa
sh cry ipsec sa
09-30-2013 06:52 AM
Hey I used the asa vpn wizard to set this up with preshared keys
09-30-2013 02:10 PM
EDGE-FW1# sh cry isa sa
There are no isakmp sas
EDGE-FW1#
EDGE-FW1#
EDGE-FW1# sh cry ipsec sa
There are no ipsec sas
EDGE-FW1#
09-30-2013 02:54 PM
My first suggestion would be to verify if there is IP connectivity between the tunnel source addresses and the corresponding destination addresses.
My next question is that I see these in the config of site B and do not see corresponding entries at site A. Is this mismatch perhaps a problem?
sysopt connection reclassify-vpn
sysopt connection preserve-vpn-flows
If neither of these provide any improvement then I would suggest running debug crypto isakmp on one (or perhaps both) of the ASA and hope that it will provide some insight into the problem.
HTH
Rick
10-01-2013 05:40 PM
well now i upgraded to asa software and reconfigured everything on both sides from scratch and i got the tunnel up but the problem is that it wont stay up it goes down after a while is like it goes into some kind of idle tiimeout and i i start a continuous ping to a host on the other end it will come up again after a few minutes.
10-02-2013 07:24 AM
I am glad that you got the tunnel to work. Can you be a bit more specific about the timing of when the tunnel seems to go down? Your configuration specifies a timeout of 8 hours for the IPSec Security Association. So 8 hours after the tunnel comes up it would go down. When there is traffic to go through the tunnel it would be brought back up again. So if your tunnel going down is at about 8 hours then this is the expected behavior. If it is something different then we may need to look for other issues.
HTH
Rick
10-02-2013 12:05 PM
I did not get a chance to monitor it fully as yet but it goes down about 30 minutes if there is no traffic passing through as i said i did some reconfigurations so the configs would change. ill repost
10-02-2013 12:13 PM
EDGE-FW1# sh conf
: Saved
: Written by RobertoKippins at 10:01:31.069 UTC Tue Oct 1 2013
!
ASA Version 8.4(1)
!
hostname EDGE-FW1
domain-name technetworkz.net
enable password xxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
name 10.100.100.0 lg-network
name 10.200.200.0 inside-network
!
interface Vlan1
nameif inside
security-level 100
ip address 10.200.200.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name technetworkz.net
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network lg-network
subnet 10.100.100.0 255.255.255.0
object network NETWORK_OBJ_10.200.200.0_24
subnet 10.200.200.0 255.255.255.0
object network NETWORK_OBJ_10.88.88.0_26
subnet 10.88.88.0 255.255.255.192
object-group network DM_INLINE_NETWORK_1
network-object inside-network 255.255.255.0
network-object object NETWORK_OBJ_10.88.88.0_26
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object lg-network
access-list outside_access_in extended permit icmp any any
access-list Kippins-Home_splitTunnelAcl standard permit 10.200.200.0 255.255.255.0
access-list Kippins-Home_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL_1 10.99.99.1-10.99.99.50 mask 255.255.255.0
ip local pool VPN_POOL_2 10.88.88.1-10.88.88.50 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.200.200.0_24 NETWORK_OBJ_10.200.200.0_24 destination static lg-network lg-network
nat (inside,outside) source static NETWORK_OBJ_10.200.200.0_24 NETWORK_OBJ_10.200.200.0_24 destination static NETWORK_OBJ_10.88.88.0_26 NETWORK_OBJ_10.88.88.0_26
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 phase1-mode aggressive
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 1
dhcpd address 10.200.200.20-10.200.200.80 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd domain technetworkz.net interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy Kippins-Home internal
group-policy Kippins-Home attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Kippins-Home_splitTunnelAcl
default-domain value technetworkz.net
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
username xxxxxxxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Kippins-Home type remote-access
tunnel-group Kippins-Home general-attributes
address-pool VPN_POOL_2
default-group-policy Kippins-Home
tunnel-group Kippins-Home ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4b4876355ff4db266ceb76b07e21a04
EDGE-FW1#
10-02-2013 12:17 PM
another question, in this config yo will notice i have 1 site to site vpn and a client to site, it there any way for me to access the remote network at 10.100.100.0 when i connect to the client vpn at 10.88.88.0
10-03-2013 06:38 AM
I have looked at the config that you posted and do not see anything in it that would cause the tunnel to stop working after about 30 minutes. Though I do wonder about this line in the config
crypto map outside_map 1 set ikev1 phase1-mode aggressive
I usually associate aggressive mode more with Remote Access VPN than with site to site VPN. I wonder if this equates to some type of dead peer detection which might impact the VPN.
As far as your other question about being able to access the remote network from your VPN connection, that should be possible. The issue about it is that by default the ASA will not forward a packet out the same interface that it arrived on. So if your VPN client packet came in on the outside interface then the ASA does not want to forward it back out the outside interface, which is what it needs to do if your VPN client is to access the remote network. There is a command that will allow what you want. Try this in global config:
same-security-traffic permit intra-interface
HTH
Rick
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: