07-05-2012 05:13 PM
hi,
I am trying to configure a site-to-site VPN on ASA version 8.4.4, but in all my tests the LAN is unreachable from the LAN on the other side.
I tried with these links:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s2.html#wp1487767
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/wizard_vpn.html
but I followed them and in every case it is unreachable. With the show crypto isakmp sa command I see that the tunnel is up, but in show crypto ipsec sa the packet counters are mismatched (decrypt, encaps, etc.).
TresASA1# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 200.30.30.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
---------------------------------------------------
TresASA1# sh ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 200.20.20.1
access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 172.16.103.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
current_peer: 200.30.30.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.20.20.1/0, remote crypto endpt.: 200.30.30.1/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D81B4BDA
current inbound spi : 939049E1
inbound esp sas:
spi: 0x939049E1 (2475706849)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914998/27755)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000007 0xFFFFFFFF
outbound esp sas:
spi: 0xD81B4BDA (3625667546)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27755)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
------ THIS IS MY SHOW RUN------
TresASA1(config)# sh run
: Saved
:
ASA Version 8.4(4)
!
hostname TresASA1
enable password E0HXgOXKEFi9sKqd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 200.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa844-k8.bin
ftp mode passive
clock timezone UTC -6
clock summer-time UTC-6 recurring 1 Sun Apr 2:00 last Sun Oct 2:00
object network NAT
range 172.16.0.0 172.16.11.254
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
access-list tresaliagroup_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging monitor debugging
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool pooltresalia 192.168.0.1-192.168.0.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover interface ip failover 172.16.10.2 255.255.255.0 standby 172.16.10.3
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
!
object network NAT
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.1 1
route inside 172.16.2.0 255.255.255.0 172.16.3.1 1
route inside 172.16.4.0 255.255.255.0 172.16.3.1 1
route inside 172.16.5.0 255.255.255.0 172.16.3.1 1
route inside 172.16.6.0 255.255.255.0 172.16.3.1 1
route inside 172.16.7.0 255.255.255.0 172.16.3.1 1
route inside 172.16.8.0 255.255.255.0 172.16.3.1 1
route inside 172.16.9.0 255.255.255.0 172.16.3.1 1
route inside 172.16.11.0 255.255.255.0 172.16.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.3.18 255.255.255.255 inside
http 172.16.3.19 255.255.255.255 inside
http 172.16.3.20 255.255.255.255 inside
http 172.16.11.24 255.255.255.255 inside
snmp-server group TresaliaGroup1 v3 priv
snmp-server user h01a TresaliaGroup1 v3 encrypted auth md5 91:98:6c:75:4b:70:a0:70:3b:b4:d3:9c:b2:3e:09:3d priv aes 128 1b:fd:94:f2:cc:f9:07:25:a0:f6:03:41:5b:61:9f:61
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 200.30.30.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.16.3.18 255.255.255.255 inside
ssh 172.16.3.19 255.255.255.255 inside
ssh 172.16.3.20 255.255.255.255 inside
ssh 172.16.3.0 255.255.255.0 inside
ssh 172.16.3.1 255.255.255.255 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-sessiondb max-other-vpn-limit 450
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy GroupPolicy_200.30.30.1 internal
group-policy GroupPolicy_200.30.30.1 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy tresaliagroup internal
group-policy tresaliagroup attributes
dns-server value 200.57.64.85 200.57.64.86
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tresaliagroup_splitTunnelAcl
group-policy vpngroup1 internal
username h01a password bG23D78KwZ2Ii2Ia encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group tresaliagroup type remote-access
tunnel-group tresaliagroup general-attributes
address-pool pooltresalia
default-group-policy tresaliagroup
tunnel-group tresaliagroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 general-attributes
default-group-policy GroupPolicy_200.30.30.1
tunnel-group 200.30.30.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9a222108420b00a5eda4cc954942656c
: end
----------------------------
The topology is LAN-->TresASA1<-->ISP<--TresASA2<--LAN
Can someone please help me with examples or notes?
Thanks and regards!!!
07-05-2012 08:21 PM
Your crypto ACL is the other way round, it should have been:
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
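The reply above points at the crypto ACL being written remote-to-local instead of local-to-remote. The script below is an added example, not code from the thread or from Cisco: it expands an ASA crypto ACL through its `object-group network` definitions into (source, destination) subnet pairs, reports whether every entry is oriented local-to-remote, and checks that the peer's crypto ACL is the exact mirror image. The subnets and ACL lines are taken from the thread's configs; the config text is reassembled here, and the function names (`crypto_acl_pairs`, `orientation`, `mirrors`) are this example's own.

```python
"""Added example: check the direction of an ASA crypto ACL and whether the
peer's crypto ACL mirrors it. Subnets and ACL lines come from the thread;
the config text is reassembled and the functions are constructed here."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]


def object_group(name: str, nets: List[str]) -> str:
    """Render an 'object-group network' block in ASA config syntax."""
    return f"object-group network {name}\n" + "".join(f" network-object {n}\n" for n in nets)


# Site 1 (TresASA1) is 172.16.0-9/24 and 172.16.11/24; site 2 (TresASA2) is 172.16.100-103/24.
SITE1_NETS = [f"172.16.{n}.0 255.255.255.0" for n in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11)]
SITE2_NETS = [f"172.16.{n}.0 255.255.255.0" for n in (100, 101, 102, 103)]

ASA1_GROUPS = object_group("DM_INLINE_NETWORK_1", SITE1_NETS) + object_group("DM_INLINE_NETWORK_2", SITE2_NETS)
# The ACL as posted (remote -> local) and as corrected in the reply (local -> remote).
ASA1_REVERSED = ASA1_GROUPS + "access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1\n"
ASA1_FIXED = ASA1_GROUPS + "access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2\n"
# Peer side: its 'net-local' is site 2 and its 'net-remote' is site 1.
ASA2_CONFIG = (object_group("net-local", SITE2_NETS) + object_group("net-remote", SITE1_NETS)
               + "access-list nonat1 extended permit ip object-group net-local object-group net-remote\n")


def parse_object_groups(config: str) -> Dict[str, List[Net]]:
    """Collect 'object-group network' blocks into name -> list of subnets."""
    groups: Dict[str, List[Net]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current is not None:
            net = Net(f"{m.group(2)}/32") if m.group(1) == "host" else Net(f"{m.group(1)}/{m.group(2)}")
            groups[current].append(net)
    return groups


def _operand(tokens: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Consume one address operand of an extended ACE; return (networks, next index)."""
    tok = tokens[i]
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    if tok == "host":
        return [Net(f"{tokens[i + 1]}/32")], i + 2
    if tok == "any":
        return [Net("0.0.0.0/0")], i + 1
    return [Net(f"{tok}/{tokens[i + 1]}")], i + 2


def crypto_acl_pairs(config: str, acl_name: str) -> Set[Pair]:
    """Expand every 'permit ip' ACE of the named ACL into (src, dst) subnet pairs."""
    groups = parse_object_groups(config)
    pairs: Set[Pair] = set()
    for raw in config.splitlines():
        t = raw.split()
        if t[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        srcs, i = _operand(t, 5, groups)
        dsts, _ = _operand(t, i, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def orientation(pairs: Set[Pair], local_nets: Set[Net]) -> str:
    """'ok' if every ACE is local->remote, 'reversed' if every ACE is remote->local."""
    src_local = {s in local_nets for s, _ in pairs}
    dst_local = {d in local_nets for _, d in pairs}
    if src_local == {True} and dst_local == {False}:
        return "ok"
    if src_local == {False} and dst_local == {True}:
        return "reversed"
    return "mixed"


def mirrors(local_pairs: Set[Pair], peer_pairs: Set[Pair]) -> bool:
    """The peer's crypto ACL must be the exact mirror image (dst, src) of ours."""
    return {(d, s) for s, d in peer_pairs} == local_pairs


if __name__ == "__main__":
    site1 = set(parse_object_groups(ASA1_FIXED)["DM_INLINE_NETWORK_1"])
    peer = crypto_acl_pairs(ASA2_CONFIG, "nonat1")
    for label, cfg in (("as posted", ASA1_REVERSED), ("corrected", ASA1_FIXED)):
        mine = crypto_acl_pairs(cfg, "outside_cryptomap")
        print(f"{label}: orientation={orientation(mine, site1)}, mirrors peer={mirrors(mine, peer)}")
```

Run against the posted ACL it reports `reversed` and no mirror match; with the corrected line it reports `ok` and a mirror match against TresASA2's `nonat1`. A reversed crypto ACL is exactly the situation where the IKE SA comes up (the peer initiates) but outbound interesting traffic never matches the crypto map, which is why the encaps counters stay at zero.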
07-09-2012 02:21 PM
hi Jennifer.
I downgraded to version 8.2(5); now my trouble is that the tunnel is down. :-( With this configuration I tested the same day and the tunnel was up, but now I copy and paste the configuration and the tunnel does not work.
hostname TresASA1
enable password cisco
interface eth 0/0
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
no shut
!
interface eth 0/1
nameif outside
security-level 0
ip address 200.20.20.1 255.255.255.0
no shut
interface eth0/5
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
object-group network net-local
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
object-group network net-remote
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat1 extended permit ip object-group net-local object-group net-remote
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.1 1
route inside 172.16.2.0 255.255.255.0 172.16.3.1 1
route inside 172.16.4.0 255.255.255.0 172.16.3.1 1
route inside 172.16.5.0 255.255.255.0 172.16.3.1 1
route inside 172.16.6.0 255.255.255.0 172.16.3.1 1
route inside 172.16.7.0 255.255.255.0 172.16.3.1 1
route inside 172.16.8.0 255.255.255.0 172.16.3.1 1
route inside 172.16.9.0 255.255.255.0 172.16.3.1 1
route inside 172.16.10.0 255.255.255.0 172.16.3.1 1
route inside 172.16.11.0 255.255.255.0 172.16.3.1 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
username ho1a password Tr3s41ia.2012 privilege 15
username cisco password cisco privilege 15
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key cisco
------------------------------------------------------------------------
hostname TresASA2
enable password cisco
interface eth 0/0
nameif inside
security-level 100
ip address 172.16.103.2 255.255.255.0
no shut
!
interface eth 0/1
nameif outside
security-level 0
ip address 200.30.30.1 255.255.255.0
no shut
interface eth0/5
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
object-group network net-local
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-remote
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat1 extended permit ip object-group net-local object-group net-remote
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
route inside 172.16.100.0 255.255.255.0 172.16.103.2 1
route inside 172.16.101.0 255.255.255.0 172.16.103.2 1
route inside 172.16.102.0 255.255.255.0 172.16.103.2 1
route inside 172.16.103.0 255.255.255.0 172.16.103.2 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
username ho1a password Tr3s41ia.2012 privilege 15
username cisco password cisco privilege 15
tunnel-group 200.20.20.1 type ipsec-l2l
tunnel-group 200.20.20.1 ipsec-attributes
pre-shared-key cisco
my topology
Do you have links, examples, videos, whatever that can help me??
Thanks so much!!!
07-09-2012 07:56 PM
Config looks ok to me, you might want to run some debugs and see where it's failing.
Also what is the output of:
show cry isa sa
show cry ipsec sa
Run the following debugs:
debug cry isa
debug cry ipsec
07-10-2012 12:49 AM
hi Jennifer
this is the show crypto isakmp sa
TresASA2# sh crypto isa
TresASA2# sh crypto isakmp sa
There are no isakmp sas
TresASA2#
---------------------------------------
TresASA1(config)# sh crypto isakmp sa
There are no isakmp sas
TresASA1(config)#
and I enabled the debugs that you told me....
It is funny because on TresASA1 I configured a remote-access VPN and this works fine..... I honestly do not know what happens with the site-to-site VPN.
07-10-2012 01:26 AM
I don't see the VPN remote client configuration on TresASA1, nor is there any ISAKMP SA for the VPN Client; are you sure you have the correct ASA config?
Also what did you try to do to bring up the tunnel? Ping between the 2 LANs? What are you trying to ping/access to and from?
07-10-2012 08:17 AM
excuse me, this configuration (remote VPN) I did today :-)
TresASA1(config)# sh run
isakmp policy 20 is superceded by identical policy 1
: Saved
:
ASA Version 8.2(5)
!
hostname TresASA1
enable password E0HXgOXKEFi9sKqd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 200.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group network net-local
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
object-group network net-remote
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
network-object 192.168.11.0 255.255.255.0
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
pager lines 24
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.1 1
route inside 172.16.2.0 255.255.255.0 172.16.3.1 1
route inside 172.16.4.0 255.255.255.0 172.16.3.1 1
route inside 172.16.5.0 255.255.255.0 172.16.3.1 1
route inside 172.16.6.0 255.255.255.0 172.16.3.1 1
route inside 172.16.7.0 255.255.255.0 172.16.3.1 1
route inside 172.16.8.0 255.255.255.0 172.16.3.1 1
route inside 172.16.9.0 255.255.255.0 172.16.3.1 1
route inside 172.16.10.0 255.255.255.0 172.16.3.1 1
route inside 172.16.11.0 255.255.255.0 172.16.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
vpn-sessiondb max-session-limit 450
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
banner value ++++Welcome to Cisco Systems.+++++ PROPIEDAD PRIVADA, CUALQUIER PERSONA AJENA AL CORPORATIVO, SERA CONSIGNADA A LAS AUTORIDADES
dns-server value 200.57.64.85 200.57.64.86
vpn-simultaneous-logins 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngroup1
default-domain value ad-domain.local
split-dns value ad-domain.local
address-pools value ippool
username ho1a password DXK.iozVseM0AOzr encrypted privilege 15
username ciscouser password z4c9KJvMNAA7soAj encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key *****
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fea2b3d94bac70f546123d723bb6f06a
: end
TresASA1(config)#
TresASA1(config)# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 200.40.40.2
Type : user Role : responder
Rekey : no State : AM_ACTIVE
TresASA1(config)# sh cru
TresASA1(config)# sh cr
TresASA1(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: dyn_map, seq num: 20, local addr: 200.20.20.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.1/255.255.255.255/0/0)
current_peer: 200.40.40.2, username: cisco
dynamic allocated peer ip: 192.168.11.1
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.20.20.1, remote crypto endpt.: 200.40.40.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4DB45069
current inbound spi : 32CF2413
inbound esp sas:
spi: 0x32CF2413 (852435987)
transform: esp-3des esp-sha-hmac no compression
and the debug commands are ready, and yes, I try to ping from TresASA1's LAN to TresASA2's LAN.
Thanks for your help, I am still unattended!!!!
07-10-2012 11:11 AM
hi, I tried these links:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/specs.html
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/site2sit.html#wp1042828
I do not see the difference; it is the same configuration in all 3 cases.
07-11-2012 06:59 AM
How did you try to bring up the site-to-site VPN tunnel?
Did you try to ping between the 2 LANs?
Can you advise where you are trying to ping to and from?
07-11-2012 08:14 AM
hi Jennifer
yes, yesterday I tried from LAN to LAN, but now I re-configured the 2 ASAs (same configuration, copy and paste) and tested the tunnel again. On TresASA1 both tunnels are up (site-to-site and remote), but on TresASA2 traffic does not pass across the tunnel; I entered the show crypto ipsec sa command and see that the numbers (#pkts encaps: #pkts encrypt: , #pkts digest: 99) are mismatched....
The access-list configuration is:
TresASA1(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
TresASA1(config)# sh run crypto
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
TresASA1(config)# sh run tunnel
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key *****
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *****
TresASA1(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
TresASA1(config)# sh run global
global (outside) 1 interface
TresASA1(config)#
---------------------------------------
TresASA2(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat1 extended permit ip object-group net-local object-group net-remote
TresASA2(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
TresASA2(config)# sh run cryt
TresASA2(config)# sh run cryptoi
TresASA2(config)# sh run cryptto
TresASA2(config)# sh run crypto
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
TresASA2(config)# sh run globa
global (outside) 1 interface
TresASA2(config)#
Thanks!!!
07-11-2012 08:21 AM
TresASA2 seems to be OK; as you can see, the encrypt counters are increasing, which means it is sending the packets towards ASA1, but there is no reply.
What is the corresponding "show cry ipsec sa" on TresASA1?
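The diagnosis in this reply rests on reading the per-SA counters: encaps/encrypt count packets this ASA sent into the tunnel, decaps/decrypt count packets received from the peer. The script below is an added example, not part of the thread or of any Cisco tool: it parses `show crypto ipsec sa` output into one record per crypto-map entry, classifies each SA as bidirectional, receive-only, send-only or idle, and attaches the check a defender would run next. The sample output is constructed from the counters posted in the thread (the TresASA1 site-to-site SA with encaps 0 / decaps 104, and the remote-access SA with 3 / 3); the function names `parse_ipsec_sa`, `classify` and `report` are this example's own.

```python
"""Added example: read 'show crypto ipsec sa' output and classify each SA by
its packet counters. The sample output is constructed from counters posted in
the thread; the functions and names are this example's own."""
import re
from typing import Dict, List

# Constructed sample: a site-to-site SA that only decrypts (TresASA1's output in
# the thread) followed by a remote-access SA that passes traffic both ways.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: vpns, seq num: 1, local addr: 200.20.20.1

      access-list nonat1 extended permit ip 172.16.3.0 255.255.255.0 172.16.103.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
      current_peer: 200.30.30.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
      #send errors: 0, #recv errors: 0

    Crypto map tag: dyn_map, seq num: 20, local addr: 200.20.20.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.11.1/255.255.255.255/0/0)
      current_peer: 200.40.40.2, username: cisco

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #send errors: 0, #recv errors: 0
"""

FIELDS = {
    "map": re.compile(r"Crypto map tag: (\S+), seq num: (\d+)"),
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "peer": re.compile(r"current_peer: ([\d.]+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "errors": re.compile(r"#send errors: (\d+), #recv errors: (\d+)"),
}


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split the output into one record per 'Crypto map tag' block."""
    sas: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = FIELDS["map"].search(line)
        if m:
            sas.append({"map": m.group(1), "seq": int(m.group(2))})
            continue
        if not sas:
            continue  # header lines before the first SA
        cur = sas[-1]
        for key in ("local_ident", "remote_ident", "peer"):
            m = FIELDS[key].search(line)
            if m:
                cur[key] = m.group(1)
        for key in ("encaps", "decaps"):
            m = FIELDS[key].search(line)
            if m:
                cur[key] = int(m.group(1))
        m = FIELDS["errors"].search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def classify(sa: Dict[str, object]) -> str:
    """Direction of traffic seen on this SA, from the encaps/decaps counters."""
    tx, rx = int(sa.get("encaps", 0)), int(sa.get("decaps", 0))
    if tx and rx:
        return "bidirectional"
    if rx and not tx:
        return "receive-only"
    if tx and not rx:
        return "send-only"
    return "idle"


HINTS = {
    "bidirectional": "traffic flows both ways; look elsewhere (host firewall, application).",
    "receive-only": "peer traffic arrives and decrypts, but nothing local is encrypted back: "
                    "check that inside hosts route replies via this ASA, that the crypto ACL "
                    "is local->remote, and that the NAT exemption matches.",
    "send-only": "we encrypt but never receive: the peer is not replying; check the peer's "
                 "counters, crypto ACL and routing.",
    "idle": "no interesting traffic has matched the crypto ACL yet.",
}


def report(text: str) -> List[str]:
    """One diagnostic line per SA, suitable for a ticket or a monitoring check."""
    lines = []
    for sa in parse_ipsec_sa(text):
        verdict = classify(sa)
        lines.append(f"{sa['map']}:{sa['seq']} peer={sa.get('peer')} "
                     f"{sa.get('local_ident')} -> {sa.get('remote_ident')} "
                     f"encaps={sa.get('encaps')} decaps={sa.get('decaps')} "
                     f"[{verdict}] {HINTS[verdict]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

On the thread's output the site-to-site SA comes out `receive-only`: TresASA2's pings are decrypted on TresASA1, but no reply ever reaches TresASA1's crypto map, so the problem is on the return path behind TresASA1 (routing or NAT exemption), not in IKE.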
07-11-2012 08:26 AM
this is the output:
TresASA1(config)# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 200.30.30.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
TresASA1(config)# sh ipse
TresASA1(config)# sh ipsec isa
TresASA1(config)# sh ipsec sa
interface: outside
Crypto map tag: vpns, seq num: 1, local addr: 200.20.20.1
access-list nonat1 extended permit ip 172.16.3.0 255.255.255.0 172.16.103.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
current_peer: 200.30.30.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.20.20.1, remote crypto endpt.: 200.30.30.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: CC3779CB
current inbound spi : 5B2A23F8
inbound esp sas:
spi: 0x5B2A23F8 (1529488376)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 49152, crypto-map: vpns
sa timing: remaining key lifetime (kB/sec): (339832/83396)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCC3779CB (3426187723)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 49152, crypto-map: vpns
sa timing: remaining key lifetime (kB/sec): (339843/83396)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
TresASA1(config)#
regards!!!
07-11-2012 10:51 PM
Is R2's default route pointing towards ASA1's inside interface?
Looks like there is no reply from the host behind ASA1. Please make sure that they have a route towards the remote LAN subnets, i.e. via ASA1's inside interface.