VPN site to site on ASA v8.4.4

josue jonathan rivero herrera · ‎07-05-2012

hi,

i try to configure VPN site to site on ASA Version 8.4.4, but all the tests are unreachable the LAN from the LAN (the other side).

i try with the links:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s2.html#wp1487767

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/wizard_vpn.html

but i told them, in every case is unreachable, i see with the show crypto isakmp sa command that tunnel is up but of the show crypto ipsec sa the packet are mismatch (decrypted, encapsu, etc).

TresASA1# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 200.30.30.1

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

---------------------------------------------------

TresASA1# sh ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: 200.20.20.1

access-list outside_cryptomap extended permit ip 172.16.3.0 255.255.255.0 172.16.103.0 255.255.255.0

local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)

current_peer: 200.30.30.1

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 200.20.20.1/0, remote crypto endpt.: 200.30.30.1/0

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: D81B4BDA

current inbound spi : 939049E1

inbound esp sas:

spi: 0x939049E1 (2475706849)

transform: esp-aes esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 8192, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3914998/27755)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000007 0xFFFFFFFF

outbound esp sas:

spi: 0xD81B4BDA (3625667546)

transform: esp-aes esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 8192, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (3915000/27755)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

------ THIS IS MY SHOW RUN------

TresASA1(config)# sh run

: Saved

:

ASA Version 8.4(4)

!

hostname TresASA1

enable password E0HXgOXKEFi9sKqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description LAN Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa844-k8.bin

ftp mode passive

clock timezone UTC -6

clock summer-time UTC-6 recurring 1 Sun Apr 2:00 last Sun Oct 2:00

object network NAT

range 172.16.0.0 172.16.11.254

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object-group network DM_INLINE_NETWORK_1

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

access-list tresaliagroup_splitTunnelAcl standard permit any

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1

pager lines 24

logging enable

logging monitor debugging

logging asdm notifications

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool pooltresalia 192.168.0.1-192.168.0.254 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/3

failover interface ip failover 172.16.10.2 255.255.255.0 standby 172.16.10.3

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

!

object network NAT

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 200.20.20.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.1 1

route inside 172.16.2.0 255.255.255.0 172.16.3.1 1

route inside 172.16.4.0 255.255.255.0 172.16.3.1 1

route inside 172.16.5.0 255.255.255.0 172.16.3.1 1

route inside 172.16.6.0 255.255.255.0 172.16.3.1 1

route inside 172.16.7.0 255.255.255.0 172.16.3.1 1

route inside 172.16.8.0 255.255.255.0 172.16.3.1 1

route inside 172.16.9.0 255.255.255.0 172.16.3.1 1

route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.16.3.18 255.255.255.255 inside

http 172.16.3.19 255.255.255.255 inside

http 172.16.3.20 255.255.255.255 inside

http 172.16.11.24 255.255.255.255 inside

snmp-server group TresaliaGroup1 v3 priv

snmp-server user h01a TresaliaGroup1 v3 encrypted auth md5 91:98:6c:75:4b:70:a0:70:3b:b4:d3:9c:b2:3e:09:3d priv aes 128 1b:fd:94:f2:cc:f9:07:25:a0:f6:03:41:5b:61:9f:61

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 200.30.30.1

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 172.16.3.18 255.255.255.255 inside

ssh 172.16.3.19 255.255.255.255 inside

ssh 172.16.3.20 255.255.255.255 inside

ssh 172.16.3.0 255.255.255.0 inside

ssh 172.16.3.1 255.255.255.255 inside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

vpn-sessiondb max-other-vpn-limit 450

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy GroupPolicy_200.30.30.1 internal

group-policy GroupPolicy_200.30.30.1 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy tresaliagroup internal

group-policy tresaliagroup attributes

dns-server value 200.57.64.85 200.57.64.86

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value tresaliagroup_splitTunnelAcl

group-policy vpngroup1 internal

username h01a password bG23D78KwZ2Ii2Ia encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group tresaliagroup type remote-access

tunnel-group tresaliagroup general-attributes

address-pool pooltresalia

default-group-policy tresaliagroup

tunnel-group tresaliagroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 general-attributes

default-group-policy GroupPolicy_200.30.30.1

tunnel-group 200.30.30.1 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:9a222108420b00a5eda4cc954942656c

: end

----------------------------

The topology is LAN-->TresASA1<-->ISP<--TresASA2<--LAN

some one help me please with examples or notes?

thk and regards!!!

Jennifer Halim · ‎07-05-2012

Your crypto ACL is the other way round, it should have been:

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2

josue jonathan rivero herrera · ‎07-09-2012

hi Jeniffer.

I downgrade to version 8.2(5), now I trouble is of the tunnel is down. :-(, with this configuration I probe same day and the tunnel is up, but now copy and paste the configuration and do not work the tunnel.

hostname TresASA1

enable password cisco

interface eth 0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

no shut

!

interface eth 0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

no shut

interface eth0/5

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat1 extended permit ip object-group net-local object-group net-remote

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.1 1

route inside 172.16.2.0 255.255.255.0 172.16.3.1 1

route inside 172.16.4.0 255.255.255.0 172.16.3.1 1

route inside 172.16.5.0 255.255.255.0 172.16.3.1 1

route inside 172.16.6.0 255.255.255.0 172.16.3.1 1

route inside 172.16.7.0 255.255.255.0 172.16.3.1 1

route inside 172.16.8.0 255.255.255.0 172.16.3.1 1

route inside 172.16.9.0 255.255.255.0 172.16.3.1 1

route inside 172.16.10.0 255.255.255.0 172.16.3.1 1

route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.30.30.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

username ho1a password Tr3s41ia.2012 privilege 15

username cisco password cisco privilege 15

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key cisco

------------------------------------------------------------------------

hostname TresASA2

enable password cisco

interface eth 0/0

nameif inside

security-level 100

ip address 172.16.103.2 255.255.255.0

no shut

!

interface eth 0/1

nameif outside

security-level 0

ip address 200.30.30.1 255.255.255.0

no shut

interface eth0/5

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

object-group network net-local

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-remote

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat1 extended permit ip object-group net-local object-group net-remote

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.1 1

route inside 172.16.100.0 255.255.255.0 172.16.103.2 1

route inside 172.16.101.0 255.255.255.0 172.16.103.2 1

route inside 172.16.102.0 255.255.255.0 172.16.103.2 1

route inside 172.16.103.0 255.255.255.0 172.16.103.2 1

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.20.20.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

username ho1a password Tr3s41ia.2012 privilege 15

username cisco password cisco privilege 15

tunnel-group 200.20.20.1 type ipsec-l2l

tunnel-group 200.20.20.1 ipsec-attributes

pre-shared-key cisco

my topology

do you have links, examples, videos, whatever that help me??

thk so much!!!

Jennifer Halim · ‎07-09-2012

Config looks ok to me, you might want to run some debugs and see where it's failing.

Also what is the output of:

show cry isa sa

show cry ipsec sa

Run the following debugs:

debug cry isa

debug cry ipsec

josue jonathan rivero herrera · ‎07-10-2012

hi Jennifer

this is the show crypto isakmp sa

TresASA2# sh crypto isa

TresASA2# sh crypto isakmp sa

There are no isakmp sas

TresASA2#

---------------------------------------

TresASA1(config)# sh crypto isakmp sa

There are no isakmp sas

TresASA1(config)#

and I enable the debugs that you tell me....

is funny because on TresASA1 I Configure VPN remote and this work fine..... I honestly do not know is what happens with VPN site to site.

Jennifer Halim · ‎07-10-2012

I don't see the vpn remote client configuration on TresASA1, nor there is any ISAKMP SA for the VPN Client, are you sure you have the correct ASA config?

Also what did you try to do to bring up the tunnel? Ping between the 2 LANs? What are you trying to ping/access to and from?

josue jonathan rivero herrera · ‎07-10-2012

excuse me this configuration (VPN remote), I do today :-)

TresASA1(config)# sh run

isakmp policy 20 is superceded by identical policy 1

: Saved

:

ASA Version 8.2(5)

!

hostname TresASA1

enable password E0HXgOXKEFi9sKqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-poolvpn

network-object 192.168.11.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list nonat1 extended permit ip object-group net-local object-group net-remote

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

pager lines 24

logging console debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.1 1

route inside 172.16.2.0 255.255.255.0 172.16.3.1 1

route inside 172.16.4.0 255.255.255.0 172.16.3.1 1

route inside 172.16.5.0 255.255.255.0 172.16.3.1 1

route inside 172.16.6.0 255.255.255.0 172.16.3.1 1

route inside 172.16.7.0 255.255.255.0 172.16.3.1 1

route inside 172.16.8.0 255.255.255.0 172.16.3.1 1

route inside 172.16.9.0 255.255.255.0 172.16.3.1 1

route inside 172.16.10.0 255.255.255.0 172.16.3.1 1

route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.30.30.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns 65535 ipsec-isakmp dynamic dyn_map

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

vpn-sessiondb max-session-limit 450

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

banner value ++++Welcome to Cisco Systems.+++++ PROPIEDAD PRIVADA, CUALQUIER PERSONA AJENA AL CORPORATIVO, SERA CONSIGNADA A LAS AUTORIDADES

dns-server value 200.57.64.85 200.57.64.86

vpn-simultaneous-logins 20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngroup1

default-domain value ad-domain.local

split-dns value ad-domain.local

address-pools value ippool

username ho1a password DXK.iozVseM0AOzr encrypted privilege 15

username ciscouser password z4c9KJvMNAA7soAj encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *****

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:fea2b3d94bac70f546123d723bb6f06a

: end

TresASA1(config)#

TresASA1(config)# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 200.40.40.2

Type : user Role : responder

Rekey : no State : AM_ACTIVE

TresASA1(config)# sh cru

TresASA1(config)# sh cr

TresASA1(config)# sh crypto ipsec sa

interface: outside

Crypto map tag: dyn_map, seq num: 20, local addr: 200.20.20.1

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.11.1/255.255.255.255/0/0)

current_peer: 200.40.40.2, username: cisco

dynamic allocated peer ip: 192.168.11.1

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3

#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 200.20.20.1, remote crypto endpt.: 200.40.40.2

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 4DB45069

current inbound spi : 32CF2413

inbound esp sas:

spi: 0x32CF2413 (852435987)

transform: esp-3des esp-sha-hmac no compression

and the debug commands is ready and yes, try to ping the from LAN TresASA1´s to LAN TresASA2´s.

thk for you help I am stay unattended !!!!

josue jonathan rivero herrera · ‎07-10-2012

hi, I try with this links:

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/A_1276-How-to-configure-Site-to-Site-VPN-on-a-Cisco-ASA.html

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/specs.html

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/site2sit.html#wp1042828

I do not see the difference, is the same configuration in 3 cases

Jennifer Halim · ‎07-11-2012

How did you try to bring up the site-to-site VPN tunnel?

Did you try to ping between the 2 LANs?

Can you advise where you are trying to ping to and from?

josue jonathan rivero herrera · ‎07-11-2012

hi Jennifer

yes yesterday I try from LAN to LAN, but now re-configure the 2 ASA (same configuration copy and paste) and now test the tunnel and both tunnel the TresASA1 is up (site to site and remote), but in TresASA2 don't pass traffic across the tunnel, input the show crypto ipsec sa command and view of the numbers (#pkts encaps: #pkts encrypt: , #pkts digest: 99) mismatch....

the configuration the access-list is:

TresASA1(config)# sh run access-list

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list nonat1 extended permit ip object-group net-local object-group net-remote

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

TresASA1(config)# sh run crypto

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.30.30.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns 65535 ipsec-isakmp dynamic dyn_map

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

TresASA1(config)# sh run tunnel

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *****

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *****

TresASA1(config)# sh run nat

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

TresASA1(config)# sh run global

global (outside) 1 interface

TresASA1(config)#

---------------------------------------

TresASA2(config)# sh run access-list

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat1 extended permit ip object-group net-local object-group net-remote

TresASA2(config)# sh run nat

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

TresASA2(config)# sh run cryt

TresASA2(config)# sh run cryptoi

TresASA2(config)# sh run cryptto

TresASA2(config)# sh run crypto

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.20.20.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

TresASA2(config)# sh run globa

global (outside) 1 interface

TresASA2(config)#

thk!!!

Jennifer Halim · ‎07-11-2012

TresASA2 seems to be OK as you can see the encrypt counters are increasing, that means it is sending the packet towards ASA1, but there is no reply.

What is the corresponding "show cry ipsec sa" on TresASA1?

josue jonathan rivero herrera · ‎07-11-2012

thi is the output:

TresASA1(config)# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 200.30.30.1

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

TresASA1(config)# sh ipse

TresASA1(config)# sh ipsec isa

TresASA1(config)# sh ipsec sa

interface: outside

Crypto map tag: vpns, seq num: 1, local addr: 200.20.20.1

access-list nonat1 extended permit ip 172.16.3.0 255.255.255.0 172.16.103.0 255.255.255.0

local ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)

current_peer: 200.30.30.1

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 200.20.20.1, remote crypto endpt.: 200.30.30.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: CC3779CB

current inbound spi : 5B2A23F8

inbound esp sas:

spi: 0x5B2A23F8 (1529488376)

transform: esp-3des esp-md5-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 49152, crypto-map: vpns

sa timing: remaining key lifetime (kB/sec): (339832/83396)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0xCC3779CB (3426187723)

transform: esp-3des esp-md5-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 49152, crypto-map: vpns

sa timing: remaining key lifetime (kB/sec): (339843/83396)

IV size: 8 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

TresASA1(config)#

regards!!!

Jennifer Halim · ‎07-11-2012

is R2 default route pointing towards ASA1 inside interface?

Looks like there is no reply from the host behind ASA1. Pls make sure that they have route towards the remote LAN subnets, ie: via ASA1 inside interface.