Help with my Cisco ASA VPN config shown below

whiteford (Level 1)

Hi,

Wondered if I could use your knowledge.

Currently I have all my site-to-site VPNs and Cisco Client VPNs coming into a Cisco Concentrator. But now I have these ASAs, and I want to start moving all this over from the Concentrator.

I have managed to move the Cisco Client users over, but I am having a little trouble with a site-to-site. It's only a test at the moment, but I wondered if you can see what I need to add.

Here is the setup:

  LAN                                                              LAN
   |   +-----------+        /-^-^-^-^--\        +-----------+       |
   |---| London    |========| Internet |========| Remote    |-------|
   |   +-----------+Ext     \--v-v-v-v-/     Ext+-----------+       |
 192.168.21.0/24    100.171.156.65     101.149.110.103     172.19.15.0/24
 192.168.20.0/24

The IKE Phase 1 parameters used are:

* Main mode
* AES-256
* SHA
* DH Group 5
* pre-shared secret of "123456789"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used are:

* AES-256
* SHA
* DH Group 5
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying

Trusted networks in London are 192.168.21.0/24 and 192.168.20.0/24 (known as London_VPN_Subnets), and at the remote site the trusted network is 172.19.15.0/24.

The firewall's outside address is 100.x.x.66 and the Internet router is 100.x.x.65.

I have added the following to the config:

access-list inside_outbound_nat0_acl extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
sysopt noproxyarp inside
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! Dynamic map for the remote-access clients; "set pfs" with no group means DH group 2 on the ASA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
! Static entry for the site-to-site test; outside_1_cryptomap is the crypto ACL (not shown here)
crypto map outside_map 1 match address outside_1_cryptomap
! Same default: group 2, whereas the Phase 2 parameters above call for DH group 5
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 101.149.110.103
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
! No "set security-association lifetime seconds 3600" on this entry, so the ASA default (28800) applies
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
! Sends the hostname, not the outside address, as the IKE identity
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Policy 30 matches the stated Phase 1 proposal except for the lifetime (86400 here, 28800 stated)
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 101.149.110.103 type ipsec-l2l
tunnel-group 101.149.110.103 ipsec-attributes
 pre-shared-key 123456789
global (outside) 1 interface
! NAT exemption so traffic to 172.19.15.0/24 is not translated to the outside address before encryption
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.171.156.65

What am I missing? It seems I need a route to contact this remote network, plus some access lists. Any ideas?

I don't want any/many ACEs, as these create 2 unidirectional IPsec SAs; using host-based ACEs is not recommended as these use resources.

Many thanks if you get a chance
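The site-to-site pieces of the config above, rewritten as an added example (not the poster's config or a reply from the thread) so that they actually match the Phase 1 and Phase 2 parameters listed at the top of the post. It assumes the peer is 101.149.110.103 as posted, that the object-group London_VPN_Subnets already holds 192.168.20.0/24 and 192.168.21.0/24, that the ASA runs a pre-8.3 release (the post uses the "nat (inside) 0" syntax), and that the pre-shared key is a placeholder; the posted key 123456789 is far too short for anything beyond a lab test.

```cisco
! Added example, not the poster's config. Assumptions: peer 101.149.110.103,
! object-group London_VPN_Subnets already exists, pre-8.3 ASA release, and a
! placeholder pre-shared key that must be replaced with a long random secret.
!
! --- Phase 1: main mode, AES-256, SHA, DH group 5, 28800 s ---
! Send the outside address as the IKE identity: the tunnel-group below is keyed
! by the peer address, and main-mode PSK lookup is by address on both sides.
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
!
tunnel-group 101.149.110.103 type ipsec-l2l
tunnel-group 101.149.110.103 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! --- Phase 2: ESP AES-256/SHA, PFS with DH group 5, 3600 s ---
! "set pfs" on its own means group 2; a PFS group mismatch fails Quick Mode
! even when Phase 1 completes. Lifetimes do not have to be identical: when
! they differ, the ASA uses the shorter of the two.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list outside_1_cryptomap extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 101.149.110.103
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
!
! --- NAT exemption: tunnel traffic must not be PAT'd to the outside address ---
access-list inside_outbound_nat0_acl extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!
! --- Interface ACL and routing ---
! With this (default-on) setting, decrypted tunnel traffic bypasses the outside
! interface ACL, so no per-subnet ACEs are needed there. Older releases spell
! it "sysopt connection permit-ipsec".
sysopt connection permit-vpn
! No static route for 172.19.15.0/24 is needed: the default route already sends
! packets for the remote LAN out of "outside", where the crypto map matches and
! encrypts them, and it also reaches the peer address itself.
route outside 0.0.0.0 0.0.0.0 100.171.156.65
```

Because London_VPN_Subnets expands to two networks, this crypto map entry negotiates two IPsec SA pairs (one per subnet to 172.19.15.0/24), which is the minimum for the stated trusted networks without collapsing them into an any/any entry.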

2 Replies

andrew.prince (Level 10)

Try adding:

access-list outside_1_cryptomap extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0

My fault, I already have that.

I seem to be getting QM FSM errors on either side too when I do debug crypto ipsec and isakmp.

Is this to do with the protected networks not matching?
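A QM FSM error on an ASA IKEv1 tunnel means the Phase 2 (Quick Mode) negotiation was rejected after Phase 1 had completed; the usual causes are the two peers' crypto ACLs not being exact mirrors of each other, or a transform-set / PFS group mismatch. The remote-side mirror ACL and the commands to check both with, as an added example that is not part of the thread: it assumes the remote device is also an ASA with 101.149.110.103 on its outside interface and a crypto map named outside_map, that London's outside address is 100.171.156.66 (inferred from the post's "100.x.x.66" and the diagram), and that the same ESP-AES-256-SHA transform-set name is used on both sides. On an IOS router the ACL syntax uses wildcard masks instead.

```cisco
! Added example, not from the thread. Assumes the remote peer is an ASA,
! London's outside address is 100.171.156.66, and both sides use the same
! transform-set name.
!
! Remote-side crypto ACL: it must be the exact mirror of outside_1_cryptomap.
! London's object-group expands to two entries, so the remote needs both.
access-list remote_1_cryptomap extended permit ip 172.19.15.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list remote_1_cryptomap extended permit ip 172.19.15.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 1 match address remote_1_cryptomap
crypto map outside_map 1 set peer 100.171.156.66
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set pfs group5
!
! On either side, after sending traffic from a LAN host to the far LAN:
show crypto isakmp sa
!   Phase 1 is up when the peer shows State: MM_ACTIVE. If it never leaves the
!   other MM_* states, the problem is Phase 1 (policy, PSK, identity), not ACLs.
show crypto ipsec sa peer 101.149.110.103
!   Compare the "local ident" / "remote ident" lines with the crypto ACL on the
!   other peer: each ACE (here, one per London subnet) gives one SA pair.
!   #pkts encaps rising while #pkts decaps stays at 0 points at the return
!   path (remote routing or remote NAT exemption), not at this ASA.
!
! Only while reproducing the failure; both debugs are noisy on a busy box:
debug crypto isakmp 127
debug crypto ipsec 127
!   "QM FSM error" next to "All IPSec SA proposals found unacceptable" means
!   the transform-set or PFS group differs. "Rejecting IPSec tunnel: no matching
!   crypto map entry for remote proxy ... local proxy ..." means the ACLs are
!   not mirrors; the proxy IDs printed there are what the other side proposed.
undebug all
!
! Clear the tunnel after changing either side so the new settings are negotiated:
clear crypto isakmp sa
clear crypto ipsec sa peer 101.149.110.103
```

Check the proxy IDs first: a PFS group or transform mismatch produces a clear proposal-rejected message, whereas an ACL that is off by one subnet fails quietly on the side that is the responder and only shows up in its debug as the rejected proxy pair.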
