ASA 8.4 Site-to-Site IPSec Tunnel Just wont come up

ASA 8.4 Site-to-Site IPSec

9 replies to this topic

#1 starbearer

starbearer

    Newbie

  • Members
  • 11 posts

Posted 14 August 2012 - 04:14 AM

Hello All,

I'm trying to set up a Site-to-Site IPSec VPN tunnel between 2 ASAs separated by a router in GNS3, but it just won't come up.

Here's the topology:

I ran 'vpnsetup site-to-site steps'

ASA1(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

	 interface GigabitEthernet0/0
		 ip address 10.10.4.200 255.255.255.0
		 nameif outside
		 no shutdown

	 interface GigabitEthernet0/1
		 ip address 192.168.0.20 255.255.255.0
		 nameif inside
		 no shutdown

2. Configure ISAKMP policy

	 crypto isakmp policy 10
		 authentication pre-share
		 encryption aes
		 hash sha

3. Configure transform-set

	 crypto ipsec transform-set myset esp-aes esp-sha-hmac

4. Configure ACL

	 access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

	 tunnel-group 10.20.20.1 type ipsec-l2l
	 tunnel-group 10.20.20.1 ipsec-attributes
		 pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

	 crypto map mymap 10 match address L2LAccessList
	 crypto map mymap 10 set peer 10.10.4.108
	 crypto map mymap 10 set transform-set myset
	 crypto map mymap 10 set reverse-route
	 crypto map mymap interface outside

7. Enable isakmp on interface

	 crypto isakmp enable outside

I set up everything mentioned in the output above on both ASAs.

ASA1# more system:running-config
Cryptochecksum: 6bd57e83 c1b98027 e30cdba0 1071781d
: Saved
: Written by enable_15 at 17:50:59.289 UTC Mon Aug 13 2012
!
ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list L2LAccessList extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging buffer-size 1048576
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 200.200.200.2
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
ikev1 pre-shared-key P@rtn3rNetw0rk
!
!
prompt hostname context
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:6bd57e83c1b98027e30cdba01071781d
: end

And here's ASA2

ASA2# more system:running-config
Cryptochecksum: f6575487 8a35ee1a f05ecc10 43ed316a
: Saved
: Written by enable_15 at 17:52:57.719 UTC Mon Aug 13 2012
!
ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list L2LAccessList extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 100.100.100.2
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
ikev1 pre-shared-key P@rtn3rNetw0rk
!
!
prompt hostname context
crashinfo save disable
Cryptochecksum:f65754878a35ee1af05ecc1043ed316a
: end


Still nothing.

ASA1# ping
TCP Ping [n]:
Interface: inside
Target IP address: 192.168.20.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA1#
ASA1#
ASA1#
ASA1#
ASA1#
ASA1# sh crypto isa sa

There are no IKEv1 SAs

There are no IKEv2 SAs

Edited by starbearer, 14 August 2012 - 04:16 AM.


#2 MarkinManchester

MarkinManchester

    Village Elder

  • Veterans
  • 3976 posts
  • Gender:Male
  • Location:Manchester

Posted 14 August 2012 - 04:38 AM

You could try this or attempt to debug phase 1 to check for errors? SA is only really any good for phase 2


! ========================================================
! CONFIG FOR: ASA 1 !
! ========================================================



access-list EncryptedTraffic remark ****** Link to ASA 2 ******
access-list EncryptedTraffic extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!
access-list nonat remark ****** NAT ACL ******
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0

!
sysopt connection permit-ipsec
!
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
!
crypto map mymap 1 match address EncryptedTraffic
crypto map mymap 1 set pfs group2
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
!

! ========================================================
! CONFIG FOR: ASA 2 !
! ========================================================



access-list EncryptedTraffic remark ****** Link to ASA 1 ******
access-list EncryptedTraffic extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
access-list nonat remark ****** NAT ACL ******
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0

!
sysopt connection permit-ipsec
!
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
!
crypto map mymap 2 match address EncryptedTraffic
crypto map mymap 2 set pfs group2
crypto map mymap 2 set peer 1.1.1.1
crypto map mymap 2 set transform-set myset
crypto map mymap interface outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco123
isakmp keepalive threshold 10 retry 2
!

#3 starbearer

starbearer

    Newbie

  • Members
  • 11 posts

Posted 14 August 2012 - 05:17 AM

Thanks for your reply, MarkinManchester.

I checked the configs you've given and found that the NAT exempt statement was missing, and also the "sysopt connection permit-ipsec" statement. I've modified the ASA configs as below:

ASA1
ASA1# more system:running-config
Cryptochecksum: 9d9b88c0 ffcf4992 ab9e3f9d 1154270f
: Saved
: Written by enable_15 at 19:13:55.149 UTC Mon Aug 13 2012
!
ASA Version 8.4(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network SITE-A
network-object 192.168.10.0 255.255.255.0
object-group network SITE-B
network-object 192.168.20.0 255.255.255.0
access-list L2LAccessList extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging buffer-size 1048576
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 200.200.200.2
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
ikev1 pre-shared-key P@rtn3rNetw0rk
!
!
prompt hostname context
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:9d9b88c0ffcf4992ab9e3f9d1154270f
: end

ASA2
ASA2# more system:running-config
Cryptochecksum: b27a5ff3 44408692 848d18a5 28f670d3
: Saved
: Written by enable_15 at 19:14:52.009 UTC Mon Aug 13 2012
!
ASA Version 8.4(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network SITE-A
network-object 192.168.10.0 255.255.255.0
object-group network SITE-B
network-object 192.168.20.0 255.255.255.0
access-list L2LAccessList extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static SITE-B SITE-B destination static SITE-A SITE-A
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 100.100.100.2
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
ikev1 pre-shared-key P@rtn3rNetw0rk
!
!
prompt hostname context
no call-home reporting anonymous
crashinfo save disable
Cryptochecksum:b27a5ff344408692848d18a528f670d3
: end

Still no luck.
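Added example, not code from the thread or from Cisco: a small Python checker that parses two ASA 8.4 running-configs and reports the mismatches that commonly keep an IKEv1 L2L tunnel from forming, so the two configs above can be compared mechanically before reaching for debugs. The sample configs are constructed from the addresses and names used in this post (ASA2 is generated as ASA1's mirror image); the checker assumes one crypto map entry per side and object-groups as the NAT objects, and it only understands the handful of commands it needs.

```python
# Added example, not the thread's code: sample configs below are constructed from the posts' addresses.
import re

ASA1_CONFIG = """
 nameif outside
 ip address 100.100.100.2 255.255.255.0
object-group network SITE-A
 network-object 192.168.10.0 255.255.255.0
object-group network SITE-B
 network-object 192.168.20.0 255.255.255.0
access-list L2LAccessList extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 200.200.200.2
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
 ikev1 pre-shared-key P@rtn3rNetw0rk
"""

def _swap(text, pairs):
    table = {k: v for x, y in pairs for k, v in ((x, y), (y, x))}   # swap both ways at once
    return re.sub("|".join(map(re.escape, table)), lambda m: table[m.group(0)], text)

ASA2_CONFIG = _swap(ASA1_CONFIG, [("100.100.100.2", "200.200.200.2"),    # ASA2 = mirror of ASA1
                                  ("192.168.10", "192.168.20"), ("SITE-A", "SITE-B")])

def parse_asa(text):
    """Extract the L2L-relevant pieces of a running-config; indentation is optional."""
    c = {"names": {}, "objs": {}, "acls": {}, "tsets": {}, "maps": {}, "map_if": None,
         "ikev1_if": set(), "policies": {}, "tgs": {}, "nat": []}
    ctx = None   # [kind, name] of the interface / object-group / policy / tunnel-group being read
    for w in (line.split() for line in text.splitlines()):
        if not w or w[0] == "!": continue
        head = " ".join(w[:2])
        if w[0] == "nameif":
            ctx = ["if", w[1]]
        elif ctx and ctx[0] == "if" and head == "ip address":
            c["names"][ctx[1]] = w[2]
        elif head == "object-group network":
            ctx = ["obj", w[2]]; c["objs"][w[2]] = set()
        elif ctx and ctx[0] == "obj" and w[0] == "network-object":
            c["objs"][ctx[1]].add((w[1], w[2]))
        elif w[0] == "access-list" and "permit" in w:   # (src, smask, dst, dmask) after "permit ip"
            c["acls"].setdefault(w[1], set()).add(tuple(w[w.index("permit") + 2:][:4]))
        elif head == "crypto ipsec" and len(w) > 5 and w[3] == "transform-set":
            c["tsets"][w[4]] = tuple(w[5:])
        elif head == "crypto map" and w[3] == "interface":
            c["map_if"] = w[4]
        elif head == "crypto map":
            m = c["maps"].setdefault((w[2], w[3]), {})
            if w[4] == "match": m["acl"] = w[6]
            elif w[5] == "peer": m["peer"] = w[6]
            elif w[5] == "ikev1": m["tset"] = w[7]
        elif head == "crypto ikev1":
            if w[2] == "enable": c["ikev1_if"].add(w[3])
            else: ctx = ["pol", w[3]]; c["policies"][w[3]] = {}
        elif ctx and ctx[0] == "pol" and w[0] in ("authentication", "encryption", "hash", "group"):
            c["policies"][ctx[1]][w[0]] = w[1]
        elif w[0] == "tunnel-group":
            ctx = ["tg", w[1]]; tg = c["tgs"].setdefault(w[1], {})
            if w[2] == "type": tg["type"] = w[3]
        elif ctx and ctx[0] == "tg" and head == "ikev1 pre-shared-key":
            c["tgs"][ctx[1]]["psk"] = w[2]
        elif w[0] == "nat" and len(w) >= 10 and w[3] == "static":   # twice NAT: real/mapped src, real/mapped dst
            c["nat"].append((w[4], w[5], w[8], w[9]))
    return c

def check_side(local, remote):
    """Problems that would keep 'local' from building its L2L tunnel to 'remote'."""
    lm, rm = next(iter(local["maps"].values())), next(iter(remote["maps"].values()))
    tg, rtg = local["tgs"].get(lm.get("peer"), {}), remote["tgs"].get(local["names"].get("outside"), {})
    mine = local["acls"].get(lm.get("acl"), set())
    theirs = {(d, dm, s, sm) for s, sm, d, dm in remote["acls"].get(rm.get("acl"), set())}
    exempt = {(s, d) for a, am, b, bm in local["nat"] if a == am and b == bm   # identity NAT pairs
              for s in local["objs"].get(a, ()) for d in local["objs"].get(b, ())}
    checks = [
        (lm.get("peer") == remote["names"].get("outside"), "peer is not the remote outside address"),
        (tg.get("type") == "ipsec-l2l", "no ipsec-l2l tunnel-group named after the peer"),
        (tg.get("psk") and tg["psk"] == rtg.get("psk"), "pre-shared keys differ"),
        (local["map_if"] in local["ikev1_if"], "ikev1 not enabled on the crypto map interface"),
        (lm.get("tset") and local["tsets"].get(lm["tset"]) == remote["tsets"].get(rm.get("tset")), "transform-sets differ"),
        (any(p in remote["policies"].values() for p in local["policies"].values()), "no matching ikev1 policy"),
        (bool(mine) and mine == theirs, "crypto ACLs are not mirror images"),
        (all(((s, sm), (d, dm)) in exempt for s, sm, d, dm in mine), "crypto ACL traffic lacks an identity NAT exemption"),
    ]
    return [msg for ok, msg in checks if not ok]

def diagnose(a_text, b_text):
    a, b = parse_asa(a_text), parse_asa(b_text)
    return {"ASA1": check_side(a, b), "ASA2": check_side(b, a)}
```

`diagnose(ASA1_CONFIG, ASA2_CONFIG)` returns an empty list for both sides on the configs above; changing one pre-shared key, one hash, or dropping the nat line on one side makes the corresponding message appear. Two caveats: on 8.4 the identity NAT check only matters when other NAT rules would otherwise translate the crypto ACL traffic, and when every check passes but `show crypto isakmp sa` still shows no SA, the crypto configuration is not the problem; the question becomes whether any interesting traffic actually hits the crypto map, which is where the rest of this thread ends up.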

#4 MarkinManchester

MarkinManchester

    Village Elder

  • Veterans
  • 3976 posts
  • Gender:Male
  • Location:Manchester

Posted 14 August 2012 - 07:19 AM

Can you try something like this

Basic VPN template. I have to do these blindfolded now, as it's such a big MO environment and the traffic has to be carried over the live network but has to be invisible.

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key "SomePhraseHere" address x.x.x.x
crypto isakmp keepalive 10
!
crypto ipsec transform-set encr&auth esp-aes esp-sha-hmac
!
crypto map MYMAP local-address FastEthernet0
crypto map MYMAP 10 ipsec-isakmp
set peer x.x.x.x

set security-association lifetime seconds 1800
set transform-set encr&auth
match address MYMAP
!
interface FastEthernet0
description ***OUTSIDE***
ip address x.x.x.220 255.255.255.0
crypto map MYMAP

!
interface FastEthernet1
description *** INSIDE***
ip address x.x.x.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended MYMAP

permit ip x.x.x.0 0.0.0.255 x.x.x.0 0.0.0.255

#5 starbearer

starbearer

    Newbie

  • Members
  • 11 posts

Posted 14 August 2012 - 10:10 PM

Thanks, but isn't the above config from a router? I'm trying to create a tunnel between 2 ASAs.

#6 MarkinManchester

MarkinManchester

    Village Elder

  • Veterans
  • 3976 posts
  • Gender:Male
  • Location:Manchester

Posted 14 August 2012 - 11:50 PM

You are right!! Sorry, it was the result of tequila and beer.

#7 starbearer

starbearer

    Newbie

  • Members
  • 11 posts

Posted 15 August 2012 - 06:03 AM

It was the ASA not allowing its interfaces to be pinged!!!

Full solution here: http://www.networkin...hp?f=35&t=32419

#8 othmanjo

othmanjo

    Member

  • Members
  • 59 posts

Posted 16 August 2012 - 06:09 AM

Hello,

Maybe it's late now, as the tunnel is working after you added hosts on the inside subnet. However, you can still make this work without having the hosts on the inside by adding the command "management-access inside" on both ASAs: you were trying to ping sourced from the inside interface of ASA1 and destined to the inside interface of ASA2, so you need this command to allow the ping across the tunnel.

Hope that helps.

Othman - CCIE #34070

#9 cnxn.cyborg

cnxn.cyborg

    Newbie

  • Members
  • 1 posts

Posted 21 August 2012 - 01:51 AM

Thanks all... I got mine to finally come up too. The only component missing was the inside hosts... I have a friend at Cisco TAC and he said that "ping inside x.x.x.x" should have worked. I am not sure if it is a GNS thing or not. Has anyone used physical ASAs running 8.4 and tried to bring up the tunnel from the inside interface?

#10 mars2020

mars2020

    Newbie

  • Members
  • 1 posts

Posted 25 April 2013 - 06:48 AM

Hello

cnxn.cyborg:

I have the very same problem you have now... I'm trying to configure a site-to-site VPN on 2 ASA 5520s with 8.4(2) in GNS3 and for the life of me I haven't been able to. I've tried everything and no longer know what to do, and it's a final practical assignment I have to hand in. Please, if you managed to solve your problem, I'd appreciate a hand.

Thanks in advance.