VPN IPSEC Lan to Lan ASA 5505!

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • VPN IPSEC Lan to Lan ASA 5505!

    Hello,

    I have a problem creating an IPsec LAN-to-LAN VPN between two Cisco ASA 5505s.

    I tested the VPN in the lab without success.

    With a "show crypto isakmp sa": There are no isakmp sas.

    Maybe it is a license question:
    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : 10
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0
    Advanced Endpoint Assessment : Disabled


    thank you for your help, this is very important!

    My first config file:

    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password * encrypted
    passwd *encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.101.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.16.1.2 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list inside_nat0_outbound extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.101.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 172.16.1.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.101.0 255.255.255.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 0
    management-access inside

    username * encrypted
    tunnel-group 172.16.1.1 type ipsec-l2l
    tunnel-group 172.16.1.1 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    : end


    My second config file:

    ASA Version 7.2(4)
    !
    hostname asa1
    domain-name default.domain.invalid
    enable password * encrypted
    passwd * encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.246 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer 172.16.1.2
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 50
    ssh version 2
    console timeout 0
    management-access inside

    username * encrypted
    tunnel-group 172.16.1.2 type ipsec-l2l
    tunnel-group 172.16.1.2 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    : end

    thank you for your help, this is very important.

  • #2
    Re: VPN IPSEC Lan to Lan ASA 5505!

    What do the debugs show?
    I can't see anything wrong off the top of my head.
    Have you sent interesting traffic along?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: VPN IPSEC Lan to Lan ASA 5505!

      The debug "debug crypto isakmp sa" shows nothing, and "show crypto isakmp sa" reports "There are no isakmp sas".

      The vpn light on the asa is off.

      I don't understand!



      • #4
        Re: VPN IPSEC Lan to Lan ASA 5505!

        I'm far from a VPN specialist on Cisco, but you might review the following articles:
        http://www.cisco.com/en/US/products/...805e8c80.shtml
        http://www.cisco.com/en/US/products/...80950890.shtml
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: VPN IPSEC Lan to Lan ASA 5505!

          It doesn't come on unless the tunnel is up.
          Have you tried a device at both ends and sent interesting traffic between these hosts? You can ping from the ASA to the other side as traffic has to originate (shall we say in this instance) from the network beyond the inside interface.
          cheers
          Andy

          Please read this before you post:


          Quis custodiet ipsos custodes?



          • #6
            Re: VPN IPSEC Lan to Lan ASA 5505!

            My tunnel is up! I added a static route on both sides of the network.

            But now I can ping, but I can't access a shared folder. Any idea?

            Thank you!



            • #7
              Re: VPN IPSEC Lan to Lan ASA 5505!

              where did you put the static routes?
              What else is involved that we don't know about?
              Is there a firewall on the sharing hosts for example?
              Does name resolution work? There is no restriction on your firewalls for this traffic, so they should allow it to work, implying the problem is elsewhere.
              cheers
              Andy

              Please read this before you post:


              Quis custodiet ipsos custodes?



              • #8
                Re: VPN IPSEC Lan to Lan ASA 5505!

                This is a lab test. My two ASA 5505s are directly connected on the outside interface. I have upgraded the ASA OS. I can ping and transfer data. The tunnel is up.

                How can I know if my packets are encrypted?
                If I want to access a shared folder on Windows, I do: START > execute > \\ip_address (for instance), but it doesn't work. Why?

                Thank you


                ASA1 New config:
                ASA Version 8.0(2)
                !
                hostname ciscoasa
                enable password * encrypted
                names
                !
                interface Vlan1
                nameif inside
                security-level 100
                ip address 10.2.2.1 255.255.255.0
                !
                interface Vlan2
                nameif outside
                security-level 0
                ip address 172.16.1.1 255.255.255.0
                !
                interface Ethernet0/0
                switchport access vlan 2
                !
                interface Ethernet0/1
                !
                interface Ethernet0/2
                !
                interface Ethernet0/3
                !
                interface Ethernet0/4
                !
                interface Ethernet0/5
                !
                interface Ethernet0/6
                !
                interface Ethernet0/7
                !
                passwd * encrypted
                boot system disk0:/asa802-k8.bin
                ftp mode passive
                access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
                access-list outside_1_cryptomap extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
                access-list outside_access_in extended permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
                pager lines 24
                logging enable
                logging asdm informational
                mtu inside 1500
                mtu outside 1500
                icmp unreachable rate-limit 1 burst-size 1
                asdm image disk0:/asdm-602.bin
                no asdm history enable
                arp timeout 14400
                global (outside) 1 interface
                nat (inside) 0 access-list inside_nat0_outbound
                nat (inside) 1 0.0.0.0 0.0.0.0
                access-group outside_access_in in interface outside
                route outside 10.1.1.0 255.255.255.0 172.16.1.2 1
                timeout xlate 3:00:00
                timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                timeout uauth 0:05:00 absolute
                dynamic-access-policy-record DfltAccessPolicy
                http server enable
                http 10.2.2.0 255.255.255.0 inside
                no snmp-server location
                no snmp-server contact
                snmp-server enable traps snmp authentication linkup linkdown coldstart
                crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
                crypto map outside_map 1 match address outside_1_cryptomap
                crypto map outside_map 1 set pfs
                crypto map outside_map 1 set peer 172.16.1.2
                crypto map outside_map 1 set transform-set ESP-3DES-SHA
                crypto map outside_map interface outside
                crypto isakmp enable outside
                crypto isakmp policy 10
                authentication pre-share
                encryption 3des
                hash sha
                group 2
                lifetime 86400
                telnet timeout 5
                ssh timeout 5
                console timeout 0

                threat-detection basic-threat
                threat-detection statistics access-list
                !
                class-map inspection_default
                match default-inspection-traffic
                !
                !
                policy-map type inspect dns preset_dns_map
                parameters
                message-length maximum 512
                policy-map global_policy
                class inspection_default
                inspect dns preset_dns_map
                inspect ftp
                inspect h323 h225
                inspect h323 ras
                inspect rsh
                inspect rtsp
                inspect esmtp
                inspect sqlnet
                inspect skinny
                inspect sunrpc
                inspect xdmcp
                inspect sip
                inspect netbios
                inspect tftp
                !
                service-policy global_policy global
                tunnel-group 172.16.1.2 type ipsec-l2l
                tunnel-group 172.16.1.2 ipsec-attributes
                pre-shared-key *
                prompt hostname context
                : end

                ASA2:
                ASA Version 8.0(2)
                !
                hostname cisco2
                enable password * encrypted
                names
                !
                interface Vlan1
                nameif inside
                security-level 100
                ip address 10.1.1.1 255.255.255.0
                !
                interface Vlan2
                nameif outside
                security-level 0
                ip address 172.16.1.2 255.255.255.0
                !
                interface Ethernet0/0
                switchport access vlan 2
                !
                interface Ethernet0/1
                !
                interface Ethernet0/2
                !
                interface Ethernet0/3
                !
                interface Ethernet0/4
                !
                interface Ethernet0/5
                !
                interface Ethernet0/6
                !
                interface Ethernet0/7
                !
                passwd * encrypted
                boot system disk0:/asa802-k8.bin
                ftp mode passive
                access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
                access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
                access-list outside_access_in extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
                pager lines 24
                logging enable
                logging asdm informational
                mtu inside 1500
                mtu outside 1500
                icmp unreachable rate-limit 1 burst-size 1
                asdm image disk0:/asdm-602.bin
                no asdm history enable
                arp timeout 14400
                global (outside) 1 interface
                nat (inside) 0 access-list inside_nat0_outbound
                nat (inside) 1 0.0.0.0 0.0.0.0
                access-group outside_access_in in interface outside
                route outside 10.2.2.0 255.255.255.0 172.16.1.1 1
                timeout xlate 3:00:00
                timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
                timeout uauth 0:05:00 absolute
                dynamic-access-policy-record DfltAccessPolicy
                http server enable
                http 10.1.1.0 255.255.255.0 inside
                no snmp-server location
                no snmp-server contact
                snmp-server enable traps snmp authentication linkup linkdown coldstart
                crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
                crypto map outside_map 1 match address outside_1_cryptomap
                crypto map outside_map 1 set pfs
                crypto map outside_map 1 set peer 172.16.1.1
                crypto map outside_map 1 set transform-set ESP-3DES-SHA
                crypto map outside_map interface outside
                crypto isakmp enable outside
                crypto isakmp policy 10
                authentication pre-share
                encryption 3des
                hash sha
                group 2
                lifetime 86400
                telnet timeout 5
                ssh timeout 5
                console timeout 0

                threat-detection basic-threat
                threat-detection statistics access-list
                !
                class-map inspection_default
                match default-inspection-traffic
                !
                !
                policy-map type inspect dns preset_dns_map
                parameters
                message-length maximum 512
                policy-map global_policy
                class inspection_default
                inspect dns preset_dns_map
                inspect ftp
                inspect h323 h225
                inspect h323 ras
                inspect rsh
                inspect rtsp
                inspect esmtp
                inspect sqlnet
                inspect skinny
                inspect sunrpc
                inspect xdmcp
                inspect sip
                inspect netbios
                inspect tftp
                !
                service-policy global_policy global
                tunnel-group 172.16.1.1 type ipsec-l2l
                tunnel-group 172.16.1.1 ipsec-attributes
                pre-shared-key *
                prompt hostname context

                I added a static route and an access-list on both ASAs, and "crypto isakmp nat-traversal" because the configuration initially had "no crypto isakmp nat-traversal":
                ASA1:route outside 10.1.1.0 255.255.255.0 172.16.1.2 1
                access-list outside_access_in extended permit ip 172.16.1.0 255.255.255.0 10.2.2.0 255.255.255.0
                access-group outside_access_in in interface outside

                ASA2:route outside 10.2.2.0 255.255.255.0 172.16.1.1 1
                access-list outside_access_in extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
                access-group outside_access_in in interface outside
