ASA IPSec VPN issue

  • ASA IPSec VPN issue

    Hi all, my LANs can't ping each other. I have established a site-to-site IPsec VPN; can anyone find out why there is no reachability between the LANs?
    Thanks in advance. This is the scenario.

    LAN A------ASA1-----------ASA2-------LAN B

    ASA1
    ------
    ASA Version 8.0(2)
    !
    hostname ASA1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.252.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list 101 extended permit icmp any interface outside echo-reply
    access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list nat extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nat
    nat (inside) 1 192.168.1.0 255.255.255.0
    access-group 101 in interface outside
    route outside 172.16.1.0 255.255.255.0 10.1.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac
    crypto map level_map 10 match address vpn
    crypto map level_map 10 set peer 10.1.1.2
    crypto map level_map interface outside
    crypto map leve_map 10 set transform-set leve_set
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    tunnel-group 10.1.1.2 type ipsec-l2l
    tunnel-group 10.1.1.2 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    ASA2
    ------

    ASA Version 8.0(2)
    !
    hostname ASA2
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.1.1.2 255.255.252.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list 101 extended permit icmp any interface outside echo-reply
    access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nat extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nat
    nat (inside) 1 172.16.1.0 255.255.255.0
    access-group 101 in interface outside
    route outside 192.168.1.0 255.255.255.0 10.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set leve_set esp-aes-256 esp-sha-hmac
    crypto map leve_map 10 match address vpn
    crypto map leve_map 10 set peer 10.1.1.1
    crypto map leve_map 10 set transform-set leve_set
    crypto map leve_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    tunnel-group 10.1.1.1 type ipsec-l2l
    tunnel-group 10.1.1.1 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000
    : end
    Last edited by kung; 25th June 2011, 18:10.

  • #2
    Re: ASA IPSec VPN issue

    On ASA1, it appears you have an incomplete crypto map definition. It's missing the transform-set due to what looks like a typo (leve vs level).



    • #3
      Re: ASA IPSec VPN issue

      I have changed the config on ASA1, but I have the same problem.
      I tried the debug commands as shown in the output:

      show cry isa sa
      show cry ipsec sa
      These commands give no output, so I ran debug cry isa and debug cry ipsec on ASA2 and pinged from ASA1, as shown in the output.

      ASA1# ping 172.16.1.1
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
      ?????
      Success rate is 0 percent (0/5)

      ASA2# sh debug
      debug crypto ipsec enabled at level 1
      debug crypto isakmp enabled at level 1
      ASA2#
      ASA2# ping 192.168.1.1
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
      ?????
      Success rate is 0 percent (0/5)
      --------------------------------------------------------------------------------------------------------------------

      As you can see, the debug commands are also not showing much, so I tried the command
      debug icmp trace on ASA2 and again tried to ping from ASA1.

      ASA2# debug icmp trace
      debug icmp trace enabled at level 1
      ASA2#
      ASA2# ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
      ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
      ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
      ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72
      ICMP echo request from 10.1.1.1 to 172.16.1.1 ID=4388 seq=8678 len=72

      ASA1#
      ASA1# ping 172.16.1.1
      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
      ?????
      Success rate is 0 percent (0/5)



      • #4
        Re: ASA IPSec VPN issue

        If you have fixed the incomplete crypto map definition, then the rest of your configuration looks good and I'd be willing to bet that if you connected a host behind each ASA and then generated traffic between each host (not the interfaces), the tunnel will come up and work as you expect. If you must test using the interfaces, then enable the global command "management-access inside" on both ASAs.

        Also, in your posted debug example, the source address of your ping is 10.1.1.1 (outside), not 192.168.1.1 (inside), so the crypto map acl "vpn" on ASA1 does not match. Without a match, the lan-2-lan VPN is NOT brought up.

        Try using "ping inside 172.16.1.1" so the source address is the inside interface along with adding the management access noted above and see if your configuration works.
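The two points raised in posts #2 and #4, a crypto map entry split across two names so that no single entry has all its parts, and a test ping whose source address does not match the crypto ACL, can be checked mechanically. This is an added example, not code from the thread; it parses only the crypto map and access-list lines of the ASA1 config quoted above (the excerpt below is constructed from it, typo included) and applies the same reasoning the replies use.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the ASA1 config posted above (the leve_map / level_map typo kept as posted).
ASA1_CFG = """\
crypto map level_map 10 match address vpn
crypto map level_map 10 set peer 10.1.1.2
crypto map level_map interface outside
crypto map leve_map 10 set transform-set leve_set
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
ASA1_FIXED = ASA1_CFG.replace("crypto map leve_map", "crypto map level_map")  # the fix from post #2

def parse(cfg):
    """Collect crypto ACLs, crypto map entries and map-to-interface bindings from an ASA config."""
    acls = defaultdict(list)                       # acl name -> [(src_net, dst_net)]
    maps = defaultdict(lambda: defaultdict(dict))  # map name -> seq -> {"set peer": "10.1.1.2", ...}
    bound = {}                                     # map name -> interface it is applied to
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"]:
            acls[w[1]].append((ipaddress.ip_network(f"{w[5]}/{w[6]}"), ipaddress.ip_network(f"{w[7]}/{w[8]}")))
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            bound[w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:
            maps[w[2]][w[3]][" ".join(w[4:6])] = w[-1]   # e.g. "set transform-set" -> "leve_set"
    return acls, maps, bound

def lint(cfg):
    """Findings about crypto map entries that can never bring a tunnel up; [] means consistent."""
    acls, maps, bound = parse(cfg)
    findings = []
    for name, seqs in maps.items():
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface")
        for seq, s in seqs.items():
            for key in ("match address", "set peer", "set transform-set"):
                if key not in s:
                    findings.append(f"crypto map {name} {seq} lacks '{key}'")
            if "match address" in s and s["match address"] not in acls:
                findings.append(f"crypto map {name} {seq} references unknown ACL {s['match address']}")
    return findings

def is_interesting(cfg, src_ip, dst_ip):
    """True if src->dst matches the crypto ACL of a crypto map bound to an interface."""
    acls, maps, bound = parse(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net
               for name in bound for s in maps[name].values()
               for s_net, d_net in acls.get(s.get("match address"), []))
```

On the posted excerpt `lint` reports the half-defined leve_map and the transform-set missing from level_map 10, and `is_interesting` shows why a ping sourced from 10.1.1.1 (the outside address) never triggers ISAKMP while one sourced from 192.168.1.1 does.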
