ASA 5510 ver7 to ver8.4 site-to-site VPN

  • ASA 5510 ver7 to ver8.4 site-to-site VPN

    Hi,

    I have 2 ASA 5510s, one running ver 8.4 and one running ver 7. For the past day I have been trying to configure a site-to-site VPN with no success; I can't establish phase 1. I am using IKEv1 with a shared secret (IKEv2 is not used). I used the wizard to create the site-to-site tunnel.

    This is the config from ver 8:

    object network inside_nat
    subnet 192.168.0.0 255.255.255.0

    object network Sterling_private_lan
    subnet 192.168.3.0 255.255.255.0

    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set peer 1.1.1.1
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5
    crypto map outside_map 1 set ikev2 pre-shared-key *****
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ciscoasa
    crl configure
    crypto ca certificate map DefaultCertificateMap 10
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 92f57c4e
    308201e9 30820152 a0030201 02020492 f57c4e30 0d06092a 864886f7 0d010105
    05003039 3111300f 06035504 03130863 6973636f 61736131 24302206 092a8648
    86f70d01 09021615 63697363 6f617361 2e646f73 66616374 732e676f 76301e17
    0d313130 39323430 30353631 315a170d 32313039 32313030 35363131 5a303931
    11300f06 03550403 13086369 73636f61 73613124 30220609 2a864886 f70d0109
    02161563 6973636f 6173612e 646f7366 61637473 2e676f76 30819f30 0d06092a
    864886f7 0d010101 05000381 8d003081 89028181 00abc120 c78294c5 56f9c969
    c8451337 c32268c6 ea5710c6 9a9406e5 3cb41de7 0ba404d6 a54273ba b4e15983
    cdb5abe0 5514e3b6 f6ebbd72 24db4d6f 08ebfa66 95063ff7 cf00cf7c df1bada6
    c622c5f1 dc868dff 8beea9bf f76c747c 6ac7d5e4 9e5a4a96 8eeb2ef4 4a56eb3e
    ebc5860b 9143e647 258ac805 2c955b07 c88db581 b3020301 0001300d 06092a86
    4886f70d 01010505 00038181 0093278e 75367626 67a28d24 2a24a281 2c7762a5
    fd7660bd 81146717 3d7da617 7e18508f c7d4d75b 8d97cfc3 185ec50e 8642ce62
    46e8fc0c eda983fb cd278cf3 28cfd4c5 688dba6e 5a01732b 944274ca 5c852b10
    cfa68ed7 5f010c46 1ad5abf7 445ab721 535a1b69 e59f8960 b448e94b c3691314
    df24000c c71d89c3 27752d55 5e
    quit
    crypto isakmp identity address
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 11
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400

    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
    vpn-tunnel-protocol ikev1

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
    default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
    ikev1 pre-shared-key *****
    !
    access-list outside_cryptomap extended permit ip object inside_nat object Sterling_private_lan
    access-group outside_in in interface outside

    This is ver 7:

    name 192.168.0.0 Bur_LAN description Bur_LAN

    access-list outside_cryptomap_20_1 extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0

    group-policy SiteToSite internal
    group-policy SiteToSite attributes
    vpn-access-hours none
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    group-lock value 2.2.2.2
    pfs disable
    webvpn

    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 match address outside_cryptomap_20_1
    crypto map outside_map 20 set peer 2.2.2.2
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp identity address
    isakmp enable outside
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes-256
    isakmp policy 30 hash sha
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    isakmp nat-traversal 20
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 general-attributes
    default-group-policy SiteToSite
    tunnel-group 2.2.2.2 ipsec-attributes
    pre-shared-key *
    vpn-sessiondb max-session-limit 20

    Debug log on ver 8:

    Jan 20 11:38:27 [IKE COMMON DEBUG]IKEv2 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
    Jan 20 11:38:27 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1 after a failed attempt.. Map Tag = outside_map. Map Sequence Number = 1.
    Jan 20 11:38:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    Jan 20 11:38:36 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    Jan 20 11:38:41 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    Jan 20 11:38:46 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    Jan 20 11:38:51 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    Jan 20 11:38:56 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
    Jan 20 11:38:59 [IKE COMMON DEBUG]IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
    Jan 20 11:38:59 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
    Jan 20 11:38:59 [IKE COMMON DEBUG]Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 1.
    Jan 20 11:39:01 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = outside_map. Map Sequence Number = 1.
    Jan 20 11:39:06 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

    It's strange that I can't get anything in the IKEv1 debug; I only get output in the common debug. Could it be a bug?
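The first thing to check when phase 1 never comes up between two ASAs is whether the two sides actually propose at least one identical IKEv1 policy (authentication, encryption, hash, DH group) and at least one identical ESP transform set. The script below is an added example, not part of the original post or Cisco's tooling: it parses both the 8.4 block syntax (`crypto ikev1 policy N` followed by attribute lines) and the 7.x flat syntax (`isakmp policy N attribute value`), then reports the matching pairs. The two config excerpts embedded in it are constructed from the lines quoted above (only a subset of the fifteen 8.4 policies is included); lifetime is deliberately excluded from the comparison because IKEv1 peers settle on the shorter value rather than requiring equality.

```python
"""Which IKEv1 phase-1 policies and phase-2 transform sets can these two ASAs
agree on?  Added example, not from the original post: the two excerpts below
are constructed from the 8.4 and 7.x lines quoted above, and only a subset
of the fifteen 8.4 policies is included."""
import re

# Attributes that must agree for two ISAKMP/IKEv1 policies to match.  Lifetime
# is left out on purpose: the peers settle on the shorter of the two.
POLICY_KEYS = ("authentication", "encryption", "hash", "group")

# 8.4 side: block syntax, attribute lines indented under 'crypto ikev1 policy N'.
ASA84 = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5
crypto isakmp identity address
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# 7.x side: flat 'isakmp policy N attribute value' syntax.
ASA7 = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
"""

def parse_ikev1_policies(config):
    """{policy_number: {attribute: value}} for either syntax."""
    policies, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif m := re.match(r"isakmp policy (\d+) (\S+) (.+)$", line):
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif current is not None and (m := re.match(r"(\w+) (.+)$", line)) \
                and m.group(1) in POLICY_KEYS + ("lifetime",):
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any other top-level command ends the policy sub-mode
    return policies

def parse_transform_sets(config):
    """transform-set name -> (esp encryption, esp integrity) for either syntax."""
    pat = r"^\s*crypto ipsec (?:ikev1 )?transform-set (\S+) (\S+) (\S+)$"
    return {m.group(1): (m.group(2), m.group(3)) for m in re.finditer(pat, config, re.M)}

def offered_transform_sets(config, map_name, seq):
    """Transform-set names the static crypto map entry 'map_name seq' proposes."""
    pat = rf"^\s*crypto map {re.escape(map_name)} {seq} set (?:ikev1 )?transform-set (.+)$"
    m = re.search(pat, config, re.M)
    return m.group(1).split() if m else []

def matching_phase1(local, remote):
    """(local_policy, remote_policy) pairs whose auth/enc/hash/group all agree."""
    key = lambda p: tuple(p.get(k) for k in POLICY_KEYS)
    lp, rp = parse_ikev1_policies(local), parse_ikev1_policies(remote)
    return [(ln, rn) for ln, l in lp.items() for rn, r in rp.items()
            if None not in key(l) and key(l) == key(r)]

def matching_phase2(local, lmap, remote, rmap):
    """(encryption, integrity) pairs both crypto map entries propose; set names
    need not match, only their contents."""
    def proposals(cfg, cmap):
        sets = parse_transform_sets(cfg)
        return {sets[n] for n in offered_transform_sets(cfg, *cmap) if n in sets}
    return proposals(local, lmap) & proposals(remote, rmap)

if __name__ == "__main__":
    print("phase 1:", matching_phase1(ASA84, ASA7))
    print("phase 2:", matching_phase2(ASA84, ("outside_map", 1), ASA7, ("outside_map", 20)))
```

Run against the quoted excerpts, the script finds that 8.4 policy 30 and 7.x policy 30 agree (pre-share, aes-256, sha, group 2) and that both crypto map entries propose the same two ESP combinations, so a bare proposal mismatch is not what kept phase 1 down here; the same check is worth re-running whenever a wizard regenerates the policy list on one side.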

  • #2
    Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

    It's fixed, but traffic is not passing through the tunnel.

    On the A side I have one simple private network. On the B side I have management, developer and 2 DMZ networks (each on its own ASA port) with public IPs.

    I created the tunnel using only the 2 private networks just to get things started, but in the end I have to enable the other private LAN to be able to get to the developer LAN and the servers in the DMZ.

    ver 8:

    object network Sterling_private_lan
    subnet 192.168.3.0 255.255.255.0
    description Sterling_private_lan
    object network inside_nat
    subnet 192.168.0.0 255.255.255.0

    access-list outside_cryptomap extended permit ip object inside_nat object Sterling_private_lan
    nat (inside,outside) source static inside_nat inside_nat destination static Sterling_private_lan Sterling_private_lan no-proxy-arp route-lookup

    Ver 7:

    global (outside) 1 interface
    global (outside) 10 2.2.2.2
    global (management) 1 192.168.1.2-192.168.1.254 netmask 255.255.255.0
    nat (inside_140) 0 access-list inside_nat0_outbound
    nat (Developer_LAN) 0 access-list Developer_LAN_nat0_outbound
    nat (Developer_LAN) 10 192.168.3.0 255.255.255.0

    access-list inside_nat0_outbound extended permit ip any 192.168.13.0 255.255.255.0
    access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 server_lan 255.255.255.224
    access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0
    access-list outside_cryptomap_20_1 extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0


    This is the config. It could be that NAT is the problem.
    Last edited by dreic; 20th January 2013, 17:55.



    • #3
      Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

      Make sure you have NAT exemptions for all remote networks that you need access to through the tunnel. They need to be on both sides.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)



      • #4
        Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

        I've got it working.

        One side (VPN client) can reach all subnets on the other end of the tunnel, but the other side (SSL VPN client) can't reach resources on the other side. Servers in the local LAN of the non-working side can reach the other side.

        The pool for VPN clients is part of the local LAN, so I suspect that could be the problem, since on the other side VPN clients have their own subnet.



        • #5
          Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

          Suspecting this is the problem:

          nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup

          On the other side (the v7 ASA) I had to do the following:

          access-list inside_nat0_outbound2 extended permit ip object-group LocalSubnets object-group RemoteSubnets

          nat (inside_140) 0 access-list inside_nat0_outbound2
          nat (inside_139) 0 access-list inside_nat0_outbound2
          nat (Developer_LAN) 0 access-list inside_nat0_outbound2
          nat (Developer_LAN) 10 192.168.3.0 255.255.255.0


          So I guess I should do this?

          access-list inside_nat0_outbound extended permit ip object-group LocalSubnets object-group RemoteSubnets
          no nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup
          nat (inside) 0 access-list inside_nat0_outbound


          But since the VPN pool is part of the local subnet, will this command break the ability of local servers to use the internet?



          • #6
            Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

            So I guess I should do this?

            access-list inside_nat0_outbound extended permit ip object-group LocalSubnets object-group RemoteSubnets
            no nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup
            nat (inside) 0 access-list inside_nat0_outbound


            But since the VPN pool is part of the local subnet, will this command break the ability of local servers to use the internet?

            This should not affect the ability of local servers to reach the internet, as that NAT exemption rule says "don't NAT" when sourced from LocalSubnets going to RemoteSubnets. So in short, if it doesn't match the ACL it will fall back on the next NAT statement that does match.



            • #7
              Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

              Since I suspected the problem could be related to the remote VPN clients having an IP range from the internal LAN, I created the pool 10.23.50.100-200 for VPN clients.

              object-group network LocalSubnets
              network-object 192.168.0.0 255.255.255.0
              network-object 10.23.50.0 255.255.255.0
              object-group network RemoteSubnets
              network-object 192.168.3.0 255.255.255.0
              network-object 192.168.12.0 255.255.255.0
              network-object 211.45.139.0 255.255.255.224
              network-object 211.45.140.208 255.255.255.240
              object-group network LocalLAN
              network-object 192.168.0.0 255.255.255.0
              object-group network VPNClients
              network-object 10.23.50.0 255.255.255.0


              access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
              access-list Split_Tunnel_List standard permit 192.168.3.0 255.255.255.0
              access-list Split_Tunnel_List standard permit 211.45.139.0 255.255.255.224
              access-list Split_Tunnel_List standard permit 211.45.140.208 255.255.255.240


              access-list outside_cryptomap extended permit ip object-group LocalSubnets object-group RemoteSubnets

              nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets no-proxy-arp route-lookup
              nat (inside,outside) source static LocalLAN LocalLAN destination static VPNClients VPNClients no-proxy-arp route-lookup


              And still I can't ping anything from a remote client to the other side of the tunnel.



              • #8
                Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                Please post a diagram. You said you were trying to set up a site-to-site VPN, but it looks like you have a remote-access VPN configured as well?



                • #9
                  Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                  remote_clients1---------serversA----L2L----internet----2L2----serversB-----remote_clients2

                  From left to right I enabled VPN clients to reach serversB and that is working fine.

                  From right to left, remote_clients2 can reach only serversB, but serversB can reach serversA just fine. So the problem is that remote_clients2 can't reach serversA.



                  • #10
                    Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                    So if serversB can reach serversA then you know the tunnel is working and passing traffic. It's either a NAT issue, or double-check your crypto ACLs on both sides for traffic sourced from and destined to remote_clients2. Also check your routing to make sure you have routes to the remote networks. What device is at the serversB end?



                    • #11
                      Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                      I am pretty sure it's the NAT rule, so I am unsure whether I created it OK; that's why I gave the commands.

                      On the serversB side is an ASA 5510 ver 8.4.



                      • #12
                        Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                        Hard for me to tell, as I don't know the local networks on that network.



                        • #13
                          Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                          object-group network LocalSubnets
                          network-object 192.168.0.0 255.255.255.0
                          network-object 10.23.50.0 255.255.255.0
                          object-group network RemoteSubnets
                          network-object 192.168.3.0 255.255.255.0
                          network-object 192.168.12.0 255.255.255.0
                          network-object 211.45.139.0 255.255.255.224
                          network-object 211.45.140.208 255.255.255.240
                          object-group network LocalLAN
                          network-object 192.168.0.0 255.255.255.0
                          object-group network VPNClients
                          network-object 10.23.50.0 255.255.255.0

                          That's why I pasted this also. Note that the VPNClients network is also in LocalSubnets (I don't know whether that is the correct way, but on the other side of the tunnel that was the correct way).



                          • #14
                            Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                            Post a diagram of all the addressing on both sides. Post your configs again, since there have been changes. Have you run any debugs or checked any logs?



                            • #15
                              Re: ASA 5510 ver7 to ver8.4 site-to-site VPN

                              same-security-traffic permit intra-interface


                              fixed my problem.
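Two questions in this thread are really about how the ASA decides what to do with a single flow: does the identity NAT "exemption" for LocalSubnets to RemoteSubnets (#5, #6) leave ordinary Internet-bound traffic alone, and why did remote-access client traffic only start reaching the far LAN once `same-security-traffic permit intra-interface` was added (#15)? The toy model below is an added example, not part of the original thread and not Cisco code. It models the site B (8.4) box from post #7 as an ordered, first-match NAT table plus a longest-prefix route lookup, which is faithful for these rules because they are all manual (twice) NAT rules in one section. Assumptions, all labelled in the code: the outside interface address and the Internet host use RFC 5737 placeholders, and the dynamic PAT rule for inside-to-Internet traffic is assumed rather than quoted in the posts.

```python
"""Toy model of two ASA behaviours this thread ran into: first-match NAT (does an
identity 'exemption' rule leave Internet-bound traffic alone?) and the hairpin
that 'same-security-traffic permit intra-interface' allows.  Added example, not
from the original thread; the Internet host and outside address are RFC 5737
placeholders, and the PAT rule is assumed, not quoted in the posts."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    name: str
    ingress: str | None               # source interface of the (in,out) pair; None = any
    src: list[IPv4Network]
    dst: list[IPv4Network] | None     # None = any destination
    translate_to: IPv4Address | None  # None = identity (no translation)

@dataclass
class Asa:
    routes: list[tuple[IPv4Network, str]]  # (prefix, egress interface)
    nat: list[NatRule]                     # ordered: the first matching rule wins
    intra_interface: bool = False          # same-security-traffic permit intra-interface

    def egress_for(self, dst: IPv4Address) -> str:
        """Longest-prefix match; the default route guarantees a result."""
        prefix, iface = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen)
        return iface

    def forward(self, ingress: str, src: str, dst: str) -> dict:
        s, d = ip_address(src), ip_address(dst)
        egress = self.egress_for(d)
        # Traffic that would leave by the interface it arrived on (RA client on
        # outside -> L2L peer via outside) is dropped unless hairpinning is permitted.
        if egress == ingress and not self.intra_interface:
            return {"verdict": "drop", "reason": "hairpin not permitted"}
        for rule in self.nat:
            # A rule written with an interface pair only applies to traffic that
            # entered on that source interface, so the (inside,outside) rules never
            # see packets decrypted from a remote-access client on outside.
            if rule.ingress not in (None, ingress):
                continue
            if not any(s in n for n in rule.src):
                continue
            if rule.dst is not None and not any(d in n for n in rule.dst):
                continue
            new_src = s if rule.translate_to is None else rule.translate_to
            return {"verdict": "forward", "egress": egress, "rule": rule.name, "src": str(new_src)}
        # No rule matched: the packet is forwarded untranslated.
        return {"verdict": "forward", "egress": egress, "rule": None, "src": str(s)}

N = ip_network
LOCAL_LAN, VPN_POOL = N("192.168.0.0/24"), N("10.23.50.0/24")    # site B LAN and RA pool (post #7)
REMOTE_SUBNETS = [N("192.168.3.0/24"), N("192.168.12.0/24"),
                  N("211.45.139.0/27"), N("211.45.140.208/28")]  # RemoteSubnets object-group
OUTSIDE_IP = ip_address("203.0.113.1")                           # assumed outside address

def site_b(intra_interface: bool) -> Asa:
    return Asa(
        routes=[(LOCAL_LAN, "inside"), (N("0.0.0.0/0"), "outside")],  # L2L peer nets, RA pool, Internet: all via outside
        nat=[
            # nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets
            NatRule("exempt LocalSubnets->RemoteSubnets", "inside", [LOCAL_LAN, VPN_POOL], REMOTE_SUBNETS, None),
            # nat (inside,outside) source static LocalLAN LocalLAN destination static VPNClients VPNClients
            NatRule("exempt LocalLAN->VPNClients", "inside", [LOCAL_LAN], [VPN_POOL], None),
            # assumed dynamic PAT for everything else leaving inside (not quoted in the thread)
            NatRule("pat inside->outside", "inside", [LOCAL_LAN], None, OUTSIDE_IP),
        ],
        intra_interface=intra_interface,
    )

if __name__ == "__main__":
    asa = site_b(intra_interface=False)
    print(asa.forward("inside", "192.168.0.10", "192.168.3.5"))          # exempt, source unchanged
    print(asa.forward("inside", "192.168.0.10", "198.51.100.7"))         # falls through to PAT
    print(asa.forward("outside", "10.23.50.100", "192.168.3.5"))         # dropped: hairpin
    print(site_b(True).forward("outside", "10.23.50.100", "192.168.3.5"))  # forwarded once permitted
```

The four flows in the usage block reproduce the thread's conclusions: LAN to remote LAN hits the exemption and leaves untranslated, LAN to Internet skips both exemptions and falls through to PAT (so the exemption does not break Internet access, as #6 says), and remote-access client to remote LAN is dropped as a hairpin until intra-interface traffic is permitted, after which it is forwarded without NAT because none of the (inside,outside) rules apply to traffic arriving on outside.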
