problem with l2l vpn on asa 5505


  • problem with l2l vpn on asa 5505

    Hi, I have a problem with my two ASA 5505s in an L2L (site-to-site) VPN. The layout of my network is:

    LAN (192.168.5.0) > ASA 192.168.5.1 > ASA 10.15.100.15 > router 10.15.100.1 > 8 routers > router 10.13.74.1 > ASA 10.13.74.50 > ASA 192.168.0.15 > LAN 192.168.0.0

    Configurations of the two ASAs (first 10.15.100.15, then asa-makenzijeva at 10.13.74.50):

    Result of the command: "sh ru"
    ASA Version 8.4(2)
    hostname ciscoasa
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.15.100.15 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Makenzijeva-site
    subnet 192.168.0.0 255.255.255.0
    object network Palata-site
    subnet 192.168.5.0 255.255.255.0
    object network Sharepoint
    host 192.168.5.37
    access-list outside_cryptomap extended permit ip object Palata-site object Makenzijeva-site
    access-list inside_access_in extended permit ip object Palata-site any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static Palata-site Palata-site destination static Makenzijeva-site Makenzijeva-site no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Sharepoint
    nat (inside,outside) static 10.15.100.20 dns
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ....
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    ..
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 10.13.74.50

    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside

    dhcpd address 192.168.5.5-192.168.5.132 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn

    group-policy GroupPolicy_10.13.74.50 internal
    group-policy GroupPolicy_10.13.74.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 10.13.74.50 type ipsec-l2l
    tunnel-group 10.13.74.50 general-attributes
    default-group-policy GroupPolicy_10.13.74.50
    tunnel-group 10.13.74.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    ..

    hostname asa-makenzijeva
    enable password csq7sfr0bQJqMGET encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names

    interface Ethernet0/0
    switchport access vlan 2

    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.15 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.13.74.50 255.255.255.0
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network FIREWALL-MAKENZIJEVA-LAN
    host 192.168.0.15
    object network MAKENZIJEVA-site
    subnet 192.168.0.0 255.255.255.0
    object network PALATA-site
    subnet 192.168.5.0 255.255.255.0
    object network DRI-AD
    host 192.168.0.20
    object network DRI-VM
    host 192.168.0.28
    object network UPRAVA-Router
    host 10.13.74.1
    access-list outside_cryptomap extended permit ip object MAKENZIJEVA-site object PALATA-site
    access-list INTERESTING-VPN-TRAFFIC extended permit ip object MAKENZIJEVA-site object PALATA-site
    access-list inside_access_in extended permit ip object MAKENZIJEVA-site any
    access-list outside_access_in extended permit ip any any

    nat (inside,outside) source static MAKENZIJEVA-site MAKENZIJEVA-site destination static PALATA-site PALATA-site no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network DRI-AD
    nat (inside,outside) static 10.13.74.51 dns
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.13.74.1 1

    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.13.74.0 255.255.255.0 outside
    http 10.15.100.0 255.255.255.0 outside
    http 192.168.5.0 255.255.255.0 outside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    ..
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 10.15.100.15
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside

    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_10.15.100.15 internal
    group-policy GroupPolicy_10.15.100.15 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 10.15.100.15 type ipsec-l2l
    tunnel-group 10.15.100.15 general-attributes
    default-group-policy GroupPolicy_10.15.100.15
    tunnel-group 10.15.100.15 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic


    I configured the L2L VPN with the site-to-site wizard, but traffic does not go through the tunnel, even though the tunnel itself comes up.

  • #2
    Re: problem with l2l vpn on asa 5505

    I ran the following commands on both ASAs:

    Result of the command: "show isakmp sa"

    There are no IKEv1 SAs

    IKEv2 SAs:

    Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local Remote Status Role
    1744962893 10.15.100.15/500 10.13.74.50/500 READY INITIATOR
    Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/2831 sec
    Child sa: local selector 192.168.5.0/0 - 192.168.5.255/65535
    remote selector 192.168.0.0/0 - 192.168.0.255/65535
    ESP spi in/out: 0xef9aeee/0x6cbcf15b

    Result of the command: "show isakmp sa"

    There are no IKEv1 SAs

    IKEv2 SAs:

    Session-id:13, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local Remote Status Role
    588528855 10.13.74.50/500 10.15.100.15/500 READY RESPONDER
    Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/2884 sec
    Child sa: local selector 192.168.0.0/0 - 192.168.0.255/65535
    remote selector 192.168.5.0/0 - 192.168.5.255/65535
    ESP spi in/out: 0x6cbcf15b/0xef9aeee

    Result of the command: "show ipsec sa"

    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.13.74.50

    access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
    current_peer: 10.15.100.15

    #pkts encaps: 214, #pkts encrypt: 214, #pkts digest: 214
    #pkts decaps: 1441, #pkts decrypt: 1441, #pkts verify: 1441
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 214, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    local crypto endpt.: 10.13.74.50/500, remote crypto endpt.: 10.15.100.15/500
    path mtu 1500, ipsec overhead 74, media mtu 1500
    current outbound spi: 0EF9AEEE
    current inbound spi : 6CBCF15B
    inbound esp sas:
    spi: 0x6CBCF15B (1824321883)
    transform: esp-aes-256 esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 102400, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4193137/25899)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
    spi: 0x0EF9AEEE (251244270)
    transform: esp-aes-256 esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 102400, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4239344/25899)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001


    Result of the command: "show ipsec sa"

    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.15.100.15

    access-list outside_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0
    local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    current_peer: 10.13.74.50
    #pkts encaps: 1472, #pkts encrypt: 1472, #pkts digest: 1472
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 1472, #pkts comp failed: 0, #pkts decomp failed: 0

    local crypto endpt.: 10.15.100.15/500, remote crypto endpt.: 10.13.74.50/500
    path mtu 1500, ipsec overhead 74, media mtu 1500
    current outbound spi: 6CBCF15B
    current inbound spi : 0EF9AEEE

    inbound esp sas:
    spi: 0x0EF9AEEE (251244270)
    transform: esp-aes-256 esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, PFS Group 2, }
    slot: 0, conn_id: 110592, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (3916800/25843)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001
    outbound esp sas:
    spi: 0x6CBCF15B (1824321883)
    transform: esp-aes-256 esp-sha-hmac no compression
    in use settings ={L2L, Tunnel, PFS Group 2, }
    slot: 0, conn_id: 110592, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4054895/25843)
    IV size: 16 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

    I have tried everything, but nothing works. Please help me.

    Where is the mistake?

    So the tunnel is up, but traffic is not passing through it.
