|
Question : ASA 5510 Site-to-Site VPN
I'm having trouble getting a Site-to-Site VPN stood up between a couple of ASA 5510s at remote locations. It doesn't look like the two ASAs are even attempting to bring up the tunnel: "show crypto ipsec sa" says there are no SAs. Here is some info regarding the locations and the configs of the two firewalls:
Location 1: Internet IP: a.b.c.34 Internal IP: 192.168.40.0/24
Location 2: Internet IP: x.y.z.116 Internal IP: 192.168.100.0/24
#########################################################################
# Firewall 1
#########################################################################

ASA Version 7.2(2)10
!
hostname *********
domain-name *******************
enable password *********** encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif Internet
 security-level 0
 ip address a.b.c.34 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif corporate
 security-level 75
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DSL
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ************* encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ************
object-group icmp-type icmp_allowed_into_corporateNet
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
 icmp-object echo
access-list internal_access_in remark allow internal users any icmp thru the firewall for now
access-list internal_access_in extended permit icmp any any
access-list internal_access_in remark allow anything outbound for now
access-list internal_access_in extended permit ip any any
access-list DSL_access_in extended permit icmp any any object-group icmp_allowed_into_corporateNet
access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
pager lines 50
logging enable
logging asdm informational
mtu Internet 1500
mtu corporate 1500
mtu DSL 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any corporate
icmp permit any DSL
asdm image disk0:/asdm522-54.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 10 interface
global (DSL) 10 interface
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 10 192.168.1.0 255.255.255.0
nat (corporate) 10 192.168.40.0 255.255.255.0
access-group internet_access_in in interface Internet
access-group internal_access_in in interface corporate
access-group DSL_access_in in interface DSL
route Internet 0.0.0.0 0.0.0.0 a.b.c.33 1 track 1
route corporate 192.168.1.0 255.255.255.0 192.168.40.8 1
route DSL 0.0.0.0 0.0.0.0 192.168.0.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 corporate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho a.b.c.33 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer x.y.z.116
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
tunnel-group x.y.z.116 type ipsec-l2l
tunnel-group x.y.z.116 ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 corporate
telnet 192.168.40.0 255.255.255.0 corporate
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect dns
!
service-policy asa_global_fw_policy global
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:716f3096c3c4381fafa9e15ea0c94fba
: end
#########################################################################
# Firewall 2
#########################################################################

ASA Version 7.2(2)10
!
hostname ******
domain-name *******************
enable password ********** encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Internet
 security-level 0
 ip address x.y.z.116 255.255.255.248 standby x.y.z.117
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif SomeNet
 security-level 100
 ip address 192.168.100.253 255.255.255.0 standby 192.168.100.254
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 0
 ip address 192.168.53.1 255.255.255.0 standby 192.168.53.2
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif corporate
 security-level 0
 ip address 192.168.48.1 255.255.255.0 standby 192.168.48.2
!
interface Management0/0
 description LAN/STATE Failover Interface
!
passwd ************ encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.precysesolutions.com
object-group icmp-type icmp_allowed_in
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list SomeNet_access_in extended permit ip any any
access-list Internet_access_in extended permit icmp any any object-group icmp_allowed_in
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu SomeNet 1500
mtu DMZ 1500
mtu corporate 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any SomeNet
icmp permit any DMZ
icmp permit any corporate
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
nat (SomeNet) 1 192.168.100.0 255.255.255.0
access-group Internet_access_in in interface Internet
access-group SomeNet_access_in in interface SomeNet
route Internet 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 SomeNet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer a.b.c.34
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group a.b.c.34 type ipsec-l2l
tunnel-group a.b.c.34 ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 SomeNet
telnet timeout 15
ssh timeout 5
console timeout 0
!
!
ntp authenticate
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:be267d2521225057f7eccf7195a95941
: end
|
Answer : ASA 5510 Site-to-Site VPN
> access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
> access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116

Do NOT put the remote host in the access-lists. Remove them and start over:

access-list Internet_20_cryptomap permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list corporate_nat0_outbound permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0

Re-apply these because they disappear when you remove the ACLs in the first step:

nat (corporate) 0 access-list corporate_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap

Do the same on the remote site, mirror image (the inside interface there is SomeNet, so the nat 0 statement binds to it):

no access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
no access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap
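A quick way to catch the mismatch described in the answer before touching the boxes: this added Python script (not from the thread) reads each peer's crypto ACL via its `crypto map ... match address` binding and reports every entry the other side does not mirror. The config fragments and the public addresses 203.0.113.116 / 198.51.100.34 are constructed placeholders standing in for x.y.z.116 / a.b.c.34.

```python
import ipaddress
import re

# Constructed sample fragments, not the page's full configs. 203.0.113.116 and
# 198.51.100.34 are documentation-range placeholders for x.y.z.116 / a.b.c.34.
CRYPTO_MAP = "crypto map Internet_map 20 match address Internet_20_cryptomap\n"
FW1_BAD = "access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host 203.0.113.116\n" + CRYPTO_MAP
FW2_BAD = "access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host 198.51.100.34\n" + CRYPTO_MAP
FW1_GOOD = "access-list Internet_20_cryptomap permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0\n" + CRYPTO_MAP
FW2_GOOD = "access-list Internet_20_cryptomap permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0\n" + CRYPTO_MAP

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")

def _addr(tokens):
    """Consume one ASA address spec ('host A', 'any', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def acl_pairs(config, acl_name):
    """(src, dst) network pairs from the 'permit ip' lines of the named ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src, rest = _addr(m.group(2).split())
            pairs.append((src, _addr(rest)[0]))
    return pairs

def crypto_map_acl(config, map_name, seq):
    """ACL bound by 'crypto map <map> <seq> match address <acl>', or None if absent."""
    m = re.search(rf"^crypto map {re.escape(map_name)} {seq} match address (\S+)\s*$", config, re.M)
    return m.group(1) if m else None

def check_peers(local, remote, map_name, seq):
    """Every crypto-ACL entry on one peer must appear on the other with src/dst swapped.
    Returns (side, src, dst) entries that have no mirror; empty means the proxy IDs agree."""
    l_pairs = acl_pairs(local, crypto_map_acl(local, map_name, seq))
    r_pairs = acl_pairs(remote, crypto_map_acl(remote, map_name, seq))
    bad = [("local", s, d) for s, d in l_pairs if (d, s) not in r_pairs]
    bad += [("remote", s, d) for s, d in r_pairs if (d, s) not in l_pairs]
    return bad

if __name__ == "__main__":
    print(check_peers(FW1_BAD, FW2_BAD, "Internet_map", 20))    # two unmirrored entries
    print(check_peers(FW1_GOOD, FW2_GOOD, "Internet_map", 20))  # []
```

Run it against the output of `show running-config` from both peers; a non-empty result means IKE will never agree on the proxy identities, which is why no SA appears in `show crypto ipsec sa`.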