From: Stephen Reese on 11 Nov 2008 11:57

I'm trying to set up a site-to-site VPN between a Cisco 3725 and an ASA5505. I am able to create a VPN between the ASA5505 and a PIX515, and between the 3725 router and a 2600 router, so I'm not sure what I'm missing when it comes to the router/ASA combo. My two configurations are below...

ASA5500:

: Saved
: ASA Version 7.2(4)
!
hostname bambam
domain-name default.domain.invalid
enable password blah encrypted
passwd blah encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.31.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ppoe
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list clientvpn_splitTunnelAcl standard permit any
access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set 3DES-SHA
crypto map VPN 10 match address COLO_VPN
crypto map VPN 10 set peer
crypto map VPN 10 set transform-set 3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 66.1.12.3
crypto map outside_map 2 set transform-set 3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 75.12.2.3
crypto map outside_map 3 set transform-set 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
group-policy VPN-CLIENT internal
group-policy VPN-CLIENT attributes
 vpn-tunnel-protocol IPSec
username ashields password eatme encrypted privilege 0
username ashields attributes
 vpn-group-policy VPN-CLIENT
tunnel-group COLO type ipsec-l2l
tunnel-group COLO ipsec-attributes
 pre-shared-key *
tunnel-group 66.1.12.3 type ipsec-l2l
tunnel-group 66.1.12.3 ipsec-attributes
 pre-shared-key *
tunnel-group 75.12.2.3 type ipsec-l2l
tunnel-group 75.12.2.3 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:88fca23d835b8fa6b66ac4a42cbab21a
: end
asdm image disk0:/asdm-524.bin
asdm location 172.31.1.0 255.255.255.0 inside
no asdm history enable

ROUTER:

!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
username rsreese privilege 15 secret 5 test
!
!
ip ssh authentication-retries 2
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key test address 10.0.0.2 no-xauth
crypto isakmp key test address 71.2.1.5 no-xauth
!
crypto isakmp client configuration group VPN-Users
 key test
 dns 68.87.74.162 68.87.68.162
 domain neocipher.net
 pool VPN_POOL
 acl 115
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
 set peer 10.0.0.2
 set peer 71.2.1.5
 set transform-set ESP-3DES-SHA
 match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 ip virtual-reassembly
!
interface Tunnel0
 description HE.net
 no ip address
 ipv6 address 2001:470:1F06:3B6::2/64
 ipv6 enable
 tunnel source 71.2.1.5
 tunnel destination 209.51.161.14
 tunnel mode ipv6ip
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip access-group 104 in
 no ip unreachables
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CLIENTMAP
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 10.0.0.1 255.255.240.0
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip unreachables
 ip inspect SDM_LOW out
 ip virtual-reassembly
 clock rate 2000000
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 no ip address
 no ip unreachables
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:1F07:3B6::/64 eui-64
 ipv6 enable
!
interface FastEthernet0/1.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip access-group 102 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
 no ip address
 no ip unreachables
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Loopback0
 ip access-group 103 in
 no ip unreachables
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
ip route 172.31.12.0 255.255.255.0 71.2.1.5
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny icmp any any echo log
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0
From: Artie Lange on 11 Nov 2008 13:23

Stephen Reese wrote:
> access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0
> 172.31.0.0 255.255.0.0
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0
> crypto map VPN 10 match address COLO_VPN

One thing I notice is that your crypto map is COLO_VPN but you are using nonat for your NAT exclusion, where it should be

nat (inside) 0 access-list COLO_VPN

Also, looking at your ACLs, it appears that your network segments overlap:

access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0

I cannot speak for the router side of things.
From: Stephen Reese on 11 Nov 2008 13:36

On Nov 11, 1:23 pm, Artie Lange <spam...(a)jamiebaillie.net> wrote:
> Stephen Reese wrote:
> > access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0
> > 172.31.0.0 255.255.0.0
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0
> > crypto map VPN 10 match address COLO_VPN
>
> One thing I notice is that your crypto map is COLO_VPN but you are using
> nonat for your NAT exclusion where it should be
>
> nat (inside) 0 access-list COLO_VPN
>
> Also looking at your ACL's it appears that your network segments overlap
>
> access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0
> 255.255.0.0
>
> I can not speak for the router side of things.

The COLO stuff is not relevant; I'm actually in the process of removing that from the configuration.
From: bod43 on 11 Nov 2008 16:26

On 11 Nov, 18:36, Stephen Reese <rsre...(a)gmail.com> wrote:
> On Nov 11, 1:23 pm, Artie Lange <spam...(a)jamiebaillie.net> wrote:
> > Stephen Reese wrote:
> > > access-list COLO_VPN extended permit ip 172.31.12.0 255.255.255.0
> > > 172.31.0.0 255.255.0.0
> > > nat (inside) 0 access-list nonat
> > > nat (inside) 1 0.0.0.0 0.0.0.0
> > > crypto map VPN 10 match address COLO_VPN
> >
> > One thing I notice is that your crypto map is COLO_VPN but you are using
> > nonat for your NAT exclusion where it should be
> >
> > nat (inside) 0 access-list COLO_VPN
> >
> > Also looking at your ACL's it appears that your network segments overlap
> >
> > access-list COLO_VPN permit ip 172.31.12.0 255.255.255.0 172.31.0.0
> > 255.255.0.0
> >
> > I can not speak for the router side of things.
>
> The COLO stuff is not relevant, I'm actually in the process of
> removing that from the configuration.

I have not looked in detail, but I have done PIX-router VPNs with no issues that I can recall, so it does work without doing anything special.

Most likely a small error somewhere.

Maybe worth checking the timeouts and looking at a debug.

On the router:
deb crypto isakmp
deb cry ipsec

PIX similar.
You also need to arrange to view the debugs.
From: Stephen Reese on 11 Nov 2008 18:50

> I have not looked in detail but I have done pix-router
> VPNs with no issues that I can recall so
> it does work without doing anything special.
>
> Most likely a small error somewhere.
>
> maybe worth checking the timeouts and
> looking at a debug.
>
> on router
> deb crypto isakmp
> deb cry ipsec
>
> Pix similar.
> You also need to arrange to view the debugs.

When I try to initiate a connection from the ASA side the tunnel seems to come up, but I'm still unable to pass any traffic through. The router side does not seem to initiate a connection.

# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

#sh crypto isakmp sa
dst             src             state          conn-id slot status
x.x.x.x         x.x.x.x         QM_IDLE              1    0 ACTIVE