Re: ASA Site to Site IP Sec tunnel problem

From: Piotr Matusiak <pitt2k_at_gmail.com>
Date: Fri, 30 Sep 2011 08:25:08 +0200

Hi,

The first question should be how are you verifying this?

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2011/9/30 Dinesh Patel <jedidinesh_at_googlemail.com>
> Hi Group
>
> I've decided to go back to my CCIE studies after a few years. Can someone
> help me with an ASA problem? I'm trying to build a site-to-site IPsec
> tunnel between 2 ASAs connected back to back (using GNS3). I can't seem to
> get the tunnel up after trying all day. Below is the config.
>
> I have 2 ASAs called ASA2 and ASA3 (sorry, asa1 does not exist).
> I have an ethernet cable between them acting like my outside WAN:
>
>
> LAN is 20.0.0.0/24------------*ASA2* (e0/0) 1.0.0.1/24  --------- WAN
> -------- *ASA3* (e0/0) 1.0.0.2/24------------LAN is 20.0.0.0/24
>
>
> asa2#   sh crypto isakmp sa
> There are no isakmp sas
>
> asa2#
> asa2# sh run
> : Saved
> :
> ASA Version 8.0(2)
> !
> hostname asa2
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0/0
>  nameif outside
>  security-level 0
>  ip address 1.0.0.1 255.0.0.0
> !
> interface Ethernet0/1
>  nameif inside
>  security-level 100
>  ip address 10.0.0.1 255.255.255.0
> !
> interface Ethernet0/2
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet0/3
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet0/4
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet0/5
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> object-group network net-local
>  network-object 10.0.0.0 255.255.255.0
> access-list 101 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
> access-list natacl extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list natacl
> route outside 0.0.0.0 0.0.0.0 1.0.0.2 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
> crypto map VPNNAMEMAP 1 match address 101
> crypto map VPNNAMEMAP 1 set pfs group1
> crypto map VPNNAMEMAP 1 set peer 1.0.0.2
> crypto map VPNNAMEMAP 1 set transform-set VPNNAME
> crypto map VPNNAMEMAP interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> crypto isakmp policy 65535
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> no crypto isakmp nat-traversal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> !
> tunnel-group 1.0.0.2 type ipsec-l2l
> tunnel-group 1.0.0.2 ipsec-attributes
>  pre-shared-key *
> tunnel-group 1.0.0.1 type ipsec-l2l
> tunnel-group 1.0.0.1 ipsec-attributes
>  pre-shared-key *
> prompt hostname context
> Cryptochecksum:00000000000000000000000000000000
> : end
> asa2#
>
>
>
>
> asa3# sh run
> : Saved
> :
> ASA Version 8.0(2)
> !
> hostname asa3
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0/0
>  nameif outside
>  security-level 0
>  ip address 1.0.0.2 255.0.0.0
> !
> interface Ethernet0/1
>  nameif inside
>  security-level 100
>  ip address 20.0.0.1 255.255.255.0
> !
> interface Ethernet0/2
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet0/3
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet0/4
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Ethernet0/5
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> access-list 101 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
> access-list natacl extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list natacl
> route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
> crypto map VPNNAMEMAP 1 match address 101
> crypto map VPNNAMEMAP 1 set pfs group1
> crypto map VPNNAMEMAP 1 set peer 1.0.0.1
> crypto map VPNNAMEMAP 1 set transform-set VPNNAME
> crypto map VPNNAMEMAP interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> crypto isakmp policy 65535
>  authentication pre-share
>  encryption 3des
>  hash sha
>  group 2
>  lifetime 86400
> no crypto isakmp nat-traversal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> !
> tunnel-group 1.0.0.1 type ipsec-l2l
> tunnel-group 1.0.0.1 ipsec-attributes
>  pre-shared-key *
> prompt hostname context
> Cryptochecksum:00000000000000000000000000000000
> : end
> asa3#
>
> Any help would be appreciated.
>
> thanks
> D.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Sep 30 2011 - 08:25:08 ART
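Piotr's question is about verification on the boxes. The part of the problem that can be checked before touching either ASA is whether the two configurations actually agree with each other: peer addresses, the interface the crypto map and ISAKMP are bound to, the tunnel-group for the peer, mirrored crypto ACLs, a common transform set and a matching ISAKMP policy. The script below is an added example, not code from the thread or from Cisco. It assumes the ASA 8.0 'show run' layout seen above; the function names (parse_asa, check_peer, audit, l2l_config) are the example's own, and the sample configs it feeds itself are constructed from the relevant lines of the two posted configs, with the pre-shared-key lines left out because the post masks them.

```python
"""Static L2L IPsec consistency check for two ASA 8.x configs (added example, not code from the thread)."""
from collections import defaultdict

def parse_asa(text):
    """Extract the pieces of an ASA 8.0 'show run' that a site-to-site tunnel depends on."""
    cfg = {"if_ip": {}, "acl": defaultdict(set), "ts": {}, "cmap": defaultdict(dict),
           "cmap_if": {}, "isakmp_if": set(), "policy": defaultdict(dict), "tg": {}}
    cur_name, cur_pol = None, None    # interface nameif / isakmp policy block being read
    for line in text.splitlines():
        t = line.split()
        if not t or t[0][0] in "!:":
            continue
        if not line.startswith(" "):  # any top-level command ends an isakmp policy block
            cur_pol = None
        if cur_pol is not None:       # authentication / encryption / hash / group / lifetime
            cfg["policy"][cur_pol][t[0]] = t[1]
        elif t[0] == "nameif":        # assumption: 'nameif' precedes 'ip address' in a block (ASA prints it so)
            cur_name = t[1]
        elif t[:2] == ["ip", "address"] and cur_name:
            cfg["if_ip"][cur_name] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            cfg["acl"][t[1]].add(tuple(t[5:9]))       # (src, smask, dst, dmask)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["cmap_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            entry = cfg["cmap"][(t[2], t[3])]
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4] == "set":
                entry[t[5]] = t[6:]                    # peer / pfs / transform-set
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_if"].add(t[3])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            cur_pol = t[3]
        elif t[0] == "tunnel-group" and t[2] == "type":
            cfg["tg"][t[1]] = t[3]
    return cfg

def check_peer(local, remote):
    """Findings from local's point of view; audit() runs it in both directions."""
    out = []
    for (name, seq), e in local["cmap"].items():
        outside = local["cmap_if"].get(name)
        if outside not in local["isakmp_if"]:
            out.append(f"{name}: not applied to an interface that has 'crypto isakmp enable'")
        peer = e.get("peer", [None])[0]
        if local["tg"].get(peer) != "ipsec-l2l":
            out.append(f"{name} {seq}: no 'tunnel-group {peer} type ipsec-l2l', so no PSK for the peer")
        my_ip = local["if_ip"].get(outside)
        partner = [r for r in remote["cmap"].values() if r.get("peer") == [my_ip]]
        if not partner:
            out.append(f"{name} {seq}: remote box has no crypto map entry peering with {my_ip}")
            continue
        # the crypto ACL must be the exact mirror image of the remote entry's ACL
        mirror = {(d, dm, s, sm) for (s, sm, d, dm) in local["acl"].get(e.get("acl"), ())}
        theirs = set().union(*(remote["acl"].get(r.get("acl"), set()) for r in partner))
        if not mirror or mirror != theirs:
            out.append(f"{name} {seq}: crypto ACL {e.get('acl')} is not mirrored on the remote box")
        # phase 2 needs at least one transform set in common
        mine_ts = {local["ts"][n] for n in e.get("transform-set", []) if n in local["ts"]}
        their_ts = {remote["ts"][n] for r in partner for n in r.get("transform-set", []) if n in remote["ts"]}
        if not mine_ts & their_ts:
            out.append(f"{name} {seq}: no transform set in common with the remote box")
    # phase 1 needs one policy on each side agreeing on auth, cipher, hash and DH group
    keys = ("authentication", "encryption", "hash", "group")
    mine = {tuple(p.get(k) for k in keys) for p in local["policy"].values()}
    theirs = {tuple(p.get(k) for k in keys) for p in remote["policy"].values()}
    if not mine & theirs:
        out.append("no ISAKMP policy matches between the two peers")
    return out

def l2l_config(wan_ip, lan, peer_ip, peer_lan, ts="esp-3des esp-sha-hmac"):
    """Constructed sample input modelled on the configs posted in the thread (PSK lines omitted)."""
    return f"""interface Ethernet0/0
 nameif outside
 ip address {wan_ip} 255.0.0.0
access-list 101 extended permit ip {lan}.0 255.255.255.0 {peer_lan}.0 255.255.255.0
crypto ipsec transform-set VPNNAME {ts}
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set pfs group1
crypto map VPNNAMEMAP 1 set peer {peer_ip}
crypto map VPNNAMEMAP 1 set transform-set VPNNAME
crypto map VPNNAMEMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group {peer_ip} type ipsec-l2l"""

ASA2 = l2l_config("1.0.0.1", "10.0.0", "1.0.0.2", "20.0.0")   # asa2 side as posted
ASA3 = l2l_config("1.0.0.2", "20.0.0", "1.0.0.1", "10.0.0")   # asa3 side as posted

def audit(a_text, b_text):
    """Run the checks in both directions: (findings on a, findings on b)."""
    a, b = parse_asa(a_text), parse_asa(b_text)
    return check_peer(a, b), check_peer(b, a)
```

On the two configs as posted, audit(ASA2, ASA3) reports nothing in either direction, which is the useful negative: everything that can be read off the configs agrees, so the answer to Piotr's question has to come from the boxes. Two things the script cannot see are worth checking first. A crypto map only starts negotiating when traffic matching its ACL actually arrives, so 'show crypto isakmp sa' stays empty until something on 10.0.0.0/24 talks to 20.0.0.0/24 (or a packet-tracer run simulates it); and the pre-shared keys are masked in 'show run', so a PSK mismatch only shows up in 'debug crypto isakmp' while that traffic is flowing.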

This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:26 ART