-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Dinesh Patel
Sent: Thursday, September 29, 2011 6:14 PM
To: ccielab_at_groupstudy.com
Subject: ASA Site to Site IP Sec tunnel problem
Hi Group
I've decided to go back to my CCIE studies after a few years. Can someone
help me with an ASA problem? I'm trying to build a site-to-site IPsec
tunnel between 2 ASAs connected back to back (using GNS3). I can't seem to
get the tunnel up after trying all day. Below is the config.
I have 2 ASAs called ASA2 and ASA3 (sorry, asa1 does not exist).
I have an ethernet cable between them acting like my outside WAN:
LAN is 20.0.0.0/24 ------------ *ASA2* (e0/0) 1.0.0.1/24 --------- WAN -------- *ASA3* (e0/0) 1.0.0.2/24 ------------ LAN is 20.0.0.0/24
asa2# sh crypto isakmp sa
There are no isakmp sas
asa2#
asa2# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname asa2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.0.0.1 255.0.0.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network net-local
network-object 10.0.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
access-list natacl extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list natacl
route outside 0.0.0.0 0.0.0.0 1.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set pfs group1
crypto map VPNNAMEMAP 1 set peer 1.0.0.2
crypto map VPNNAMEMAP 1 set transform-set VPNNAME
crypto map VPNNAMEMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 1.0.0.2 type ipsec-l2l
tunnel-group 1.0.0.2 ipsec-attributes
pre-shared-key *
tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
asa2#
asa3# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname asa3
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.0.0.2 255.0.0.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 20.0.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list natacl extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list natacl
route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set pfs group1
crypto map VPNNAMEMAP 1 set peer 1.0.0.1
crypto map VPNNAMEMAP 1 set transform-set VPNNAME
crypto map VPNNAMEMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
asa3#
Any help would be appreciated.
thanks
D.
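A quick way to rule out the usual site-to-site mismatches before chasing anything else is to check that the two configs mirror each other: peer address vs. the other side's outside address, a matching ipsec-l2l tunnel-group, a crypto ACL that is the exact mirror image of the peer's, a nat 0 exemption that covers the same traffic, identical transform-set and PFS settings, and at least one ISAKMP policy common to both peers. The script below is an added example, not code from the post or from Cisco; its inputs are the relevant lines excerpted from the two `sh run` outputs above (wrapped ACL lines rejoined, unrelated lines dropped), and the ASA 8.0(2) command syntax it parses is exactly what the post shows.

```python
# Added example (not from the post or from Cisco): cross-check two ASA 8.x running configs
# for mirrored site-to-site IPsec settings. Inputs are excerpted from the post's 'sh run' output.
from collections import defaultdict

ASA2 = """
nameif outside
ip address 1.0.0.1 255.0.0.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
access-list natacl extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
nat (inside) 0 access-list natacl
crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set pfs group1
crypto map VPNNAMEMAP 1 set peer 1.0.0.2
crypto map VPNNAMEMAP 1 set transform-set VPNNAME
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 1.0.0.2 type ipsec-l2l
"""
ASA3 = """
nameif outside
ip address 1.0.0.2 255.0.0.0
access-list 101 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list natacl extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list natacl
crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set pfs group1
crypto map VPNNAMEMAP 1 set peer 1.0.0.1
crypto map VPNNAMEMAP 1 set transform-set VPNNAME
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 1.0.0.1 type ipsec-l2l
"""

def parse_asa(text):
    """Pull the IPsec-relevant pieces out of an ASA 8.x configuration (no indentation needed)."""
    cfg = {"if_ip": {}, "acl": defaultdict(list), "ts": {}, "cmap": {},
           "isakmp": {}, "tg": set(), "nat0": None}
    nameif = policy = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"]:
            cfg["if_ip"][nameif] = w[2]
        elif w[0] == "access-list" and "permit" in w:
            i = w.index("permit") + 2          # skip the protocol; network/mask form only
            cfg["acl"][w[1]].append(tuple(w[i:i + 4]))
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            cfg["nat0"] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3] != "interface":
            entry = cfg["cmap"].setdefault((w[2], int(w[3])), {})
            entry["acl" if w[4] == "match" else w[5]] = w[6]   # 'match address X' / 'set <attr> X'
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["isakmp"].setdefault(int(w[3]), {})
        elif policy is not None and w[0] in ("authentication", "encryption", "hash", "group"):
            policy[w[0]] = w[1]
        elif w[0] == "tunnel-group" and w[2] == "type":
            cfg["tg"].add(w[1])
    return cfg

def check_pair(a, b, a_name, b_name):
    """Findings where A's tunnel settings fail to mirror B's; an empty list means consistent."""
    a_out, b_out = a["if_ip"].get("outside"), b["if_ip"].get("outside")
    be = next((e for e in b["cmap"].values() if e.get("peer") == a_out), {})
    # B's crypto ACL with source and destination swapped must equal A's crypto ACL
    mirror = {(d, dm, s, sm) for s, sm, d, dm in b["acl"].get(be.get("acl"), [])}
    findings = []
    for (mname, seq), e in a["cmap"].items():
        mine = set(a["acl"].get(e.get("acl"), []))
        checks = [
            (e.get("peer") != b_out, f"peer {e.get('peer')} is not {b_name}'s outside address {b_out}"),
            (e.get("peer") not in a["tg"], f"no ipsec-l2l tunnel-group named {e.get('peer')}"),
            (mine != mirror, f"crypto ACL is not the mirror image of {b_name}'s"),
            (set(a["acl"].get(a["nat0"], [])) != mine, "nat 0 exemption ACL differs from the crypto ACL"),
            (a["ts"].get(e.get("transform-set")) != b["ts"].get(be.get("transform-set")),
             f"transform-set algorithms differ from {b_name}"),
            (e.get("pfs") != be.get("pfs"), f"PFS group differs from {b_name}"),
        ]
        findings += [f"{a_name} crypto map {mname} {seq}: {msg}" for bad, msg in checks if bad]
    # Phase 1 needs at least one policy identical in authentication, encryption, hash and DH group
    pol_a = {tuple(sorted(p.items())) for p in a["isakmp"].values()}
    pol_b = {tuple(sorted(p.items())) for p in b["isakmp"].values()}
    if not pol_a & pol_b:
        findings.append(f"{a_name}/{b_name}: no ISAKMP policy matches on both peers")
    return findings

def check_tunnel(cfg_a, cfg_b, name_a, name_b):
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    return check_pair(a, b, name_a, name_b) + check_pair(b, a, name_b, name_a)
```

Run on the two configs in the post (`check_tunnel(ASA2, ASA3, "asa2", "asa3")`) it returns an empty list: every Phase 1 and Phase 2 parameter it compares is mirrored, so the fault is not in any of those. What it deliberately does not model is reachability between the outside interfaces, interface masks versus the address plan in the diagram, or whether any packet has actually matched the crypto ACL; a crypto-map tunnel on the ASA only starts IKE when interesting traffic arrives, so an empty `sh crypto isakmp sa` is consistent with either a negotiation failure or simply no traffic having been sent yet.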
Blogs and organic groups at http://www.ccie.net
Received on Fri Sep 30 2011 - 07:14:06 ART
This archive was generated by hypermail 2.2.0 : Sat Oct 01 2011 - 07:26:26 ART