Re: ASA Site to Site IP Sec tunnel problem

From: Manouchehr Omari <manouchehr1979_at_gmail.com>
Date: Fri, 30 Sep 2011 11:01:30 -0700

Try to simulate a host by connecting two routers through an Ethernet switch to
the inside interface of the ASAs and then ping from the router.

On Thu, Sep 29, 2011 at 3:14 PM, Dinesh Patel <jedidinesh_at_googlemail.com> wrote:

> Hi Group
>
> I've decided to go back to my CCIE studies after a few years. Can someone
> help me with an ASA problem? I'm trying to build a site-to-site IPSec
> tunnel between 2 ASAs connected back to back (using GNS3). I can't seem to
> get the tunnel up after trying all day. Below is the config.
>
> I have 2 ASAs called ASA2 and ASA3 (sorry, asa1 does not exist).
> I have an ethernet cable between them acting like my outside WAN:
>
>
> LAN is 20.0.0.0/24------------*ASA2* (e0/0) 1.0.0.1/24 --------- WAN
> -------- *ASA2* (e0/0) 1.0.0.2/24------------LAN is 20.0.0.0/24
>
>
> asa2# sh crypto isakmp sa
> There are no isakmp sas
>
> asa2#
> asa2# sh run
> : Saved
> :
> ASA Version 8.0(2)
> !
> hostname asa2
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 1.0.0.1 255.0.0.0
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 10.0.0.1 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/4
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/5
> shutdown
> no nameif
> no security-level
> no ip address
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> object-group network net-local
> network-object 10.0.0.0 255.255.255.0
> access-list 101 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
> access-list natacl extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list natacl
> route outside 0.0.0.0 0.0.0.0 1.0.0.2 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
> crypto map VPNNAMEMAP 1 match address 101
> crypto map VPNNAMEMAP 1 set pfs group1
> crypto map VPNNAMEMAP 1 set peer 1.0.0.2
> crypto map VPNNAMEMAP 1 set transform-set VPNNAME
> crypto map VPNNAMEMAP interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> no crypto isakmp nat-traversal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> !
> tunnel-group 1.0.0.2 type ipsec-l2l
> tunnel-group 1.0.0.2 ipsec-attributes
> pre-shared-key *
> tunnel-group 1.0.0.1 type ipsec-l2l
> tunnel-group 1.0.0.1 ipsec-attributes
> pre-shared-key *
> prompt hostname context
> Cryptochecksum:00000000000000000000000000000000
> : end
> asa2#
>
>
>
>
> asa3# sh run
> : Saved
> :
> ASA Version 8.0(2)
> !
> hostname asa3
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 1.0.0.2 255.0.0.0
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 20.0.0.1 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/4
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/5
> shutdown
> no nameif
> no security-level
> no ip address
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> access-list 101 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
> access-list natacl extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list natacl
> route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
> crypto map VPNNAMEMAP 1 match address 101
> crypto map VPNNAMEMAP 1 set pfs group1
> crypto map VPNNAMEMAP 1 set peer 1.0.0.1
> crypto map VPNNAMEMAP 1 set transform-set VPNNAME
> crypto map VPNNAMEMAP interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> no crypto isakmp nat-traversal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> !
> tunnel-group 1.0.0.1 type ipsec-l2l
> tunnel-group 1.0.0.1 ipsec-attributes
> pre-shared-key *
> prompt hostname context
> Cryptochecksum:00000000000000000000000000000000
> : end
> asa3#
> asa3#
> asa3#
>
> Any help would be appreciated.
>
> thanks
> D.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Sep 30 2011 - 11:01:30 ART
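The two posted configs are mirror images of each other, which is why the reply points at generating traffic rather than at the config: a crypto-map tunnel on the ASA is only negotiated when a packet matching the crypto ACL (101 here) arrives on the inside interface, so "There are no isakmp sas" is the normal state of an idle lab. The checker below is added here and is not part of the thread; it parses the cross-checkable fields out of two ASA configs and reports mismatches (peer vs. the other side's outside address, tunnel-group for the peer, transform-set, mirrored crypto ACL, a common isakmp policy). The `asa_cfg` template and its values are constructed from the post, and the parser assumes the `show run` layout used there.

```python
import re

def asa_cfg(outside_ip, lan, remote_lan, peer):
    # Constructed: the posted asa2/asa3 configs reduced to the lines the check reads.
    return f"""nameif outside
ip address {outside_ip} 255.0.0.0
access-list 101 extended permit ip {lan} 255.255.255.0 {remote_lan} 255.255.255.0
crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set peer {peer}
crypto isakmp policy 10
encryption 3des
group 2
tunnel-group {peer} type ipsec-l2l"""

ASA2 = asa_cfg("1.0.0.1", "10.0.0.0", "20.0.0.0", "1.0.0.2")
ASA3 = asa_cfg("1.0.0.2", "20.0.0.0", "10.0.0.0", "1.0.0.1")

def parse_asa(cfg):
    """Pull the fields a site-to-site IPsec consistency check needs out of ASA config text."""
    f, policy = {"acl": {}, "policies": [], "tgs": set()}, None
    f["outside_ip"] = (m := re.search(r"nameif outside\n(?:.*\n)*? *ip address (\S+)", cfg)) and m.group(1)
    for s in (line.strip() for line in cfg.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", s):
            f["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))  # (src, dst)
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer) (\S+)", s):
            f[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", s):
            f["transform"] = m.group(1)
        elif re.match(r"crypto isakmp policy \d+", s):
            f["policies"].append(policy := {})  # attributes that follow belong to this policy
        elif policy is not None and (m := re.match(r"(encryption|hash|group) (\S+)", s)):
            policy[m.group(1)] = m.group(2)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", s):
            f["tgs"].add(m.group(1))
    return f | {"crypto_acl": sorted(f["acl"].get(f.get("match address"), []))}

def check_l2l(cfg_a, cfg_b):
    """Cross-check both sides; an empty list means the two configs agree."""
    a, b, problems = parse_asa(cfg_a), parse_asa(cfg_b), []
    for x, y in ((a, b), (b, a)):
        checks = [
            (x.get("set peer") != y["outside_ip"], "peer is not the other side's outside address"),
            (x.get("set peer") not in x["tgs"], "no ipsec-l2l tunnel-group for the peer"),
            (x.get("transform") != y.get("transform"), "transform-sets differ"),
            (x["crypto_acl"] != sorted((d, s) for s, d in y["crypto_acl"]), "crypto ACL does not mirror the peer's"),
            (not any(p in y["policies"] for p in x["policies"]), "no isakmp policy in common"),
        ]
        problems += [f"{x['outside_ip']}: {msg}" for bad, msg in checks if bad]
    return problems
```

`check_l2l(ASA2, ASA3)` returns an empty list for the posted pair; swapping in a wrong peer, a non-mirrored ACL or a different DH group on one side makes the corresponding message appear for the affected side.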
