I'm guessing he has nothing connected to the inside interfaces since
this is a GNS3 setup. He was trying to bring the tunnel up by pinging
the other ASA's inside interface from the originating ASA's outside
interface, which will not bring up the tunnel. He can bring up the
tunnel for testing purposes from ASA to ASA directly by configuring
"management-access inside" and originating a ping from one ASA's inside
interface to the other ASA's inside interface:
On ASA2:
ping inside 20.0.0.1
Or ASA3:
ping inside 10.0.0.1
This should bring up the tunnel. This is what I do when testing a new
L2L implementation.
Also, on ASA2 remove the following, because 1.0.0.1 is ASA2's own
outside interface IP and there is no reason for it to be in the config.
tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
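The two points made above (a ping sourced from the outside interface is not "interesting traffic" for the crypto map, and a tunnel-group keyed on the ASA's own outside address is dead config) can be checked offline before touching the lab. The following Python script is an added example, not part of this thread and not a Cisco tool; the function names (parse_asa, ping_triggers_tunnel, check_pair) are this example's own, and the embedded configs are constructed from the tunnel-relevant lines of the asa2/asa3 configs quoted below. It parses interface addresses, the crypto ACL, the crypto-map peer and the L2L tunnel-groups, then tests which ping source falls inside the crypto ACL and whether the two peers are mirror images of each other.

```python
"""Offline sanity checks for an ASA site-to-site IPsec (L2L) peer pair.

Added example, not from the mailing-list thread or from Cisco. It parses only
the config lines that decide whether an L2L tunnel can come up (interface
addresses, the crypto map's peer and matching ACL, tunnel-groups) and answers
the thread's question: does a ping sourced from a given interface match the
crypto ACL ("interesting traffic") at all? Names are this example's own.
"""
import ipaddress
import re

# Constructed sample: the tunnel-relevant lines of the asa2 and asa3 configs
# quoted in the thread (asa2 still carries the tunnel-group for its own IP).
ASA2_CFG = """
hostname asa2
interface Ethernet0/0
 nameif outside
 ip address 1.0.0.1 255.0.0.0
interface Ethernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set peer 1.0.0.2
tunnel-group 1.0.0.2 type ipsec-l2l
tunnel-group 1.0.0.1 type ipsec-l2l
"""

ASA3_CFG = """
hostname asa3
interface Ethernet0/0
 nameif outside
 ip address 1.0.0.2 255.0.0.0
interface Ethernet0/1
 nameif inside
 ip address 20.0.0.1 255.255.255.0
access-list 101 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map VPNNAMEMAP 1 match address 101
crypto map VPNNAMEMAP 1 set peer 1.0.0.1
tunnel-group 1.0.0.1 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_asa(text):
    """Extract interface IPs (keyed by nameif), crypto ACLs, peer, tunnel-groups."""
    cfg = {"hostname": None, "ifaces": {}, "acls": {}, "peer": None,
           "match_acl": None, "tunnel_groups": set()}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        acl = ACL_RE.match(line)
        if line.startswith("hostname "):
            cfg["hostname"] = line.split()[1]
        elif line.startswith("interface "):
            current_if = None            # the nameif follows on a sub-line
        elif line.startswith("nameif "):
            current_if = line.split()[1]
        elif line.startswith("ip address ") and current_if:
            _, _, ip, mask = line.split()
            cfg["ifaces"][current_if] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif acl:
            name, s, sm, d, dm = acl.groups()
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif line.startswith("crypto map ") and " match address " in line:
            cfg["match_acl"] = line.split()[-1]
        elif line.startswith("crypto map ") and " set peer " in line:
            cfg["peer"] = line.split()[-1]
        elif line.startswith("tunnel-group ") and line.endswith(" type ipsec-l2l"):
            cfg["tunnel_groups"].add(line.split()[1])
    return cfg


def interesting(cfg, src_ip, dst_ip):
    """True if src->dst is matched by the crypto map's ACL (would trigger IKE)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net
               for s_net, d_net in cfg["acls"].get(cfg["match_acl"], []))


def ping_triggers_tunnel(cfg, source_iface, dst_ip):
    """Would 'ping <source_iface> <dst_ip>' be interesting traffic?
    The ping is sourced from that interface's own address."""
    return interesting(cfg, str(cfg["ifaces"][source_iface].ip), dst_ip)


def check_pair(a, b):
    """Cross-check two peers; returns a list of findings (empty = consistent)."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        own_outside = str(local["ifaces"]["outside"].ip)
        if local["peer"] != str(remote["ifaces"]["outside"].ip):
            findings.append(f"{local['hostname']}: peer {local['peer']} is not "
                            f"{remote['hostname']}'s outside address")
        if local["peer"] not in local["tunnel_groups"]:
            findings.append(f"{local['hostname']}: no ipsec-l2l tunnel-group "
                            f"for peer {local['peer']}")
        if own_outside in local["tunnel_groups"]:
            findings.append(f"{local['hostname']}: tunnel-group {own_outside} is "
                            "its own outside address and can never be a peer")
        # Crypto ACLs must be mirror images (src/dst swapped) of each other.
        mine = set(local["acls"].get(local["match_acl"], []))
        theirs = {(d, s) for s, d in remote["acls"].get(remote["match_acl"], [])}
        if mine != theirs:
            findings.append(f"{local['hostname']}: crypto ACL is not the mirror "
                            f"of {remote['hostname']}'s")
    return findings


if __name__ == "__main__":
    asa2, asa3 = parse_asa(ASA2_CFG), parse_asa(ASA3_CFG)
    for finding in check_pair(asa2, asa3):
        print("finding:", finding)
    # Source 1.0.0.1 (outside) is not in 10.0.0.0/24, so the outside-sourced
    # ping never matches ACL 101; the inside-sourced one does.
    print("ping outside 20.0.0.1 ->", ping_triggers_tunnel(asa2, "outside", "20.0.0.1"))
    print("ping inside  20.0.0.1 ->", ping_triggers_tunnel(asa2, "inside", "20.0.0.1"))
```

Run it as-is and it reports the single finding on asa2 (the tunnel-group for 1.0.0.1) and shows that only the inside-sourced ping is interesting traffic. The parser is deliberately narrow: it handles the plain "permit ip net mask net mask" crypto ACL form used in the thread, not object-groups or port-qualified entries.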
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Manouchehr Omari
Sent: Friday, September 30, 2011 2:02 PM
To: Dinesh Patel
Cc: ccielab_at_groupstudy.com
Subject: Re: ASA Site to Site IP Sec tunnel problem
Try to simulate a host by connecting two routers through an ethernet
switch to the inside interface of the ASAs and then ping from the router.
On Thu, Sep 29, 2011 at 3:14 PM, Dinesh Patel <jedidinesh_at_googlemail.com> wrote:
> Hi Group
>
> I've decided to go back to my CCIE studies after a few years. Can someone
> help me with an ASA problem? I'm trying to build a site-to-site IPSec
> tunnel between 2 ASAs connected back to back (using GNS3). I can't seem to
> get the tunnel up after trying all day. Below is the config.
>
> I have 2 ASAs called ASA2 and ASA3 (sorry, asa1 does not exist).
> I have an ethernet cable between them acting like my outside WAN:
>
>
> LAN is 20.0.0.0/24------------*ASA2* (e0/0) 1.0.0.1/24 --------- WAN
> -------- *ASA2* (e0/0) 1.0.0.2/24------------LAN is 20.0.0.0/24
>
>
> asa2# sh crypto isakmp sa
> There are no isakmp sas
>
> asa2#
> asa2# sh run
> : Saved
> :
> ASA Version 8.0(2)
> !
> hostname asa2
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 1.0.0.1 255.0.0.0
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 10.0.0.1 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/4
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/5
> shutdown
> no nameif
> no security-level
> no ip address
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> object-group network net-local
> network-object 10.0.0.0 255.255.255.0
> access-list 101 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
> access-list natacl extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list natacl
> route outside 0.0.0.0 0.0.0.0 1.0.0.2 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
> crypto map VPNNAMEMAP 1 match address 101
> crypto map VPNNAMEMAP 1 set pfs group1
> crypto map VPNNAMEMAP 1 set peer 1.0.0.2
> crypto map VPNNAMEMAP 1 set transform-set VPNNAME
> crypto map VPNNAMEMAP interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> no crypto isakmp nat-traversal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> !
> tunnel-group 1.0.0.2 type ipsec-l2l
> tunnel-group 1.0.0.2 ipsec-attributes
> pre-shared-key *
> tunnel-group 1.0.0.1 type ipsec-l2l
> tunnel-group 1.0.0.1 ipsec-attributes
> pre-shared-key *
> prompt hostname context
> Cryptochecksum:00000000000000000000000000000000
> : end
> asa2#
>
>
>
>
> asa3# sh run
> : Saved
> :
> ASA Version 8.0(2)
> !
> hostname asa3
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 1.0.0.2 255.0.0.0
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 20.0.0.1 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/4
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/5
> shutdown
> no nameif
> no security-level
> no ip address
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> access-list 101 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
> access-list natacl extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> nat (inside) 0 access-list natacl
> route outside 0.0.0.0 0.0.0.0 1.0.0.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set VPNNAME esp-3des esp-sha-hmac
> crypto map VPNNAMEMAP 1 match address 101
> crypto map VPNNAMEMAP 1 set pfs group1
> crypto map VPNNAMEMAP 1 set peer 1.0.0.1
> crypto map VPNNAMEMAP 1 set transform-set VPNNAME
> crypto map VPNNAMEMAP interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 65535
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> no crypto isakmp nat-traversal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> !
> tunnel-group 1.0.0.1 type ipsec-l2l
> tunnel-group 1.0.0.1 ipsec-attributes
> pre-shared-key *
> prompt hostname context
> Cryptochecksum:00000000000000000000000000000000
> : end
> asa3#
> asa3#
> asa3#
>
> Any help would be appreciated.
>
> thanks
> D.
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
Received on Fri Sep 30 2011 - 14:25:32 ART