
    ASA 5505 VPN Problem


    by aminder.boparai ·

    Hi, I am trying to configure a site-to-site VPN between two Cisco ASA 5505s. I am able to ping
    the outside interface from both ends, and that's it. No VPN tunnel comes up, and I cannot access the inside host behind the HQ firewall from the Internet, although I have static NAT/PAT with port redirection configured.

    The output of `debug crypto isakmp` shows the error:
    Error: Unable to remove the peer from peer table

    Below are the configs:

    HQ

    ! HQ-WIN running configuration as posted. Lines beginning "! NOTE(review)" are reviewer annotations, not part of the original.
    ASA Version 7.2(2)
    !
    hostname HQ-WIN
    enable password ************* encrypted
    names
    !
    ! inside = Vlan1 192.100.100.150/24; outside = Vlan2 with a DHCP-assigned address.
    ! NOTE(review): the remote peer references this outside address statically (tunnel-group *.*.*.38), so a DHCP lease change would break the tunnel.
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.100.100.150 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp
    !
    ! NOTE(review): Ethernet0/0 is the only port placed in vlan 2 (outside) and is shut down in this listing; if this is the live config the outside VLAN has no active member port — confirm against the device.
    interface Ethernet0/0
    switchport access vlan 2
    shutdown
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    shutdown
    !

    passwd ********* encrypted
    ftp mode passive
    ! ACL 110 is the NAT-exemption list used by "nat (inside) 0" below. It covers five remote subnets, whereas the crypto map only matches to-tisa (10.1.3.0/24).
    access-list 110 extended permit ip 192.100.100.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 110 extended permit ip 192.100.100.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list 110 extended permit ip 192.100.100.0 255.255.255.0 10.1.3.0 255.255.255.0
    access-list 110 extended permit ip 192.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list 110 extended permit ip 192.100.100.0 255.255.255.0 192.168.2.0 255.255.255.0
    ! to-tisa is the crypto ACL (interesting traffic) for crypto map cpvpn 10; it is the mirror image of to_win_asa on the remote ASA.
    access-list to-tisa extended permit ip 192.100.100.0 255.255.255.0 10.1.3.0 255.255.255.0
    ! inbound-access is applied inbound on outside (access-group below). It opens ssh, netbios-ssn, pop3 and imap4 on the public address to any source.
    ! NOTE(review): the pop3 entry reads "*.*1.71.38" while every other entry reads "*.*.71.38" — confirm it is the same host and not a typo that leaves pop3 unmatched.
    access-list inbound-access extended permit tcp any host *.*.71.38 eq ssh
    access-list inbound-access extended permit tcp any host *.*.71.38 eq netbios-ssn
    access-list inbound-access extended permit tcp any host *.*.71.38 eq 65222
    access-list inbound-access extended permit udp any host *.*.71.38 eq 3027
    access-list inbound-access extended permit tcp any host *.*.71.38 eq 3027
    access-list inbound-access extended permit tcp any host *.*1.71.38 eq pop3
    access-list inbound-access extended permit tcp any host *.*.71.38 eq imap4

    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo outside
    icmp permit any echo-reply outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    ! Dynamic PAT of the inside network to the outside interface address; nat 0 exempts ACL 110 traffic from translation.
    global (outside) 1 interface
    nat (inside) 0 access-list 110
    nat (inside) 1 192.100.100.0 255.255.255.0
    ! Port-redirection statics for the published services.
    ! NOTE(review): the ssh and netbios-ssn statics translate to 192.100.100.0, which is the inside network address rather than a host (the other entries use .4 and .10) — verify the intended host.
    static (inside,outside) tcp (External IP) ssh 192.100.100.0 ssh netmask 255.255.255.255
    static (inside,outside) tcp (External IP) netbios-ssn 192.100.100.0 netbios-ssn netmask 255.255.255.255
    static (inside,outside) tcp (External IP) 65222 192.100.100.10 ssh netmask 255.255.255.255
    static (inside,outside) tcp (External IP) 62145 192.100.100.4 telnet netmask 255.255.255.255
    static (inside,outside) tcp (External IP)3027 192.100.100.4 3027 netmask 255.255.255.255
    static (inside,outside) udp (External IP) 3027 192.100.100.4 3027 netmask 255.255.255.255
    static (inside,outside) tcp (External IP) 8764 192.100.100.4 8764 netmask 255.255.255.255
    static (inside,outside) tcp (External IP) 8765 192.100.100.4 8765 netmask 255.255.255.255
    static (inside,outside) tcp (External IP)pop3 192.100.100.10 pop3 netmask 255.255.255.255
    static (inside,outside) tcp (External IP) imap4 192.100.100.10 imap4 netmask 255.255.255.255
    static (inside,outside) tcp (External IP) https 192.100.100.10 https netmask 255.255.255.255
    static (inside,outside) tcp (External IP) domain 192.100.100.10 domain netmask 255.255.255.255
    static (inside,outside) udp (External IP) domain 192.100.100.10 domain netmask 255.255.255.255
    static (inside,outside) tcp (External IP) www 192.100.100.10 8080 netmask 255.255.255.255
    static (inside,outside) tcp (External IP) smtp 192.100.100.10 smtp netmask 255.255.255.255
    static (inside,outside) tcp (External IP) 63123 192.100.100.4 ssh netmask 255.255.255.255
    ! NOTE(review): only the ports listed in inbound-access are reachable; the telnet, https, domain, www, smtp and 63123/8764/8765 statics above have no matching permit in that ACL.
    access-group inbound-access in interface outside
    ! NOTE(review): the default route's next hop is masked as "(External IP)"; with outside on DHCP, confirm this is the upstream gateway and not the ASA's own outside address.
    route outside 0.0.0.0 0.0.0.0 (External IP)
    ! Static route for the remote LAN towards the VPN peer; the default route above would already carry this traffic.
    route outside 10.1.3.0 255.255.255.0 *.*.6.66 (VPN peer address)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Phase 2 (IPsec): 3DES/MD5 transform, matching the remote's set1, with a 1000-second SA lifetime (a rekey roughly every 17 minutes). Both algorithms are weak by current standards.
    crypto ipsec transform-set win1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 1000
    ! crypto map cpvpn 10: peer *.*.6.66, interesting traffic to-tisa, transform-set win1; the map is bound to outside.
    crypto map cpvpn 10 match address to-tisa
    crypto map cpvpn 10 set peer *.*.6.66 (VPN peer address)
    crypto map cpvpn 10 set transform-set win1
    crypto map cpvpn interface outside
    ! Phase 1 (ISAKMP) policy 10: pre-shared key, 3DES, MD5, DH group 2, 24-hour lifetime — identical to policy 10 on the remote ASA.
    ! NOTE(review): no nat-traversal setting appears in this listing; if this ASA's DHCP-assigned outside address sits behind a NAT device, NAT-T would be needed on both peers — confirm.
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    ! L2L tunnel-group keyed on the remote's outside address (*.*.6.66); the pre-shared key must be identical to the one under tunnel-group *.*.*.38 on the remote ASA.
    tunnel-group *.*.6.66 type ipsec-l2l
    tunnel-group *.*.6.66 ipsec-attributes
    pre-shared-key ***********
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    !
    !
    prompt hostname context
    Cryptochecksum:6d01c641509c96826a6cd18d1911b573
    : end

    Remote firewall:

    ! tisa (remote) running configuration as posted. Lines beginning "! NOTE(review)" are reviewer annotations, not part of the original.
    : Saved
    : Written by enable_15 at 12:12:13.514 UTC Fri May 30 2008
    !
    ASA Version 8.0(2)
    !
    hostname tisa
    enable password ******** encrypted
    names
    !
    ! inside = Vlan1 10.1.3.1/24; outside = Vlan2 with a PPPoE-assigned address.
    ! NOTE(review): the HQ ASA references this outside address statically (peer *.*.6.66), so a change of the PPPoE-assigned address would break the tunnel.
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.3.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address pppoe
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2

    passwd ********** encrypted
    ftp mode passive
    ! no_nat is the NAT-exemption list for "nat (inside) 0" below; to_win_asa is the crypto ACL for crypto map tisavpn 10. Both cover 10.1.3.0/24 <-> 192.100.100.0/24, the mirror image of to-tisa on the HQ ASA.
    access-list no_nat extended permit ip 10.1.3.0 255.255.255.0 192.100.100.0 255.255.255.0
    access-list to_win_asa extended permit ip 10.1.3.0 255.255.255.0 192.100.100.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo outside
    icmp permit any echo-reply outside
    no asdm history enable
    arp timeout 14400
    ! Dynamic PAT of the inside network to the outside interface address; nat 0 exempts no_nat traffic from translation.
    global (outside) 1 interface
    nat (inside) 0 access-list no_nat
    nat (inside) 1 10.1.3.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    ! Static route for the HQ LAN towards the VPN peer; the default route above would already carry this traffic.
    route outside 192.100.100.0 255.255.255.0 *.*.*.* (VPN Peer Address)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    ! NOTE(review): ASDM/HTTPS management is permitted from 192.168.1.0/24 on inside, but the inside subnet is 10.1.3.0/24 (Vlan1 above) — verify which network is meant.
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Phase 2 (IPsec): 3DES/MD5 transform, matching the HQ's win1, with a 1000-second SA lifetime (a rekey roughly every 17 minutes). Both algorithms are weak by current standards.
    crypto ipsec transform-set set1 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 1000
    ! crypto map tisavpn 10: peer = HQ outside address, interesting traffic to_win_asa, transform-set set1; the map is bound to outside.
    crypto map tisavpn 10 match address to_win_asa
    crypto map tisavpn 10 set peer *.*.*.* (VPN Peer Address)
    crypto map tisavpn 10 set transform-set set1
    crypto map tisavpn interface outside
    ! Phase 1 (ISAKMP) policy 10: pre-shared key, 3DES, MD5, DH group 2, 24-hour lifetime — identical to policy 10 on the HQ ASA.
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    ! NOTE(review): NAT traversal is explicitly disabled here. If either peer's outside address is behind a NAT device the tunnel cannot come up without NAT-T — confirm that both public addresses are directly on the ASAs.
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    ! NOTE(review): the vpdn group names differ ("pppoeb" on the dialout line, "pppoebl" for localname/authentication) — verify whether this is a paste error or two distinct groups, since the outside PPPoE session depends on it.
    vpdn group pppoeb request dialout pppoe
    vpdn group pppoebl localname *********
    vpdn group pppoebl ppp authentication pap
    vpdn username ******* password *********
    dhcpd auto_config outside
    !
    ! DHCP server for the inside LAN, handing out 10.1.3.10-10.1.3.41 with public DNS servers.
    dhcpd address 10.1.3.10-10.1.3.41 inside
    dhcpd dns 67.69.184.199 67.69.184.7 interface inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    !
    ! Default global inspection policy (dns, ftp, h323, rsh, rtsp, esmtp, sqlnet, skinny, sunrpc, xdmcp, sip, netbios, tftp) applied globally.
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    ! L2L tunnel-group keyed on the HQ outside address (*.*.*.38); the pre-shared key must be identical to the one under tunnel-group *.*.6.66 on the HQ ASA.
    tunnel-group *.*.*.38 type ipsec-l2l
    tunnel-group *.*.*.38 ipsec-attributes
    pre-shared-key **********
    prompt hostname context
    Cryptochecksum:3fb6cce34795dde56baf9f853a90f952
    : end
