No connection between Site to Site VPN 5505/5510

Jun 30, 2010
Hi,

I'm just trying to connect a VPN between 2 sites using an ASA5505 and a 5510. Both encryption domain networks have private IP addresses of 192.168.68.xxx and 192.168.78.xxxx.
ASA5505 (Warehouse) has a static DSL IP address and ASA5510 (Office) has a static IP address from MCI.
I did not use NAT and I wasn't sure if I should use it in order for them to connect VPN.
When I do 'show cryp ip sa' and 'show cryp is sa' both of them said 'There are no ipsec sas' or 'There are no isakmp sas'.
Please take a look at both configurations and let me know if there's anything I can do to get the VPN connection running between the 2 sites.

Thanks

ASA 5505
ASA Version 8.0(3)
!
terminal width 511
hostname Warehouse-VPN
domain-name *******
enable password ********
names
dns-guard
!
interface Vlan1
nameif management
security-level 100
ip address 192.168.68.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 71.222.123.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd *******************
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ******
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OFFICE-VPN extended permit ip 192.168.68.0 255.255.255.0 192.168.78.0 255.255.255.0
pager lines 60
logging enable
logging timestamp
logging list loglist level critical
logging list loglist message 605005
logging buffer-size 40960
logging buffered debugging
logging trap loglist
mtu management 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 71.222.123.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (management) host 192.168.***.****
key systems
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.***.***
key systems
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto map mymap 20 match address SYSTEMVPN
crypto map mymap 20 set peer 65.111.222.10
crypto map mymap 20 set transform-set 3dessha
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 10
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
username ****** password *******
tunnel-group 65.111.222.10 type ipsec-l2l
tunnel-group 65.111.222.10 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
Warehouse-VPN#




ASA5510

ASA Version 8.0(3)
!
terminal width 511
hostname OFFICE-VPN
domain-name *********
enable password ************
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 65.111.222.10 255.255.255.128
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.78.100 255.255.255.0
!
passwd Q7vQmdYWBD.DW6Jd encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name locus.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OFFICE-VPN extended permit ip 192.168.78.0 255.255.255.0 192.168.68.0 255.255.255.0
pager lines 60
logging enable
logging timestamp
logging list loglist level critical
logging list loglist message 605005
logging buffer-size 40960
logging buffered debugging
logging trap loglist
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 65.111.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (management) host 192.168.***.****
key systems
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.***.***
key systems
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 management
http 10.10.100.0 255.255.255.0 management
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto map mymap 10 match address OFFICE-VPN
crypto map mymap 10 set pfs
crypto map mymap 10 set peer 71.222.123.2
crypto map mymap 10 set transform-set 3dessha
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 30
ssh ***.***.***.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 10
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
username *********** password *************
tunnel-group 71.222.123.2 type ipsec-l2l
tunnel-group 71.222.123.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
OFFICE-VPN#
 
on both devices:
1) add global (outside) 1 interface, nat (inside) 1 <local_lan> 255.255.255.0, access-list nat0_inside extended permit ip <local_subnet> 255.255.255.0 <remote_subnet> 255.255.255.0, nat (inside) 0 access-list nat0_inside
2) don't use the management interface. that is for management traffic only (well, there is a command to enable it otherwise, but don't)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The Office VPN is being used and I do not want to lose the connection by removing management and replacing it with inside.
So, I'll use another 5505 (a backup which is not being used at all) to set it up just as you mentioned and will test to see if it works between 2 ASA5505s.
Thanks and I'll keep you posted.
 
Tried the 2 steps below on both ASA 5505s and I still can't connect the VPN on both sites. I ran show cryp is sa and show cryp ip sa but there were no connections.

1) add global (outside) 1 interface,
nat (inside) 1 <local_lan> 255.255.255.0,
access-list nat0_inside extended permit ip <local_subnet> 255.255.255.0 <remote_subnet> 255.255.255.0,
nat (inside) 0 access-list nat0_inside
2) don't use the management interface. that is for management traffic only (well, there is a command to enable it otherwise, but don't)
 
ok, post new scrubbed configs

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Instead of setting up the ASA5505 and ASA5510, I used a spare ASA5505. So now the VPN setup is between 2 ASA5505s.
I removed management and also tried to set it up as simply as possible.
Here are the new configs for the 2 ASA5505s.


ASA Version 8.0(2)
!
hostname Warehouse-VPN
enable password *****************
names
!
interface Vlan1
nameif inside
no security-level 100
ip address 192.168.68.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 71.222.123.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd ********************************
boot **************
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ******
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OFFICE-VPN extended permit ip 192.168.68.0 255.255.255.0 192.168.78.0 255.255.255.0
access-list nat0_inside extended permit ip 192.168.68.0 255.255.255.0 192.168.78.0 255.255.255.0
pager lines 60
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.68.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 71.222.123.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address OFFICE-VPN
crypto map outside_map 20 set peer 65.111.222.10
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 65.111.222.10 type ipsec-l2l
tunnel-group 65.111.222.10 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:68eba159fd8e4c893f24185ffb40bb6f
: end
Warehouse-VPN#



ASA Version 8.0(2)
!
hostname OFFICE-VPN
enable password *************
names
!
interface Vlan1
nameif inside
no security-level 100
ip address 192.168.78.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.111.222.10 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd ********************************
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ******
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Warehouse-VPN extended permit ip 192.168.78.0 255.255.255.0 192.168.68.0 255.255.255.0
access-list nat0_inside extended permit ip 192.168.78.0 255.255.255.0 192.168.68.0 255.255.255.0
pager lines 60
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 192.168.68.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 65.111.222.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address Warehouse-VPN
crypto map outside_map 20 set peer 71.222.123.2
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 71.222.123.2 type ipsec-l2l
tunnel-group 71.222.123.2 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:68eba159fd8e4c893f24185ffb40bb6f
: end
Warehouse-VPN#
 
run some debugs and post back the results
debug crypto isakmp sa
debug crypto ipsec sa

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
In your recent config post, I noticed you had these statements
interface Vlan1
nameif inside
no security-level 100
ip address 192.168.78.100 255.255.255.0

interface Vlan1
nameif inside
no security-level 100
ip address 192.168.68.100 255.255.255.0
What does 'show nameif' show?

Rich
Network Engineer - CCNA
 
Sorry, I removed the 'no', so now it is security-level 100.

when I ran

debug crypto isakmp sa
debug crypto ipsec sa

I don't see any outcome.

The strange thing is we have another running VPN (ASA5505) and it's running perfectly fine with another partner's VPN.
But when I try to connect a VPN (site to site) between the 2 sites (2 branches) I do not get anything.
 
Can you post output of the following, keep the debugs running:

-Enable console/buffered logging on both ASAs and generate interesting traffic
logging enable
logging timestamp
logging buffer-size 40960
logging buffered debugging
-Attempt a ping to each outside interface
-Temporarily enter 'management-access inside' and do an extended ping. Make sure the source is the inside interface and the destination is the inside interface of the other ASA
-Re-enter the pre-shared keys (might be a typo)
-Run:
clear crypto isakmp sa
clear crypto ipsec sa
-Make sure the security levels are right, show nameif

Keep checking the logs/debugs to track down what is happening on both ends. That is going to be the key.

Rich
Network Engineer - CCNA
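As an added example (my code, not anything posted in this thread), here is a small Python checker that applies the points raised above to a pair of ASA 8.0-style configs before anyone reaches for debugs: the NAT exemption (nat 0) ACL mirroring the crypto ACL, the LAN not sitting on the management interface, and the peer address, tunnel-group, transform-set and ISAKMP policy agreeing on both ends. parse_asa, audit_pair and sample_config are hypothetical helper names; the sample configs are constructed with RFC 5737 WAN addresses and modelled on the ones in the thread. It only reads config text, so it cannot check pre-shared keys, which are scrubbed from any posted config anyway. Run over the first pair of configs posted above, the undefined-ACL check would report that Warehouse-VPN's crypto map matches SYSTEMVPN while the only access-list defined on that box is OFFICE-VPN.

```python
"""Pairwise sanity checks for two Cisco ASA 8.0-style site-to-site VPN configs.
Added example, not code from this thread: it parses two running-config dumps in the syntax
shown above and lists mismatches that typically leave 'show crypto isakmp sa' empty."""
from collections import defaultdict

ISAKMP_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_asa(text):
    # Hypothetical helper: collect ACLs, crypto maps, transform sets, ISAKMP policies,
    # tunnel-groups, interface names/addresses and the nat 0 (NAT exemption) ACL.
    cfg = {"acl": defaultdict(list), "map": defaultdict(dict), "ts": {},
           "isakmp": {}, "tg": set(), "if": {}, "nat0": None}
    section = None  # ("interface", name) or ("isakmp", id) opened by the last header line
    for raw in text.splitlines():
        w = raw.split()
        if len(w) < 2:
            continue  # blank lines, '!', 'names', etc.
        if w[0] == "interface":
            section, cfg["if"][w[1]] = ("interface", w[1]), {}
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            section, cfg["isakmp"][w[3]] = ("isakmp", w[3]), {}
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            cfg["acl"][w[1]].append((w[5], w[6], w[7], w[8]))  # (src, smask, dst, dmask)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and w[4] == "match":
            cfg["map"][(w[2], w[3])]["acl"] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4] == "set":
            cfg["map"][(w[2], w[3])][w[5]] = w[6] if len(w) > 6 else True  # 'set pfs' has no value
        elif w[0] == "tunnel-group" and w[2] == "type":
            cfg["tg"].add(w[1])
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            cfg["nat0"] = w[4]
        elif section and section[0] == "interface" and w[0] == "nameif":
            cfg["if"][section[1]]["nameif"] = w[1]
        elif section and section[0] == "interface" and w[:2] == ["ip", "address"]:
            cfg["if"][section[1]]["ip"] = w[2]
        elif section and section[0] == "isakmp" and w[0] in ISAKMP_KEYS:
            cfg["isakmp"][section[1]][w[0]] = w[1]
    return cfg


def audit_pair(text_a, text_b, name_a="A", name_b="B"):
    # Hypothetical helper: returns human-readable mismatches (empty list means consistent).
    a, b = parse_asa(text_a), parse_asa(text_b)
    outside = lambda c: next((i.get("ip") for i in c["if"].values() if i.get("nameif") == "outside"), None)
    mirror = lambda x, y: {(s, m, d, n) for s, m, d, n in x} == {(d, n, s, m) for s, m, d, n in y}
    policies = lambda c: [{k: v for k, v in p.items() if k != "lifetime"} for p in c["isakmp"].values()]
    out = []
    for me, my, peer, their in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if not any(i.get("nameif") == "inside" for i in my["if"].values()):
            out.append(f"{me}: no interface named 'inside' (is the LAN on the management interface?)")
        for (mname, seq), e in my["map"].items():
            tag, acl = f"{me}: crypto map {mname} {seq}", e.get("acl")
            if acl not in my["acl"]:
                out.append(f"{tag} matches undefined ACL {acl}")
            else:  # crypto ACL must be the peer's ACL with src/dst swapped, and nat 0 must exempt it
                if not any(mirror(my["acl"][acl], p) for p in their["acl"].values()):
                    out.append(f"{tag} ACL {acl} has no mirror image on {peer}")
                if set(my["acl"].get(my["nat0"], [])) != set(my["acl"][acl]):
                    out.append(f"{me}: NAT exemption (nat 0) does not match crypto ACL {acl}")
            if e.get("peer") != outside(their):
                out.append(f"{tag} peer {e.get('peer')} is not {peer}'s outside address")
            if e.get("peer") not in my["tg"]:
                out.append(f"{tag} has no tunnel-group for peer {e.get('peer')}")
            if my["ts"].get(e.get("transform-set")) not in their["ts"].values():
                out.append(f"{tag} transform-set {e.get('transform-set')} has no equivalent on {peer}")
    if not any(pa == pb for pa in policies(a) for pb in policies(b)):
        out.append("no ISAKMP policy agrees on authentication/encryption/hash/group")
    return out


def sample_config(lan, wan, peer_lan, peer_wan, match_acl):
    # Constructed sample peer config in the thread's syntax (RFC 5737 WAN addresses).
    return f"""interface Vlan1
nameif inside
ip address {lan}.1 255.255.255.0
interface Vlan2
nameif outside
ip address {wan} 255.255.255.248
access-list L2L-VPN extended permit ip {lan}.0 255.255.255.0 {peer_lan}.0 255.255.255.0
access-list nat0_inside extended permit ip {lan}.0 255.255.255.0 {peer_lan}.0 255.255.255.0
nat (inside) 0 access-list nat0_inside
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address {match_acl}
crypto map outside_map 20 set peer {peer_wan}
crypto map outside_map 20 set transform-set myset
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group {peer_wan} type ipsec-l2l
"""

# Warehouse's crypto map names an ACL that is never defined; Office is consistent.
WAREHOUSE = sample_config("10.1.1", "192.0.2.2", "10.2.2", "198.51.100.10", "SYSTEMVPN")
OFFICE = sample_config("10.2.2", "198.51.100.10", "10.1.1", "192.0.2.2", "L2L-VPN")
if __name__ == "__main__":
    print(audit_pair(WAREHOUSE, OFFICE, "Warehouse", "Office"))
```

On the constructed pair the only finding is the undefined ACL on the Warehouse side; correcting the match address to L2L-VPN gives an empty list. Removing the nat 0 line reproduces the situation of the first configs in the thread, and the checker then reports the missing NAT exemption. The checks are deliberately strict (the nat 0 ACL must equal the crypto ACL), which is what the advice in this thread asks for.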
 