Site to Site VPN Problem

[ndinc]

I am struggling getting this site to site VPN up. I have verified my settings and have check varies publications for my accuracy. I have nothing, no activity at all, I show a “show crypto isakmp sa” gives me nothing active. To make it even more confusion I am getting no errors in the ASDM logs on both ASA’s.

This is my first "Cisco" vpn so i do not have anything in production as an example

I am seriously missing something. Both scrubbed configs are listed below.

Your expertise is greatly apreciated.

ASA1

********************

pullmanasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname pullmanasa
domain-name domain.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.246.X.X 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group CoxDNS
name-server 68.4.16.30
name-server 68.6.16.30
dns server-group DefaultDNS
domain-name domain.com
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.16 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp any host 207.246.X.X eq 4709
access-list outside_access_in extended permit tcp any host 207.246.X.X eq 18772
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list PULLMAN-ZODIAC extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 207.246.X.X
global (outside) 3 207.246.X.X
nat (inside) 0 access-list NONAT
nat (inside) 2 10.1.1.3 255.255.255.255
nat (inside) 3 10.1.1.60 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.246.X.X 5900 10.1.1.3 5900 netmask 255.255.255.255
static (inside,outside) tcp 207.246.X.X 4709 10.1.1.60 4709 netmask 255.255.255.255
static (inside,outside) tcp 207.246.X.X 18772 10.1.1.60 18772 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.246.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface inside
service resetinbound interface outside
crypto ipsec transform-set ASA1TS esp-3des esp-sha-hmac
crypto map PULLMANVPN 10 match address PULLMAN-ZODIAC
crypto map PULLMANVPN 10 set peer 63.98.X.X
crypto map PULLMANVPN 10 set transform-set ASA1TS
crypto map PULLMANVPN 10 set security-association lifetime seconds 36000
crypto map PULLMANVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tunnel-group 63.98.X.X type ipsec-l2l
tunnel-group 63.98.X.X ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
prompt hostname context
Cryptochecksum:4a8429ee8fbc598850a43deb84affa2f
: end


ASA2

***********************************

zodiacasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname zodiacasa
domain-name domain.com
enable password XSYTK6jbWp8NcaCN encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.98.X.X 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone ct -6
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 198.6.100.38
name-server 198.6.1.5
domain-name domain.com
access-list ZODIAC-PULLMAN extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.98.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA2TS esp-3des esp-sha-hmac
crypto map ZODIACVPN 10 match address ZODIAC-PULLMAN
crypto map ZODIACVPN 10 set peer 207.246.X.X
crypto map ZODIACVPN 10 set transform-set ASA2TS
crypto map ZODIACVPN 10 set security-association lifetime seconds 36000
crypto map ZODIACVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 3
ssh version 2
console timeout 0
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 198.6.100.38 198.6.1.5 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 132.163.4.101 source outside
tunnel-group 207.246.X.X type ipsec-l2l
tunnel-group 207.246.X.X ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:11fc6f4d2bf1a228f56982de4b76427b
: end



Thanks for your help

 

[unclerico]

unless I'm totally missing something (which has and will happen ) your config looks good. The only think I can think of would be a fat-fingered key. Post the results of the following:
- debug crypto isakmp

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[ndinc]

Heres an odd one, I go into CLI and type the exactly what you tell me and I still got nothing. Should I get an output?

I am at a loss.

pullmanasa> en
Password: *******
pullmanasa# debug crypto isakmp
pullmanasa# debug crypto isakmp
pullmanasa# config t
pullmanasa(config)# debug crypto isakmp
pullmanasa(config)# exit
pullmanasa# debug crypto isakmp
pullmanasa#


Thanks for your help

 

[ndinc]

Same wiht ASA2

zodiacasa> en
Password: ********
zodiacasa# debug crypto isakmp
zodiacasa# debug crypto isakmp
zodiacasa#


Thanks for your help

 

[unclerico]

with debugging turned on try and ping from a host on either side of the tunnel to a host on the other side. It's interesting that you see absolutely nothing in the debug or the show output.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[North323]

from the ASA, can you ping the gateway of last resort?

 

[ndinc]

From within the ASA's I am able to ping to both host IP's!

I.E.

ASA 1 can ping to 63.X.X.162

ASA 2 can ping to 207.X.X.98

ASA 1 CANNOT ping to 10.0.0.0/24

ASA 2 CANNOT ping to 10.1.1.0/24

Does this mean the VPN is up?

I activated logging, logs are filling up. Dumb question, what is the CLI command to activate debugg on the VPN?





Thanks for your help

 

[ndinc]

I still get nothing when I type this.

pullmanasa# debug crypto isakmp
pullmanasa# sh crypto isakmp sa

There are no isakmp sas
pullmanasa# sh crypto ipsec sa

There are no ipsec sas
pullmanasa#

Thanks for your help

 

[North323]

post this:
sh crypto debug-condition

sh crypto isa sa
should see something like this:
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

 

[unclerico]

Pinging from ASA1 to a host on 10.0.0.0/24 will not work (and vice versa). You need to actually get on a host whether it is your PC or a server on the 10.0.1.0/24 network and ping to something on 10.0.0.0/24. I hope I'm making sense.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[ndinc]

pullmanasa# sh crypto debug-condition

Crypto conditional debug is turned OFF
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF

How do I "flip the switch on"

Thanks for your help

 

[ndinc]

Holy smokes, I VNC into one of the servers at ASA 1 and I ping to 10.0.0.100 and then I ran a scanner and picked up many systems on the same subnet. Its connected, well at least one way.

How can I tell its being encrypted? And how come nothing shows up in "Sh" or ASDM?

Very strange.

Thanks for your help

 

[North323]

what about sh crypto isa sa

need to get into config t mode
debug ?

 

[ndinc]

pullmanasa(config)# sh crypto isa sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 63.x.x.162
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

pullmanasa(config)# sh crypto debug-condition

Crypto conditional debug is turned OFF
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF

pullmanasa(config)#

Thanks for your help

 

[unclerico]

There HAS to be something in the show or debug now, right?? I mean the tunnel is up. If there is still nothing showing I would reboot the devices.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[unclerico]

yep, you're good. The only thing that I can think of as to why no output was shown in the debug and show commands before is because no interesting traffic triggered the tunnel to establish.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[North323]

i agree with the above statement, your tunnel is up because you have: State : MM_ACTIVE

 

[ndinc]

everything looks good on the VPN side,

We just dont have active NAT on the ASA1 10.1.1.x side.



Thanks for your help

 

[ndinc]

Its working fine now, reboot asa, reboot server. All is well.
2 short questions.

1) Can I also program a VPN connection using the VPN client software without causing a problem with existing site-to site? For individual users outside of the offices.

2) Can I add a second Site to site to ASA1, I.E. another remote office? On another subnet 10.2.2.0?

You guys are the greatest!


Thanks for your help

 

[unclerico]

yes and yes. post back if you need assistance.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)