I am struggling getting this site to site VPN up. I have verified my settings and have check varies publications for my accuracy. I have nothing, no activity at all, I show a “show crypto isakmp sa” gives me nothing active. To make it even more confusion I am getting no errors in the ASDM logs on both ASA’s.
This is my first "Cisco" vpn so i do not have anything in production as an example
I am seriously missing something. Both scrubbed configs are listed below.
Your expertise is greatly apreciated.
ASA1
********************
pullmanasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname pullmanasa
domain-name domain.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.246.X.X 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group CoxDNS
name-server 68.4.16.30
name-server 68.6.16.30
dns server-group DefaultDNS
domain-name domain.com
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.16 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp any host 207.246.X.X eq 4709
access-list outside_access_in extended permit tcp any host 207.246.X.X eq 18772
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list PULLMAN-ZODIAC extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 207.246.X.X
global (outside) 3 207.246.X.X
nat (inside) 0 access-list NONAT
nat (inside) 2 10.1.1.3 255.255.255.255
nat (inside) 3 10.1.1.60 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.246.X.X 5900 10.1.1.3 5900 netmask 255.255.255.255
static (inside,outside) tcp 207.246.X.X 4709 10.1.1.60 4709 netmask 255.255.255.255
static (inside,outside) tcp 207.246.X.X 18772 10.1.1.60 18772 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.246.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface inside
service resetinbound interface outside
crypto ipsec transform-set ASA1TS esp-3des esp-sha-hmac
crypto map PULLMANVPN 10 match address PULLMAN-ZODIAC
crypto map PULLMANVPN 10 set peer 63.98.X.X
crypto map PULLMANVPN 10 set transform-set ASA1TS
crypto map PULLMANVPN 10 set security-association lifetime seconds 36000
crypto map PULLMANVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tunnel-group 63.98.X.X type ipsec-l2l
tunnel-group 63.98.X.X ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
prompt hostname context
Cryptochecksum:4a8429ee8fbc598850a43deb84affa2f
: end
ASA2
***********************************
zodiacasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname zodiacasa
domain-name domain.com
enable password XSYTK6jbWp8NcaCN encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.98.X.X 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone ct -6
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 198.6.100.38
name-server 198.6.1.5
domain-name domain.com
access-list ZODIAC-PULLMAN extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.98.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA2TS esp-3des esp-sha-hmac
crypto map ZODIACVPN 10 match address ZODIAC-PULLMAN
crypto map ZODIACVPN 10 set peer 207.246.X.X
crypto map ZODIACVPN 10 set transform-set ASA2TS
crypto map ZODIACVPN 10 set security-association lifetime seconds 36000
crypto map ZODIACVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 3
ssh version 2
console timeout 0
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 198.6.100.38 198.6.1.5 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 132.163.4.101 source outside
tunnel-group 207.246.X.X type ipsec-l2l
tunnel-group 207.246.X.X ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:11fc6f4d2bf1a228f56982de4b76427b
: end
Thanks for your help
This is my first "Cisco" vpn so i do not have anything in production as an example
I am seriously missing something. Both scrubbed configs are listed below.
Your expertise is greatly apreciated.
ASA1
********************
pullmanasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname pullmanasa
domain-name domain.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.246.X.X 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group CoxDNS
name-server 68.4.16.30
name-server 68.6.16.30
dns server-group DefaultDNS
domain-name domain.com
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.16 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.246.X.X eq 5900
access-list outside_access_in extended permit tcp any host 207.246.X.X eq 4709
access-list outside_access_in extended permit tcp any host 207.246.X.X eq 18772
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list PULLMAN-ZODIAC extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 207.246.X.X
global (outside) 3 207.246.X.X
nat (inside) 0 access-list NONAT
nat (inside) 2 10.1.1.3 255.255.255.255
nat (inside) 3 10.1.1.60 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.246.X.X 5900 10.1.1.3 5900 netmask 255.255.255.255
static (inside,outside) tcp 207.246.X.X 4709 10.1.1.60 4709 netmask 255.255.255.255
static (inside,outside) tcp 207.246.X.X 18772 10.1.1.60 18772 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.246.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface inside
service resetinbound interface outside
crypto ipsec transform-set ASA1TS esp-3des esp-sha-hmac
crypto map PULLMANVPN 10 match address PULLMAN-ZODIAC
crypto map PULLMANVPN 10 set peer 63.98.X.X
crypto map PULLMANVPN 10 set transform-set ASA1TS
crypto map PULLMANVPN 10 set security-association lifetime seconds 36000
crypto map PULLMANVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tunnel-group 63.98.X.X type ipsec-l2l
tunnel-group 63.98.X.X ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
prompt hostname context
Cryptochecksum:4a8429ee8fbc598850a43deb84affa2f
: end
ASA2
***********************************
zodiacasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname zodiacasa
domain-name domain.com
enable password XSYTK6jbWp8NcaCN encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.98.X.X 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone ct -6
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 198.6.100.38
name-server 198.6.1.5
domain-name domain.com
access-list ZODIAC-PULLMAN extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 63.98.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ASA2TS esp-3des esp-sha-hmac
crypto map ZODIACVPN 10 match address ZODIAC-PULLMAN
crypto map ZODIACVPN 10 set peer 207.246.X.X
crypto map ZODIACVPN 10 set transform-set ASA2TS
crypto map ZODIACVPN 10 set security-association lifetime seconds 36000
crypto map ZODIACVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 3
ssh version 2
console timeout 0
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 198.6.100.38 198.6.1.5 interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 132.163.4.101 source outside
tunnel-group 207.246.X.X type ipsec-l2l
tunnel-group 207.246.X.X ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:11fc6f4d2bf1a228f56982de4b76427b
: end
Thanks for your help
