site to site tunnel and remotes access on an ASA5505

Discussion in 'Cisco' started by aty, Jan 18, 2008.

  1. aty

    Hi

    Hope someone can help me out with this,

    I have setup a ASA5505 and have remote access working on it.

    I now want to setup a IPsec tunnel between two offices. When I do this I noticed the tunnel comes up but the remote access has stopped working.

    I am using the CLI, not ASDM, to configure the ASA5505;
    the config I have is as follows.



    :
    ASA Version 7.2(2)
    !
    hostname HW
    domain-name HW.com
    enable password BpmZJHJZUBLVIfng encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 135.xxx.xxx.xxx 255.255.255.192
    !
    interface Vlan10
    no nameif
    security-level 50
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    switchport access vlan 10
    !
    passwd BpmZJHJZUBLVIfng encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name safestone.com
    access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.130.0 255.255.255.0
    access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
    access-list acl_outside extended permit icmp any any echo
    access-list acl_outside extended permit icmp any any echo-reply
    access-list acl_outside extended permit icmp any any traceroute
    access-list acl_outside extended permit icmp any any time-exceeded
    access-list acl_outside extended permit icmp any any unreachable
    access-list acl_outside extended permit tcp any any eq www
    access-list acl_outside extended permit tcp any any eq smtp
    access-list acl_outside extended permit tcp any any eq pop3
    access-list acl_outside extended deny ip any any
    access-list acl_inside extended permit tcp any any eq www
    access-list acl_inside extended permit tcp any any eq https
    access-list acl_inside extended permit tcp any any eq domain
    access-list acl_inside extended permit udp any any eq domain
    access-list acl_inside extended permit tcp any any eq smtp
    access-list acl_inside extended permit tcp any any eq pop3
    access-list acl_inside extended permit tcp any any eq ftp
    access-list acl_inside extended permit icmp any any echo
    access-list acl_inside extended permit icmp any any echo-reply
    access-list acl_inside extended permit icmp any any traceroute
    access-list acl_inside extended permit icmp any any time-exceeded
    access-list acl_inside extended permit icmp any any unreachable
    access-list acl_inside extended permit tcp any any eq netbios-ssn
    access-list acl_inside extended permit tcp any any eq 3389
    access-list acl_inside extended permit tcp any any eq telnet
    access-list acl_inside extended deny ip any any
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool safestonevpnpool 192.168.130.100-192.168.130.199 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 217.205.xxx.xxx 192.168.127.100 netmask 255.255.255.255
    access-group acl_inside in interface inside
    access-group acl_outside in interface outside
    route outside 0.0.0.0 0.0.0.0 135.196.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server vpnradius protocol radius
    aaa-server vpnradius host 192.168.1.100
    key safestone123
    group-policy safestonevpn internal
    group-policy safestonevpn attributes
    dns-server value 192.168.1.100
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Split_Tunnel_List
    default-domain value HW.com
    username sad password 7fhJkho4jUajszE/ encrypted
    username azas password E3nRwvfjKRY5Ff9o encrypted
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.127.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map Outside_dyn_map 10 set reverse-route
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 217.205.xxx.xxx
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group safestonevpn type ipsec-ra
    tunnel-group safestonevpn general-attributes
    address-pool safestonevpnpool
    authentication-server-group vpnradius LOCAL
    default-group-policy safestonevpn
    tunnel-group safestonevpn ipsec-attributes
    pre-shared-key *
    tunnel-group 217.205.xxx.xxx type ipsec-l2l
    tunnel-group 217.205.xxx.xxx ipsec-attributes
    pre-shared-key *
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    dhcprelay timeout 60

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    tftp-server inside 192.168.127.10 atidasa
    prompt hostname context
    Cryptochecksum:2695cf84f0ec83bba072b98fdcf84004
    : end





    These are the lines I have added for the tunnel


    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

    nat (inside) 0 access-list inside_nat0_outbound

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto map outside_map 20 match address outside_cryptomap_20

    crypto map outside_map 20 set peer 217.205.xxx.xxx

    crypto map outside_map 20 set transform-set ESP-AES-256-SHA

    crypto map outside_map interface outside


    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash sha
    isakmp policy 10 group 5
    isakmp policy 10 lifetime 86400


    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400

    tunnel-group 217.205.xxx.xxx type ipsec-l2l

    tunnel-group 217.205.xxx.xxx ipsec-attributes
    pre-shared-key abcdefgh





    I have noticed that the remote access only stops when I add the line

    crypto map outside_map interface outside



    Can someone help me out on this?

    Thanks in advance
     
    aty, Jan 18, 2008
    #1
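One thing visible in the posted config is that the crypto map and dynamic map entries are spread across two spellings of each name (Outside_map / outside_map, Outside_dyn_map / outside_dyn_map), and only outside_map is bound to the interface; ASA names are case-sensitive, so the entry holding the dynamic (remote-access) map is not the one applied. The following Python linter is an added example, not code from the thread: it parses `crypto map` / `crypto dynamic-map` lines and reports maps that are defined but never applied, with the constructed samples POSTED (the thread's lines as posted) and CONSISTENT (same lines with one exact-case name).

```python
import re
from collections import defaultdict

# Constructed samples: the crypto-map lines copied from the thread's config as posted,
# and the same lines with one consistent, exact-case name for the map and dynamic map.
POSTED = """\
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.205.xxx.xxx
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
"""
CONSISTENT = POSTED.replace("Outside_dyn_map", "outside_dyn_map").replace("Outside_map", "outside_map")

def lint_crypto_maps(config: str) -> list:
    """Report crypto maps / dynamic maps defined but never applied; names compared exactly."""
    dyn_defined, map_seqs, bound, dyn_refs = set(), defaultdict(set), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto dynamic-map (\S+) (\d+) ", line):
            dyn_defined.add(m.group(1))                     # dynamic map name is defined
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m.group(1)] = m.group(2)                  # crypto map applied to an interface
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)$", line):
            name, seq, rest = m.groups()
            map_seqs[name].add(int(seq))                    # crypto map entry exists
            if d := re.match(r"ipsec-isakmp dynamic (\S+)$", rest):
                dyn_refs[(name, int(seq))] = d.group(1)     # entry references a dynamic map

    def case_hint(name, pool):
        # A near-miss differing only in case is the usual cause, so call it out explicitly.
        near = [p for p in pool if p != name and p.lower() == name.lower()]
        return f" (differs only in case from '{near[0]}'; ASA names are case-sensitive)" if near else ""

    findings = []
    for name in sorted(map_seqs):
        if name not in bound:
            findings.append(f"crypto map '{name}' seq {sorted(map_seqs[name])} is not applied to any interface" + case_hint(name, bound))
    for (name, seq), dyn in sorted(dyn_refs.items()):
        if dyn not in dyn_defined:
            findings.append(f"crypto map '{name}' seq {seq} references undefined dynamic-map '{dyn}'" + case_hint(dyn, dyn_defined))
    for dyn in sorted(dyn_defined - set(dyn_refs.values())):
        findings.append(f"dynamic-map '{dyn}' is never referenced by any crypto map entry" + case_hint(dyn, set(dyn_refs.values())))
    return findings
```

Running it over the full config rather than just these lines works the same way, since non-matching lines are ignored.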

  2. aty

    I have worked it out :)
     
    aty, Jan 23, 2008
    #2

  3. drjones

    Site-to-site VPN ASA 5505

    Hi Aty,

    I am having the same issues, I'm interested how you worked it out.

    Basically, I have set all the recommended parameters (mirroring ACLs, crypto maps, tunnel groups, etc.), but it seems that neither ASA will even initiate a connection. If you were able to resolve your issue, I hope you wouldn't mind sharing, because I've hit a brick wall at this point.

    Thanks,
    drjones
     
    drjones, Mar 16, 2009
    #3