VPN on ASA5510

IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Guest

VPN on ASA5510

Post by Guest » Fri Dec 31, 2010 8:40 am

We have 2 locations with ASA5510s and would like to configure a VPN tunnel for data. Right now we have MPLS that we would like to get rid of. I see in our configuration there is already a VPN tunnel configured, but it's not working. Because we stopped MPLS, data between both sides stopped working. Following is the config from one of the ASA5510s; please let me know if you see VPN configured... I am new to firewalls... Please help...

ASA Version 8.03
!
hostname home
domain-name none.com
names
name 10.10.10.10 Exchange2010
name 1.1.1.1.1 Exchange2010outside
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address Exchange2010outside 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/2
 nameif mpls
 security-level 100
 ip address 10.10.10.2 255.255.255.240
!
interface Ethernet0/3
 nameif temp
 security-level 0
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name none.com
same-security-traffic permit inter-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq 3390
access-list 101 extended permit tcp any interface outside eq 3391
access-list 101 extended permit tcp any interface outside eq 3392
access-list 101 extended permit tcp any interface outside eq 3393
access-list 101 extended permit tcp any interface outside eq 3394
access-list 101 extended permit tcp any interface outside eq 3395
access-list 101 extended permit tcp any interface outside eq 3396
access-list 101 extended permit tcp any interface outside eq 3397
access-list 101 extended permit tcp any interface outside eq 3398
access-list 101 extended permit tcp any interface outside eq 3399
access-list 101 remark OWA 2010
access-list 101 extended permit tcp any host Exchange2010outside eq 3389
access-list 101 extended permit tcp any host Exchange2010outside eq www
access-list 101 extended permit tcp host 64.92.220.155 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.156 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.157 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.158 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.159 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.160 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.161 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.162 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.163 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.164 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.165 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 64.92.220.166 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.85 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.86 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.87 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.88 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.89 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.90 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.91 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.82.145.92 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.245 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.246 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.247 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.248 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.249 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.250 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.251 host Exchange2010outside eq smtp
access-list 101 extended permit tcp host 208.78.240.252 host Exchange2010outside eq smtp
access-list 101 extended permit tcp 64.18.0.0 255.255.240.0 host Exchange2010outside eq smtp
access-list 101 extended permit tcp any host Exchange2010outside eq https
access-list 101 extended permit object-group TCPUDP any host Exchange2010 eq www
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list Home-Remote extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list cap extended permit tcp any eq 3391 any
access-list cap extended permit tcp any eq 3394 any
access-list home-remoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list home-remoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list Home-RemoteNONAT extended permit ip 10.10.10.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list cap1 extended permit tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
mtu temp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Home-RemoteNONAT
nat (inside) 1 10.10.1.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.2.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.3.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.4.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.5.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.6.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.7.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.8.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.9.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.10.0 255.255.255.0 tcp 50 20
static (inside,outside) tcp interface smtp Exchange2010 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https Exchange2010 https netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.11.111 1   (side note: 111.111.11.111 I believe is the ISP gateway)
route inside 10.10.4.0 255.255.255.0 10.10.4.1 1
route inside 10.10.5.0 255.255.255.0 10.10.5.1 1
route inside 10.10.6.0 255.255.255.0 10.10.6.1 1
route inside 10.10.7.0 255.255.255.0 10.10.7.1 1
route inside 10.10.8.0 255.255.255.0 10.10.8.1 1
route inside 10.10.9.0 255.255.255.0 10.10.9.1 1
route mpls 10.10.11.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.12.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.13.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.14.0 255.255.255.0 10.10.20.1 1
route mpls 10.10.21.0 255.255.255.0 10.10.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group 38.1.1.1 type ipsec-l2l   (side note: this is the remote ASA IP address)
tunnel-group 38.1.1.1 ipsec-attributes   (side note: this is the remote ASA IP address)
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map pptp-port
 match port tcp eq pptp
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map pptp_policy
 class pptp-port
  inspect pptp
policy-map pptp-policy
 class pptp-port
  inspect pptp
!
service-policy global_policy global
service-policy pptp_policy interface outside
prompt hostname context

Guest

Re:VPN on ASA5510

Post by Guest » Fri Dec 31, 2010 10:18 am

Hi Gurpreet,

From the configuration, I see that there is a VPN configuration for a site-to-site tunnel, but it is incomplete. The missing statement is marked in RED:

crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
crypto map maptoREMOTE 10 set peer <ip address of the remote site>
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside

Now I see a tunnel-group configuration with IP address 38.1.1.1, so most probably this is the IP address of your remote peer. So please verify that this is the IP address of your remote site, and then apply this IP address in the above config set to complete the VPN configuration. So the following is probably what needs to be added:

crypto map maptoREMOTE 10 set peer 38.1.1.1

But as I said, apply the set peer only after you are sure this IP address is that of your intended remote site. The rest of the VPN config seems fine.

Let me know if this helps,

Cheers,
Rudresh V

Guest

Re:VPN on ASA5510

Post by Guest » Fri Dec 31, 2010 11:34 am

Thanks Rudresh, I have made that change. Now I am checking my remote ASA config and see the tunnel is pointing to our old ISP (home ISP) IP address, and that needs to be changed. Following are the lines I am seeing pointing to the old IP address that need to be changed. I don't want to make a mistake; please advise how I should change them. Also, if you see anything else that needs to be changed in there. Again, thank you very much.

crypto map outside_map 20 set peer 64.1.1.1
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes

sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA-home
domain-name none.com
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.1.1.1 255.255.255.224
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.11.250 255.255.255.0
!
interface Ethernet0/2
 nameif mpls
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name none.com
same-security-traffic permit inter-interface
access-list 100 extended permit tcp any host 38.1.1.2 eq www
access-list 100 extended permit tcp any host 38.1.1.2 eq https
access-list 100 extended permit tcp any host 38.1.1.2 eq 3389
access-list 100 extended permit tcp any host 38.1.1.2 range 3230 3235
access-list 100 extended permit tcp any host 38.1.1.2 eq h323
access-list 100 extended permit udp any host 38.1.1.2 range 3230 3253
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn extended permit ip 10.10.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list remote-homeNONAT extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-homeNONAT extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-homeNONAT extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-homeNONAT extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list remote-home extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home extended permit ip 10.10.12.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list remote-home extended permit ip 10.10.14.0 255.255.255.0 10.10.10.0 255.255.255.0
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls 1500
ip local pool Remote-Pool 192.168.10.1-192.168.10.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list remote-homeNONAT
nat (inside) 1 10.10.11.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.12.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.13.0 255.255.255.0 tcp 50 20
nat (inside) 1 10.10.14.0 255.255.255.0 tcp 50 20
static (inside,outside) 38.1.1.2 10.10.1.15 netmask 255.255.255.255
static (inside,outside) 10.10.11.154 38.1.1.3 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 38.1.1.0 1
route mpls 10.10.1.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.2.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.3.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.4.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.5.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.6.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.7.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.8.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.9.0 255.255.255.0 10.10.21.1 1
route mpls 10.10.10.0 255.255.255.0 10.10.21.1 1
route inside 10.10.12.0 255.255.255.0 10.10.12.1 1
route inside 10.10.13.0 255.255.255.0 10.10.13.1 1
route inside 10.10.14.0 255.255.255.0 10.10.14.1 1
route mpls 10.10.20.0 255.255.255.0 10.10.21.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.11.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set NJ_Tunnel esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map maptohome 10 match address remote-home
crypto map maptohome 10 set transform-set remote_home
crypto map maptohome 10 set security-association lifetime seconds 28800
crypto map maptohome 10 set security-association lifetime kilobytes 4608000
crypto map maptohome interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.10.0 255.255.255.0 inside
telnet 10.10.11.0 255.255.255.0 inside
telnet 10.10.12.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password id6XqXzHqVdjWpuR encrypted privilege 15
tunnel-group Supp0Rt type remote-access
tunnel-group Supp0Rt general-attributes
 address-pool Remote-Pool
tunnel-group Supp0Rt ipsec-attributes
 pre-shared-key *
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
: end

Guest

Re:VPN on ASA5510

Post by Guest » Fri Dec 31, 2010 12:52 pm

Hi Gurpreet,

Yes, the following VPN configuration will work:

crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
 pre-shared-key *

Now in the above config, we are missing the access-list defining the interesting traffic. For this you need to identify the interesting traffic (probably) by checking the remote VPN endpoint configuration, and apply it here. We also need to apply the crypto map to the interface. So the complete VPN config should look like this:

crypto map outside_map 20 match address <crypto-access-list>
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
tunnel-group 64.1.1.1 type ipsec-l2l
tunnel-group 64.1.1.1 ipsec-attributes
 pre-shared-key <password same as on remote side>
crypto map outside_map interface outside

Cheers,
Rudresh V
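Both of Rudresh's answers come down to the same checklist: a static crypto-map entry needs a match address, a set peer and a set transform-set, the peer needs an ipsec-l2l tunnel-group, and the map must be bound to an interface with ISAKMP enabled. The following Python script is an added example (not from this thread, not Cisco tooling) that walks an ASA 8.0-style running config and reports which of those pieces is missing. The function names (parse_asa_config, audit_l2l) and the two sample configs are constructed here, modelled on the home and remote configs above; it also flags a transform-set that is referenced but never defined, which goes beyond what the thread discusses.

```python
"""Audit Cisco ASA (8.0-style) site-to-site IPsec crypto maps for completeness.

Added example: checks each static crypto-map entry for match address, set peer,
set transform-set (and that the transform-set exists), an ipsec-l2l tunnel-group
per peer, and that the map is bound to an interface where ISAKMP is enabled.
"""
import re
from collections import defaultdict

CRYPTO_MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
TRANSFORM_SET_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+)\b")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
ISAKMP_ENABLE_RE = re.compile(r"^crypto isakmp enable (\S+)$")


def parse_asa_config(text):
    """Collect the crypto-relevant facts from a running config (hypothetical helper)."""
    maps = defaultdict(lambda: defaultdict(dict))  # map name -> seq -> attributes
    bound = {}                                      # map name -> interface
    transform_sets, isakmp_ifaces, tunnel_groups = set(), set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := CRYPTO_MAP_IF_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := CRYPTO_MAP_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            entry = maps[name][seq]            # create the entry even for 'set pfs' etc.
            head = tuple(rest[:2])
            if head == ("match", "address"):
                entry["acl"] = rest[2]
            elif head == ("set", "peer"):
                entry["peers"] = rest[2:]
            elif head == ("set", "transform-set"):
                entry["transform_sets"] = rest[2:]
            elif head == ("ipsec-isakmp", "dynamic"):
                entry["dynamic"] = rest[2]     # dynamic entries are remote-access, not L2L
        elif m := TRANSFORM_SET_RE.match(line):
            transform_sets.add(m.group(1))
        elif m := TUNNEL_GROUP_RE.match(line):
            tunnel_groups[m.group(1)] = m.group(2)
        elif m := ISAKMP_ENABLE_RE.match(line):
            isakmp_ifaces.add(m.group(1))
    return maps, bound, transform_sets, tunnel_groups, isakmp_ifaces


def audit_l2l(text):
    """Return a list of human-readable findings; an empty list means the L2L maps are complete."""
    maps, bound, transform_sets, tunnel_groups, isakmp_ifaces = parse_asa_config(text)
    findings = []
    for name, entries in sorted(maps.items()):
        for seq, entry in sorted(entries.items()):
            if "dynamic" in entry:
                continue
            tag = f"crypto map {name} {seq}"
            if "acl" not in entry:
                findings.append(f"{tag}: no 'match address' (interesting traffic undefined)")
            if "peers" not in entry:
                findings.append(f"{tag}: no 'set peer'")
            if "transform_sets" not in entry:
                findings.append(f"{tag}: no 'set transform-set'")
            for ts in entry.get("transform_sets", []):
                if ts not in transform_sets:
                    findings.append(f"{tag}: transform-set '{ts}' is not defined")
            for peer in entry.get("peers", []):
                if tunnel_groups.get(peer) != "ipsec-l2l":
                    findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l'")
        if name not in bound:
            findings.append(f"crypto map {name}: not applied to any interface")
        elif bound[name] not in isakmp_ifaces:
            findings.append(f"crypto map {name}: bound to {bound[name]} but ISAKMP not enabled there")
    return findings


# Constructed samples modelled on the two configs in the thread (not the full configs).
HOME_SIDE = """
crypto ipsec transform-set Home_Tunnel esp-aes-256 esp-sha-hmac
crypto map maptoREMOTE 10 match address Home-Remote
crypto map maptoREMOTE 10 set transform-set Home_Tunnel
crypto map maptoREMOTE interface outside
crypto isakmp enable outside
tunnel-group 38.1.1.1 type ipsec-l2l
"""

REMOTE_SIDE = """
crypto ipsec transform-set NJ_Tunnel esp-aes-256 esp-sha-hmac
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 64.1.1.1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map maptohome 10 match address remote-home
crypto map maptohome 10 set transform-set remote_home
crypto map maptohome interface outside
crypto isakmp enable outside
tunnel-group 64.1.1.1 type ipsec-l2l
"""

if __name__ == "__main__":
    for label, cfg in (("home", HOME_SIDE), ("remote", REMOTE_SIDE)):
        print(f"== {label} ==")
        for finding in audit_l2l(cfg) or ["no findings"]:
            print(" ", finding)
```

On the home sample the only finding is the missing set peer that the first answer identified; on the remote sample it reports outside_map lacking match address, transform-set and an interface binding, plus maptohome referencing a transform-set that does not exist. One caveat the script does not model: an ASA interface accepts a single crypto map set, so on the remote side "apply the crypto map to the interface" means folding the outside_map entry into the map already bound to outside (or moving everything to one map), not binding a second map alongside maptohome.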

Guest

Re:VPN on ASA5510

Post by Guest » Fri Dec 31, 2010 1:15 pm

Thank you very much, Rudresh. It's working now.
