Site to site VPN troubleshooting

steele84 Member Posts: 62


Hey all, I'm having a problem with a test site-to-site VPN lab that I have set up in GNS3. I followed a mock of a configuration from this video and I think I have the syntax configured correctly, but I cannot get connectivity to work. I feel like it's something to do with the NAT process. I set up network objects for the local and remote LANs on both ASAs, but they're defined to the network and not a host. Please look at the configs below and help me figure out what I did wrong. Thanks! **edit** Fixed missing config but I'm still having a problem. Thanks

ASA 8.42-1
DCHFW# sh run
: Saved
:
ASA Version 8.4(2) 
!
hostname DCHFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 68.171.1.2 255.255.255.0 
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.4.30 255.255.255.0 
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network RemoteLAN
 subnet 192.168.1.0 255.255.255.0
object network LocalLAN
 subnet 192.168.4.0 255.255.255.0
access-list S2S_VPN extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list S2S_VPN extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 68.171.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Site-2-Site esp-aes esp-sha-hmac 
crypto map Remote 1 match address S2S_VPN
crypto map Remote 1 set peer 68.171.2.2 
crypto map Remote 1 set ikev1 transform-set Site-2-Site
crypto map Remote interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 84600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 68.171.2.2 type ipsec-l2l
tunnel-group 68.171.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:672fba588cb834ab465b870cdd39385d
: end
DCHFW#  

ASA 8.42-2
: Saved
:
ASA Version 8.4(2) 
!
hostname RemoteFW
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 68.171.2.2 255.255.255.0 
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0 
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network RemoteLan
 subnet 192.168.4.0 255.255.255.0
object network Local_LAN
 subnet 192.168.1.0 255.255.255.0
access-list S2S_VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list S2S_VPN extended permit icmp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Local_LAN Local_LAN destination static RemoteLan any
route outside 0.0.0.0 0.0.0.0 68.171.2.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Site-to-Site esp-aes esp-sha-hmac 
crypto map Remote 1 match address S2S_VPN
crypto map Remote 1 set peer 68.171.1.2 
crypto map Remote 1 set ikev1 transform-set Site-to-Site
crypto map Remote interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 84600
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 68.171.1.2 type ipsec-l2l
tunnel-group 68.171.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:48a1e79b024c2a37932e3d4c92e2ec61
: end


“What lies behind us and what lies before us are tiny matters compared to what lies within us.”

Ralph Waldo Emerson

Comments

  • steele84 Member Posts: 62
    **EDIT**
    Figured it out. So as suspected I had my NAT all wrong. I had NAT statements on my local network object instead of the remote network object.
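An added example, not code from the thread or from Cisco: a small Python checker that parses the `object network`, `access-list`, `nat` and `crypto map ... match address` lines of an ASA 8.4 config and flags the two NAT exemption mistakes visible in the configs above, a rule that is missing entirely (the DCHFW side) and a rule whose destination object is mapped to `any` instead of to itself (the RemoteFW side). The snippets it runs on are constructed from the RemoteFW config, and `check_nat_exemption` is a hypothetical helper name.

```python
import re

# Constructed snippet from the RemoteFW side: the posted NAT line maps the
# destination object to "any" instead of itself, so it is not an identity NAT.
BROKEN = """\
object network RemoteLan
 subnet 192.168.4.0 255.255.255.0
object network Local_LAN
 subnet 192.168.1.0 255.255.255.0
access-list S2S_VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside,outside) source static Local_LAN Local_LAN destination static RemoteLan any
crypto map Remote 1 match address S2S_VPN
"""
FIXED = BROKEN.replace("destination static RemoteLan any",
                       "destination static RemoteLan RemoteLan")

OBJ_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^nat \(inside,outside\) source static (\S+) (\S+)"
                    r" destination static (\S+) (\S+)", re.M)
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)

def check_nat_exemption(cfg):
    """Return problems with the NAT exemption for the crypto-map traffic.
    Every crypto ACL entry needs a 'source static A A destination static B B'
    rule covering the same subnets, or the traffic is translated before the
    crypto map sees it and never matches the tunnel's interesting traffic."""
    objs = {name: (net, mask) for name, net, mask in OBJ_RE.findall(cfg)}
    crypto_acls = set(MAP_RE.findall(cfg))
    nats = NAT_RE.findall(cfg)
    problems = []
    for acl, snet, smask, dnet, dmask in ACL_RE.findall(cfg):
        if acl not in crypto_acls:
            continue
        rules = [r for r in nats
                 if objs.get(r[0]) == (snet, smask) and objs.get(r[2]) == (dnet, dmask)]
        if not rules:
            problems.append(f"no NAT exemption for {snet} -> {dnet}")
            continue
        for real_src, map_src, real_dst, map_dst in rules:
            if real_src != map_src:
                problems.append(f"source {real_src} is translated to {map_src}")
            if real_dst != map_dst:
                problems.append(f"destination {real_dst} is translated to {map_dst}")
    return problems

if __name__ == "__main__":
    print(check_nat_exemption(BROKEN))  # ['destination RemoteLan is translated to any']
    print(check_nat_exemption(FIXED))   # []
```

Run it against each peer's config; the DCHFW side, which has no `nat` line at all, reports the missing exemption rather than a bad mapping.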