L2L Dynamic VPN between 5510 and 5505

pertpert Member Posts: 250
Could you guys help me out with what's broken in here? I don't have much education on the VPN side. Config looks right to me, but it doesn't work and also breaks existing VPN connections.

ASA 5510 - HQ Firewall, Public IP 1.1.1.1 on Outside Interface
10.0.0.0 /13 private
192.168.0.0 /24 private
ASA 5505 - Remote Office Firewall, dynamic private IP on Outside Interface
10.100.100.0 /24 private


5510 HQ ASA Config
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable Outside

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key Cisco


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map TestCase-DYNMAP 1000 set transform-set ESP-AES-128-SHA
crypto map Outside_map 100 IPSec-isakmp dynamic TestCase-DYNMAP
crypto map Outside_map interface outside

no access-list TestCase-NONAT extended permit ip 10.0.0.0 255.248.0.0 10.110.110.0 255.255.255.0
no access-list TestCase-NONAT extended permit ip 192.168.0.0 255.255.255.0 10.110.110.0 255.255.255.0
nat (inside) 0 access-list TestCase-NONAT


route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route Inside 10.4.0.0 255.248.0.0 10.3.3.3 1 !!! 10.3.3.1 is Interface on router behind ASA
route Inside 192.168.0.0 255.255.255.0 10.3.3.3 1 !!! 10.3.3.1 is Interface on router behind ASA

ASA 5505 Config
interface Vlan1
nameif inside
security-level 100
ip address 10.110.110.1 255.255.255.0

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

crypto isakmp policy 15
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key Cisco

access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address TestCase_VPN
crypto map outside 100 set peer 1.1.1.1
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside

access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.0
nat (inside) 0 access-list TestCase_VPN-NONAT

dhcpd address 10.110.110.2-10.110.110.20 inside
dhcpd enable inside

route outside 10.0.0.0 255.248.0.0 1.1.1.1 1
route outside 192.168.0.0 255.255.255.0 1.1.1.1 1

Comments

  • eteneten Member Posts: 67
    Kind of a late reply, but I've labbed this up on 8.4 and it seems to run perfectly with your setup. There are a few differences in terms of NAT exempt but the tunnels came up without any issues. One issue I've encountered on 5520/GNS3 was when using the "ip address dhcp setroute", it obtained a DHCP address but did not set a default route.

    Does your router behind your HQ ASA have routes for the remote site? Are you able to run show commands to see if it is failing at phase 1 / 2 or any debugs to see what's happening?
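The mirror-image and NAT-exempt cross-checks that the reply above hints at, as an added Python example that is not part of the thread: it parses the ACL lines from both posted configs (constructed sample input copied from the post), flags "no ..." forms and malformed masks, and reports which crypto ACL entries have no NAT-exempt counterpart on either side. It assumes only the simple "permit ip net mask net mask" ACE form; parse_acl, missing and audit are hypothetical names.

```python
import ipaddress
import re
# Constructed sample input: the ACL lines as they appear in the two posted configs.
HQ_NONAT = """
no access-list TestCase-NONAT extended permit ip 10.0.0.0 255.248.0.0 10.110.110.0 255.255.255.0
no access-list TestCase-NONAT extended permit ip 192.168.0.0 255.255.255.0 10.110.110.0 255.255.255.0
"""
REMOTE_CRYPTO = """
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
REMOTE_NONAT = """
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.0
"""
# Only the "permit ip <src> <mask> <dst> <mask>" form is recognised (hypothetical helper, not a full parser).
ACE = re.compile(r"^(?P<neg>no\s+)?access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+"
                 r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$")

def parse_acl(text):
    """Return (entries, problems): entries are (src_net, dst_net) that would actually be installed."""
    entries, problems = [], []
    for line in (l.strip() for l in text.strip().splitlines()):
        m = ACE.match(line)
        if not m:
            continue
        if m.group("neg"):  # a "no access-list ..." line removes the entry instead of adding it
            problems.append(f"negated entry: {line}")
            continue
        try:  # strict=True also rejects a network address with host bits set under the mask
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=True)
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=True)
        except ValueError as err:
            problems.append(f"bad address or mask ({err}): {line}")
            continue
        entries.append((src, dst))
    return entries, problems
def missing(required, present, mirrored=False):
    """Entries of `required` lacking a counterpart in `present` (src/dst swapped when mirrored)."""
    have = {(d, s) if mirrored else (s, d) for s, d in present}
    return [e for e in required if e not in have]
def audit():
    """Cross-check the three ACLs; every list in the result is empty on a consistent config.
    HQ runs a dynamic crypto map, so its NAT-exempt ACL must mirror the 5505 crypto ACL;
    on the 5505 the NAT-exempt ACL must cover each crypto ACL entry in the same direction."""
    hq, hq_problems = parse_acl(HQ_NONAT)
    crypto, crypto_problems = parse_acl(REMOTE_CRYPTO)
    nonat, nonat_problems = parse_acl(REMOTE_NONAT)
    return {"problems": hq_problems + crypto_problems + nonat_problems,
            "hq_not_exempt": missing(crypto, hq, mirrored=True),
            "remote_not_exempt": missing(crypto, nonat)}
```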