I followed the ASA-to-ASA Dynamic-to-Static IKEv1/IPsec Configuration Example
step by step. Currently I am using IP address 10.0.0.1 for the static peer and 10.0.0.2 for the dynamic peer, but it seems the tunnel doesn't work:
ASA1(config)# sh cry ipsec sa
There are no ipsec sas
ASA1(config)# sh cry isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ASA2(config)# sh cry ipsec sa
There are no ipsec sas
ASA2(config)# sh cry isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
Configuration of ASA1:
hostname ASA1
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.0.0.1 255.255.255.0
no shutdown
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
no shutdown
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network 192.168.2.0-remote_network
subnet 192.168.2.0 255.255.255.0
object network 192.168.0.0-inside_network
subnet 192.168.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip object 192.168.0.0-inside_network object 192.168.2.0-remote_network
access-list outside_cryptomap extended permit icmp object 192.168.0.0-inside_network object 192.168.2.0-remote_network
access-list internet_access extended permit ip object 192.168.0.0-inside_network any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static 192.168.0.0-inside_network 192.168.0.0-inside_network destination static 192.168.2.0-remote_network 192.168.2.0-remote_network no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key cisco123
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Configuration of ASA2:
hostname ASA2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
no shutdown
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
no shutdown
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network 192.168.2.0-inside_network
subnet 192.168.2.0 255.255.255.0
object network 192.168.0.0-remote_network
subnet 192.168.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_cryptomap extended permit ip object 192.168.2.0-inside_network object 192.168.0.0-remote_network
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static 192.168.2.0-inside_network 192.168.2.0-inside_network destination static 192.168.0.0-remote_network 192.168.0.0-remote_network no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
ikev1 pre-shared-key cisco123
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Any ideas?
packet-tracer result:
ASA2(config)# packet-tracer input inside tcp 192.168.2.100 56789 192.168.0.100 443
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Best Answer
On ASA2 (dynamic peer), you did not set the VPN peer - 10.0.0.1 - in your crypto map outside_map 1. Please try the following on ASA2:
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.0.0.1
In addition, on ASA2, you may need to create an interface access-list on inside interface for traffic from ASA2 inside network to reach ASA1 network/subnet at the other end of VPN tunnel.
With dynamic Site-to-Site IPSec VPN, you can initiate the traffic ONLY from dynamic site. Therefore, you need to generate traffic from ASA2 to bring up the tunnel.
If it still does not work, run the packet-tracer command (using CLI) on ASA2 as below and update your question with the output. I will check and update my answer accordingly:
packet-tracer input inside tcp 192.168.2.100 56789 192.168.0.100 443
Updated answer:
The output of packet-tracer told us that ASA2 did not know where to route/forward the traffic to ASA1 inside network (192.168.0.100 in 192.168.0.0/24) because it does not have anything in its routing table.
Please add the following for testing purposes in this particular setup/lab, then try packet-tracer (and ping) again a few times:
route outside 0.0.0.0 0.0.0.0 10.0.0.1
route outside 0.0.0.0 0.0.0.0 10.0.0.2
In this setup/lab, ASA2 is not an actual dynamic peer, as you have a static IP address configured on the outside interface. Therefore, you need a static default route on ASA2, and the same on ASA1.
In the real world/scenario, when ASA2 is a dynamic peer (dynamic IP address on the outside interface), ASA2 will/should have its own default route thanks to the command
ip address dhcp setroute
or
ip address pppoe setroute
I hope it is helpful and you can solve the issue.
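As an added example (not part of the question or the answer above), here is a small Python lint that runs over constructed excerpts of the two configs posted in the question and reports the conditions the answer walks through: a static crypto map entry without "set peer", a "match address" ACL or peer tunnel-group that is not defined, IKEv1 not enabled on the interface the crypto map is bound to, and no default route (the "(no-route)" drop shown in the packet-tracer output). The excerpts and finding texts are the example's own, not ASA output.

```python
import re

# Constructed excerpts of ASA1 (dynamic crypto map) and ASA2 (static crypto map) from the question.
ASA1_CFG = """\
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set tset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123
"""
ASA2_CFG = """\
access-list outside_cryptomap extended permit ip object inside_net object remote_net
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.0.0.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""

def lint_asa_vpn(cfg: str) -> list[str]:
    """Return findings that explain why an IKEv1 L2L tunnel may never be negotiated."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    findings = []
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    l2l_groups = {l.split()[1] for l in lines if re.match(r"tunnel-group \S+ type ipsec-l2l", l)}
    entries = {}  # (map name, sequence) -> sub-commands of that crypto map entry
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) (.+)", l)
        if m:
            entries.setdefault((m[1], m[2]), []).append(m[3])
    for (name, seq), cmds in entries.items():
        if any(c.startswith("ipsec-isakmp dynamic") for c in cmds):
            continue  # dynamic entry: peer is learned at IKE time, PSK lives in DefaultL2LGroup
        if not any(c.startswith("set peer ") for c in cmds):
            findings.append(f"crypto map {name} {seq}: no 'set peer' configured")
        for c in cmds:
            if c.startswith("match address ") and c.split()[2] not in acls:
                findings.append(f"crypto map {name} {seq}: ACL {c.split()[2]} is not defined")
            if c.startswith("set peer ") and c.split()[2] not in l2l_groups:
                findings.append(f"crypto map {name} {seq}: no 'tunnel-group {c.split()[2]} type ipsec-l2l'")
    applied = {l.split()[-1] for l in lines if re.match(r"crypto map \S+ interface \S+", l)}
    ikev1_if = {l.split()[-1] for l in lines if l.startswith("crypto ikev1 enable ")}
    for intf in applied - ikev1_if:
        findings.append(f"crypto map applied to {intf} but IKEv1 is not enabled there")
    if not any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines):
        findings.append("no default route: packet-tracer will report (no-route) before encryption")
    return findings
```

Running it on both excerpts as posted yields only the default-route finding, which matches the packet-tracer drop; adding the route line from the answer clears it.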