Cisco – Site-to-site VPN between 5505 and 5512x

Tags: cisco, cisco-asa, site-to-site-vpn

I am trying to set up a site-to-site VPN IPsec tunnel between an ASA 5512x and 5505 on an isolated network.

I ran through the IPsec VPN wizard on both devices and used the same configuration, but they don't appear to ever try to talk with each other.

5512

  • outside interface: 172.16.1.1
  • inside interface: 10.10.254.254

5505

  • outside interface: 172.16.1.2
  • inside interface: 192.168.1.1

I currently just have a network cable running between the outside interface on each device, and I am able to ping the 172.16.1.x IPs from each device.

Is there something that I'm missing? Sorry if it's obvious but I've never worked with site-to-site setup before.

The 5512 is running ASA 8.6(1)2 and the 5505 is running ASA 8.2(5). I'm not sure if these are simply incompatible; I was not able to find an answer online. I would try to upgrade the 5505, but I currently don't have access to a Cisco account to download images. I'm waiting to hear back from a colleague with the credentials.

Here are the configs for both devices:

5512 config:

: Saved  
:  
ASA Version 8.6(1)2   
!  
hostname asa5512  
domain-name test.com  
enable password 8Ry2YjIyt7RRXU24 encrypted  
passwd 2KFQnbNIdI.2KYOU encrypted  
names  
!  
interface GigabitEthernet0/0  
 nameif outside  
 security-level 0  
 ip address 172.16.1.2 255.255.255.0   
!  
interface GigabitEthernet0/1  
 nameif inside  
 security-level 100  
 ip address 10.10.254.254 255.255.0.0   
!  
interface GigabitEthernet0/2  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet0/3  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet0/4  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface GigabitEthernet0/5  
 shutdown  
 no nameif  
 no security-level  
 no ip address  
!  
interface Management0/0  
 nameif management  
 security-level 0  
 ip address 192.168.1.1 255.255.255.0   
!  
ftp mode passive  
dns server-group DefaultDNS  
 domain-name test.com  
object network 192.168.1.0_24  
 subnet 192.168.1.0 255.255.255.0  
access-list outside_cryptomap extended permit ip object 192.168.1.0_24 host 172.16.1.2   
pager lines 24  
mtu management 1500  
mtu inside 1500  
mtu outside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
timeout xlate 3:00:00  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
dynamic-access-policy-record DfltAccessPolicy  
user-identity default-domain LOCAL  
http server enable  
http 192.168.1.15 255.255.255.255 management  
no snmp-server location  
no snmp-server contact  
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart  
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac   
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac   
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac   
crypto ipsec ikev2 ipsec-proposal DES  
 protocol esp encryption des  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal 3DES  
 protocol esp encryption 3des  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES  
 protocol esp encryption aes  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES192  
 protocol esp encryption aes-192  
 protocol esp integrity sha-1 md5  
crypto ipsec ikev2 ipsec-proposal AES256  
 protocol esp encryption aes-256  
 protocol esp integrity sha-1 md5  
crypto map outside_map1 1 match address outside_cryptomap  
crypto map outside_map1 1 set peer 172.16.1.2   
crypto map outside_map1 1 set ikev1 transform-set ESP-3DES-SHA  
crypto map outside_map1 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES  
crypto map outside_map1 interface outside  
crypto ikev2 policy 1  
 encryption aes-256  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 10  
 encryption aes-192  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 20  
 encryption aes  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 30  
 encryption 3des  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev2 policy 40  
 encryption des  
 integrity sha  
 group 5 2  
 prf sha  
 lifetime seconds 86400  
crypto ikev1 policy 120  
 authentication pre-share  
 encryption 3des  
 hash sha  
 group 2  
 lifetime 86400  
telnet timeout 5  
ssh timeout 5  
console timeout 0  
threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
webvpn  
tunnel-group 172.16.1.2 type ipsec-l2l  
tunnel-group 172.16.1.2 ipsec-attributes  
 ikev1 pre-shared-key *****  
 ikev2 remote-authentication pre-shared-key *****  
 ikev2 local-authentication pre-shared-key *****  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map   
  inspect ftp   
  inspect h323 h225   
  inspect h323 ras   
  inspect ip-options   
  inspect netbios   
  inspect rsh   
  inspect rtsp   
  inspect skinny    
  inspect esmtp   
  inspect sqlnet   
  inspect sunrpc   
  inspect tftp   
  inspect sip    
  inspect xdmcp   
!  
service-policy global_policy global  
prompt hostname context   
no call-home reporting anonymous  
call-home  
 profile CiscoTAC-1  
  no active  
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService  
  destination address email callhome@cisco.com  
  destination transport-method http  
  subscribe-to-alert-group diagnostic  
  subscribe-to-alert-group environment  
  subscribe-to-alert-group inventory periodic monthly 27  
  subscribe-to-alert-group configuration periodic monthly 27  
  subscribe-to-alert-group telemetry periodic daily  
Cryptochecksum:aafae49415856e6cd5c44dedd3984999  
: end  
no asdm history enable  

5505 config:

: Saved  
:  
ASA Version 8.2(5)  
!  
hostname ciscoasa  
enable password 8Ry2YjIyt7RRXU24 encrypted  
passwd 2KFQnbNIdI.2KYOU encrypted  
names  
!  
interface Ethernet0/0  
 switchport access vlan 2  
!  
interface Ethernet0/1  
!  
interface Ethernet0/2  
!  
interface Ethernet0/3  
!  
interface Ethernet0/4  
!  
interface Ethernet0/5  
!  
interface Ethernet0/6  
!  
interface Ethernet0/7  
!  
interface Vlan1  
 nameif inside  
 security-level 100  
 ip address 192.168.1.1 255.255.255.0  
!  
interface Vlan2  
 nameif outside  
 security-level 0  
 ip address 172.16.1.1 255.255.255.0  
!  
ftp mode passive  
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.2  
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any  
pager lines 24  
logging enable  
logging asdm informational  
mtu inside 1500  
mtu outside 1500  
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable  
arp timeout 14400  
nat (inside) 0 access-list inside_nat0_outbound  
nat (inside) 1 0.0.0.0 0.0.0.0  
timeout xlate 3:00:00  
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02  
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00  
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute  
timeout tcp-proxy-reassembly 0:01:00  
timeout floating-conn 0:00:00  
dynamic-access-policy-record DfltAccessPolicy  
http server enable  
http 192.168.1.0 255.255.255.0 inside  
no snmp-server location  
no snmp-server contact  
snmp-server enable traps snmp authentication linkup linkdown coldstart  
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac  
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac  
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac  
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac  
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac  
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac  
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac  
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac  
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac  
crypto ipsec security-association lifetime seconds 28800  
crypto ipsec security-association lifetime kilobytes 4608000  
crypto map outside_map 1 match address outside_1_cryptomap  
crypto map outside_map 1 set peer 172.16.1.2  
crypto map outside_map 1 set transform-set ESP-3DES-SHA  
crypto map outside_map interface outside  
crypto isakmp enable inside  
crypto isakmp enable outside  
crypto isakmp policy 10  
 authentication pre-share  
 encryption 3des  
 hash sha  
 group 2  
 lifetime 86400  
telnet timeout 5  
ssh timeout 5  
console timeout 0  
dhcpd auto_config outside  
!  
dhcpd address 192.168.1.5-192.168.1.132 inside  
!  
threat-detection basic-threat  
threat-detection statistics access-list  
no threat-detection statistics tcp-intercept  
webvpn  
tunnel-group 172.16.1.2 type ipsec-l2l  
tunnel-group 172.16.1.2 ipsec-attributes  
 pre-shared-key *****  
!  
class-map inspection_default  
 match default-inspection-traffic  
!  
!  
policy-map type inspect dns preset_dns_map  
 parameters  
  message-length maximum client auto  
  message-length maximum 512  
policy-map global_policy  
 class inspection_default  
  inspect dns preset_dns_map  
  inspect ftp  
  inspect h323 h225  
  inspect h323 ras  
  inspect rsh  
  inspect rtsp  
  inspect esmtp  
  inspect sqlnet  
  inspect skinny  
  inspect sunrpc  
  inspect xdmcp  
  inspect sip  
  inspect netbios  
  inspect tftp  
  inspect ip-options  
!  
service-policy global_policy global  
prompt hostname context  
no call-home reporting anonymous  
Cryptochecksum:6a787924fbd2678c0c41685cbbf16b81  
: end  
no asdm history enable  

Any help would be greatly appreciated, thanks!

Best Answer

An ASA won't try to establish a tunnel until traffic tries to use the tunnel (by matching the crypto ACL).

There are some changes needed to your current configuration before you get to that point.

  • Change the inside interface subnets. They're both on 192.168.1.0/24 right now, so they'd never be able to communicate with the nodes in the same-numbered subnet on the other side of the VPN.
  • Change your crypto ACL to where on each ASA, the source is the inside network and the destination is the remote inside network.

    So, for example, if you changed the inside network on the 5505 to be 192.168.2.0, then you'd want to set up your crypto ACLs like this:

    5512:

    access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    

    5505:

    access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    

Then the tunnel should attempt to establish when traffic is sent from one subnet to the other - so from a node in 192.168.1.0/24, try to ping 192.168.2.1. Alternately, you can use the packet-tracer command to simulate traffic - a simulated packet from one to the other should also get the tunnel to light up.
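As an added illustration of the two checks the answer describes (the protected networks must not overlap, and each side's crypto ACL must be the mirror of the other's), here is a small Python checker. It is example code written for this page, not Cisco's and not the poster's. It parses only the interface, `object network`, `access-list` and `crypto map` lines of an ASA config, runs on constructed samples copied from the posted configs and on a constructed "after" pair that applies the answer's fix, and additionally verifies that the crypto-map peer is the other firewall's outside address rather than the local one. The 5512 peer address 172.16.1.1 in the fixed sample is an assumption derived from the 5505's posted outside address.

```python
import ipaddress

# Constructed samples: only the VPN-relevant lines, copied from the two configs
# posted in the question (outside interface, network object, crypto ACL, crypto map).
ASA5512_AS_POSTED = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.0
object network 192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object 192.168.1.0_24 host 172.16.1.2
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 172.16.1.2
"""
ASA5505_AS_POSTED = """\
interface Vlan2
 nameif outside
 ip address 172.16.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 172.16.1.2
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.2
"""
# Constructed "after" samples following the answer: the 5505 side moved to
# 192.168.2.0/24 and the two crypto ACLs mirrored. Pointing the 5512's peer at
# the 5505's posted outside address (172.16.1.1) is this example's assumption.
ASA5512_FIXED = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 172.16.1.1
"""
ASA5505_FIXED = """\
interface Vlan2
 nameif outside
 ip address 172.16.1.1 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.2
"""


def _operand(toks, i, objects):
    """Decode one ACL address operand (any | host A | object NAME | NET MASK)."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    if toks[i] == "object":
        return objects[toks[i + 1]], i + 2
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}"), i + 2


def parse_asa(config):
    """Extract interface addresses, network objects, crypto ACLs and crypto maps."""
    ifaces, objects, acls, cmaps, acl_lines = {}, {}, {}, {}, []
    cur_if = cur_obj = None
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if not raw.startswith(" "):           # a new top-level command ends any block
            cur_if = cur_obj = None
        if toks[0] == "interface":
            cur_if = {}
        elif toks[:2] == ["object", "network"]:
            cur_obj = toks[2]
        elif cur_if is not None and toks[0] == "nameif":
            cur_if["name"] = toks[1]
        elif cur_if is not None and toks[:2] == ["ip", "address"]:
            cur_if["addr"] = ipaddress.IPv4Interface(f"{toks[2]}/{toks[3]}")
        elif cur_obj and toks[0] == "subnet":
            objects[cur_obj] = ipaddress.IPv4Network(f"{toks[1]}/{toks[2]}")
        elif toks[0] == "access-list":
            acl_lines.append(toks)            # resolved once all objects are known
        elif toks[:2] == ["crypto", "map"] and toks[4:6] == ["match", "address"]:
            cmaps.setdefault(toks[2], {})["acl"] = toks[6]
        elif toks[:2] == ["crypto", "map"] and toks[4:6] == ["set", "peer"]:
            cmaps.setdefault(toks[2], {})["peer"] = ipaddress.IPv4Address(toks[6])
        if cur_if and "name" in cur_if and "addr" in cur_if:
            ifaces[cur_if["name"]] = cur_if["addr"]
    for toks in acl_lines:                    # access-list NAME extended permit ip SRC DST
        if toks[3:5] == ["permit", "ip"]:
            src, i = _operand(toks, 5, objects)
            dst, _ = _operand(toks, i, objects)
            acls.setdefault(toks[1], []).append((src, dst))
    return {"ifaces": ifaces, "acls": acls, "cmaps": cmaps}


def check_l2l(local, remote):
    """Findings for the tunnel as seen from `local` toward `remote`; empty list means consistent."""
    findings = []
    remote_pairs = {p for cm in remote["cmaps"].values() for p in remote["acls"].get(cm.get("acl"), [])}
    for name, cm in local["cmaps"].items():
        peer = cm.get("peer")
        if peer == local["ifaces"]["outside"].ip:
            findings.append(f"PEER-SELF: {name} peers with this firewall's own outside address {peer}")
        elif peer != remote["ifaces"]["outside"].ip:
            findings.append(f"PEER-MISMATCH: {name} peer {peer} is not the remote outside address")
        local_pairs = set(local["acls"].get(cm.get("acl"), []))
        if local_pairs != {(d, s) for s, d in remote_pairs}:
            findings.append(f"NOT-MIRRORED: crypto ACL {cm.get('acl')} is not the mirror of the peer's crypto ACL")
        for src, _ in local_pairs:
            for rsrc, _ in remote_pairs:
                if src.overlaps(rsrc):
                    findings.append(f"OVERLAP: protected networks {src} and {rsrc} overlap")
    return findings


if __name__ == "__main__":
    for label, a, b in [("as posted", ASA5512_AS_POSTED, ASA5505_AS_POSTED),
                        ("after the fix", ASA5512_FIXED, ASA5505_FIXED)]:
        print(label, "(5512 -> 5505):", check_l2l(parse_asa(a), parse_asa(b)) or "no findings")
```

Run as a script, the "as posted" pair reports the overlapping 192.168.1.0/24 networks and the non-mirrored ACLs (plus the 5512 peering with its own outside address), while the fixed pair reports nothing in either direction. The checker only looks at the phase-2 selectors and the peer address; it says nothing about IKE policy or pre-shared-key agreement, so a clean result is a prerequisite, not proof that the tunnel will come up, and `packet-tracer` on the box remains the real test.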