problem with l2l vpn on asa 5505



  • gogi100
    Member
    #161499

    Hi, I have a problem with my ASA 5505s in an L2L VPN. The configuration of my network is

    LAN(192.168.5.0)>asa192.168.5.1>asa10.15.100.15>router10.15.100.1>8 routers>router10.13.74.1>asa10.13.74.50>asa192.168.0.15>LAN192.168.0.0

    Configurations of the ASAs

    Result of the command: “sh ru”
    ASA Version 8.4(2)
    hostname ciscoasa
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.15.100.15 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Makenzijeva-site
    subnet 192.168.0.0 255.255.255.0
    object network Palata-site
    subnet 192.168.5.0 255.255.255.0
    object network Sharepoint
    host 192.168.5.37
    access-list outside_cryptomap extended permit ip object Palata-site object Makenzijeva-site
    access-list inside_access_in extended permit ip object Palata-site any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static Palata-site Palata-site destination static Makenzijeva-site Makenzijeva-site no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Sharepoint
    nat (inside,outside) static 10.15.100.20 dns
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ….
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    …..
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 10.13.74.50

    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map interface outside

    dhcpd address 192.168.5.5-192.168.5.132 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn

    group-policy GroupPolicy_10.13.74.50 internal
    group-policy GroupPolicy_10.13.74.50 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 10.13.74.50 type ipsec-l2l
    tunnel-group 10.13.74.50 general-attributes
    default-group-policy GroupPolicy_10.13.74.50
    tunnel-group 10.13.74.50 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    …..

    hostname asa-makenzijeva
    enable password csq7sfr0bQJqMGET encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names

    interface Ethernet0/0
    switchport access vlan 2

    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.15 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.13.74.50 255.255.255.0
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network FIREWALL-MAKENZIJEVA-LAN
    host 192.168.0.15
    object network MAKENZIJEVA-site
    subnet 192.168.0.0 255.255.255.0
    object network PALATA-site
    subnet 192.168.5.0 255.255.255.0
    object network DRI-AD
    host 192.168.0.20
    object network DRI-VM
    host 192.168.0.28
    object network UPRAVA-Router
    host 10.13.74.1
    access-list outside_cryptomap extended permit ip object MAKENZIJEVA-site object PALATA-site
    access-list INTERESTING-VPN-TRAFFIC extended permit ip object MAKENZIJEVA-site object PALATA-site
    access-list inside_access_in extended permit ip object MAKENZIJEVA-site any
    access-list outside_access_in extended permit ip any any

    nat (inside,outside) source static MAKENZIJEVA-site MAKENZIJEVA-site destination static PALATA-site PALATA-site no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network DRI-AD
    nat (inside,outside) static 10.13.74.51 dns
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.13.74.1 1

    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.13.74.0 255.255.255.0 outside
    http 10.15.100.0 255.255.255.0 outside
    http 192.168.5.0 255.255.255.0 outside
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    …..
    crypto map outside_map 1 match address outside_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 10.15.100.15
    crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
    crypto map outside_map interface outside
    ……
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy_10.15.100.15 internal
    group-policy GroupPolicy_10.15.100.15 attributes
    vpn-tunnel-protocol ikev1 ikev2
    tunnel-group 10.15.100.15 type ipsec-l2l
    tunnel-group 10.15.100.15 general-attributes
    default-group-policy GroupPolicy_10.15.100.15
    tunnel-group 10.15.100.15 ipsec-attributes
    ikev1 pre-shared-key *****
    ikev2 remote-authentication pre-shared-key *****
    ikev2 local-authentication pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    ……

    I configured the L2L VPN with the site-to-site wizard, but traffic does not go through the tunnel. There is a tunnel
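The following checker is an added example, not code from the post above or from Cisco. It parses a small subset of the ASA syntax shown in the two running configs (interfaces, network objects, crypto ACLs, twice-NAT rules, IKEv1 transform sets and crypto map entries) and cross-checks the two peers: the crypto map peer on each side must be the other side's outside address, the two crypto ACLs must be mirror images, each crypto ACL pair needs an identity (NAT-exempt) twice-NAT rule so the traffic is not translated before it reaches the tunnel, and any selected IKEv1 transform set that uses DES, 3DES or MD5 is reported because those algorithms are no longer considered adequate. The embedded configs are trimmed excerpts of the two configs in the post; the crypto map name and sequence number `outside_map 1` are taken from them. The check does not cover IKE phase 1 policies, pre-shared-key agreement, or whether the routers between the two sites pass UDP 500/4500 and ESP.

```python
"""Cross-check a pair of Cisco ASA L2L VPN configs (added example; not from the post or Cisco).
Parses a small subset of ASA syntax and reports non-reciprocal peers, crypto ACLs that are
not mirror images, crypto ACL pairs lacking an identity (NAT-exempt) twice-NAT rule, and
IKEv1 transform sets in the crypto map that use DES, 3DES or MD5.
The embedded configs are trimmed excerpts of the two running configs posted above."""
import ipaddress
import re

PALATA_CFG = """\
interface Vlan2
 nameif outside
 ip address 10.15.100.15 255.255.255.0
object network Makenzijeva-site
 subnet 192.168.0.0 255.255.255.0
object network Palata-site
 subnet 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip object Palata-site object Makenzijeva-site
nat (inside,outside) source static Palata-site Palata-site destination static Makenzijeva-site Makenzijeva-site no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.13.74.50
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-DES-MD5
"""

MAKENZIJEVA_CFG = """\
interface Vlan2
 nameif outside
 ip address 10.13.74.50 255.255.255.0
object network MAKENZIJEVA-site
 subnet 192.168.0.0 255.255.255.0
object network PALATA-site
 subnet 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip object MAKENZIJEVA-site object PALATA-site
nat (inside,outside) source static MAKENZIJEVA-site MAKENZIJEVA-site destination static PALATA-site PALATA-site no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-DES-MD5
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$")
TSET_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+) (.+)$")
CMAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$")
NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}  # algorithms to flag in a selected transform set

def parse_asa(text):
    """Collect outside IP, network objects, crypto ACLs, twice-NAT rules, transform sets, crypto map."""
    cfg = {"outside_ip": None, "objects": {}, "acls": {}, "nat": [], "tsets": {}, "cmap": {}}
    cur_obj, in_outside = None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            cur_obj, in_outside = None, False
        elif line.startswith("object network "):
            cur_obj, in_outside = line.split()[2], False
        elif line.startswith("nameif "):
            in_outside = line.split()[1] == "outside"
        elif in_outside and line.startswith("ip address "):
            cfg["outside_ip"] = line.split()[2]
        elif cur_obj and line.startswith("subnet "):  # "subnet NET MASK" -> NET/MASK
            cfg["objects"][cur_obj] = ipaddress.ip_network("/".join(line.split()[1:]))
        elif cur_obj and line.startswith("host "):
            cfg["objects"][cur_obj] = ipaddress.ip_network(line.split()[1])
        elif (m := ACL_RE.match(line)):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3]))
        elif (m := NAT_RE.match(line)):  # (real_src, mapped_src, real_dst, mapped_dst)
            cfg["nat"].append(tuple(m.groups()))
        elif (m := TSET_RE.match(line)):
            cfg["tsets"][m[1]] = m[2].split()
        elif (m := CMAP_RE.match(line)):
            cfg["cmap"].setdefault((m[1], m[2]), {})[m[3]] = m[4].split()
    return cfg

def resolve(cfg, name_pairs):
    """Map (src_obj, dst_obj) object-name pairs to (src_net, dst_net) network pairs."""
    return {(cfg["objects"][s], cfg["objects"][d]) for s, d in name_pairs}

def weak_transform_sets(cfg, entry):
    """Names of the entry's IKEv1 transform sets that use DES, 3DES or MD5."""
    names = cfg["cmap"][entry].get("set ikev1 transform-set", [])
    return sorted(n for n in names if WEAK & set(cfg["tsets"].get(n, [])))

def check_pair(cfg_a, cfg_b, entry=("outside_map", "1")):
    """Cross-check the two peers' crypto map entries; returns human-readable findings."""
    findings = []
    a, b = cfg_a["cmap"][entry], cfg_b["cmap"][entry]
    if a["set peer"][0] != cfg_b["outside_ip"] or b["set peer"][0] != cfg_a["outside_ip"]:
        findings.append("peer addresses are not reciprocal")
    pa = resolve(cfg_a, cfg_a["acls"].get(a["match address"][0], []))
    pb = resolve(cfg_b, cfg_b["acls"].get(b["match address"][0], []))
    if pa != {(d, s) for s, d in pb}:  # B's ACL, read in reverse, must equal A's
        findings.append("crypto ACLs are not mirror images of each other")
    for label, cfg, pairs in (("A", cfg_a, pa), ("B", cfg_b, pb)):
        # identity twice-NAT: real and mapped objects are the same on both ends
        exempt = resolve(cfg, [(s, d) for s, s2, d, d2 in cfg["nat"] if s == s2 and d == d2])
        if pairs - exempt:
            findings.append(f"side {label}: no identity NAT for {sorted(map(str, pairs - exempt))}")
        if weak := weak_transform_sets(cfg, entry):
            findings.append(f"side {label} offers weak transform sets: {', '.join(weak)}")
    return findings
```

Run against the two excerpts, `check_pair` finds the peers, crypto ACLs and identity NAT rules consistent and reports only that both sides still offer `ESP-DES-MD5`; removing one side's `nat ... source static` rule or changing one subnet produces the corresponding finding, which is the kind of mismatch that leaves a tunnel established but carrying no traffic.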
