Cisco ASA Site-to-Site IKEv1 IPsec VPN


(Rene Molenaar) #1

This topic is to discuss the following lesson:


Ipsec site to site VPN - NAT required? nat-t information?
(christopher c) #2

Rene,

Hello, that was very good! Is there any issue if there are two different versions of the ASA, one before 8.4 and one after with the keyword “ikev1” and “isakmp”, or is that just a local setting?

Thanks

Chris


(Rene Molenaar) #3

Hi Chris,

That shouldn’t be an issue, these are just local commands.

Rene


(Mohammad Taslim M) #4

Hi Rene,

Thank you for the explanation.

I’ve a question

As the traffic is coming from the OUTSIDE to INSIDE zones, do we need an inbound ACL in the Outside interface ( applicable for both ASAs) ?

Thank you

 

Taslim


(Rene Molenaar) #5

Hi Taslim,

There’s no need to do this, the ASA will permit the site-to-site traffic by default. One thing to remember when configuring site-to-site VPNs is to configure NAT excemption. By default the ASA will translate all packets from the INSIDE, even when the destination is on the other side of the tunnel.

Rene


(wilson T) #6

Hi Rene, Does the OUTSIDE firewall interfaces has to be on the same subnet as shown in your example? Also, do i need an access-group for the access-list?

Thanks


(Rene Molenaar) #7

Hi Wilson,

In my example the two ASAs are on the same subnet since they are directly connected but this is not a requirement. In a real world scenario, each of them will have a public IP address of a different subnet. As long as they can reach each other then you are fine.

You don’t need the access-group, in the crypto-map we refer directly to the access-list.

Rene


(wilson T) #8

Thanks Rene. Makes sense.


(Don D) #9

Hello Rene,

Can we double check the last part. Do we still need to configure the routing on 192.168.1.0/192.168.2.0? As long as both peers are reachable, it should build up a tunnel. Tried to lab it, and it doesn’t require to configure routes for the lan networks.

 

Cheers


(Oskar N) #10

Hi !

 

I am having trouble to get the ping to the outside of both ASA ??


(Oskar N) #11

i did a nat on inside

nat (inside.outside) dynamic interface

i took the nat away …

but from ASA1 can i not ping R2 interface 192.168.2.2 ?? any one that knows ??


(Oskar N) #12

Hi again!

i meant vice versa i can not ping from router 1 inside to outside ASA 1. Perhaps it is the security-level i put by old habit on the interfaces on the ASA.


(Rene Molenaar) #13

Hi Oskar,

You configured site-to-site IPsec VPN plus NAT or only NAT?

Rene


(Oskar N) #14

Hi !
I have configured IPsec VPN without NAT, but i tried with dynamic NAT also.

(inside,outside) dynamic interface

Should you Config seclevel on the interfaces ?

Oskar


(Syed A) #15

Hi Rene!

I tried about half a dozen times to make this exact same config work on GNS3, and so far it has not worked for me. I always get the message “There are no ikev1 SAs”.

I’m looking for ideas on how to troubleshoot my configuration. Any suggestions?

Thanks, Amin


(Rene Molenaar) #16

Hi Amin,

You can add your config files as attachments here, maybe I can quickly spot it.

Rene


(Oskar N) #17

Hi Rene !

nice to be here on the site…learn me real stuff. I will do the config tomorrow and then i will send it to you.

I didnt make any qemu-img in cmd for be able to save the config…

/Oskar


(Rene Molenaar) #18

Hi Amin,

I’ll take a look but I don’t see your attachments :slight_smile:

Rene


(Oskar N) #19

Hi !

i lab it up in virl

i did not do any object nat for inside to get outside, neither did i any nat exemption. i didnt do any access-group ehiter. I put sce-level on the interfaces. I can ping the gateways and outside addresses but not the gateway on the other side.


(Syed A) #20

I’ve copied and pasted the router configs below, instead of sending them as attachments.

Regards, Amin

 

amin_asa1.txt (2.8 KB)

amin_asa2.txt (2.8 KB)

amin_r1.txt (1.2 KB)

amin_r2.txt (1.5 KB)