Thursday, October 11, 2018

Newbie practicing ASA VPN on PT

Hello, /networking

Newbie here practicing on PT.

So here's the scenario: I've got a remote network that I want to connect to the HQ via VPN. On my remote network I'm using a router as the edge, and HQ is an ASA 5505. I've tried checking the connection from my HQ (VLAN 10, 192.168.1.10) to the remote network (192.168.8.0) without the VPN and it works, but when I'm testing ICMP from a VLAN that is mapped to the VPN ACL, my packets get stuck at the ASA. Below is my code for my ASA and remote router. I have not set up any NAT for this, as per my understanding I should only do NAT if my networks overlap. Correct me if I'm wrong.

REMOTE#sh run
Building configuration...

Current configuration : 1549 bytes
!
version 15.3
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname REMOTE
!
boot system flash c1900-universalk9-mz.SPA.155-3.M4a.bin
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX15241TIS
license boot module c1900 technology-package FoundationSuiteK9
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key cisco12345 address 209.165.200.230
!
crypto ipsec transform-set VPN_SET esp-aes esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 209.165.200.230
 set transform-set VPN_SET
 match address VPN_ACL
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.0.0.0
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.8.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.252
 crypto map VPN_MAP
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.165.200.225
!
ip flow-export version 9
!
ip access-list extended VPN_ACL
 permit ip 0.0.0.0 255.255.255.0 192.168.1.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.2.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.3.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.4.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.5.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

..

ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 3
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif inside
 security-level 0
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan3
 nameif outside
 security-level 0
 ip address 209.165.200.230 255.255.255.252
!
object network NET_REMOTE
 subnet 192.168.8.0 255.255.255.0
object network NET_VLAN10
 subnet 192.168.1.0 255.255.255.0
object network NET_VLAN20
 subnet 192.168.2.0 255.255.255.0
object network NET_VLAN30
 subnet 192.168.3.0 255.255.255.0
object network NET_VLAN40
 subnet 192.168.4.0 255.255.255.0
object network NET_VLAN50
 subnet 192.168.5.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.200.229 1
route inside 192.168.1.0 255.255.255.0 192.168.5.2 1
route inside 192.168.2.0 255.255.255.0 192.168.5.2 1
route inside 192.168.3.0 255.255.255.0 192.168.5.2 1
route inside 192.168.4.0 255.255.255.0 192.168.5.2 1
!
access-list VPN_ACL extended permit ip object NET_VLAN20 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN30 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN40 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN50 object NET_REMOTE
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable
!
crypto ipsec ikev1 transform-set VPN_SET esp-aes esp-sha-hmac
!
crypto map VPN_MAP 10 match address VPN_ACL
crypto map VPN_MAP 10 set peer 209.165.200.226
crypto map VPN_MAP 10 set ikev1 transform-set VPN_SET
crypto map VPN_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 209.165.200.226 type ipsec-l2l
tunnel-group 209.165.200.226 ipsec-attributes
 ikev1 pre-shared-key cisco12345
!

ciscoasa#sh crypto ipsec sa
There are no ipsec sas
ciscoasa#sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
ciscoasa#

Did I mess up the configuration? Or is it just a newbie mistake of forgetting some configuration?

PS. I've set the sec level of the inside and outside interfaces of the ASA so I can test the VPN connections first.
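The first thing to check when `show crypto isakmp sa` and `show crypto ipsec sa` are both empty on a site-to-site IKEv1 tunnel is whether the two crypto ACLs (the phase 2 proxy identities) are exact mirrors of each other: every `src -> dst` entry on one peer must appear as `dst -> src` on the other, or the ASA's interesting traffic never matches a router-side entry. The script below is an added example, not the poster's configuration or any Cisco tooling. It normalises the IOS wildcard-mask ACL and the ASA object-based ACL copied from the post into `(src, dst)` subnet pairs and diffs them; `ROUTER_ACL_FIXED` is a constructed variant (not from the post) that writes the router's source as a `192.168.8.0 0.0.0.255` wildcard, so the output also shows what a near-mirror looks like. The parser is deliberately narrow: only `permit ip A WILDCARD B WILDCARD` and `permit ip object X object Y` forms are handled.

```python
"""Mirror-check two IPsec peers' crypto ACLs (proxy identities).

Added example for this post, not the poster's configuration or Cisco code.
IKEv1 phase 2 only completes when each crypto ACL entry on one peer is the
exact reverse (src/dst swapped) of an entry on the other peer, so a quick
first check is to normalise both ACLs to (src, dst) subnet pairs and diff.
"""
import ipaddress
import re

# Crypto ACL of the REMOTE router as it appears in the post (IOS wildcard syntax).
ROUTER_ACL = """
ip access-list extended VPN_ACL
 permit ip 0.0.0.0 255.255.255.0 192.168.1.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.2.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.3.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.4.0 0.0.0.255
 permit ip 0.0.0.0 255.255.255.0 192.168.5.0 0.0.0.255
"""

# Network objects and crypto ACL of the ASA as they appear in the post.
ASA_CONFIG = """
object network NET_REMOTE
 subnet 192.168.8.0 255.255.255.0
object network NET_VLAN10
 subnet 192.168.1.0 255.255.255.0
object network NET_VLAN20
 subnet 192.168.2.0 255.255.255.0
object network NET_VLAN30
 subnet 192.168.3.0 255.255.255.0
object network NET_VLAN40
 subnet 192.168.4.0 255.255.255.0
object network NET_VLAN50
 subnet 192.168.5.0 255.255.255.0
access-list VPN_ACL extended permit ip object NET_VLAN20 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN30 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN40 object NET_REMOTE
access-list VPN_ACL extended permit ip object NET_VLAN50 object NET_REMOTE
"""

# Constructed variant (NOT from the post): the same router ACL with its source
# written as the 192.168.8.0/24 wildcard, to show what a near-mirror reports.
ROUTER_ACL_FIXED = ROUTER_ACL.replace("0.0.0.0 255.255.255.0", "192.168.8.0 0.0.0.255")


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network, or None if the wildcard is not
    contiguous.  0.0.0.0 255.255.255.0 means 'any address whose last octet is 0',
    which is not a single subnet, so it comes back as None."""
    wild = int(ipaddress.IPv4Address(wildcard))
    mask = ~wild & 0xFFFFFFFF
    ones = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        return None
    return ipaddress.IPv4Network((addr, ones), strict=False)


def parse_ios_acl(text):
    """Return ({(src, dst), ...}, [unparseable entries]) for an IOS extended ACL.
    Only the 'permit ip A WILD B WILD' form is handled; 'any'/'host' are not."""
    pairs, bad = set(), []
    for m in re.finditer(r"permit ip (\S+) (\S+) (\S+) (\S+)", text):
        src = wildcard_to_network(m.group(1), m.group(2))
        dst = wildcard_to_network(m.group(3), m.group(4))
        if src is None or dst is None:
            bad.append(m.group(0))
        else:
            pairs.add((str(src), str(dst)))
    return pairs, bad


def parse_asa_acl(text, acl_name):
    """Resolve 'object network ... subnet' names and return acl_name's (src, dst) pairs."""
    objects = {}
    for m in re.finditer(r"object network (\S+)\n\s*subnet (\S+) (\S+)", text):
        objects[m.group(1)] = str(ipaddress.IPv4Network((m.group(2), m.group(3))))
    pattern = rf"access-list {re.escape(acl_name)} extended permit ip object (\S+) object (\S+)"
    return {(objects[m.group(1)], objects[m.group(2)]) for m in re.finditer(pattern, text)}


def check(router_text, asa_text, acl_name="VPN_ACL"):
    """Diff the two sides: an ASA entry (s, d) must exist on the router as (d, s)."""
    router_pairs, bad = parse_ios_acl(router_text)
    asa_pairs = parse_asa_acl(asa_text, acl_name)
    return {
        "router_invalid": bad,
        "router_only": sorted(router_pairs - {(d, s) for (s, d) in asa_pairs}),
        "asa_only": sorted(p for p in asa_pairs if (p[1], p[0]) not in router_pairs),
    }


if __name__ == "__main__":
    for label, acl in (("as posted", ROUTER_ACL), ("constructed fixed variant", ROUTER_ACL_FIXED)):
        print(f"--- router ACL {label} ---")
        for key, value in check(acl, ASA_CONFIG).items():
            print(f"{key}: {value or 'none'}")
```

Run on the ACLs as posted, every router entry lands in `router_invalid` (a `255.255.255.0` wildcard is not the inverse of a subnet mask) and all four ASA entries are left without a mirror; on the constructed variant only the `192.168.8.0/24 -> 192.168.1.0/24` entry is reported as router-only, because the ASA's VPN_ACL has no NET_VLAN10 line. The script looks at proxy identities only; it says nothing about the other thing visible in the post, both ASA interfaces at security-level 0, which on an ASA stops traffic between them unless `same-security-traffic permit inter-interface` is configured.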
