Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    site to site vpn configuration between pfsense and cisco asa 5505

    Scheduled Pinned Locked Moved General pfSense Questions
    29 Posts 3 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      OK great. So that ping should match the ipsec policy and be carried.
      If you run a packet capture on the ipsec interface you would see the requests leave.

      It looks like you are missing a rule on the other side to pass it.

      Steve

      F 1 Reply Last reply Reply Quote 0
      • F
        franco22 @stephenw10
        last edited by

        @stephenw10 daadc513-eb62-4a2e-b7c8-9f9dd9669c79-image.png .

        Below I have mentioned the cli of asa

        ASA Version 8.4(2)
        !
        hostname ciscoasa
        enable password 8Ry2YjIyt7RRXU24 encrypted
        passwd 2KFQnbNIdI.2KYOU encrypted
        names
        !
        interface Ethernet0/0
        switchport access VLAN 2
        !
        interface Ethernet0/1
        !
        interface Ethernet0/2
        !
        interface Ethernet0/3
        !
        interface Ethernet0/4
        !
        interface Ethernet0/5
        !
        interface Ethernet0/6
        !
        interface Ethernet0/7
        !
        interface Vlan1
        nameif inside
        security-level 100
        ip address 192.168.30.150 255.255.255.0
        !
        interface Vlan2
        nameif outside
        security-level 0
        ip address 192.168.10.150 255.255.255.0
        !
        ftp mode passive
        clock timezone GMT 0
        object network NETWORK_OBJ_192.168.20.0_24
        subnet 192.168.20.0 255.255.255.0
        object network NETWORK_OBJ_192.168.30.0_24
        subnet 192.168.30.0 255.255.255.0
        object-group service DM_INLINE_SERVICE_1
        service-object ip
        service-object icmp
        service-object icmp echo
        service-object icmp echo-reply
        object-group service DM_INLINE_SERVICE_2
        service-object ip
        service-object icmp
        service-object icmp echo-reply
        access-list outside_cryptomap_10 remark ACL to encrypt traffic from ASA to pfSense
        access-list outside_cryptomap_10 extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
        access-list outside-in extended permit ip any any
        access-list outside_access_in remark icmp reply to vpn
        access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 192.168.30.0 host 192.168.20.0
        access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
        access-list inside_access_in extended permit ip host 192.168.20.175 host 192.168.30.0
        access-list global_access extended permit ip any any
        access-list OUTSIDE_IN extended permit icmp any any echo-reply
        pager lines 24
        logging enable
        logging asdm informational
        mtu inside 1500
        mtu outside 1500
        icmp unreachable rate-limit 1 burst-size 1
        asdm image disk0:/asdm-731.bin
        no asdm history enable
        arp timeout 14400
        nat (inside,outside) source static NETWORK_OBJ_192.168.30.0_24 NETWORK_OBJ_192.168.30.0_24 destination static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 no-proxy-arp route-lookup
        !
        nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.30.0_24 interface
        access-group inside_access_in in interface inside
        access-group OUTSIDE_IN in interface outside
        access-group global_access global
        route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
        timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
        timeout tcp-proxy-reassembly 0:01:00
        timeout floating-conn 0:00:00
        dynamic-access-policy-record DfltAccessPolicy
        user-identity default-domain LOCAL
        http server enable
        http 192.168.30.0 255.255.255.0 inside
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
        crypto ipsec ikev1 transform-set pfSense esp-aes esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
        crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
        crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
        crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
        crypto ipsec ikev2 ipsec-proposal DES
        protocol esp encryption des
        protocol esp integrity sha-1 md5
        crypto ipsec ikev2 ipsec-proposal 3DES
        protocol esp encryption 3des
        protocol esp integrity sha-1 md5
        crypto ipsec ikev2 ipsec-proposal AES
        protocol esp encryption aes
        protocol esp integrity sha-1 md5
        crypto ipsec ikev2 ipsec-proposal AES192
        protocol esp encryption aes-192
        protocol esp integrity sha-1 md5
        crypto ipsec ikev2 ipsec-proposal AES256
        protocol esp encryption aes-256
        protocol esp integrity sha-1 md5
        crypto map outside_map 10 match address outside_cryptomap_10
        crypto map outside_map 10 set peer 192.168.10.175
        crypto map outside_map 10 set ikev1 transform-set pfSense
        crypto map outside_map 10 set reverse-route
        crypto map outside_map interface outside
        crypto ikev1 enable outside
        crypto ikev1 policy 1
        authentication pre-share
        encryption aes
        hash sha
        group 2
        lifetime 86400
        telnet timeout 5
        ssh timeout 5
        console timeout 0

        threat-detection basic-threat
        threat-detection statistics port
        threat-detection statistics protocol
        threat-detection statistics access-list
        no threat-detection statistics tcp-intercept
        webvpn
        group-policy DfltGrpPolicy attributes
        vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
        username franco password rkfkSGltksT7dMZG encrypted
        tunnel-group 192.168.10.175 type ipsec-l2l
        tunnel-group 192.168.10.175 ipsec-attributes
        ikev1 pre-shared-key *****
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map type inspect dns preset_dns_map
        parameters
        message-length maximum client auto
        message-length maximum 512
        policy-map global_policy
        class inspection_default
        inspect dns preset_dns_map
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect ip-options
        inspect netbios
        inspect rsh
        inspect rtsp
        inspect skinny
        inspect esmtp
        inspect sqlnet
        inspect sunrpc
        inspect tftp
        inspect sip
        inspect xdmcp
        inspect icmp
        !
        service-policy global_policy global
        prompt hostname context
        no call-home reporting anonymous
        call-home
        profile CiscoTAC-1
        no active
        destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
        destination address email callhome@cisco.com
        destination transport-method http
        subscribe-to-alert-group diagnostic
        subscribe-to-alert-group environment
        subscribe-to-alert-group inventory periodic monthly
        subscribe-to-alert-group configuration periodic monthly
        subscribe-to-alert-group telemetry periodic daily
        Cryptochecksum:ad5e08543ca85592802a161b0b39c406
        : end

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          It could also be the host at 192.168.30.1 rejecting it.

          You should use a non-default password on the ASA. ๐Ÿ˜‰

          Steve

          F 1 Reply Last reply Reply Quote 0
          • F
            franco22 @stephenw10
            last edited by

            @stephenw10 b01c20fe-5cd7-4bdf-a80f-7f58dd42785b-image.png

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Ok, why is it configured as mobile IPSec? That's a site-to-site tunnel.

              In that screenshot it is up at phase1 only. You need phase2 to be up to carry any traffic.
              But you said you could ping from the ASA to pfSense so it must have been up then.

              What exactly are you showing us there?

              Steve

              F 1 Reply Last reply Reply Quote 0
              • F
                franco22 @stephenw10
                last edited by

                @stephenw10 sorry bro i have completed the site to site VPN this was ipsec remote VPN config so you able to help with this plz..

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Ok, well it's not connected at phase 2 so check the IPSec logs for errors.

                  How is it configured? What are you connecting to it with?

                  Did you follow a guide for this?

                  Steve

                  F 1 Reply Last reply Reply Quote 0
                  • F
                    franco22 @stephenw10
                    last edited by

                    @stephenw10
                    ASA and Pfsence connected in a same switch I want to do sla can u able to help with this

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      So you are still doing the site to site tunnel? Not mobile IPSec? (which is what I thought you meant by 'ipsec remote VPN').

                      Check the logs for errors on both sides.

                      Either the phase 2s do not match or you have no traffic there to bring them up.

                      Steve

                      1 Reply Last reply Reply Quote 0
                      • F
                        franco22 @JKnott
                        last edited by

                        @jknott hello How are You Can you Able to help with this issue pls asa and pfsence in same vlan and i have to do sla

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          In pfSense it should be no more difficult than adding firewall rule in IPSec to allow echo requests from whatever IP the ASA is using to send them.

                          Steve

                          F 1 Reply Last reply Reply Quote 0
                          • F
                            franco22 @stephenw10
                            last edited by

                            @stephenw10
                            Did You know about Haywire

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              Umm, probably not.
                              The film? I enjoyed it. ๐Ÿ˜‰

                              Steve

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.