Can't establish VPN to ASA 5505

Answered Question
May 17th, 2007

I am trying to set up a Site-to-Site VPN network. Right now I am trying to make this work in the lab. I have the Internet port on the Linksys connected directly to port 0 on the cisco which was set up as the internet port.

My setup is as follows:

Remote Site

Laptop 1 - IP Address 192.168.2.100 255.255.255.0 GW 192.168.2.1

Router 1 (Linksys BEFSX41) - LAN IP Address 192.168.2.1 255.255.255.0

WAN IP Address 209.168.145.49 255.255.255.0 GW 209.168.145.50

Host Site

Laptop 2 - IP Address 192.168.1.100 255.255.255.0 GW 192.168.1.1

Router 2 (Cisco ASA 5505) - LAN 0 IP Address 192.168.1.1 255.255.255.0

WAN IP Address (Port 0) 209.168.145.50 255.255.255.0

My problems:

I am using ASDM 5.2 to configure the ASA router. With the configuration I currently have my linksys is not able to establish a VPN connection. The ASA Log reported via the ASDM is as shown in the ciscolog.txt attachment.

My linksys log is as shown in the linksyslog.txt attachment.

I also tried to create a Cisco VPN client connection using the Cisco client software and connected one of the laptops directly to the internet port (port 0) on the Cisco router and was not able to make a connection with that either. I used the ASDM VPN wizard to attempt to set up both the site-to-site as well as the remote connection scenarios. This has been unsuccessful in both instances.

The only one I am really concerned with getting to work is the site-to-site.

My current cisco configuration is shown in the cisco.txt attachment.

If anyone has any input I would greatly appreciate it. I have been through the cisco manuals as well as scouring the internet and am unable to find an answer.

I have attached 3 files, the cisco log (ciscolog.txt), linksys log (linksyslog.txt) and cisco config (cisco.txt) as text files.

Thanks.

Sean

ggilbert Thu, 05/17/2007 - 07:07

Hello Sean,

Can you please send me the config of the ASA. I will take a look at the config and let you know. In the meantime, I will look into the logs on the ASA.

Thanks

Gilbert

citnetworks Thu, 05/17/2007 - 07:13

Hi Gilbert,

Do you want the actual config file as obtained via ftp or just the text printout of the config? I have attached the text printout of the config for the ASA to the post.

Thanks for your help.

Sean

ggilbert Thu, 05/17/2007 - 07:13

I did look into the config attached to this case. Here is what you need to do.

Look at the Access-list configured on the ASA.

access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip any 192.168.2.0 255.255.255.0

It should be the just one access-list as given below:

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

And the access-list given below:

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Should be changed to:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Let me know if this helps and fixes your problem.

Rate this post.

Cheers

Gilbert

acomiskey Thu, 05/17/2007 - 07:21

Get rid of these entries...

no access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list outside_20_cryptomap extended permit ip any 192.168.2.0 255.255.255.0

Add these...

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Interesting traffic on the linksys should be 192.168.2.0 to 192.168.1.0, or the mirror of what it is on the ASA.

Can you post more details of the linksys config?

edit: Sorry gilbert, simultaneous post, good to see we both think alike.

citnetworks Thu, 05/17/2007 - 08:54

Thanks guys. Still no go. I am attaching the new cisco config which includes a new error message I am now getting. I am also attaching the screenshots of my Linksys config. I was not sure how to get that in text format.

Sean

acomiskey Thu, 05/17/2007 - 09:12

Are you trying to bring up the tunnel by going from 192.168.2.x on linksys side to 209.168.145.50 on ASA?

This traffic is not defined in the crypto acl on the ASA. Only traffic between 192.168.2.0 and 192.168.1.0 is defined. Try adding...

access-list outside_cryptomap_20 extended permit ip host 209.168.145.50 192.168.2.0 255.255.255.0

ggilbert Thu, 05/17/2007 - 09:27

As Adam said, if you are trying to bring up the tunnel from 192.168.2.x to 209.168.145.50/32 then you would need to have that access-list; if not, please change the Remote Secure Group information on the Linksys side to 192.168.1.0 and make sure you change it to Subnet and not IP address.

Also, Change your proposal 1 lifetime to 86400 on the linksys side.

Also you need to enable PFS on the key management section since you have PFS enabled on the ASA side. Or take the command "crypto map outside_map 20 set pfs" out of the ASA.

Along with that, you do not have by-pass NAT on the ASA.

Add the statement

nat (inside) 0 access-l inside_nat0_outbound

Let me know how it pans out. :)

Good luck!!

Cheers

Gilbert

citnetworks Thu, 05/17/2007 - 10:53

Thanks guys. That looks like that almost has it. I made these changes but those changes by themselves did not correct the problem. However, under the advanced settings section on the linksys, I changed the group dropdown on the Proposal section of both of the phases to 1024-bit instead of the 768 it was set to and the tunnel was established.

Now I have one last issue which I know is just my routing tables but could still use some help...

Laptop1 with IP address 192.168.2.100 on the remote Linksys network cannot ping laptop2 with IP address 192.168.1.20 on the host Cisco network. Nor can I establish a remote desktop session between the two.

When I try to ping from the remote laptop it is telling me that "no translation group for icmp src outside 209.168.145.49 dst inside: 192.168.1.20". When I try to ping from the host laptop to the remote i get "deny inbound icmp src inside 192.168.1.20 dst inside 192.168.2.100".

I set the Remote Secure Group on the linksys to the internet ip address on the cisco, 209.168.145.50.

Thanks again.

Sean

acomiskey Thu, 05/17/2007 - 11:08

I would think, as gilbert said, that the "remote secure group" on the linksys should be subnet 192.168.1.0.

Post your new asa config.

"no translation group for icmp src outside 209.168.145.49 dst inside: 192.168.1.20"

This one is because your remote secure group is not configured as 192.168.1.0, so that traffic from the Linksys is not crossing the tunnel; it is arriving at the ASA and the ASA doesn't like it.

"deny inbound icmp src inside 192.168.1.20 dst inside 192.168.2.100"

The only route you should have is this, since these devices are directly connected. The ASA thinks 192.168.2.x is inside, which is incorrect.

route outside 0 0 209.168.145.49

citnetworks Thu, 05/17/2007 - 12:34

Okay. I made the change to my remote secure group on the linksys and added that route to the cisco.

Now I get the same message for both the ping from the remote laptop to the host laptop as well as from the host laptop to the remote.

"deny inbound icmp src inside 192.168.1.20 dst inside 192.168.2.100"

I am attaching my latest cisco configuration. I also added several ICMP access rules but they did not help.

Sean

acomiskey Thu, 05/17/2007 - 13:12

no route inside 192.168.2.0 255.255.255.0 209.168.145.50 1

and you do not need to allow the traffic in an access-list; it is denying it because you have told the ASA with a route statement that 192.168.2.0 is inside, when in fact it is not. By default, traffic cannot enter and exit the same interface; that is why you get "deny inbound". Also, all the traffic will pass because of "sysopt connection permit-ipsec", which you will not see in the config but will see if you do a "show run sysopt". This command allows all tunnel traffic to bypass the interface access-lists.
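The three ASA-side mistakes this thread works through (a crypto ACL that is not the mirror image of the peer's interesting traffic, a nat0 ACL in the wrong direction and not bound with "nat (inside) 0", and a "route inside" pointing at the remote LAN) can be checked mechanically. Below is an added Python consistency check, not code from the thread or from Cisco; ASA_BEFORE and ASA_AFTER are constructed from the lines quoted in the replies above, and the function names are my own.

```python
import ipaddress
# Constructed sample: the ASA lines quoted in this thread, before and after the fixes.
ASA_BEFORE = """
access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
route inside 192.168.2.0 255.255.255.0 209.168.145.50 1
"""
ASA_AFTER = """
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 209.168.145.49 1
"""

def _addr(t, i):
    """Parse one ASA address spec at t[i] (any / host X / network mask); return (net, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_asa(config):
    """Collect permit-ip ACEs per ACL name, the ACL bound by nat (inside) 0, and static routes."""
    acls, routes, nat0 = {}, [], None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, j = _addr(t, 5)
            acls.setdefault(t[1], []).append((src, _addr(t, j)[0]))
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0 = t[4]
        elif t[:1] == ["route"]:
            routes.append((t[1], _addr(t, 2)[0], t[4]))
    return acls, nat0, routes

def check_site_to_site(config, crypto_acl, nat0_acl, local_net, remote_net):
    """Return findings for the ASA side of a LAN-to-LAN tunnel; an empty list means consistent."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    acls, nat0_ref, routes = parse_asa(config)
    # The crypto ACL must mirror the peer's interesting traffic: ASA LAN -> remote LAN, nothing broader.
    findings = [f"{crypto_acl}: {src} -> {dst} should be {local} -> {remote}"
                for src, dst in acls.get(crypto_acl, []) if (src, dst) != (local, remote)]
    # NAT exemption needs the same pair and must be bound with nat (inside) 0.
    if nat0_ref != nat0_acl or (local, remote) not in acls.get(nat0_acl, []):
        findings.append(f"{nat0_acl}: {local} -> {remote} exemption missing or not bound by nat (inside) 0")
    # Routing the remote LAN to the inside interface makes every reply hairpin ('deny inbound').
    for iface, net, gw in routes:
        if iface == "inside" and net.overlaps(remote):
            findings.append(f"route inside {net} via {gw} places the remote LAN on the inside")
    return findings
```

Run against ASA_BEFORE it reports the two wrong crypto ACEs, the NAT exemption problem and the inside route; against ASA_AFTER it returns an empty list.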

Correct Answer
ggilbert Fri, 05/18/2007 - 02:15

I hope that route statement fixes your issue.

- Gilbert

Nice work, Adam!

citnetworks Thu, 05/31/2007 - 07:10

Thanks guys. What I found out was...

When I ran the ASDM wizard to initially configure the ASA5505, I had my network ip addresses backwards as you pointed out. My second issue was improper configuration of my Linksys router which was also corrected with your suggestions.

The last issue that I was having with actually seeing devices on each network from the other was strictly routes and ACLs, which I worked through.

Thank you both for your help.

Sean
