07-31-2007 06:53 AM - edited 03-11-2019 03:51 AM
Hi,
My VPN tunnel is not working, nor does anything show in debug. Please check my config to see if I am doing anything wrong.
--------
on ASA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map test_120 match address internet_cryptomap_120
crypto map test_120 set peer 20.5.9.12
crypto map test_120 set transform-set ESP-3DES-SHA
crypto map test_120 interface internet
crypto map test_120 set security-association lifetime seconds 3600
isakmp enable internet
!
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
pre-shared-key *
tunnel-group 20.5.9.12 type ipsec-l2l
tunnel-group 20.5.9.12 ipsec-attributes
pre-shared-key *
access-list optfir_nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
access-list internet_cryptomap_120 extended permit tcp host 10.10.12.14 host 192.168.1.1 eq www
access-list internet_cryptomap_120 extended permit icmp host 10.10.12.14 host 192.168.1.1
nat (optfir) 0 access-list optfir_nat0_outbound
-----------------------------------------------------------------------------------------
on PIX
crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
crypto map vpn 70 set peer 143.22.1.1
crypto map vpn 70 set transform-set ESP-3DES-SHA
crypto map vpn 70 set security-association lifetime seconds 3600
crypto isakmp enable outside
tunnel-group 143.22.1.1 type ipsec-l2l
tunnel-group 143.22.1.1 ipsec-attributes
pre-shared-key *
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_70_cryptomap_1 extended permit tcp host 10.10.12.14 host 192.168.1.1
access-list inside_nat_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
global (outside) 3 192.168.1.1 netmask 255.255.255.0 <<<---- here I am NATting all internal hosts to 192.168.1.1
nat (inside) 3 access-list inside_nat_outbound
07-31-2007 07:01 AM
You have several things wrong here:
1. You have pfs on the PIX, but not the ASA
2. Your ACLs on the PIX are not a mirror of the ASA. Basically, you must switch the source and destination IPs in the crypto ACL and NAT 0 ACL.
3. You need to change your NAT command to a NAT 0. Like ...
nat (inside) 0 access-list inside_nat_outbound
*** Please rate ***
07-31-2007 07:11 AM
3. You need to change your NAT command to a NAT 0. Like ...
nat (inside) 0 access-list inside_nat_outbound
Does this mean "do not NAT"? Please advise; we do need all internal IPs to NAT to 192.168.1.1 and then go to the ASA.
Regards,
07-31-2007 07:18 AM
You will need one nat/global pair for outbound access. You will need a second nat for the VPN.
here is an example
for outbound traffic:
nat (inside) 3 192.168.1.0 255.255.255.0
global (outside) 3 172.16.1.1
for vpn:
access-list vpn_access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn_access
THIS MUST BE DONE ON BOTH FIREWALLS, AND MAKE SURE IT IS MIRRORED.
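One way to catch the mismatches listed in the replies above mechanically, as an added example that is not part of the original thread: a small Python script that parses the crypto map, PFS, crypto ACL and nat 0 lines of both peers and reports anything that is not mirrored. The sample configs are constructed from the names and addresses in the thread (the crypto map name and sequence number `test 120` are an assumption, since the post shows them fused), and the corrected pair shows PFS on both sides with the PIX ACLs reversed and a nat 0 on the PIX.

```python
"""Consistency check for an ASA/PIX LAN-to-LAN IPsec pair (added example, not from
the thread): parse crypto map, PFS, crypto ACL and nat 0 lines of both firewalls
and report the mismatches that keep the tunnel from negotiating or passing traffic."""
import re
from dataclasses import dataclass, field

# Sample configs constructed from the names and addresses used in the thread.
ASA_CONFIG = """
crypto map test 120 match address internet_cryptomap_120
access-list optfir_nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
access-list internet_cryptomap_120 extended permit tcp host 10.10.12.14 host 192.168.1.1 eq www
access-list internet_cryptomap_120 extended permit icmp host 10.10.12.14 host 192.168.1.1
nat (optfir) 0 access-list optfir_nat0_outbound
"""
PIX_HEAD = """
crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
"""
PIX_CONFIG = PIX_HEAD + """
access-list outside_70_cryptomap_1 extended permit tcp host 10.10.12.14 host 192.168.1.1
access-list inside_nat_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
nat (inside) 3 access-list inside_nat_outbound
"""
# Corrected pair: PFS on both sides, PIX crypto ACL mirrored, mirrored nat 0 on the PIX.
ASA_FIXED = ASA_CONFIG + "crypto map test 120 set pfs\n"
PIX_FIXED = PIX_HEAD + """
access-list outside_70_cryptomap_1 extended permit tcp host 192.168.1.1 eq www host 10.10.12.14
access-list outside_70_cryptomap_1 extended permit icmp host 192.168.1.1 host 10.10.12.14
access-list inside_nat0_outbound extended permit ip host 192.168.1.1 host 10.10.12.14
nat (inside) 0 access-list inside_nat0_outbound
"""
_CMAP = re.compile(r"crypto map \S+ \d+ (match address|set pfs) ?(\S*)")
_ACE = re.compile(r"access-list (\S+) extended permit (\S+) (.+)")
_NAT0 = re.compile(r"nat \(\S+\) 0 access-list (\S+)")


@dataclass
class Peer:
    name: str
    pfs: bool = False
    crypto_acl: str = ""
    nat0_acl: str = ""
    acls: dict = field(default_factory=dict)  # name -> [(proto, (src, port), (dst, port))]


def parse_endpoints(tokens):
    """ACE addresses are 'host A' or 'NET MASK', each with an optional 'eq PORT'."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "host":
            addr, i = tokens[i + 1] + "/255.255.255.255", i + 2
        else:
            addr, i = tokens[i] + "/" + tokens[i + 1], i + 2
        port = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
        i += 2 if port else 0
        out.append((addr, port))
    if len(out) != 2:
        raise ValueError("expected exactly a source and a destination: " + " ".join(tokens))
    return out[0], out[1]


def parse_peer(name, config):
    peer = Peer(name)
    for line in config.strip().splitlines():
        if m := _CMAP.match(line):
            if m[1] == "set pfs":
                peer.pfs = True
            else:
                peer.crypto_acl = m[2]
        elif m := _ACE.match(line):
            src, dst = parse_endpoints(m[3].split())
            peer.acls.setdefault(m[1], []).append((m[2], src, dst))
        elif m := _NAT0.match(line):
            peer.nat0_acl = m[1]
    return peer


def mirror_findings(a, b, acl_a, acl_b, label):
    """Every ACE on a must exist on b with source and destination swapped (ports included)."""
    mirrored = set(b.acls.get(acl_b, []))
    return [f"{label}: {a.name} ACE '{p} {s[0]} -> {d[0]}' has no mirror on {b.name}"
            for p, s, d in a.acls.get(acl_a, []) if (p, d, s) not in mirrored]


def compare(a, b):
    """Human-readable mismatches between two peers; an empty list means consistent."""
    findings = []
    if a.pfs != b.pfs:
        findings.append(f"pfs: {a.name}={'on' if a.pfs else 'off'}, {b.name}={'on' if b.pfs else 'off'}")
    for x in (a, b):
        if x.crypto_acl not in x.acls:
            findings.append(f"crypto acl: {x.name} crypto map references no defined ACL")
        if x.nat0_acl not in x.acls:
            findings.append(f"nat 0: {x.name} has no nat 0 ACL, so VPN traffic would be translated")
    both_nat0 = a.nat0_acl in a.acls and b.nat0_acl in b.acls
    for x, y in ((a, b), (b, a)):
        findings += mirror_findings(x, y, x.crypto_acl, y.crypto_acl, "crypto acl")
        if both_nat0:
            findings += mirror_findings(x, y, x.nat0_acl, y.nat0_acl, "nat 0 acl")
    return findings


def check(asa_config, pix_config):
    return compare(parse_peer("ASA", asa_config), parse_peer("PIX", pix_config))


if __name__ == "__main__":
    for finding in check(ASA_CONFIG, PIX_CONFIG) or ["no mismatches"]:
        print(finding)
```

Run against the thread's pair it reports the PFS mismatch, the missing nat 0 on the PIX, and the three crypto ACL entries that have no mirror; against the corrected pair it reports nothing. The mirror test keeps the `eq www` port attached to the endpoint it qualifies, so the PIX mirror of `host A host B eq www` must be `host B eq www host A`, which is the detail most often got wrong when reversing an ACL by hand.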
07-31-2007 07:28 AM
Thanks for the advice. Just a quick question: we do not want to do NATting on the ASA, so do we still need the VPN access-list on the ASA?
Regards,
07-31-2007 07:33 AM
What do you mean? For the VPN to work properly, you need the NAT 0 as I described. Also, you will need some form of NAT to get to the internet. This can also be done several other ways than I described, but that is the most common (PAT).
*** Please rate ***