VPN ISSUE

mohammedrafiq
Level 1

Hi,

My VPN tunnel is not working and nothing shows in debug; please check my config to see if I am doing anything wrong.

--------

on ASA

crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map test_120 match address internet_cryptomap_120
crypto map test_120 set peer 20.5.9.12
crypto map test_120 set transform-set ESP-3DES-SHA
crypto map test_120 interface internet
crypto map test_120 set security-association lifetime seconds 3600
isakmp enable internet
!
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
pre-shared-key *
tunnel-group 20.5.9.12 type ipsec-l2l
tunnel-group 20.5.9.12 ipsec-attributes
pre-shared-key *
access-list nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
access-list internet_cryptomap_120 extended permit tcp host 10.10.12.14 host 192.168.1.1 eq www
access-list internet_cryptomap_120 extended permit icmp host 10.10.12.14 host 192.168.1.1
nat (optfir) 0 access-list optfir_nat0_outbound

-----------------------------------------------------------------------------------------

on PIX

crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
crypto map vpn 70 set peer 143.22.1.1
crypto map vpn 70 set transform-set ESP-3DES-SHA
crypto map vpn 70 set security-association lifetime seconds 3600
crypto isakmp enable outside
tunnel-group 143.22.1.1 type ipsec-l2l
tunnel-group 143.22.1.1 ipsec-attributes
pre-shared-key *
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_70_cryptomap_1 extended permit tcp 10.10.12.14 host 192.168.1.1
access-list inside_nat_outbound extended permit ip 10.10.12.14 host 192.168.1.1
global (outside) 3 192.168.1.1 netmask 255.255.255.0 <<<---- here I am NATting all internal hosts to 192.168.1.1
nat (inside) 3 access-list inside_nat_outbound


jwalker
Level 3

You have several things wrong here:

1. You have pfs on the PIX, but not the ASA

2. Your ACLs on the PIX are not a mirror of the ASA. Basically, you must switch the source and destination IPs in the crypto ACL and NAT 0 ACL.

3. You need to change your NAT command to a NAT 0. Like ...

nat (inside) 0 access-list inside_nat_outbound

*** Please rate ***

3. You need to change your NAT command to a NAT 0. Like ...

nat (inside) 0 access-list inside_nat_outbound

Does this mean do not NAT? Please advise; I do need all internal IPs to NAT to 192.168.1.1 and then go to the ASA.

Regards,

You will need one nat/global pair for outbound access. You will need a second nat for the VPN.

Here is an example.

For outbound traffic:

nat (inside) 3 192.168.1.0 255.255.255.0

global (outside) 3 172.16.1.1

For VPN:

access-list vpn_access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list vpn_access

THIS MUST BE DONE ON BOTH FIREWALLS, AND MAKE SURE IT IS MIRRORED.

Thanks for the advice. Just a quick question: we do not want to do NAT on the ASA, so do we still need the VPN access-list on the ASA?

Regards,

What do you mean? For the VPN to work properly, you need the NAT 0 as I described. Also, you will need some form of NAT to get to the internet. This can also be done several other ways than I described, but that is the most common (PAT).

*** Please rate ***
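The three points jwalker raises in this thread (PFS set on one side only, crypto ACLs that are not mirrors of each other, and VPN traffic that is not exempted from NAT with a nat 0 statement on both firewalls) can be checked mechanically before the config is committed. The script below is an added example, not from the original thread and not Cisco code; it parses the relevant lines in ASA/PIX 7.x "access-list NAME extended permit ..." syntax and reports findings. Its inputs are constructed: POSTED_ASA and POSTED_PIX carry the lines posted above, and FIXED_ASA and FIXED_PIX are a corrected pair following the replies, in which the ASA crypto-map sequence number 10 and the ACL name inside_nat0_outbound are assumptions.

```python
# Added example (not from the thread or from Cisco): check an ASA/PIX site-to-site pair for
# PFS on one side only, crypto ACLs that are not mirrors, and VPN traffic not NAT-exempted.
import re
from ipaddress import IPv4Network

# Assumes ASA/PIX 7.x syntax: 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.*)$")
CRYPTO_ACL_RE = re.compile(r"^crypto map\s+\S+\s+(?:\d+\s+)?match address\s+(\S+)")
PFS_RE = re.compile(r"^crypto map\s+\S+\s+(?:\d+\s+)?set pfs\b")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")

def _addr(tok, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D MASK) at tok[i]."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return IPv4Network((tok[i], tok[i + 1]), strict=False), i + 2  # ValueError if malformed

def parse_ace(line):
    """Return (acl_name, (proto, src, sport, dst, dport)), or None if line is not an ACE."""
    m = ACE_RE.match(line)
    if not m:
        return None
    name, proto, tok = m.group(1), m.group(2), m.group(3).split()
    src, i = _addr(tok, 0)
    sport, i = (tok[i + 1], i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)
    dst, i = _addr(tok, i)
    dport = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
    return name, (proto, src, sport, dst, dport)

def load(text):
    """Collect ACLs, crypto-map ACL names, NAT-0 ACL names, the PFS flag and parse errors."""
    cfg = {"acls": {}, "crypto": set(), "nat0": set(), "pfs": False, "errors": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        try:
            ace = parse_ace(line)
        except (ValueError, IndexError) as exc:
            cfg["errors"].append(f"unparseable ACE {line!r}: {exc}")
            continue
        if ace:
            cfg["acls"].setdefault(ace[0], []).append(ace[1])
        elif m := CRYPTO_ACL_RE.match(line):
            cfg["crypto"].add(m.group(1))
        elif m := NAT0_RE.match(line):
            cfg["nat0"].add(m.group(1))
        elif PFS_RE.match(line):
            cfg["pfs"] = True
    return cfg

def check_side(local, remote, label):
    """Findings for one firewall given its own and its peer's parsed config."""
    out = [f"{label}: {err}" for err in local["errors"]]
    if local["crypto"] and not local["nat0"]:
        out.append(f"{label}: no 'nat (...) 0 access-list' statement, VPN traffic gets translated")
    for kind in ("nat0", "crypto"):
        for name in local[kind] - set(local["acls"]):
            out.append(f"{label}: {kind} references ACL {name!r} with no usable entries")
    nat0 = [a for n in local["nat0"] for a in local["acls"].get(n, [])]
    # What the peer's crypto ACEs look like from this side: src/dst (and ports) swapped.
    peer = {(p, d, dp, s, sp) for n in remote["crypto"] for p, s, sp, d, dp in remote["acls"].get(n, [])}
    for a in (a for n in local["crypto"] for a in local["acls"].get(n, [])):
        desc = f"{a[0]} {a[1]} -> {a[3]}"
        if a not in peer:
            out.append(f"{label}: crypto ACE {desc} has no mirror on the peer")
        # NAT exemption must be an 'ip' ACE whose networks contain both endpoints.
        if not any(p == "ip" and a[1].subnet_of(s) and a[3].subnet_of(d) for p, s, _, d, _ in nat0):
            out.append(f"{label}: crypto ACE {desc} is not NAT-exempted")
    return out

def check_pair(text_a, text_b, label_a="ASA", label_b="PIX"):
    """All findings for the pair; an empty list means the three checks pass."""
    a, b = load(text_a), load(text_b)
    out = [] if a["pfs"] == b["pfs"] else [f"PFS mismatch: {label_a} pfs={a['pfs']}, {label_b} pfs={b['pfs']}"]
    return out + check_side(a, b, label_a) + check_side(b, a, label_b)

# Constructed inputs: the relevant lines as posted above, then a corrected pair following the
# replies (the ASA sequence number 10 and the ACL name inside_nat0_outbound are assumptions).
POSTED_ASA = """crypto map test_120 match address internet_cryptomap_120
access-list internet_cryptomap_120 extended permit tcp host 10.10.12.14 host 192.168.1.1 eq www
access-list internet_cryptomap_120 extended permit icmp host 10.10.12.14 host 192.168.1.1
access-list nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
nat (optfir) 0 access-list optfir_nat0_outbound"""
POSTED_PIX = """crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
access-list outside_70_cryptomap_1 extended permit tcp 10.10.12.14 host 192.168.1.1
access-list inside_nat_outbound extended permit ip 10.10.12.14 host 192.168.1.1
nat (inside) 3 access-list inside_nat_outbound"""
FIXED_ASA = """crypto map test_120 10 match address internet_cryptomap_120
crypto map test_120 10 set pfs
access-list internet_cryptomap_120 extended permit ip host 10.10.12.14 host 192.168.1.1
access-list nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
nat (optfir) 0 access-list nat0_outbound"""
FIXED_PIX = """crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
access-list outside_70_cryptomap_1 extended permit ip host 192.168.1.1 host 10.10.12.14
access-list inside_nat0_outbound extended permit ip host 192.168.1.1 host 10.10.12.14
nat (inside) 0 access-list inside_nat0_outbound"""
```

Calling check_pair(POSTED_ASA, POSTED_PIX) lists the PFS mismatch, the ASA nat 0 line pointing at an ACL name that is never defined, the PIX ACEs that do not parse because "host" is missing before 10.10.12.14, the absence of any nat 0 on the PIX, and the ASA crypto ACEs that have neither a mirror on the peer nor a NAT exemption; check_pair(FIXED_ASA, FIXED_PIX) returns an empty list. The mirror test is strict on protocol and ports, which is why the corrected pair uses "permit ip": a tcp/eq www crypto ACE would have to be mirrored with the port on the source side, and using ip avoids that trap.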
