Site-to-Site VPN: 2691 router and ASA 5510

jj27
Spotlight

Hello,

I am having trouble getting my site-to-site VPN to work. Below is the configuration of the two devices.

I am getting the error:

713061 Group = 12.x.x.217, IP = 12.x.x.217, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.153.8.0/255.255.255.0/0/0 on interface outside

Cisco 2691 Router running advanced security and IP Services (Local Network: 10.117.0.0/18)

-------------------------------------------

crypto map vpn 200 ipsec-isakmp
 description VPN to Remote Site
 set peer 74.x.x.178
 set transform-set vpn
 set pfs group1
 match address 110

access-list 110 permit ip any 10.153.8.0 0.0.0.255

============================================

ASA 5510 running 8.0 code (Local Network: 10.153.8.0/24)

----------------------------------------------

crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 12.x.x.217
crypto map outside_map1 1 set transform-set ESP-3DES-MD5
crypto map outside_map1 interface outside

access-list outside_cryptomap_1 line 1 extended permit ip any 10.117.0.0 255.255.255.0

8 Replies

ajagadee
Cisco Employee

Always make sure that the crypto access-lists are mirror images of each other.

For example, the access-list 110 permit ip any 10.153.8.0 0.0.0.255

should be

access-list 110 permit ip 10.117.0.0 0.0.0.255 any

And keep in mind, since you have configured the VPN Traffic with "ANY" in the access-list, all traffic sourced from 10.117.0.0/24 and destined to any address will be sent over this IPSEC Tunnel.

Regards,

Arul

Arul,

Thank you for the reply. If I understand what you typed correctly about the access lists being mirrors, I should revise them.

At the local site (10.117.0.0/18) I should have

access-list 110 permit ip 10.117.0.0 0.0.255.255 10.153.8.0 0.0.0.255.

At the remote site (10.153.8.0/24) I should have

access-list outside_cryptomap_1 extended permit ip 10.153.8.0 255.255.255.0 10.117.0.0 255.255.192.0.

Also, what about the nonat access list? Should it also have a permit in the same format on both sites?

Is this correct?

Thank you in advance.

ajagadee
Cisco Employee

Yes, your understanding is correct. Also, configure the No-NAT ACL in a similar fashion.

No biggie, but I just want to make sure that you don't run into any surprises during implementation of the IPSEC Tunnel. The ACLs that you posted are still not mirror images. The 10.117.0.0 in the first one has a /16 and the second one has /18. You need to make sure that the network to be encrypted matches on both sides: /16 and /16, or /18 and /18.

access-list 110 permit ip 10.117.0.0 0.0.255.255 10.153.8.0 0.0.0.255.

access-list outside_cryptomap_1 extended permit ip 10.153.8.0 255.255.255.0 10.117.0.0 255.255.192.0.

Regards,

Arul
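As an added illustration of the two points Arul makes above (the crypto ACLs must be exact mirror images, and a /16 on one side against a /18 on the other is still a mismatch), the following script is not from the thread or from Cisco; it normalises IOS wildcard-mask ACL lines and ASA subnet-mask ACL lines to the same network notation and reports entries that have no mirror on the other peer. The sample ACL lines are the ones posted in the thread, with the /18 written correctly as wildcard 0.0.63.255.

```python
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _network(addr, mask, platform):
    """IOS ACLs use wildcard masks (0.0.63.255 -> /18); ASA ACLs use subnet masks."""
    if platform == "ios":
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _operand(tokens, i, platform):
    """Consume one address operand (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _network(tokens[i], tokens[i + 1], platform), i + 2

def parse_crypto_acl(text, platform):
    """Return the set of (proto, src, dst) entries from the permit lines of an ACL."""
    entries = set()
    for line in text.splitlines():
        tokens = line.rstrip(" .").split()  # tolerate the trailing '.' seen in the thread
        if "permit" not in tokens:
            continue
        p = tokens.index("permit")
        src, i = _operand(tokens, p + 2, platform)
        dst, _ = _operand(tokens, i, platform)
        entries.add((tokens[p + 1], src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Entries with no exact mirror on the other peer: (local_only, remote_only)."""
    remote_mirrored = {(proto, dst, src) for proto, src, dst in remote}
    return local - remote_mirrored, remote_mirrored - local

def acls_are_mirrored(router_acl, asa_acl):
    """True only when every router (src,dst) is the ASA's (dst,src) and vice versa."""
    local_only, remote_only = mirror_mismatches(
        parse_crypto_acl(router_acl, "ios"), parse_crypto_acl(asa_acl, "asa"))
    return not local_only and not remote_only

# Constructed samples copied from the thread: the original ACLs and the corrected pair.
ORIGINAL_ROUTER = "access-list 110 permit ip any 10.153.8.0 0.0.0.255"
ORIGINAL_ASA = "access-list outside_cryptomap_1 line 1 extended permit ip any 10.117.0.0 255.255.255.0"
FIXED_ROUTER = "access-list 110 permit ip 10.117.0.0 0.0.63.255 10.153.8.0 0.0.0.255"
FIXED_ASA = "access-list outside_cryptomap_1 extended permit ip 10.153.8.0 255.255.255.0 10.117.0.0 255.255.192.0"

if __name__ == "__main__":
    print("original ACLs mirrored:", acls_are_mirrored(ORIGINAL_ROUTER, ORIGINAL_ASA))
    print("corrected ACLs mirrored:", acls_are_mirrored(FIXED_ROUTER, FIXED_ASA))
```

Running it against the original pair reproduces the condition behind the 713061 "no matching crypto map entry" rejection (the ASA's 0.0.0.0/0 proxy has no counterpart on the router), while the corrected pair passes.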

Awesome, I understand now. Yes, I realized after I posted that I had /16 and /18..typo :)

Can you help me with one more thing? I was just informed that instead we are going to use GRE tunnels at both locations with IP addresses of 10.117.98.1 and 10.117.98.2.

With this, I assume the access list should be permitting host 98.1 to host 98.2, and host 98.2 to host 98.1 at the other site.

Hi, I've been reading this thread. Did you come up with the config for the GRE tunnels? Specifically the config on the ASA side? I would like to do the same thing and use the GRE tunnel for routing. I've got the router config OK, but the ASA side eludes me.

We got it working. My configuration involves a WAN router and VPN router on one side and a WAN router and ASA on the other side.

The ASA and VPN router have no tunnel configs. The tunnels are setup in the WAN routers and properly routed into the ASA which then sends the traffic across the tunnel.

If you are interested, I can post some configuration details so you can see how it works, but I don't know if it will relate to your current setup and environment.

Sure, post your config. That would be your basic GRE tunnel config on the WAN routers. That I have a handle on; it's this doggone ASA that frustrates me with the GRE tunnel config part.

Thanks

Site A: WAN Router and VPN Router

WAN Router

------------

interface Tunnel2
 bandwidth 512
 ip address 10.117.98.5 255.255.255.252
 keepalive 10 5
 tunnel source Loopback2
 tunnel destination 10.117.98.9
!
interface Loopback2
 ip address 10.117.98.1 255.255.255.252

ip route 10.117.98.8 255.255.255.252 10.117.10.2 (This is the VPN Router's IP Address)

============

VPN Router

-----------------------

ip route 10.117.98.0 255.255.255.252 10.117.10.1 (Route local tunnel traffic to the WAN router locally)
ip route 10.117.98.8 255.255.255.252 12.x.x.209 (Route other side of tunnel to Internet Router to initiate site-to-site VPN)

=======================================================

Site B: WAN Router and ASA 5510

WAN Router

---------------------

interface Tunnel2
 bandwidth 512
 ip address 10.117.98.6 255.255.255.252
 keepalive 10 5
 tunnel source Loopback2
 tunnel destination 10.117.98.1
!
interface Loopback2
 ip address 10.117.98.9 255.255.255.252

ip route 10.117.98.0 255.255.255.252 10.153.8.9 (Route the other tunnel to the ASA)

=====================

ASA

------------

route outside 10.117.98.0 255.255.255.252 74.x.x.177 1 (Route other side of the tunnel to the internet)
route inside 10.117.98.8 255.255.255.252 10.153.8.1 1 (Route local tunnel traffic to the WAN router locally)

That's it.
