IOS-to-ASA VPN troubles


Hi All!

Found a strange issue with a LAN-to-LAN VPN between a Cisco 2821 and an ASA 5500.

On the 2821 we have 4 GRE-over-IPsec tunnels ("tunnel mode ipsec") to other IOS boxes, and those work fine.

Trying to add the next VPN, to the ASA, on this router. Doing it the standard way:

- create a crypto map

- assign this crypto map to the Loopback0 interface, and to the external interface too.

- add a static route for this VPN: ip route Loopback0

To verify this VPN, I created another interface, Loopback51, with an address from our local LAN.

Pinging the remote side using Loopback51 as the source address, everything works fine: the crypto session on Loopback0 goes to UP-Active, and the SA counters show the same number of encrypted and decrypted packets.

Trying to ping the remote side from inside the local LAN. Result: nothing.

Traceroute shows that packets reach the 2821; the next hops are not resolved.

The SA counters for the crypto session do not increase, and after the timeout period the crypto session goes DOWN.

Can anyone point me in the right direction?

jsivulka Tue, 02/05/2008 - 07:13

Your network connection has not been established, so the ping command is not working for the remote side from inside the local LAN. The router is configured for a normal LAN-to-LAN tunnel, because the router knows the destination IP address for the VPN tunnel.

In order to configure a LAN-to-LAN tunnel between a Cisco IOS® router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:

1. Configure the crypto ipsec command in Phase 2.

2. Configure the isakmp policy command.

3. Configure the nat 0 command and the access-list command in order to bypass NATting.

4. Configure the crypto-map command.

5. Configure the tunnel-group DefaultL2LGroup command with group information.
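As an added illustration of the five ASA-side steps above (example configuration, not from the original post or from jsivulka), here is a minimal ASA LAN-to-LAN configuration in ASA 8.0-style syntax. It assumes the 2821's crypto endpoint (its Loopback0) is 192.0.2.1, the LAN behind the ASA is 10.1.1.0/24 and the LAN behind the router is 10.2.2.0/24; all addresses and names are constructed placeholders.

```cisco
! Step 2: Phase 1 (ISAKMP) policy, enabled on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Step 1: Phase 2 transform set (ESP with 3DES and SHA-1 HMAC)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Step 3: interesting traffic for the tunnel, and the same traffic exempted
! from NAT with "nat 0" so it reaches the peer with real inside addresses
access-list L2L-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

! Step 4: crypto map tying ACL, peer and transform set together,
! applied to the outside interface (the peer is the router's Loopback0)
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside

! Step 5: tunnel group holding the pre-shared key. DefaultL2LGroup is the
! catch-all used when no tunnel-group named after the peer address exists;
! a per-peer group (tunnel-group 192.0.2.1 type ipsec-l2l) takes precedence.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <placeholder-psk>

! The ASA also needs a route to the peer and to the remote LAN via outside
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

On the ASA, "show crypto isakmp sa" and "show crypto ipsec sa" confirm Phase 1 and Phase 2 respectively; if the encaps/decaps counters for 10.1.1.0/24 to 10.2.2.0/24 stay at zero while a Loopback-sourced ping works, the LAN traffic is not matching the crypto ACL on one side.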
