04-16-2008 01:19 AM - edited 03-03-2019 09:34 PM
We have existing Cisco hardware: an ASA 5510 and a Cisco 1800 router. The ASA 5510 is installed in the main office while the 1800 is planned to be set up in remote sites for a VPN tunnel. Are they compatible, or do we need to purchase other hardware to match the ASA 5510?
Thanks in advance,
Noel
04-16-2008 01:51 AM
Noel
Providing you have the right feature set on your 1811 to create VPNs, then yes, they are compatible, although the configuration will obviously be different. See the attached link for a configuration example.
Jon
04-16-2008 09:27 AM
Noel,
As long as the 1800 router has a crypto IOS version, it will be compatible to set up L2L.
Thanks,
Ken
04-16-2008 09:51 PM
Hi Ken,
Thanks for the info. Just an additional request: what would be the recommended crypto IOS version for both the ASA 5510 and the 1800? I may need to download it in any case.
Thanks again,
Noel
04-16-2008 10:14 PM
Hi,
Refer to this link for feature comparison & IOS versions.
04-18-2008 04:22 AM
Thanks guys,
We managed to set it up but the VPN tunnel is still down. It's pinging on both ends. The IOS for the remote Cisco 1812W is 12.4(6)T9, which is not available in the feature comparison. Kindly advise the compatible IOS version for the ASA 5510.
Thanks in advance,
Noel
04-18-2008 04:36 AM
Noel
There is no issue of which release has crypto for the ASA5510. All versions of the code for ASA automatically include crypto. So the issue is for the 1800. And it is not a question of version but is a question of feature set. You would probably want the Advanced Security feature set or the Advanced Services feature set on the 1800. If you will post the full file name of your IOS image it will show what feature set you already have.
If you were able to enter the crypto map commands on the 1800 then it has a feature set with support for crypto. In which case if the VPN tunnel does not work then there is probably some mismatch between what is configured on the ASA and what is configured on the router. Please post the configs from both devices so that we can see what is preventing it from working.
HTH
Rick
04-18-2008 06:49 PM
04-19-2008 06:27 AM
Noel
There is the possibility that there is more than 1 problem. But I found a significant problem and have not looked much further. Fix this and if it still does not work we will look again.
Here is the access list used to identify traffic to be protected on the router:
access-list 106 permit ip 192.168.0.0 0.0.0.255 xx.xxx.98.24 0.0.0.7
and here is the access list from the ASA:
access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
The access lists should be mirror images of each other and they are not. It looks to me like the access list on the router should have 192.168.10.0 as the destination address.
[edit] I also notice that the ASA specifies PFS in its crypto map and the router does not. I believe that this should also match - either add it on the router (which would be my suggestion) or remove it on the ASA.
HTH
Rick
04-20-2008 06:18 AM
04-20-2008 01:11 PM
Noel
I have looked at the new config that you posted and see that there are some changes. You have added PFS which is good. And you have changed the access list from 106 to 104. But the access list is still incorrect. Please remove the line that has:
access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
and replace these 2 lines:
access-list 104 permit ip host 192.168.0.0 host 192.168.10.0
access-list 104 permit ip host 192.168.10.0 host 192.168.0.0
with this:
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
HTH
Rick
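The mirror-image rule Rick applies in the two posts above (the router's ACL 106 against the ASA crypto ACL, and later the "host" lines on ACL 104) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco. It parses IOS entries (wildcard masks) and ASA entries (subnet masks) into networks and reports whether one is the mirror of the other; the ACL strings are constructed from the shapes quoted above, with the documentation address 203.0.113.24/29 standing in for the masked xx.xxx.98.24 network, and all function names are my own.

```python
import ipaddress

# Constructed sample lines, shaped like the ones quoted in the thread.
# The router side (IOS) writes wildcard masks; the ASA side writes subnet
# masks.  203.0.113.24 0.0.0.7 stands in for the address the post masked.
ROUTER_ACL_ORIGINAL = (
    "access-list 106 permit ip 192.168.0.0 0.0.0.255 203.0.113.24 0.0.0.7")
ROUTER_ACL_HOST_LINES = [
    "access-list 104 permit ip host 192.168.0.0 host 192.168.10.0",
    "access-list 104 permit ip host 192.168.10.0 host 192.168.0.0",
]
ROUTER_ACL_FIXED = (
    "access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255")
ASA_ACL = ("access-list Outside_20_cryptomap extended permit ip "
           "192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0")


def _prefix_from_netmask_int(mask_int):
    """Return the prefix length of a contiguous netmask, else raise."""
    for prefix in range(33):
        if mask_int == (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
            return prefix
    raise ValueError("non-contiguous mask 0x%08x" % mask_int)


def _take_operand(tokens, i, wildcard):
    """Parse one address operand at tokens[i]; return (network, next_i).

    wildcard=True is IOS syntax (second token is a wildcard mask, the
    bitwise inverse of a subnet mask); False is ASA syntax (subnet mask).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask_int = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard:
        mask_int = ~mask_int & 0xFFFFFFFF
    prefix = _prefix_from_netmask_int(mask_int)
    # strict=False maps an address with host bits set onto its network
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2


def parse_crypto_acl(line, platform):
    """Return (src_network, dst_network) for a 'permit ip' ACL entry.

    platform is "ios" (wildcard masks) or "asa" (subnet masks).
    """
    tokens = line.split()
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'permit ip' entries are handled here")
    wildcard = platform == "ios"
    src, i = _take_operand(tokens, i + 2, wildcard)
    dst, _ = _take_operand(tokens, i, wildcard)
    return src, dst


def is_mirror(ios_line, asa_line):
    """True when the router entry is the exact mirror image of the ASA entry."""
    r_src, r_dst = parse_crypto_acl(ios_line, "ios")
    a_src, a_dst = parse_crypto_acl(asa_line, "asa")
    return r_src == a_dst and r_dst == a_src


def suspicious_host_entries(lines, platform):
    """Return entries whose 'host' operand looks like a network address.

    A /32 ending in .0 usually means a subnet was intended and 'host' was
    typed by mistake, which is the pattern corrected in the thread.
    """
    flagged = []
    for line in lines:
        src, dst = parse_crypto_acl(line, platform)
        for net in (src, dst):
            if net.prefixlen == 32 and net.network_address.packed[-1] == 0:
                flagged.append(line)
                break
    return flagged


if __name__ == "__main__":
    print("original router ACE mirrors ASA:", is_mirror(ROUTER_ACL_ORIGINAL, ASA_ACL))
    print("fixed router ACE mirrors ASA:   ", is_mirror(ROUTER_ACL_FIXED, ASA_ACL))
    for bad in suspicious_host_entries(ROUTER_ACL_HOST_LINES, "ios"):
        print("check 'host' keyword on:", bad)
```

The wildcard-to-prefix step also rejects the stray "0.0.0.0 255.255.255.0" line from the same post: a wildcard of 255.255.255.0 inverts to a non-contiguous mask, so the parser raises rather than silently matching something unexpected.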
04-20-2008 09:05 PM
Hi Rick,
We did a few changes as instructed via SDM, but still no luck.
I have also noticed that the IKE policies are showing MD5, so we changed it to SHA_1; the problem is that in the ASA 5510 it is showing just SHA. Is this the reason why it is still down?
Or should we put MD5 on both?
Thanks again,
Noel
04-21-2008 03:09 AM
Noel
I am not sure what you changed. And I am not sure where MD5 came from. In the config files that you posted for both the router and the ASA it is showing SHA. The router and the ASA do need to agree on this parameter.
Perhaps it would help if you run debug for the crypto isakmp negotiation. It would also be helpful if you post current config for the router and the ASA.
HTH
Rick
04-22-2008 09:03 AM
Hi Rick,
Thank you very much for your continuous technical support. We solved the connection/VPN tunnel between the ASA 5510 and the Cisco 1800. We basically checked the IPSEC setup on both the ASA 5510 and the 1800 per the guidelines.
Thanks again,
Noel
04-22-2008 10:16 AM
Noel
I am glad that you got the problem resolved and got the VPN working. Thank you for posting back to the forum and indicating that the problem was solved and how you solved it. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read how the problem was successfully solved.
The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.
HTH
Rick