ASA 5510 and 1800 are they compatible to use for VPN tunnel?

noelmendoza
Level 1

We have existing Cisco hardware: an ASA 5510 and a Cisco 1800 router. The ASA 5510 is installed in the main office, while the 1800 is planned to be set up in remote sites for a VPN tunnel. Are they compatible, or do we need to purchase another hardware for the ASA 5510 to match?

Thanks in advance,

Noel

16 Replies

Jon Marshall
Hall of Fame

Noel

Providing you have the right feature set on your 1811 to create VPNs, then yes, they are compatible, although the configuration will obviously be different. See the attached link for a configuration example.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

Jon

kzhen
Level 1

Noel,

As long as the 1800 router has a crypto IOS version, it will be compatible to set up L2L.

Thanks,

Ken

Hi Ken,

Thanks for the info. Just an additional request: what would be the recommended crypto IOS version for both the ASA 5510 and the 1800? I may need to download it in any case.

Thanks again,

Noel

Hi,

Refer to this link for the feature comparison and IOS versions.

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Thanks, guys.

We managed to set it up, but the VPN tunnel is still down. It is pinging on both ends. The IOS for the remote Cisco 1812W is 12.4(6)T9, which is not available in the feature comparison. Kindly advise the compatible IOS version for the ASA 5510.

Thanks in advance,

Noel

Noel

There is no issue of which release has crypto for the ASA5510. All versions of the code for ASA automatically include crypto. So the issue is for the 1800. And it is not a question of version but is a question of feature set. You would probably want the Advanced Security feature set or the Advanced Services feature set on the 1800. If you will post the full file name of your IOS image it will show what feature set you already have.

If you were able to enter the crypto map commands on the 1800 then it has a feature set with support for crypto. In which case if the VPN tunnel does not work then there is probably some mismatch between what is configured on the ASA and what is configured on the router. Please post the configs from both devices so that we can see what is preventing it from working.

HTH

Rick


Thanks Rick,

Please find attached both ASA config and 1812W router.

Thanks again,

Noel

Noel

There is the possibility that there is more than 1 problem. But I found a significant problem and have not looked much further. Fix this, and if it still does not work, we will look again.

Here is the access list used to identify traffic to be protected on the router:

access-list 106 permit ip 192.168.0.0 0.0.0.255 xx.xxx.98.24 0.0.0.7

and here is the access list from the ASA:

access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

The access lists should be mirror images of each other and they are not. It looks to me like the access list on the router should have 192.168.10.0 as the destination address.

[edit] I also notice that the ASA specifies PFS in its crypto map and the router does not. I believe that this should also match - either add it on the router (which would be my suggestion) or remove it on the ASA.

HTH

Rick


Hi Rick,

We did a few changes in the 1812 but no luck; see the attached config for your reference.

Thanks again,

Noel

Noel

I have looked at the new config that you posted and see that there are some changes. You have added PFS, which is good. And you have changed the access list from 106 to 104. But the access list is still incorrect. Please remove the line that has:

access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

and replace these 2 lines:

access-list 104 permit ip host 192.168.0.0 host 192.168.10.0

access-list 104 permit ip host 192.168.10.0 host 192.168.0.0

with this:

access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

HTH

Rick

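As an added example (not code from the thread or from any poster), here is a small Python check of Rick's point in the two posts above: the router's crypto ACL (IOS wildcard masks) and the ASA's (subnet masks) must be mirror images of each other. The sample ACL lines are constructed from the corrected entries above, and treating a non-contiguous wildcard mask as an error is my own assumption, since such a mask cannot describe a subnet for a crypto ACL.

```python
import ipaddress
import re

# Constructed sample entries, mirroring the corrected ACLs discussed in the thread.
ROUTER_ACL = "access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255"
ASA_ACL = ("access-list Outside_20_cryptomap extended permit ip "
           "192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0")


def _prefixlen(mask: str, wildcard: bool) -> int:
    """Turn an IOS wildcard (0.0.0.255) or ASA netmask (255.255.255.0) into a prefix length."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF          # wildcard 0.0.0.255 -> netmask 255.255.255.0
    prefix = bin(bits).count("1")
    # A subnet mask must be a run of ones followed by zeros; anything else
    # (e.g. the IOS wildcard 255.255.255.0) cannot describe a subnet for a crypto ACL.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def _endpoint(tokens: list, wildcard: bool):
    """Consume one address spec (host X | any | addr mask) and return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    prefix = _prefixlen(tokens[1], wildcard)
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def parse_crypto_acl(line: str, wildcard: bool):
    """Return (source, destination) networks of a 'permit ip' ACE.
    wildcard=True for IOS syntax, False for ASA syntax."""
    m = re.search(r"\bpermit\s+ip\s+(.+)$", line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip' entry: {line}")
    src, rest = _endpoint(m.group(1).split(), wildcard)
    dst, _ = _endpoint(rest, wildcard)
    return src, dst


def is_mirror(router_line: str, asa_line: str) -> bool:
    """True when the ASA ACE is the exact mirror image of the router ACE."""
    r_src, r_dst = parse_crypto_acl(router_line, wildcard=True)
    a_src, a_dst = parse_crypto_acl(asa_line, wildcard=False)
    return r_src == a_dst and r_dst == a_src


if __name__ == "__main__":
    print("mirror:", is_mirror(ROUTER_ACL, ASA_ACL))   # True
```

Run against the two "host" lines Rick asked to replace, the check fails because "host 192.168.0.0" is a /32, not the /24 the ASA expects.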

Hi Rick,

We did a few changes as instructed via SDM, but still no luck.

I have also noticed that the IKE policies show MD5, so we changed it to SHA_1; the problem is that in the ASA 5510, it is showing just SHA. Is this the reason why it is still down?

Or should we put both MD5?

Thanks again,

Noel

Noel

I am not sure what you changed. And I am not sure where MD5 came from. In the config files that you posted for both the router and the ASA it is showing SHA. The router and the ASA do need to agree on this parameter.

Perhaps it would help if you run debug for the crypto isakmp negotiation. It would also be helpful if you post current config for the router and the ASA.

HTH

Rick


Hi Rick,

Thank you very much for your continuous technical support. We solved the connection/VPN tunnel between the ASA 5510 and the Cisco 1800. We basically checked the IPsec setup on both the ASA 5510 and the 1800 per the guidelines.

Thanks again,

Noel

Noel

I am glad that you got the problem resolved and got the VPN working. Thank you for posting back to the forum and indicating that the problem was solved and how you solved it. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read how the problem was successfully solved.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
