05-28-2008 06:09 AM - edited 03-11-2019 05:51 AM
Hi there
I have an ASA 5510 in the head office with a static IP and an ASA 5505 in the remote site behind an ADSL router. I am trying to establish a VPN, but it's failing in phase 1.
Config of Head Office
interface Ethernet0/0
description Link to LeaseLine Router
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description Link to Internal LAN
nameif inside
security-level 100
ip address 172.17.1.15 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
pre-shared-key *
Config of Remote Site
interface Vlan1
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
access-list ICMP extended permit icmp any any
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
pre-shared-key *
Regards/Asfar
05-28-2008 07:18 AM
Hi Asfar
1) The remote site has a tunnel-group named "fairmount". Assuming that "fairmount" refers to your head office, the tunnel-group name must be the same as the peer IP, so you should make the following modification:
clear configure tunnel-group fairmount
tunnel-group 83.111.252.242 type ipsec-l2l
tunnel-group 83.111.252.242 ipsec-attributes
pre-shared-key *
2) If it doesn't work after the above suggestion, try using a transform set different from ESP-AES-SHA in both locations.
3) Change the pre-shared key to 1 and keep it like that until you resolve the connectivity problem. Then you can change it to a more secure value.
4) If still no joy, ensure that UDP port 4500, TCP port 10000 and UDP/TCP port 500 are forwarded to 192.168.1.2 on router 192.168.1.1 in the remote office.
Regards
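The checks in the answer above (a phase 1 policy both sides agree on, a tunnel-group named after the peer IP so the pre-shared key can be found, and matching transform sets) can be run mechanically against the two posted configs. The script below is an added example written for this thread, not Cisco's code or anything from the posts; it parses the crypto-relevant lines of an ASA running-config, cross-checks the two sides, and reports what it finds. The sample configs are abridged from the two posts (constructed input), keeping the thread's x.x.x.x / y.y.y.y placeholders; dynamic crypto map entries are parsed but not compared, only static (fixed-peer) entries are.

```python
"""Cross-check two Cisco ASA site-to-site (L2L) IPsec configs for the
mismatches that make phase 1 or phase 2 fail.  Added example for this
thread; sample configs are abridged from the two posts."""
from collections import defaultdict

ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group")
POLICY_KEYWORDS = ISAKMP_ATTRS + ("lifetime",)

def parse_asa(text):
    """Pull ISAKMP policies, transform-sets, crypto map entries and
    tunnel-group names out of ASA 7.x/8.x style running-config text."""
    cfg = {"isakmp": {}, "tsets": {}, "maps": defaultdict(dict), "tgroups": set()}
    policy = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["isakmp"].setdefault(int(w[3]), {})
        elif w[0] in POLICY_KEYWORDS and policy is not None:
            policy[w[0]] = w[1]                       # attribute of the current policy
        else:
            policy = None                             # any other line ends the policy block
            if w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = tuple(w[4:])     # name -> (esp encryption, esp auth)
            elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
                entry = cfg["maps"][(w[2], int(w[3]))]
                if w[4:6] == ["set", "peer"]:
                    entry["peer"] = w[6]
                elif w[4:6] == ["set", "transform-set"]:
                    entry["tsets"] = w[6:]
                elif w[4:6] == ["set", "pfs"]:
                    entry["pfs"] = w[6] if len(w) > 6 else "group2"   # ASA default PFS group
                elif w[4] == "ipsec-isakmp" and "dynamic" in w:
                    entry["dynamic"] = w[-1]
            elif w[0] == "tunnel-group" and len(w) > 2 and w[2] == "type":
                cfg["tgroups"].add(w[1])
    return cfg

def static_entries(cfg):
    """Crypto map entries with a fixed peer (dynamic-map references are skipped)."""
    return {k: e for k, e in cfg["maps"].items() if "peer" in e}

def offered_esp(cfg):
    """ESP algorithm pairs the static entries propose, resolved via transform-set names."""
    return {cfg["tsets"][n] for e in static_entries(cfg).values()
            for n in e.get("tsets", []) if n in cfg["tsets"]}

def check_l2l(local_text, remote_text):
    """Return a report dict: empty phase1_pairs or phase2_common, or a
    non-empty missing_tunnel_groups, each explain a tunnel that never comes up."""
    local, remote = parse_asa(local_text), parse_asa(remote_text)
    report = {"phase1_pairs": [], "missing_tunnel_groups": [], "pfs": {}}
    for ln, lp in local["isakmp"].items():      # phase 1: a policy pair must agree on all four
        for rn, rp in remote["isakmp"].items():
            if all(lp.get(a) == rp.get(a) for a in ISAKMP_ATTRS):
                report["phase1_pairs"].append((ln, rn))
    for side, cfg in (("local", local), ("remote", remote)):
        for e in static_entries(cfg).values():
            # the L2L pre-shared key is looked up in a tunnel-group named after the peer IP
            if e["peer"] not in cfg["tgroups"]:
                report["missing_tunnel_groups"].append((side, e["peer"], sorted(cfg["tgroups"])))
            report["pfs"][side] = e.get("pfs", "none")   # asymmetric PFS is worth a look too
    report["phase2_common"] = sorted(offered_esp(local) & offered_esp(remote))
    return report

# Constructed sample input, abridged from the two configs posted in this thread.
HEAD_OFFICE = """\
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group parkplace type ipsec-l2l
"""
REMOTE_SITE = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
tunnel-group fairmount type ipsec-l2l
"""

if __name__ == "__main__":
    for key, value in check_l2l(HEAD_OFFICE, REMOTE_SITE).items():
        print(f"{key}: {value}")
```

On the posted configs the report shows one agreeing phase 1 pair (head office policy 30 with remote policy 10), a remote static entry whose peer 83.111.252.242 has no matching tunnel-group (the answer's point 1), no common ESP proposal between the two static entries (head office offers esp-aes-256 with MD5, remote offers it with SHA, the answer's point 2), and PFS configured on one side only.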
05-29-2008 03:40 PM
Thanks, the problem is resolved.
05-29-2008 04:39 PM
Hi asfar,
Why did you rate 2?