Daniel Voicu Mon, 08/11/2008 - 23:06

Hi,


On the ASA the VPN tunnels are created by matching a specific access-list (source, destination, ports).


Can you elaborate a bit on what you are trying to achieve?


Regards,

Daniel


r-barbosa Tue, 08/12/2008 - 06:42

Hi Daniel,


I have an IP phone in a remote site, but the generated packets created from the remote site using the IP phone did NOT create the VPN tunnel, only the packets generated by the PING command... any ideas?


regards.

Farrukh Haroon Tue, 08/12/2008 - 11:37

Can you post your configs? Especially the Crypto ACL?


Cisco IP Phone (SCCP/SIP, what protocol?)


Regards


Farrukh

r-barbosa Tue, 08/12/2008 - 12:46

hi


my settings


ipsec - site A

crypto map outside_map 2 match address outside_cryptomap

crypto map outside_map 2 set peer 201.10.10.10

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside


acl - site A

access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0


ipsec - site B

crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 2 set peer 202.10.10.10

crypto map outside_map0 2 set transform-set ESP-3DES-SHA

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map0 interface outside

crypto isakmp enable outside


acl - site B

access-list outside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0


The protocol is H323.


regards.


Farrukh Haroon Tue, 08/12/2008 - 18:21

Configuration seems OK. Do the following:


debug crypto isakmp 127

debug crypto engine


And then the following (on both sides)


clear crypto isakmp sa

clear crypto ipsec sa


Then initiate the voice traffic and see if VPN kicks in.


Is there any NAT? What does the NAT 0 config look like?


Regards


Farrukh

