VPN Router to ASA problem

Answered Question
Sep 6th, 2008

Hi everyone.

I'm trying to complete a VPN between a Router and an ASA5500 series and experiencing difficulties.

The router part is 100% correct as it's an everyday task, but I'm missing something on the ASA side of things.

The ASA also has IPsec tunnels from remote clients as you'll see below, so I need to ensure that continues to work!

This is a fairly urgent issue. If any help or advice can be provided, it would be much appreciated!

Here's the router part:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key **** address ASA-PUBLIC-IP
crypto isakmp keepalive 100
!
!
crypto ipsec transform-set transform-set esp-3des esp-md5-hmac
!
crypto map clients 10 ipsec-isakmp
 set peer ASA-PUBLIC-IP
 set transform-set transform-set
 match address 102
 qos pre-classify
!
!
access-list 100 remark [==NAT Control==]
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark ==[VPN ACCESS LISTS]==
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 remark

(Crypto map has been applied to relevant interface)

ASA SIDE:

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224
access-list prevpn_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside-access-in extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.1.1.0 255.255.255.0 any
access-list remote-network extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 ASA-PUBLIC-IP
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address remote-network
crypto map outside_map 40 set peer REMOTE-Router-IP
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group prevpn type ipsec-ra
tunnel-group prevpn general-attributes
 address-pool VPN-Pool
 default-group-policy prevpn
tunnel-group prevpn ipsec-attributes
 pre-shared-key *
tunnel-group REMOTE-Router-IP type ipsec-l2l
tunnel-group REMOTE-Router-IP ipsec-attributes
 pre-shared-key *

Correct Answer by Marwan ALshawi about 8 years 5 months ago

Hi Chris,

First, on the router, make this little change: you need to add md5 as the hashing, which you use in the ASA, and in the router you didn't put it, so the default is sha!

Do:

crypto isakmp policy 1
 hash md5

Now on the ASA, as I see, there is a problem in nat0: you need a line for the L2L tunnel as well, so you need them to look like:

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Also you need a permit for the IPsec traffic. The following command will allow all IPsec traffic; if you want the traffic to be filtered, don't use this command and use ACLs on the outside interface instead, but the following one permits all traffic from your L2L and remote access VPN:

sysopt connection permit-ipsec

Then please do:

clear xlate and reload the ASA, then try it, to let the new NAT exemption take effect.

Good luck.

If helpful, rate.
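The two defects the answer above points out (a phase-1 ISAKMP policy mismatch caused by the router's default hash, and a NAT-exemption ACL on the ASA that does not cover the L2L traffic) can both be caught by reading the two configs before the tunnel is brought up. The script below is an added example, not code from the thread or from Cisco: it parses the IOS `crypto isakmp policy` block and the ASA `isakmp policy N ...` lines, fills in platform defaults for attributes a policy leaves unspecified (the IOS and ASA default values in the code are assumptions stated there), reports whether any policy pair agrees on encryption, hash, authentication and group, and checks that the ASA `nat 0` ACL covers every flow selected by a crypto-map ACL. The sample configs are constructed from the excerpts in the thread, with the pre-shared key redacted; the names `audit`, `ROUTER_CFG` and `ASA_CFG` are the example's own.

```python
"""Static cross-check of the router and ASA excerpts posted in this thread.

Added example, not code from the thread or from Cisco. Parses the IOS
'crypto isakmp policy' block and the ASA 'isakmp policy N ...' lines,
fills in assumed platform defaults, reports whether any phase-1 policy pair
agrees, and checks that the ASA nat 0 exemption ACL covers every flow that
a crypto-map ACL selects for the tunnel.
"""
import ipaddress
import re

# Assumed platform defaults for attributes a policy does not set explicitly.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"}
ATTRS = ("encryption", "hash", "authentication", "group")  # lifetime need not match


def parse_ios_isakmp(cfg):
    """Return {policy_id: {attr: value}} from IOS 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        attr = re.match(r"(encr|encryption|hash|authentication|group|lifetime)\s+(\S+)", line)
        if head:
            current = policies.setdefault(head.group(1), dict(IOS_DEFAULTS))
        elif current is not None and attr:
            key = "encryption" if attr.group(1) == "encr" else attr.group(1)
            current[key] = attr.group(2)
        elif line:
            current = None  # any other command ends the policy block
    return policies


def parse_asa_isakmp(cfg):
    """Return {policy_id: {attr: value}} from one-line ASA 'isakmp policy N ...' commands."""
    policies = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*(?:crypto )?isakmp policy (\d+) (\w+) (\S+)", line)
        if m and m.group(2) in ATTRS:
            policies.setdefault(m.group(1), dict(ASA_DEFAULTS))[m.group(2)] = m.group(3)
    return policies


def matching_policies(router, asa):
    """List (router_id, asa_id) pairs whose encryption/hash/authentication/group all agree."""
    return [(r, a) for r, rp in router.items() for a, ap in asa.items()
            if all(rp[k] == ap[k] for k in ATTRS)]


def parse_asa_acl(cfg, name):
    """Return [(src_net, dst_net)] for 'access-list NAME extended permit ip ...' lines."""
    pat = re.compile(rf"\s*access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)")
    return [(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
             ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False))
            for m in map(pat.match, cfg.splitlines()) if m]


def uncovered_crypto_flows(asa_cfg, nat0_acl, crypto_acl):
    """Crypto-ACL flows that no nat 0 entry exempts; they would be NATed and miss the tunnel."""
    exempt = parse_asa_acl(asa_cfg, nat0_acl)
    return [(s, d) for s, d in parse_asa_acl(asa_cfg, crypto_acl)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


def audit(router_cfg, asa_cfg):
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    if not matching_policies(parse_ios_isakmp(router_cfg), parse_asa_isakmp(asa_cfg)):
        findings.append("no ISAKMP policy pair agrees on encryption/hash/authentication/group")
    nat0 = re.search(r"nat \(\S+\) 0 access-list (\S+)", asa_cfg)
    for m in re.finditer(r"crypto map \S+ \d+ match address (\S+)", asa_cfg):
        for s, d in uncovered_crypto_flows(asa_cfg, nat0.group(1) if nat0 else "", m.group(1)):
            findings.append(f"crypto ACL {m.group(1)} flow {s} -> {d} is not exempt from NAT")
    return findings


# Constructed from the thread's excerpts (key redacted); the "before" state.
ROUTER_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REDACTED address ASA-PUBLIC-IP
"""
ASA_CFG = """\
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224
access-list remote-network extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 40 match address remote-network
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
# The "after" state with the two changes the answer recommends applied.
ROUTER_FIXED = ROUTER_CFG.replace(" group 2\n", " group 2\n hash md5\n")
ASA_FIXED = ASA_CFG + ("access-list inside_nat0_outbound extended permit ip "
                       "10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0\n")

if __name__ == "__main__":
    for label, r, a in (("before", ROUTER_CFG, ASA_CFG), ("after", ROUTER_FIXED, ASA_FIXED)):
        print(label, audit(r, a) or ["ok"])
```

Run stand-alone, the script reports two findings for the posted configs and none once the `hash md5` line and the extra `nat 0` entry are in place. It checks only what the thread discusses (phase-1 attributes and NAT exemption); it does not compare pre-shared keys, phase-2 transform sets, or whether `sysopt connection permit-ipsec` is set.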

cpartsenidis Sat, 09/06/2008 - 02:40

marwanshawi,

I saw the missing hash md5 and added it later on.

I also applied your suggested access-lists and everything seems to be working fine!

Thank you so much for your help and time!
