Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
340
Views
0
Helpful
3
Replies

VPN Router to ASA problem

Go to solution
cpartsenidis
Level 1
Level 1

‎09-06-2008 01:23 AM

Hi everyone.

I'm trying to complete a VPN between a Router and an ASA5500 series and experiencing difficulties.

The router part is 100% correct as its a everyday task, but I'm missing something on the ASA side of things.

The ASA also has IPsec tunnels from remote clients as you'll see below, so I need to ensure that continues to work!

This is a fairly urgent issue. If any help or advise can be provided, it would be much appreciated!

Here's the router part:

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key **** address ASA-PUBLIC-IP

crypto isakmp keepalive 100

!

!

crypto ipsec transform-set transform-set esp-3des esp-md5-hmac

!

crypto map clients 10 ipsec-isakmp

set peer ASA-PUBLIC-IP

set transform-set transform-set

match address 102

qos pre-classify

!

!

access-list 100 remark [==NAT Control==]

access-list 100 deny ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 102 remark ==[VPN ACCESS LISTS]==

access-list 102 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 102 remark

(Crypto map has been applied to relevant interface)

ASA SIDE:

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224

access-list prevpn_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0

access-list inside-access-in extended permit ip 10.1.1.0 255.255.255.0 any

access-list inside-access-in extended permit icmp 10.1.1.0 255.255.255.0 any

access-list remote-network extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

global (outside) 1 ASA-PUBLIC-IP

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.1.1.0 255.255.255.0

nat (inside) 0 192.168.2.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 40 match address remote-network

crypto map outside_map 40 set peer REMOTE-Router-IP

crypto map outside_map 40 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group prevpn type ipsec-ra

tunnel-group prevpn general-attributes

address-pool VPN-Pool

default-group-policy prevpn

tunnel-group prevpn ipsec-attributes

pre-shared-key *

tunnel-group REMOTE-Router-IP type ipsec-l2l

tunnel-group REMOTE-Router-IP ipsec-attributes

pre-shared-key *

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-06-2008 01:41 AM

hi Chris

first on the router do this littil change which u ned to add md5 as th hashing whil u use in the asa and in the router u didnt put so the default is sha !

do

crypto isakmp policy 1

hash md5

now on the ASA as i see there is a problem in nat0 u need line for l2l tunnel

as well so u need them to look like:

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

also u need a permit for the ipsec traffic the following command will allow all ipsec traffic if u want the traffic to be filtered dont use this command and use ACLs on the outside interface instead, but the following one to permit all traffic from ur L2L and remote access vpn:

sysopt connection permit-ipsec

then please, do :

clear xlate and reload the ASA then try it to let the new NAT expmtion take effects

good luck

if helpful Rate

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-06-2008 01:41 AM

hi Chris

first on the router do this littil change which u ned to add md5 as th hashing whil u use in the asa and in the router u didnt put so the default is sha !

do

crypto isakmp policy 1

hash md5

now on the ASA as i see there is a problem in nat0 u need line for l2l tunnel

as well so u need them to look like:

access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

also u need a permit for the ipsec traffic the following command will allow all ipsec traffic if u want the traffic to be filtered dont use this command and use ACLs on the outside interface instead, but the following one to permit all traffic from ur L2L and remote access vpn:

sysopt connection permit-ipsec

then please, do :

clear xlate and reload the ASA then try it to let the new NAT expmtion take effects

good luck

if helpful Rate

0 Helpful

Go to solution
cpartsenidis
Level 1
Level 1
In response to Marwan ALshawi

‎09-06-2008 02:40 AM

marwanshawi,

I saw the missing hash md5 and added it later on.

I also applied your suggested access-lists and everything seems to be working fine !

Thank you so much for your help and time!

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to cpartsenidis

‎09-06-2008 03:30 AM

hi Chris

i'm glad its working

u welcome mate :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents