09-06-2008 01:23 AM
Hi everyone.
I'm trying to complete a VPN between a router and an ASA5500 series and am experiencing difficulties.
The router part is 100% correct as it's an everyday task, but I'm missing something on the ASA side of things.
The ASA also has IPsec tunnels from remote clients, as you'll see below, so I need to ensure that continues to work!
This is a fairly urgent issue. If any help or advice can be provided, it would be much appreciated!
Here's the router part:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key **** address ASA-PUBLIC-IP
crypto isakmp keepalive 100
!
!
crypto ipsec transform-set transform-set esp-3des esp-md5-hmac
!
crypto map clients 10 ipsec-isakmp
set peer ASA-PUBLIC-IP
set transform-set transform-set
match address 102
qos pre-classify
!
!
access-list 100 remark [==NAT Control==]
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 remark ==[VPN ACCESS LISTS]==
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 remark
(Crypto map has been applied to relevant interface)
ASA SIDE:
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224
access-list prevpn_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside-access-in extended permit ip 10.1.1.0 255.255.255.0 any
access-list inside-access-in extended permit icmp 10.1.1.0 255.255.255.0 any
access-list remote-network extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
global (outside) 1 ASA-PUBLIC-IP
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address remote-network
crypto map outside_map 40 set peer REMOTE-Router-IP
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group prevpn type ipsec-ra
tunnel-group prevpn general-attributes
address-pool VPN-Pool
default-group-policy prevpn
tunnel-group prevpn ipsec-attributes
pre-shared-key *
tunnel-group REMOTE-Router-IP type ipsec-l2l
tunnel-group REMOTE-Router-IP ipsec-attributes
pre-shared-key *
09-06-2008 01:41 AM
Hi Chris,
First, on the router, do this little change: you need to add md5 as the hashing, which you use in the ASA, but in the router you didn't put it, so the default is sha!
Do:
crypto isakmp policy 1
hash md5
Now on the ASA, as I see, there is a problem in nat0: you need a line for the L2L tunnel
as well, so you need them to look like:
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Also, you need a permit for the IPsec traffic. The following command will allow all IPsec traffic; if you want the traffic to be filtered, don't use this command and use ACLs on the outside interface instead. But the following one permits all traffic from your L2L and remote access VPN:
sysopt connection permit-ipsec
Then please do:
clear xlate, and reload the ASA, then try it, to let the new NAT exemption take effect.
Good luck.
If helpful, rate.
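As an added check (not from the thread or either poster), the script below reads IOS and ASA config text and reports exactly the two gaps identified above: a phase-1 ISAKMP attribute that differs between the router's policy (with IOS defaults applied, so an omitted hash is sha) and the ASA's, and a crypto-map ACL entry that has no identical nat 0 exemption. The sample configs are constructed to mirror this thread; the function names are my own.

```python
import re
# IOS substitutes these when a "crypto isakmp policy" block omits an attribute.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ATTR = r"(encr|encryption|hash|authentication|group|lifetime) (\S+)"

def ios_isakmp_policies(cfg):
    """{policy_number: {attr: value}} with IOS defaults filled in for omitted attributes."""
    policies, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cur = policies.setdefault(m.group(1), dict(IOS_DEFAULTS))
        elif cur is not None and (m := re.match(ATTR, line)):
            cur["encryption" if m.group(1) == "encr" else m.group(1)] = m.group(2)
        elif line:
            cur = None  # any other config line ends the policy block
    return policies
def phase1_mismatches(router_cfg, asa_cfg):
    """Differing attributes of the closest router/ASA policy pair; [] means a pair matches."""
    asa = {}  # ASA states each attribute on its own "isakmp policy N attr value" line
    for m in re.finditer(r"isakmp policy (\d+) " + ATTR, asa_cfg):
        asa.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    keys, best = ("encryption", "hash", "authentication", "group"), None
    for rp in ios_isakmp_policies(router_cfg).values():
        for ap in asa.values():
            diff = [(k, rp.get(k), ap.get(k)) for k in keys if rp.get(k) != ap.get(k)]
            best = diff if best is None or len(diff) < len(best) else best
    return best or []
def asa_acl(cfg, name):
    """(src, mask, dst, mask) tuples of an ASA extended ACL's 'permit ip' entries."""
    pat = rf"access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return {m.groups() for m in re.finditer(pat, cfg)}
def missing_nat_exemptions(asa_cfg):
    """Crypto-map ACL entries with no identical nat 0 entry: 'nat (inside) 1' translates them first."""
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", asa_cfg)
    exempt = asa_acl(asa_cfg, nat0.group(1)) if nat0 else set()
    missing = set()
    for m in re.finditer(r"crypto map \S+ \d+ match address (\S+)", asa_cfg):
        missing |= asa_acl(asa_cfg, m.group(1)) - exempt
    return sorted(missing)

# Constructed configs mirroring the thread: no "hash md5" on the router, no L2L nat 0 entry.
ROUTER_CFG = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n"
ASA_CFG = """access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.192 255.255.255.224
access-list remote-network extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 40 match address remote-network
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
```

Appending " hash md5" to the router policy and marwanshawi's nat0 line to the ASA config makes both checks return empty lists.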
09-06-2008 02:40 AM
marwanshawi,
I saw the missing hash md5 and added it later on.
I also applied your suggested access-lists and everything seems to be working fine!
Thank you so much for your help and time!
09-06-2008 03:30 AM
Hi Chris,
I'm glad it's working.
You're welcome, mate :)