11-17-2008 09:39 AM
Hello, please see attached configs for HQ (ASA) and Branch (877). I must be missing something simple but can't see it.
The connection doesn't appear to try to establish at all.
11-18-2008 11:04 AM
Looking at this now, here's what I can see so far.
ASA -
Change NAT Statement to be:
nat (inside) 0 access-list nonat
Change ACL Statement to be:
access-list nonat extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248
Create a new crypto map
access-list CryptoMap extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248
Router
Change crypto List to read
ip access-list extended Crypto-list
permit ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127
Route Map and ACL work that needs to be done
route-map nonat isn't applied anywhere and it also references the same crypto statement (not recommended)
So first things first
route-map nonat permit 10
match ip address 101
access-list 101 deny ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127
access-list 101 permit ip 10.135.14.0 0.0.0.7 any
Add route-map to nat config
ip nat inside source route-map nonat int dialer0 overload
That clears up the routing/nat issues. As for the IPSEC/ISAKMP config...
ASA
no crypto ipsec security-association lifetime seconds 28800
no crypto ipsec security-association lifetime kilobytes 4608000
no crypto map outside_map 1 set security-association lifetime seconds 28800
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000
no crypto map outside_map0 1 set pfs group5
no crypto map outside_map0 1 set security-association lifetime seconds 28800
no crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address Crypto-list
That should get you a little closer. Make the appropriate changes and resubmit the config. A couple of things hindered you: the subnet masking would never bring the tunnel up. Another would be the security-association statements, not really needed if you have one remote site.
From here with the changes you should start to see some progress with the following show commands.
show crypto isakmp sa
show crypto ipsec sa
Also some debugs to run would be debug crypto ipsec 255 and debug crypto isakmp 255 on the ASA.
As for the router debug crypto ipsec and debug crypto isakmp.
Great link from Cisco to help.
http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope this helps, rate if it does!
JB
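JB's point about subnet masking is the usual Phase 2 failure: the ASA crypto ACL (subnet masks) and the 877 crypto ACL (wildcard masks) must describe exactly mirrored networks, and the NAT-exempt entries must select the same traffic. The script below is an added example, not part of the thread or of either device's output; it parses the ACL entries quoted in the post above and flags a constructed mis-masked branch entry (0.0.0.255) of the kind that keeps the tunnel down.

```python
import ipaddress
from typing import Tuple

Net = ipaddress.IPv4Network

# Entries taken from the ASA and 877 snippets in the post above.
ASA_CRYPTO = "access-list CryptoMap extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248"
ASA_NONAT = "access-list nonat extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248"
IOS_CRYPTO = "permit ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127"
IOS_NAT_DENY = "access-list 101 deny ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127"
# Constructed bad entry (not from the thread): a /24 wildcard on the branch side,
# the kind of mask slip that makes the proxy IDs disagree and stops Phase 2.
IOS_CRYPTO_BAD = "permit ip 10.135.14.0 0.0.0.255 10.135.5.0 0.0.0.127"


def _network(addr: str, mask: str, wildcard: bool) -> Net:
    """Build a network from an address plus a subnet mask (ASA) or a wildcard mask (IOS)."""
    if wildcard:
        # IOS ACLs use inverted masks: 0.0.0.7 is the wildcard for 255.255.255.248
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Net(f"{addr}/{mask}", strict=False)


def parse_ace(line: str, wildcard: bool) -> Tuple[Net, Net]:
    """Return (source, destination) from a 'permit|deny ip SRC MASK DST MASK' entry; leading tokens are ignored."""
    fields = line.split()
    i = fields.index("ip")
    return (_network(fields[i + 1], fields[i + 2], wildcard),
            _network(fields[i + 3], fields[i + 4], wildcard))


def crypto_acls_mirror(asa_line: str, ios_line: str) -> bool:
    """Phase 2 proxy IDs must be exact mirrors: ASA src == router dst and ASA dst == router src."""
    a_src, a_dst = parse_ace(asa_line, wildcard=False)
    r_src, r_dst = parse_ace(ios_line, wildcard=True)
    return a_src == r_dst and a_dst == r_src


def nat_exempt_matches_crypto(crypto_line: str, nat_line: str, wildcard: bool) -> bool:
    """Tunnel traffic must also be excluded from NAT, or it leaves translated and never matches the crypto ACL."""
    return parse_ace(crypto_line, wildcard) == parse_ace(nat_line, wildcard)


if __name__ == "__main__":
    print("crypto ACLs mirror:", crypto_acls_mirror(ASA_CRYPTO, IOS_CRYPTO))          # True
    print("mis-masked branch ACL:", crypto_acls_mirror(ASA_CRYPTO, IOS_CRYPTO_BAD))   # False
    print("ASA nonat covers tunnel:", nat_exempt_matches_crypto(ASA_CRYPTO, ASA_NONAT, False))
    print("877 NAT deny covers tunnel:", nat_exempt_matches_crypto(IOS_CRYPTO, IOS_NAT_DENY, True))
```

Run it against the actual `show running-config` ACL lines from both ends before reaching for `debug crypto isakmp`; a False from the mirror check is a config mismatch, not a negotiation problem.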
11-19-2008 02:01 AM
Thank you very much for this, excellent post and great link.
All now working fine.
Thanks again
Jonathan