336 Views | 0 Helpful | 2 Replies

Site to Site VPN Trouble

jmoss1
Level 1

Hello, please see attached configs for HQ (ASA) and Branch (877). I must be missing something simple but can't see it.

The connection doesn't appear to try to establish at all.

Accepted Solution

jpoplawski
Level 1

Looking at this now, here's what I can see so far.

ASA -

Change NAT statement to be:

nat (inside) 0 access-list nonat

Change ACL statement to be:

access-list nonat extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248

Create a new crypto map:

access-list CryptoMap extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248

Router

Change crypto list to read:

ip access-list extended Crypto-list
 permit ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127

Route-map and ACL work that needs to be done

route-map nonat isn't applied anywhere and it also references the same crypto statement (not recommended).

So, first things first:

route-map nonat permit 10
 match ip address 101

access-list 101 deny ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127
access-list 101 permit ip 10.135.14.0 0.0.0.7 any

Add the route-map to the NAT config:

ip nat inside source route-map nonat interface Dialer0 overload

That clears up the routing/nat issues. As for the IPSEC/ISAKMP config...

ASA

no crypto ipsec security-association lifetime seconds 28800
no crypto ipsec security-association lifetime kilobytes 4608000
no crypto map outside_map 1 set security-association lifetime seconds 28800
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000
no crypto map outside_map0 1 set pfs group5
no crypto map outside_map0 1 set security-association lifetime seconds 28800
no crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address CryptoMap

That should get you a little closer. Make the appropriate changes and resubmit the config. A couple of things hindered you: the subnet masking would never bring the tunnel up. Another would be the security-association statements, which are not really needed if you have one remote site.

From here, with the changes, you should start to see some progress with the following show commands:

show crypto isakmp sa
show crypto ipsec sa

Also, some debugs to run would be debug crypto ipsec 255 and debug crypto isakmp 255 on the ASA.

As for the router: debug crypto ipsec and debug crypto isakmp.

Here's a great link from Cisco to help:

http://cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hope this helps, rate if it does!

JB

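The answer's main point is that the ASA crypto/NAT-exempt ACEs (subnet masks) and the router crypto ACE (wildcard masks) must describe exactly the same two subnets, mirrored. The following is an added check, not code from the poster or from Cisco, that parses the ACEs quoted above and verifies that mirroring; the ACE strings are taken from the answer, and the mismatched /24 line is constructed to show what a failing proxy-ID check looks like.

```python
import ipaddress
import re

# Constructed sample input: the ACEs proposed in the accepted answer above.
# ASA ACEs use subnet masks; IOS ACEs use wildcard (inverse) masks.
ASA_NONAT = "access-list nonat extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248"
ASA_CRYPTO = "access-list CryptoMap extended permit ip 10.135.5.0 255.255.255.128 10.135.14.0 255.255.255.248"
IOS_CRYPTO = "permit ip 10.135.14.0 0.0.0.7 10.135.5.0 0.0.0.127"

_ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def _fields(line):
    m = _ACE.search(line)
    if not m:
        raise ValueError(f"not a 'permit ip' ACE: {line!r}")
    return m.groups()


def parse_asa_ace(line):
    """(src, dst) networks from an ASA extended ACE written with subnet masks.
    strict=True rejects an address that has host bits set under its mask."""
    src, smask, dst, dmask = _fields(line)
    return (ipaddress.ip_network(f"{src}/{smask}", strict=True),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=True))


def parse_ios_ace(line):
    """(src, dst) networks from an IOS ACE written with wildcard masks."""
    src, swild, dst, dwild = _fields(line)

    def net(addr, wild):
        # wildcard -> subnet mask: invert every bit (0.0.0.7 -> 255.255.255.248)
        mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wild)))
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

    return net(src, swild), net(dst, dwild)


def mirror_ok(asa_line, ios_line):
    """True when the IOS crypto ACE is the exact mirror of the ASA crypto ACE:
    each side's source network is the other side's destination network."""
    asa_src, asa_dst = parse_asa_ace(asa_line)
    ios_src, ios_dst = parse_ios_ace(ios_line)
    return asa_src == ios_dst and asa_dst == ios_src


def nonat_matches_crypto(nonat_line, crypto_line):
    """True when the ASA NAT-exempt ACE covers exactly the crypto ACE's traffic,
    so VPN-bound packets are not translated before they reach the crypto map."""
    return parse_asa_ace(nonat_line) == parse_asa_ace(crypto_line)


if __name__ == "__main__":
    print("crypto ACLs mirror:", mirror_ok(ASA_CRYPTO, IOS_CRYPTO))
    print("nonat == crypto:", nonat_matches_crypto(ASA_NONAT, ASA_CRYPTO))
    # Constructed mistake: a /24 on the router side fails the proxy-ID match.
    print("router /24:", mirror_ok(ASA_CRYPTO, "permit ip 10.135.14.0 0.0.0.255 10.135.5.0 0.0.0.255"))
```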

2 Replies


Thank you very much for this, excellent post and great link.

All now working fine.

Thanks again

Jonathan
