Help with VPN to ASA 5520

whiteford
Level 1

Hi,

I have a Cisco 2621 router that is required to be used as a VPN to a Cisco ASA.

Below I have started to build the config on the router, but have stalled. I can ping the peer address of the firewall and have been told the ASA is all configured. I have set up VPNs using a DSL router like an 877 to an ASA before, but not a 2621 Ethernet-based router.

ASA is 192.168.82.5 (example peer)

My crypto map MYCRYPTOMAP is not bound to an interface yet. Would this need to go on FE0/0 (outside)?

I'm sure there are many gaps to be added.

C2621XM#sh run
Building configuration...

Current configuration : 1350 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2621XM
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool LAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key tottenham address 192.168.82.5
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map MYCRYPTOMAP 1 ipsec-isakmp
 set peer 192.168.82.5
 set security-association lifetime seconds 86400
 set transform-set MYSET
 set pfs group5
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.82.6 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip classless
!
logging trap notifications
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
line con 0
 password cisco
 logging synchronous
line aux 0
line vty 0 4
 password ****
 logging synchronous
 login
!
end

C2621XM#

4 Replies

Ivan Martinon
Level 7

Are you sure these settings match the ASA? PFS? match address? Does the ASA have any as the source for this tunnel? Can you enable ipsec and isakmp debugs and post them here?

They do seem to match, well, I am told they do, as I don't control the ASA, which belongs to another company.

The only thing I haven't done is bind my crypto map "MYCRYPTOMAP" to anything. What interface should I bind this to? I have only ever worked with DSL routers like the 877, and I bind those crypto maps to the dialer interface.

Yeah, you need to apply the crypto map to the interface that connects to the peer.
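As an added example (not part of the original thread), this is what applying the poster's existing MYCRYPTOMAP to the ASA-facing interface and then checking the tunnel looks like on IOS; REMOTE_SUBNET and REMOTE_WILDCARD are placeholders, since the page does not state the network behind the ASA.

```cisco
! Bind the existing crypto map to the outside interface (the one on the
! same /28 as the ASA peer 192.168.82.5). Without this step the map never
! sees traffic and no ISAKMP negotiation is ever attempted.
interface FastEthernet0/0
 crypto map MYCRYPTOMAP
!
! Caveat (assumption, not from the thread): access-list 100 currently
! matches 10.10.10.0/24 to "any", so every packet leaving the LAN,
! including Internet-bound traffic, would be selected for encryption.
! The crypto ACL must be the exact mirror of the ASA's crypto ACL, so
! narrow it to the remote subnet the ASA side is configured for.
no access-list 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 REMOTE_SUBNET REMOTE_WILDCARD
!
! Verification from privileged EXEC after sending interesting traffic
! (for example, a ping from a 10.10.10.x host to a host behind the ASA):
!
!   show crypto isakmp sa
!     expect a Phase 1 SA to 192.168.82.5 in state QM_IDLE
!   show crypto ipsec sa
!     the #pkts encaps / #pkts decaps counters should increase
!   show crypto map
!     confirms MYCRYPTOMAP now lists "Interfaces using crypto map: FastEthernet0/0"
!
! If Phase 1 never reaches QM_IDLE, collect the debugs the reply asked for:
!   debug crypto isakmp
!   debug crypto ipsec
! and turn them off again with "undebug all" once captured.
```

Mismatched PFS, transform set or crypto ACL on either side shows up in these debugs as proposal or proxy-identity failures, which is the first thing to compare with the ASA administrator.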

johnnykman
Level 1

disregard