ASA-to-Router VPN, Private to Public

Answered Question
Oct 9th, 2009

I have a setup where a customer will be sending calls from a UCM, sourced from a private address, through a VPN tunnel terminating at a 2811. The call needs to hit an SBC that is publicly addressed and sits right behind the router on FE0/1. (See attached picture)

The traffic going through the ASA is being exempted from NAT.

Since this is all public on my end and my default route points to my ISP's router, I would assume that I do not need anything other than a default route. (I'm not running any routing protocols - just a static route outbound.)

The tunnel does not come up. In fact, I never see any traffic hit my side at all. Does anyone have any experience doing a private-to-public VPN, or know of a config example anywhere?

Here's my end of the config:

! Phase 1 (ISAKMP) policy and pre-shared key for the peer
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXXX address (public address #1) no-xauth
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac
!
crypto map XXXMAP 4 ipsec-isakmp
 set peer (public address #1)
 set security-association idle-time 3600
 set transform-set XXXSET
 set pfs group2
 match address 170
!
! Crypto ACL: local public SBC to the remote private UCM address
access-list 170 permit ip host (public address #3) host 10.0.0.5
!
interface FastEthernet0/0
 ip address (public address #2) 255.255.255.252
 load-interval 30
 speed 100
 full-duplex
 no cdp enable
 crypto map XXXMAP
 service-policy output AutoQoS-Policy-UnTrust

Thank you,

paul

Correct Answer
auraza Fri, 10/09/2009 - 12:22

Your configuration looks fine.

Does Phase 1 come up when you try to pass traffic through? "show cry isa sa"

If P1 comes up, does P2 come up? "show crypto ipsec sa | i ident|spi|encr|decr"

If neither is coming up, run a debug:

debug cry isa

debug cry ips

See if the tunnel is being initiated when traffic is sent. As long as you have a default route pointing outbound, and have no other routes, you should be fine. Looks like everything else will be a connected network.
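As an added example that is not part of the original thread: a small Python script that parses the output of the two show commands auraza recommends ("show crypto isakmp sa" and "show crypto ipsec sa") and reports which of the answer's troubleshooting steps the tunnel is stuck at. All command output in it is constructed for this example; the column layout follows IOS output as commonly seen and is an assumption about the reader's exact platform and version, and the TEST-NET addresses (203.0.113.x, 198.51.100.x) stand in for the real peers the thread redacts.

```python
"""
Added example, not part of the original thread: classify an IOS IPsec
tunnel as phase1-down / phase2-down / one-way / up from the output of
'show crypto isakmp sa' and 'show crypto ipsec sa'.
All sample output is constructed; the line layout is assumed from
commonly seen IOS output and may differ by platform or version.
"""
import re

# Phase 1 is complete only in QM_IDLE.  MM_* states mean main mode never
# finished: the peer did not answer, or proposal (encr/hash/group/lifetime),
# pre-shared key or peer address did not match, which is the class of
# problem the thread ended up finding on the ASA side.
PHASE1_UP = {"QM_IDLE"}

ISAKMP_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)",
    re.MULTILINE,
)
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")


def parse_isakmp(output):
    """One dict per ISAKMP SA row; an empty list means no phase 1 SA at all."""
    return [m.groupdict() for m in ISAKMP_RE.finditer(output)]


def parse_ipsec(output):
    """Identities, packet counters and non-zero SPIs from 'show crypto ipsec sa'."""
    idents = dict(IDENT_RE.findall(output))
    return {
        "local_ident": idents.get("local"),
        "remote_ident": idents.get("remote"),
        "encaps": sum(int(n) for n in ENCAPS_RE.findall(output)),
        "decaps": sum(int(n) for n in DECAPS_RE.findall(output)),
        # IOS prints "spi: 0x0(0)" while no SA exists, so zero is not a real SPI
        "spis": sorted({s.lower() for s in SPI_RE.findall(output) if int(s, 16) != 0}),
    }


NEXT_STEP = {
    "phase1-down": "IKE never completed: 'debug crypto isakmp', then compare policy, key and peer address with the far side",
    "phase2-down": "IKE up but no IPsec SA: 'debug crypto ipsec', then compare transform set, PFS and mirrored crypto ACL",
    "one-way": "encrypting but never decrypting: the far side is not returning traffic (its routing or NAT exemption)",
    "up": "both directions carrying traffic",
}


def diagnose(isakmp_out, ipsec_out):
    """Return a NEXT_STEP key, checking phase 1 before phase 2 as the answer does."""
    sas = parse_isakmp(isakmp_out)
    if not any(sa["state"] in PHASE1_UP for sa in sas):
        return "phase1-down"
    ipsec = parse_ipsec(ipsec_out)
    if not ipsec["spis"]:
        return "phase2-down"
    if ipsec["encaps"] > 0 and ipsec["decaps"] == 0:
        return "one-way"
    return "up"


# --- constructed sample output (not captured from a real device) ---
ISAKMP_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""
ISAKMP_STUCK = ISAKMP_EMPTY.replace(
    "conn-id status\n",
    "conn-id status\n203.0.113.10    198.51.100.20   MM_NO_STATE          0 ACTIVE (deleted)\n")
ISAKMP_UP = ISAKMP_EMPTY.replace(
    "conn-id status\n",
    "conn-id status\n203.0.113.10    198.51.100.20   QM_IDLE           1001 ACTIVE\n")


def ipsec_sample(encaps, decaps, inbound_spi=None, outbound_spi=None):
    """Build a 'show crypto ipsec sa' excerpt; no SPIs models the no-SA case."""
    out_spi = outbound_spi or "0"
    inbound = f"      spi: 0x{inbound_spi}({int(inbound_spi, 16)})\n" if inbound_spi else ""
    return (
        "interface: FastEthernet0/0\n"
        "    Crypto map tag: XXXMAP, local addr 203.0.113.10\n"
        "   local  ident (addr/mask/prot/port): (203.0.113.30/255.255.255.255/0/0)\n"
        "   remote ident (addr/mask/prot/port): (10.0.0.5/255.255.255.255/0/0)\n"
        "   current_peer 198.51.100.20 port 500\n"
        f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
        f"     current outbound spi: 0x{out_spi}({int(out_spi, 16)})\n"
        "     inbound esp sas:\n" + inbound
    )


IPSEC_DOWN = ipsec_sample(0, 0)
IPSEC_ONEWAY = ipsec_sample(42, 0, "1F2E3D4C", "4B2A1C3D")
IPSEC_UP = ipsec_sample(42, 40, "1F2E3D4C", "4B2A1C3D")

if __name__ == "__main__":
    cases = {
        "no peer response": (ISAKMP_EMPTY, IPSEC_DOWN),
        "phase 1 stuck": (ISAKMP_STUCK, IPSEC_DOWN),
        "phase 2 missing": (ISAKMP_UP, IPSEC_DOWN),
        "one-way traffic": (ISAKMP_UP, IPSEC_ONEWAY),
        "healthy": (ISAKMP_UP, IPSEC_UP),
    }
    for name, (isa, ips) in cases.items():
        code = diagnose(isa, ips)
        print(f"{name:17} -> {code}: {NEXT_STEP[code]}")
```

Paul's symptom ("Phase I never completes") maps to the first branch: the ISAKMP table is empty or shows an MM_* state, and the next step is the `debug cry isa` the answer names, then a side-by-side comparison of the phase 1 parameters with the ASA. The one-way branch is worth keeping even after phase 1 and 2 succeed, because a tunnel with encaps climbing and decaps stuck at zero is exactly what "I never see any traffic hit my side" looks like once the peer is sending.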

pstebner10 Fri, 10/09/2009 - 12:53

Auraza-

Thank you for the reply. Phase I never completes, so I am checking with the guys on the other end as to what the discrepancies between our configs may be. I'll post back when I have more info.

Paul

pstebner10 Fri, 10/09/2009 - 13:46

Problem solved. It was a Phase I issue on the ASA side.

Thanks again,

Paul

auraza Fri, 10/09/2009 - 13:53

Great! Glad to know it's working!

Thanks for the rating!
