11-03-2009 10:09 AM - edited 03-11-2019 09:35 AM
I have an ASA 8.0 with a static IP address and the remote site has an ADSL router with a dynamic IP address.
I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN
connection but nothing is working for me.
Please help me out. I am totally stuck. I have attached the router and firewall configuration, and below is the error I am getting.
Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
Nov 3 18:08:34.606: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RISTAR-JXB#
RISTAR-JXB#
Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)
If I give 0.0.0.0 in the tunnel group configuration it gives me the following error.
ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
I have changed the router configuration to aggressive mode but still no luck.
11-03-2009 01:43 PM
You want to use the DefaultL2LGroup for your tunnel group name, not 0.0.0.0.
11-04-2009 07:39 AM
11-05-2009 12:29 AM
Can anybody help me out?
11-05-2009 05:56 AM
First off, your crypto ACLs should be mirrors of each other. This is how they are now...
Router
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
ASA
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0
This is what they should be...
Router
access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255
ASA
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0
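As an added check (not code from the thread), the script below parses router (IOS wildcard-mask) and ASA (netmask) crypto ACL entries and reports the entries on each side that have no mirrored counterpart on the other; the sample input is the thread's own two ACL lines plus the router entry rewritten as a /24.

```python
import ipaddress

def _parse_addr(tokens, i, style):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if style == "ios":
        # IOS ACLs use wildcard masks (0.0.0.255); invert to a netmask first
        mask = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_crypto_acl(line, style):
    """Return (src, dst) networks for a 'permit ip' entry in IOS or ASA syntax."""
    tokens = line.split()
    i = tokens.index("permit") + 2          # skip 'permit' and the protocol keyword
    src, i = _parse_addr(tokens, i, style)
    dst, _ = _parse_addr(tokens, i, style)
    return src, dst

def mirror_mismatch(router_lines, asa_lines):
    """Entries on each side that have no exact (src/dst swapped) mirror on the other side."""
    router = {parse_crypto_acl(l, "ios") for l in router_lines}
    asa = {parse_crypto_acl(l, "asa") for l in asa_lines}
    asa_mirrored = {(dst, src) for src, dst in asa}
    router_only = router - asa_mirrored
    asa_only = {entry for entry in asa if (entry[1], entry[0]) not in router}
    return router_only, asa_only

# Crypto ACLs as posted in the thread: the router matches a single host, the ASA a /24
ROUTER_NOW = ["access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255"]
ASA = ["access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0"]
# Router entry rewritten as a /24 so that it mirrors the ASA entry
ROUTER_FIXED = ["access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255"]

if __name__ == "__main__":
    print("before:", mirror_mismatch(ROUTER_NOW, ASA))
    print("after: ", mirror_mismatch(ROUTER_FIXED, ASA))
```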
11-05-2009 07:08 AM
On the ASA firewall I am making a dynamic map, like
Dynamic IPsec Between a Statically addressed PIX and a Dynamically addressed IOS Router with NAT Configuration Example
In the dynamic map I don't have any option to recall the interesting traffic.
11-05-2009 07:12 AM
Sure you do, it's right here...
crypto dynamic-map TRJXB_MAP 151 match address TRJXB
11-05-2009 07:53 AM
I have configured this:
crypto dynamic-map TRI_MAP 17 match address TRJXB
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 17.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 6.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 6.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 172.17.245.0 255.255.255.0
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7
but still not working.
11-05-2009 08:05 AM
Those aren't exact mirrors of each other, and the crypto ACL on your router isn't acl-nonat, it's ACL 115.
11-05-2009 08:14 AM
Can you get the log from the ASA?
11-05-2009 08:26 AM
11-05-2009 08:40 AM
Try this on the ASA.
crypto dynamic-map TRJXB-MAP 151 set pfs
11-05-2009 01:49 PM
Tried, but still not working. Even reconfigured the complete router, this time configured with aggressive mode on the router.
11-05-2009 02:13 PM