DYNAMIC IP with SITE TO SITE VPN

wasiimcisco (Level 1)

I have an ASA 8.0 with a static IP address, and the remote site has an ADSL router with a dynamic IP address.

I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN connection, but nothing is working for me.

Please help me out. I am totally stuck. I have attached the router and firewall configuration, and below is the error I am getting.

Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 83.110.195.120, remote= x.x.x.x,

local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)

Nov 3 18:08:34.606: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,

local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

RISTAR-JXB#

RISTAR-JXB#

Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)


wasiimcisco (Level 1)

If I give 0.0.0.0 in the tunnel-group configuration, I get the following error.

ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l

WARNING: L2L tunnel-groups that have names which are not an IP

address may only be used if the tunnel authentication

method is Digitial Certificates and/or The peer is

configured to use Aggressive Mode

I have changed the router configuration to aggressive mode, but still no luck.

Here's a simple example of using a statically-assigned ASA or PIX and a dynamically assigned router gateway-to-gateway VPN with NAT.

HTH

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

Thanks for the reply. I tried all the steps again, but it is still not working. I have changed the configuration so many times, but it is still not working. Attached are the logs from the router and the firewall.

I even connected a computer directly to the firewall to avoid any routing, but it is still not working.

Did you change your router configuration at all from what you first posted? If so, could you post the updated router configuration? thx

Another question: Is your ADSL coming up on your remote router? Can you access the Internet from that router?

I set up the lab associated with that URL in my home lab.

I found that the PIX configuration was not quite complete.

First, the statement "crypto isakmp enable outside" is missing. Second, it is not clear that you do have to add the shared secret key under the tunnel group. This does not show up in the configuration.

# config t

(config)# tunnel-group DefaultL2LGroup ipsec-attributes

(config-tunnel-ipsec)# pre-shared-key cisco123

Also, the "ip nat outside" is missing from the router's outside interface.

Internet is working on the remote site router. The ASA firewall has multiple site-to-site VPN connections along with the remote access VPN connection, so crypto isakmp enable outside is already enabled on it.

crypto map ENOCMAP 17 ipsec-isakmp dynamic TRI_MAP

crypto map ENOCMAP interface outside

crypto ipsec transform-set TRI_SET esp-3des esp-md5-hmac

crypto dynamic-map TRI_MAP 17 set transform-set TRI_SET

crypto dynamic-map TRI_MAP 17 set security-association lifetime seconds 28800

crypto dynamic-map TRI_MAP 17 set security-association lifetime kilobytes 4608000

crypto dynamic-map TRI_MAP 17 set reverse-route

crypto map ENOCMAP 17 ipsec-isakmp dynamic TRI_MAP

I have once again entered the key

ENOCDC-FW03(config)# tunnel-group DefaultL2LGroup ipsec-attributes

ENOCDC-FW03(config-tunnel-ipsec)# pre-shared-key cisco123

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 10.1.1.56

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list acl-nonat

nat (test-dugas) 0 access-list acl-nonat

Please let me know what I am missing.

I'm assuming your isakmp policy is still in the firewall configuration. I don't see all the NAT statements in your configuration, for example:

global (outside) 1 interface

nat (inside) 0 access-list acl-nonat

nat (inside) 1 0.0.0.0 0.0.0.0

HTH

I would also look at the nonat-acl. These entries should be the mirror image of the crypto access list on the remote router. You don't want to NAT anything that is supposed to be encrypted and sent over the VPN tunnel.

I have the same configuration for the nonat ACL and for the remote site router access list for VPN interesting traffic.

nat (inside) 0 access-list acl-nonat

nat (test-dugas) 0 access-list acl-nonat

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

But I don't know what is missing.

First, make sure your policies match. Based on the prior listings of the router and ASA configurations, they look slightly different. Please make sure they are exactly the same. Here's what's on the ASA.

crypto isakmp policy 17

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

The nonat-acl on the ASA is not the mirror image of the crypto access list on the router. Any networks that are in nonat-acl are those you want to encrypt. They should match (in a mirror image) what is on the remote router.

HTH

Exact copy from the firewall nonat ACL:

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

Exact ACL copy from the router:

access-list 101 deny ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 101 deny ip 17.1.1.0 0.0.0.255 16.1.1.0 0.0.0.255

access-list 101 deny ip 172.17.245.0 0.0.0.255 16.1.1.0 0.0.0.255

access-list 101 permit ip 172.17.245.0 0.0.0.255 any

access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255

access-list 115 permit ip host 172.17.245.150 192.168.0.0 0.0.255.255

access-list 115 permit ip host 172.17.245.150 16.1.1.0 0.0.0.255

access-list 115 permit ip host 17.1.1.1 16.1.1.0 0.0.0.255

dialer-list 1 protocol ip list 101

!

Your ASA may have other peers to which it sends VPN traffic, but there should be nonat entries that are mirror images of all the crypto access list entries configured on the router.

Did you have a chance to check to see if the policies were identical?
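The mirror-image rule given twice above (every router crypto ACL entry needs a reversed nonat entry on the ASA) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: it parses the ASA nat 0 ACL and the router's ACL 115 exactly as posted in the thread and lists every router crypto entry whose mirrored flow no ASA nonat entry covers; the function names are my own.

```python
from ipaddress import IPv4Address, IPv4Network
# The ASA "nat 0" ACL and the router crypto ACL 115, exactly as posted in this thread.
ASA_NONAT = """
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7
"""
ROUTER_CRYPTO = """
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 16.1.1.0 0.0.0.255
access-list 115 permit ip host 17.1.1.1 16.1.1.0 0.0.0.255
"""

def _mask_to_prefix(mask, wildcard):
    # ASA entries carry netmasks (255.255.0.0); IOS ACL entries carry wildcards (0.0.255.255)
    m = int(IPv4Address(mask)) ^ (0xFFFFFFFF if wildcard else 0)
    if m != (0xFFFFFFFF << (32 - bin(m).count("1"))) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")  # e.g. a discontiguous IOS wildcard
    return bin(m).count("1")

def _take_net(toks, i, wildcard):
    # consume one address spec ("any" | "host A" | "A MASK") at toks[i]; return (network, next index)
    if toks[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return IPv4Network(toks[i + 1]), i + 2
    return IPv4Network(f"{toks[i]}/{_mask_to_prefix(toks[i + 1], wildcard)}", strict=False), i + 2

def parse_acl(text, wildcard):
    # (src, dst) network pairs for every "permit ip" entry; deny entries and other protocols are skipped
    pairs = []
    for toks in (line.split() for line in text.strip().splitlines()):
        a = 3 if toks[2] == "extended" else 2  # ASA inserts "extended" before the action
        if toks[a] == "permit" and toks[a + 1] == "ip":
            src, i = _take_net(toks, a + 2, wildcard)
            pairs.append((src, _take_net(toks, i, wildcard)[0]))
    return pairs

def missing_mirrors(router_crypto, asa_nonat):
    # router entries src->dst whose mirror dst->src is not covered by any ASA nonat entry
    return [(s, d) for s, d in router_crypto
            if not any(d.subnet_of(ns) and s.subnet_of(nd) for ns, nd in asa_nonat)]

def check_thread_configs():
    return missing_mirrors(parse_acl(ROUTER_CRYPTO, True), parse_acl(ASA_NONAT, False))
```

On the configurations as posted, the check reports one entry, host 172.17.245.210 to 192.168.0.0/16, which are the same local and remote proxy identities shown in the router's IPSEC(sa_request) log at the top of the thread.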

Please see the logs after enabling PFS on the ASA and reconfiguring the router with aggressive mode.
