11-03-2009 10:11 AM
I have an ASA 8.0 with a static IP address, and the remote site has an ADSL router with a dynamic IP address.
I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN
connection, but nothing is working for me.
Please help me out. I am totally stuck. I have attached the router and firewall configuration, and below is the error I am getting.
Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
Nov 3 18:08:34.606: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RISTAR-JXB#
RISTAR-JXB#
Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)
11-03-2009 10:27 AM
If I give 0.0.0.0 in the tunnel-group configuration, I get the following error.
ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
I have changed the router configuration to aggressive mode, but still no luck.
11-03-2009 11:31 AM
Here's a simple example of using a statically-assigned ASA or PIX and a dynamically assigned router gateway-to-gateway VPN with NAT.
HTH
11-04-2009 07:25 AM
Thanks for the reply. I tried all the steps again, but it is still not working. I have changed the configuration so many times, but it is still not working. Attached are the logs from the router and the firewall.
I even connected a computer directly to the firewall to avoid any routing, but it is still not working.
11-04-2009 10:57 AM
Did you change your router configuration at all from what you first posted? If so, could you post the updated router configuration? thx
11-04-2009 11:18 AM
Another question: Is your ADSL coming up on your remote router? Can you access the Internet from that router?
11-04-2009 01:15 PM
I set up the lab associated with that URL in my home lab.
I found that the PIX configuration was not quite complete.
First, the statement "crypto isakmp enable outside" is missing. Second, it is not clear that you do have to add the shared secret key under the tunnel group. This does not show up in the configuration.
# config t
(config)# tunnel-group DefaultL2LGroup ipsec-attributes
(config-tunnel-ipsec)# pre-shared-key cisco123
Also, the "ip nat outside" is missing from the router's outside interface.
11-05-2009 12:38 AM
Internet is working on the remote site router. The ASA firewall has multiple site-to-site VPN connections along with the remote access VPN connection, so crypto isakmp enable outside is already enabled on this.
crypto map ENOCMAP 17 ipsec-isakmp dynamic TRI_MAP
crypto map ENOCMAP interface outside
crypto ipsec transform-set TRI_SET esp-3des esp-md5-hmac
crypto dynamic-map TRI_MAP 17 set transform-set TRI_SET
crypto dynamic-map TRI_MAP 17 set security-association lifetime seconds 28800
crypto dynamic-map TRI_MAP 17 set security-association lifetime kilobytes 4608000
crypto dynamic-map TRI_MAP 17 set reverse-route
crypto map ENOCMAP 17 ipsec-isakmp dynamic TRI_MAP
I have once again entered the key
ENOCDC-FW03(config)# tunnel-group DefaultL2LGroup ipsec-attributes
ENOCDC-FW03(config-tunnel-ipsec)# pre-shared-key cisco123
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 10.1.1.56
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list acl-nonat
nat (test-dugas) 0 access-list acl-nonat
Please let me know what I am missing.
11-05-2009 06:33 AM
I'm assuming your isakmp policy is still in the firewall configuration. I don't see all the NAT statements in your configuration, for example:
global (outside) 1 interface
nat (inside) 0 access-list acl-nonat
nat (inside) 1 0.0.0.0 0.0.0.0
HTH
11-05-2009 06:40 AM
I would also look at the nonat-acl. These entries should be the mirror image of the crypto access list on the remote router. You don't want to NAT anything that is supposed to be encrypted and sent over the VPN tunnel.
11-05-2009 07:42 AM
I have the same configuration for nonat and remote site router access list for VPN interesting traffic.
nat (inside) 0 access-list acl-nonat
nat (test-dugas) 0 access-list acl-nonat
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7
But I don't know what is missing.
11-05-2009 09:00 AM
First, make sure your policies match. Based on the prior listings of the router and ASA configurations, they look slightly different. Please make sure they are exactly the same. Here's what's on the ASA.
crypto isakmp policy 17
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
The nonat-acl on the ASA is not the mirror image of the crypto access list on the router. Any networks that are in nonat-acl are those you want to encrypt. They should match (in a mirror image) what is on the remote router.
HTH
11-05-2009 12:26 PM
Exact copy of the firewall nonat ACL:
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7
Exact ACL copy from the router:
access-list 101 deny ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 17.1.1.0 0.0.0.255 16.1.1.0 0.0.0.255
access-list 101 deny ip 172.17.245.0 0.0.0.255 16.1.1.0 0.0.0.255
access-list 101 permit ip 172.17.245.0 0.0.0.255 any
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 16.1.1.0 0.0.0.255
access-list 115 permit ip host 17.1.1.1 16.1.1.0 0.0.0.255
dialer-list 1 protocol ip list 101
!
11-05-2009 12:48 PM
Your ASA may have other peers to which it sends VPN traffic, but there should be nonat entries that are mirror images of all the crypto access list entries configured on the router.
Did you have a chance to check to see if the policies were identical?
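The mirror-image check described in the reply above, written out as an added example (it is not the poster's code, nor anything taken from the thread). It parses the ASA nonat ACL (subnet masks) and the router's crypto ACL 115 (wildcard masks) exactly as they were posted, swaps source and destination on each router entry, and reports which mirrors the ASA nonat ACL lacks, both as an exact line and as "not even covered by a broader line". The two ACL strings are copied from the posts above; the function names are my own. Run against the posted ACLs it flags the router's first entry, host 172.17.245.210 to 192.168.0.0/16, which is also the proxy pair in the router debug output at the top of the thread, as having no counterpart on the ASA. This only covers the NAT exemption side; the ISAKMP policy, transform set and tunnel-group key still have to match separately.

```python
import ipaddress

# Constructed sample input: the ASA nonat ACL and the router's crypto ACL 115
# as posted in the thread above.
ASA_NONAT = """
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7
"""

ROUTER_CRYPTO_ACL = """
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 16.1.1.0 0.0.0.255
access-list 115 permit ip host 17.1.1.1 16.1.1.0 0.0.0.255
"""


def _parse_addr(tokens, pos, wildcard):
    """Consume one address spec at tokens[pos]: 'host A', 'any', or 'A MASK'.
    IOS crypto ACLs use wildcard masks; ASA ACLs use subnet masks.
    Returns (network, next_pos)."""
    tok = tokens[pos]
    if tok == "host":
        return ipaddress.ip_network(tokens[pos + 1] + "/32"), pos + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    mask = ipaddress.ip_address(tokens[pos + 1])
    if wildcard:
        # wildcard 0.0.0.255 becomes netmask 255.255.255.0
        mask = ipaddress.ip_address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), pos + 2


def parse_acl(text, wildcard):
    """Return a list of (src, dst) network pairs for the permit lines of an ACL.
    Deny lines are skipped: on the router they exclude traffic from the tunnel,
    on the ASA they leave traffic subject to NAT."""
    pairs = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        pos = tokens.index("ip") + 1          # first 'ip' is the protocol keyword
        src, pos = _parse_addr(tokens, pos, wildcard)
        dst, pos = _parse_addr(tokens, pos, wildcard)
        pairs.append((src, dst))
    return pairs


def missing_mirror_entries(asa_nonat_text, router_crypto_text):
    """Mirror each router crypto entry (swap src and dst) and report the mirrors
    the ASA nonat ACL does not have. 'exact' lists mirrors with no identical ASA
    line; 'uncovered' lists mirrors not contained in any broader ASA line either,
    i.e. traffic the ASA would still NAT before it reaches the crypto map."""
    asa = parse_acl(asa_nonat_text, wildcard=False)
    router = parse_acl(router_crypto_text, wildcard=True)
    mirrored = [(dst, src) for src, dst in router]
    exact = [m for m in mirrored if m not in asa]
    uncovered = [
        (s, d) for s, d in mirrored
        if not any(s.subnet_of(a_s) and d.subnet_of(a_d) for a_s, a_d in asa)
    ]
    return exact, uncovered


if __name__ == "__main__":
    exact, uncovered = missing_mirror_entries(ASA_NONAT, ROUTER_CRYPTO_ACL)
    for s, d in exact:
        print(f"no exact ASA nonat line for {s} -> {d}")
    for s, d in uncovered:
        print(f"NOT COVERED by any ASA nonat line: {s} -> {d}")
```

Running it reports two mirrors with no exact ASA line (192.168.0.0/16 to host 172.17.245.210 and 16.1.1.0/24 to host 17.1.1.1) and only the first of them as not covered at all, since the ASA's 16.1.1.0/24 to 17.1.1.0/24 line already contains the second. Feeding the same pair of ACLs to the check after every change is a quicker way to keep the two ends in step than re-reading them by eye.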