03-05-2014 12:42 PM
Hello, I am having trouble getting this site to site VPN established between an 867VAE router and an ASA5505 firewall.
It will be something really simple, as this is my first attempt at a VPN. I am doing this in a lab environment using 192.168.200.1-2 to interface the two devices. My internal network on the 867 router side is 192.168.100.0 and the internal network on the ASA5505 side is 192.168.0.0. I used the ASA5505 wizard to set up the VPN.
This is the VPN topology:
LAN 192.168.100.0 -----867Router external interface(Fa0) 192.168.200.1 ----------ASA5505 external interface(Fa0) 192.168.200.2 ---------LAN 192.168.0.0
Can anyone see what is going wrong?
Thanks kindly for any help.
867VAE router configuration (manually configured):
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname phils867
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
wan mode dsl
no ipv6 cef
ip source-route
!
ip dhcp pool WIRED
import all
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 4.2.2.2 8.8.8.8
!
no ip domain lookup
ip domain name phil867
ip name-server 4.2.2.2
ip name-server 8.8.8.8
!
crypto pki token default removal timeout 0
!
username doug privilege 15 secret 5 xxxxxx
username phil privilege 15 secret 5 xxxx
!
controller VDSL 0
!
ip ssh version 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key mysecretkey address 192.168.200.2
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 192.168.200.2
set transform-set vpnset
match address 100
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description DSL
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 200
no ip address
crypto map vpnset
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 100
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan200
description Wired
ip address 192.168.200.1 255.255.255.0
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip access-group blockPING in
no ip redirects
ip mtu 1480
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxx password 0 xxxxxx
ppp ipcp dns request
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.200.2
!
ip access-list extended SSHAllowedIP
permit ip host 192.168.200.2 any
ip access-list extended blockPING
deny icmp any any echo
permit ip any any
!
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
terminal-type mon
length 20
line aux 0
line vty 0 4
access-class SSHAllowedIP in
exec-timeout 0 0
logging synchronous
transport input ssh
!
scheduler allocate 60000 1000
end
ASA5505 running config:
ASA Version 8.0(2)
!
hostname philASA5505
domain-name phil.home
enable password xxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
ospf cost 10
!
interface Vlan2
no forward interface Vlan5
nameif outside
security-level 0
ip address 192.168.200.2 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
passwd ma.B/.HgoVfoLiCL encrypted
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
dns server-group DefaultDNS
domain-name phil.home
object-group network lan
description lan
network-object host 192.168.100.0
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 host 192.168.100.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host 192.168.100.0
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool philpool 192.168.0.1-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 101.0.0.0 255.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.200.1
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 121.98.116.2
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 123.100.82.198 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.120 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global-policy global
webvpn
enable outside
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy philtunnel internal
group-policy philtunnel attributes
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol IPSec
username phil password DfN1FSNE/PrGENWQ encrypted privilege 15
tunnel-group mmc-rytech type ipsec-l2l
tunnel-group mmc-rytech ipsec-attributes
pre-shared-key *
tunnel-group 192.168.200.1 type ipsec-l2l
tunnel-group 192.168.200.1 ipsec-attributes
pre-shared-key *
03-05-2014 08:10 PM
On the ASA, access-list outside_1_cryptomap is wrong. You have host 192.168.0.0 and what you want is a subnet. Look at the other statements and you'll see.
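The mismatch the reply points at is a proxy-identity (crypto ACL) problem: the router's ACL 100 selects 192.168.100.0/24 to 192.168.0.0/24, while the ASA's outside_1_cryptomap selects 192.168.0.0/24 to the single host 192.168.100.0, so the two ends never agree on what traffic the tunnel carries. The script below is an added example written for this thread, not part of either posted configuration or any Cisco tool. It parses the two crypto ACL flavours (IOS wildcard masks, ASA subnet masks and host keywords), checks that each side's entries are exact mirror images of the other's, and flags a "host" entry whose address ends in .0 as a likely mistyped subnet. The ACL lines embedded in it are copied from the configurations above and a corrected ASA line is constructed to show the check passing; the function names are this example's own.

```python
"""Mirror-check the crypto ACLs (proxy identities) of an IPsec site-to-site tunnel.

Added example for this thread. The ACL text below is constructed sample input:
the router and ASA lines are taken from the posted configurations, the FIXED
line is what the reply suggests. Function names are this example's own.
"""
import ipaddress

# Crypto ACL referenced by 'match address 100' on the 867VAE router (IOS, wildcard masks).
ROUTER_ACL = """
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Crypto ACL bound to 'crypto map outside_map 1' on the ASA, as posted.
ASA_ACL = """
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 host 192.168.100.0
"""

# Constructed: the same ACL with the host entry replaced by the /24 subnet.
ASA_ACL_FIXED = """
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
"""


def _ios_operand(tokens, i):
    """Consume one IOS address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard 0.0.0.255 is the inverse of netmask 255.255.255.0.
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def _asa_operand(tokens, i):
    """Consume one ASA address operand: 'any', 'host A', or 'A NETMASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, netmask = tokens[i], tokens[i + 1]
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text, flavour):
    """Return the set of (src_network, dst_network) pairs selected by 'permit ip' ACEs."""
    operand = _ios_operand if flavour == "ios" else _asa_operand
    pairs = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # deny entries never select traffic for the tunnel
        i = tokens.index("permit") + 1
        if tokens[i] != "ip":
            continue  # this example only handles protocol 'ip' entries
        src, i = operand(tokens, i + 1)
        dst, i = operand(tokens, i)
        pairs.add((src, dst))
    return pairs


def mirror_report(router_pairs, asa_pairs):
    """List every way the two proxy-identity sets fail to mirror each other."""
    expected_on_asa = {(dst, src) for src, dst in router_pairs}
    findings = []
    for src, dst in sorted(asa_pairs - expected_on_asa, key=str):
        findings.append(f"ASA selects {src} -> {dst}; router has no mirror entry")
    for asa_src, asa_dst in sorted(expected_on_asa - asa_pairs, key=str):
        findings.append(f"router selects {asa_dst} -> {asa_src}; ASA has no mirror entry")
    # A /32 whose address ends in .0 is almost always a subnet typed as 'host'.
    seen = set()
    for src, dst in router_pairs | asa_pairs:
        for net in (src, dst):
            if net.prefixlen == 32 and str(net.network_address).endswith(".0") and net not in seen:
                seen.add(net)
                findings.append(f"suspicious host entry {net.network_address}: did you mean a subnet?")
    return findings


if __name__ == "__main__":
    router = parse_acl(ROUTER_ACL, "ios")
    for label, asa_text in (("as posted", ASA_ACL), ("after fix", ASA_ACL_FIXED)):
        findings = mirror_report(router, parse_acl(asa_text, "asa"))
        print(f"{label}: {findings or 'proxy identities match'}")
```

Run as-is it reports three findings for the posted ACLs (no mirror on either side plus the suspicious host 192.168.100.0) and none for the corrected line. The same mirror rule applies to any crypto-map entry: each side's ACE must name the peer's remote network as its source and its own local network as its destination, with identical prefix lengths, or phase 2 negotiation fails with a proxy-identity mismatch.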