440 Views, 0 Helpful, 1 Reply

simple vpn connection issue

fran19422
Level 1

Hello, I am having trouble getting this site-to-site VPN established between an 867VAE router and an ASA5505 firewall.

It will be something really simple as this is my first attempt at a VPN. I am doing this in a lab environment using 192.168.200.1-2 to interface the two devices. My internal network on the 867 router side is 192.168.100.0 and the internal network on the ASA5505 side is 192.168.0.0. I used the ASA5505 wizard to set up the VPN.

This is the VPN topology:

LAN 192.168.100.0 ----- 867 router external interface (Fa0) 192.168.200.1 ---------- ASA5505 external interface (Fa0) 192.168.200.2 --------- LAN 192.168.0.0

Can anyone see what is going wrong?

Thanks kindly for any help.

867VAE router configuration (manually configured):

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname phils867
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
wan mode dsl
no ipv6 cef
ip source-route
!
ip dhcp pool WIRED
 import all
 network 192.168.200.0 255.255.255.0
 default-router 192.168.200.1
 dns-server 4.2.2.2 8.8.8.8
!
no ip domain lookup
ip domain name phil867
ip name-server 4.2.2.2
ip name-server 8.8.8.8
!
crypto pki token default removal timeout 0
!
username doug privilege 15 secret 5 xxxxxx
username phil privilege 15 secret 5 xxxx
!
controller VDSL 0
!
ip ssh version 2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key mysecretkey address 192.168.200.2
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
 set peer 192.168.200.2
 set transform-set vpnset
 match address 100
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description DSL
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport access vlan 200
 no ip address
 crypto map vpnset
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 100
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 200
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan200
 description Wired
 ip address 192.168.200.1 255.255.255.0
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip access-group blockPING in
 no ip redirects
 ip mtu 1480
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 0 xxxxxx
 ppp ipcp dns request
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.200.2
!
ip access-list extended SSHAllowedIP
 permit ip host 192.168.200.2 any
ip access-list extended blockPING
 deny   icmp any any echo
 permit ip any any
!
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
 terminal-type mon
 length 20
line aux 0
line vty 0 4
 access-class SSHAllowedIP in
 exec-timeout 0 0
 logging synchronous
 transport input ssh
!
scheduler allocate 60000 1000
end

ASA5505 running config:

ASA Version 8.0(2)
!
hostname philASA5505
domain-name phil.home
enable password xxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
 ospf cost 10
!
interface Vlan2
 no forward interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.200.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
passwd ma.B/.HgoVfoLiCL encrypted
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
dns server-group DefaultDNS
 domain-name phil.home
object-group network lan
 description lan
 network-object host 192.168.100.0
access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.44.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 host 192.168.100.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host 192.168.100.0
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool philpool 192.168.0.1-192.168.0.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 101.0.0.0 255.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.200.1
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 121.98.116.2
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 123.100.82.198 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.120 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect ctiqbe
  inspect dcerpc
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect icmp error
  inspect ils
  inspect ipsec-pass-thru
  inspect mgcp
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect snmp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global-policy global
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy philtunnel internal
group-policy philtunnel attributes
 dns-server value 4.2.2.2 8.8.8.8
 vpn-tunnel-protocol IPSec
username phil password DfN1FSNE/PrGENWQ encrypted privilege 15
tunnel-group mmc-rytech type ipsec-l2l
tunnel-group mmc-rytech ipsec-attributes
 pre-shared-key *
tunnel-group 192.168.200.1 type ipsec-l2l
tunnel-group 192.168.200.1 ipsec-attributes
 pre-shared-key *

1 Reply

Jeff Van Houten
Level 5

On the ASA, access-list outside_1_cryptomap is wrong. You have host 192.168.0.0 and what you want is a subnet. Look at the other statements and you'll see.

Sent from Cisco Technical Support iPad App
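The two places where the posted configs disagree, checked in code. This is an added example for this thread, not code from the original post or from Cisco. It copies the router's access-list 100, the ASA's outside_1_cryptomap line and the four ASA isakmp policies from the configs above; the values it fills in for the router's policy 10 are the documented IOS defaults for crypto isakmp policy (des, sha, group 1, rsa-sig), because that policy only sets authentication pre-share. ROUTER_POLICY_FIXED and ASA_ACL_FIXED are assumed corrections, not something the thread confirms. The script converts IOS wildcard masks and ASA subnet masks into one network notation so the two crypto ACLs (the IKE proxy identities) can be compared as exact mirrors, which is what an IKEv1 quick mode responder checks, and then looks for an ASA isakmp policy that matches what the router proposes.

```python
"""Spot the Phase 1 and Phase 2 mismatches between an IOS router and an ASA.

Added example for the thread above, not code from the post or from Cisco.
Constructed input: the crypto ACLs and isakmp policies as posted, plus an
assumed fix for each side.
"""
import ipaddress

ROUTER_ACL = "access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255"
ASA_ACL_POSTED = ("access-list outside_1_cryptomap extended permit ip "
                  "192.168.0.0 255.255.255.0 host 192.168.100.0")
# Assumed fix: whole /24 instead of a single host.
ASA_ACL_FIXED = ("access-list outside_1_cryptomap extended permit ip "
                 "192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0")

# IOS fills in whatever a `crypto isakmp policy` block does not set.
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": 1,
                       "authentication": "rsa-sig"}
# Router policy 10 as posted only sets `authentication pre-share`.
ROUTER_POLICY_POSTED = {**IOS_ISAKMP_DEFAULTS, "authentication": "pre-share"}
# Assumed fix: add `encryption aes` and `group 2` to line up with ASA policy 50.
ROUTER_POLICY_FIXED = {**ROUTER_POLICY_POSTED, "encryption": "aes", "group": 2}
# ASA policies 5/10/30/50 as posted. Lifetime is left out: peers negotiate it.
ASA_POLICIES = {
    5:  {"encryption": "3des", "hash": "sha", "group": 2, "authentication": "pre-share"},
    10: {"encryption": "des",  "hash": "sha", "group": 2, "authentication": "pre-share"},
    30: {"encryption": "3des", "hash": "md5", "group": 2, "authentication": "pre-share"},
    50: {"encryption": "aes",  "hash": "sha", "group": 2, "authentication": "pre-share"},
}


def _endpoint(tokens, i, wildcard):
    """Consume one ACL endpoint at tokens[i]; return (IPv4Network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        # IOS wildcard masks are inverted netmasks (0 bits are significant).
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(line, wildcard):
    """Return (protocol, src_net, dst_net) from one extended permit line.

    wildcard=True parses IOS ACL syntax, wildcard=False parses ASA syntax.
    """
    tokens = line.split()
    i = tokens.index("permit") + 1
    proto = tokens[i]
    src, i = _endpoint(tokens, i + 1, wildcard)
    dst, _ = _endpoint(tokens, i, wildcard)
    return proto, src, dst


def proxy_ids_mirror(router_line, asa_line):
    """True when the ASA crypto ACL is the exact src/dst mirror of the router's."""
    r_proto, r_src, r_dst = parse_acl(router_line, wildcard=True)
    a_proto, a_src, a_dst = parse_acl(asa_line, wildcard=False)
    return r_proto == a_proto and r_src == a_dst and r_dst == a_src


def phase1_match(router_policy, asa_policies):
    """Lowest-numbered ASA policy that matches the router's proposal, or None."""
    keys = ("encryption", "hash", "group", "authentication")
    for num in sorted(asa_policies):
        if all(asa_policies[num][k] == router_policy[k] for k in keys):
            return num
    return None


def findings(router_policy, router_acl, asa_acl):
    """List of what would stop the tunnel; empty when both phases line up."""
    out = []
    if phase1_match(router_policy, ASA_POLICIES) is None:
        out.append("Phase 1: router proposes %(encryption)s/%(hash)s/group %(group)d/"
                   "%(authentication)s; no ASA isakmp policy matches" % router_policy)
    if not proxy_ids_mirror(router_acl, asa_acl):
        _, r_src, r_dst = parse_acl(router_acl, True)
        _, a_src, a_dst = parse_acl(asa_acl, False)
        out.append(f"Phase 2: router ACL {r_src}->{r_dst} is not mirrored by "
                   f"ASA ACL {a_src}->{a_dst}")
    return out


if __name__ == "__main__":
    for label, pol, acl in (("as posted", ROUTER_POLICY_POSTED, ASA_ACL_POSTED),
                            ("after fixes", ROUTER_POLICY_FIXED, ASA_ACL_FIXED)):
        print(label + ":", findings(pol, ROUTER_ACL, acl) or ["no mismatch found"])
```

Run against the configs as posted it reports two findings: the router proposes DES/SHA/group 1 and none of the ASA policies accept group 1, and the router's 192.168.100.0/24 to 192.168.0.0/24 is answered on the ASA by 192.168.0.0/24 to 192.168.100.0/32 (the host keyword). The ASA fix is to replace the host entry in outside_1_cryptomap with 192.168.100.0 255.255.255.0, and do the same in inside_nat0_outbound and in object-group lan, which carry the same host 192.168.100.0; the router fix is to add encryption aes and group 2 under crypto isakmp policy 10 so it matches ASA policy 50. Two more things in the posted configs to check once those are in: the ASA has set pfs on crypto map outside_map 1 while the router's crypto map has no set pfs group2, so Phase 2 still fails until both sides agree on PFS; and the router applies crypto map vpnset to FastEthernet0, a VLAN 200 switchport with no IP address, whereas it belongs on interface Vlan200, which owns the peer address 192.168.200.1. Verify with show crypto isakmp sa and show crypto ipsec sa on both boxes, and debug crypto isakmp on the router if Phase 1 still does not complete. Outside a lab, DES, MD5 and DH groups 1 and 2 should not survive in either config; the wizard-generated transform list on the ASA and the IOS defaults are the only reason they are here. Separately, http 101.0.0.0 255.0.0.0 outside exposes ASDM to an entire /8 on the outside interface.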
