05-28-2008 06:09 AM - edited 03-11-2019 05:51 AM
Hi there
I have an ASA 5510 in the head office with a static IP and an ASA 5505 at the remote site behind an ADSL router. I am trying to establish a VPN, but it is failing in phase 1.
Config of Head Office
interface Ethernet0/0
description Link to LeaseLine Router
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description Link to Internal LAN
nameif inside
security-level 100
ip address 172.17.1.15 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
pre-shared-key *
Config of Remote Site
interface Vlan1
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
access-list ICMP extended permit icmp any any
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
pre-shared-key *
Regards/Asfar
05-28-2008 07:18 AM
Hi Asfar
1) The remote site has a tunnel-group named "fairmount". Assuming that "fairmount" refers to your head office, the tunnel-group name must be the same as the peer IP, so you should make the following modification:
clear config tunnel-group fairmount type ipsec-l2l
tunnel-group 83.111.252.242 type ipsec-l2l
tunnel-group 83.111.252.242 ipsec-attributes
pre-shared-key *
2) If it doesn't work after the above suggestion, try using a transform set different from ESP-AES-SHA in both locations.
3) Change the pre-shared key to 1 and keep it like that until you resolve the connectivity problem. Then you can change it to a more secure value.
4) If still no joy, ensure that UDP port 4500, TCP port 10000 and UDP/TCP 500 are forwarded to 192.168.1.2 in router 192.168.1.1 at the remote office.
Regards
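The reply above boils down to a checklist that can be run mechanically against both configs: does each static crypto map peer have a tunnel-group of the same name, do the two sides share an ISAKMP (phase 1) proposal, do they share a transform set (phase 2), and is NAT traversal on. The script below is an added example, not Cisco code or anything posted in this thread; it parses the crypto lines of two ASA configs and reports the mismatches. The embedded configs are abbreviated copies of the ones posted above (x.x.x.x / y.y.y.y kept as placeholders), and the ASA defaults assumed for omitted isakmp policy attributes (pre-share, 3des, sha, group 2) are an assumption of this example.

```python
"""Added example: cross-check two Cisco ASA IKEv1 site-to-site configs for the
mismatches listed in the reply (tunnel-group vs. peer, phase 1, phase 2, NAT-T).
Not Cisco code; a small parser over 'show run' style text."""

# Assumed ASA defaults for attributes omitted inside 'crypto isakmp policy'.
ISAKMP_DEFAULTS = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_asa_crypto(cfg: str) -> dict:
    """Extract the crypto pieces that decide whether an L2L tunnel can come up."""
    policies, current = [], None
    transform_sets, map_peer, ts_refs, tunnel_groups, nat_t = {}, {}, [], set(), False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if current is not None and t[0] in POLICY_ATTRS:
            current[t[0]] = t[1]            # attribute line inside a policy block
            continue
        current = None                       # any other command ends the block
        if t[:3] == ["crypto", "isakmp", "policy"]:
            current = dict(ISAKMP_DEFAULTS)  # start with assumed defaults, overridden below
            policies.append(current)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets[t[3]] = tuple(t[4:])          # name -> (esp cipher, esp hmac)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            map_peer[(t[2], t[3])] = t[6]                # static map entry -> first peer
        elif t[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]) and t[4:6] == ["set", "transform-set"]:
            ts_refs.extend(t[6:])                        # transform sets actually in use
        elif t[:3] == ["crypto", "isakmp", "nat-traversal"]:
            nat_t = True
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            tunnel_groups.add(t[1])
    phase1 = {(p["authentication"], p["encryption"], p["hash"], p["group"]) for p in policies}
    phase2 = {transform_sets[n] for n in ts_refs if n in transform_sets}
    return {"phase1": phase1, "phase2": phase2, "map_peer": map_peer,
            "tunnel_groups": tunnel_groups, "nat_t": nat_t}


def check_site_to_site(a: dict, b: dict) -> list:
    """Return human-readable findings; an empty list means the checklist passes."""
    findings = []
    for site, cfg in (("A", a), ("B", b)):
        for (name, seq), peer in cfg["map_peer"].items():
            if peer not in cfg["tunnel_groups"]:
                findings.append(f"site {site}: crypto map {name} {seq} peers with {peer} but has no "
                                f"tunnel-group named {peer} (tunnel-groups: {sorted(cfg['tunnel_groups'])})")
        if not cfg["nat_t"]:
            findings.append(f"site {site}: NAT traversal is off; a peer behind a NAT router needs it")
    if not a["phase1"] & b["phase1"]:
        findings.append("phase 1: no ISAKMP policy (auth, encryption, hash, DH group) is shared by both sites")
    if not a["phase2"] & b["phase2"]:
        findings.append("phase 2: no referenced transform set is shared by both sites")
    return findings


# Constructed sample input: abbreviated from the configs posted in this thread.
HEAD_OFFICE_CFG = """
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group parkplace type ipsec-l2l
"""

REMOTE_CFG = """
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
"""

if __name__ == "__main__":
    for f in check_site_to_site(parse_asa_crypto(HEAD_OFFICE_CFG), parse_asa_crypto(REMOTE_CFG)):
        print("FINDING:", f)
```

Run against the two posted configs, the only finding is the one the reply points at: the remote's crypto map peers with 83.111.252.242 but the only tunnel-group is "fairmount". Renaming that tunnel-group to the peer address clears the list, while the phase 1 and phase 2 checks already pass because the remote's single policy (pre-share, aes-256, sha, group 2) matches head office policy 30 and both sides reference the same esp-aes-256/esp-sha-hmac transform set.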
05-29-2008 03:40 PM
Thanks, the problem is resolved.
05-29-2008 04:39 PM
Hi asfar,
Why did you rate 2?