
New Member

VPN ISSUE

Hi,

My VPN tunnel is not working, and nothing shows in debug. Please check my config to see if I am doing anything wrong.

--------

on ASA

crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map test_120 match address internet_cryptomap_120
crypto map test_120 set peer 20.5.9.12
crypto map test_120 set transform-set ESP-3DES-SHA
crypto map test_120 interface internet
crypto map test_120 set security-association lifetime seconds 3600
isakmp enable internet
!
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
pre-shared-key *
tunnel-group 20.5.9.12 type ipsec-l2l
tunnel-group 20.5.9.12 ipsec-attributes
pre-shared-key *
access-list nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
access-list internet_cryptomap_120 extended permit tcp host 10.10.12.14 host 192.168.1.1 eq www
access-list internet_cryptomap_120 extended permit icmp host 10.10.12.14 host 192.168.1.1
nat (optfir) 0 access-list optfir_nat0_outbound

-----------------------------------------------------------------------------------------

on PIX

crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
crypto map vpn 70 set peer 143.22.1.1
crypto map vpn 70 set transform-set ESP-3DES-SHA
crypto map vpn 70 set security-association lifetime seconds 3600
crypto isakmp enable outside
tunnel-group 143.22.1.1 type ipsec-l2l
tunnel-group 143.22.1.1 ipsec-attributes
pre-shared-key *
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_70_cryptomap_1 extended permit tcp 10.10.12.14 host 192.168.1.1
access-list inside_nat_outbound extended permit ip 10.10.12.14 host 192.168.1.1
global (outside) 3 192.168.1.1 netmask 255.255.255.0 <<<---- here I am NATing all internal to 192.168.1.1
nat (inside) 3 access-list inside_nat_outbound

5 REPLIES
Silver

Re: VPN ISSUE

You have several things wrong here.

1. You have pfs on the PIX, but not the ASA

2. Your ACLs on the PIX are not a mirror of the ASA. Basically, you must switch the source and destination IPs in the crypto ACL and NAT 0 ACL.

3. You need to change your NAT command to a NAT 0. Like ...

nat (inside) 0 access-list inside_nat_outbound

*** Please rate ***

New Member

Re: VPN ISSUE

> 3. You need to change your NAT command to a NAT 0. Like ...
>
> nat (inside) 0 access-list inside_nat_outbound

Does this mean do not NAT? Please advise, as I do need all internal IPs to NAT to 192.168.1.1 and then go to the ASA.

Regards,

Silver

Re: VPN ISSUE

You will need one nat/global pair for outbound access. You will need a second nat for the VPN.

Here is an example.

For outbound traffic:

nat (inside) 3 192.168.1.0 255.255.255.0
global (outside) 3 172.16.1.1

For VPN:

access-list vpn_access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn_access

THIS MUST BE DONE ON BOTH FIREWALLS, AND MAKE SURE IT IS MIRRORED.
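The two replies above boil down to three mechanical checks: PFS set on both peers or neither, the crypto ACL on one side being the source/destination mirror of the other, and a `nat (...) 0 access-list` exemption on each firewall whose ACL is likewise mirrored. The following script is an added example, not code from the thread or from Cisco, that parses simplified ASA/PIX config text and reports which of those checks fail. The embedded configs are constructed for the example: the ASA crypto map is given a sequence number (`test 120`), the PIX ACLs are written with the `host` keyword, and only the lines the checks need are included.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# An ACE normalised to (proto, src, src_port, dst, dst_port); an address is
# (network, mask) so "host X" and "X 255.255.255.255" compare equal.
Ace = Tuple[str, Tuple[str, str], str, Tuple[str, str], str]
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}

def _take_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    if t[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2          # "network mask" form

def _take_port(t: List[str], i: int) -> Tuple[str, int]:
    if i < len(t) and t[i] in PORT_OPS:
        n = PORT_OPS[t[i]]
        return " ".join(t[i:i + n]), i + n
    return "", i

def parse_ace(rest: str) -> Ace:
    """rest is the text after 'permit', e.g. 'tcp host A host B eq www'."""
    t = rest.split()
    src, i = _take_addr(t, 1)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, _ = _take_port(t, i)
    return (t[0], src, sport, dst, dport)

def mirror(ace: Ace) -> Ace:
    """What the remote peer's ACE must look like: src/dst (and ports) swapped."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

@dataclass
class Peer:
    name: str
    acls: dict = field(default_factory=dict)   # acl name -> [Ace]
    crypto_acl: Optional[str] = None
    nat0_acl: Optional[str] = None
    pfs: bool = False

    def aces(self, acl_name: Optional[str]) -> set:
        return set(self.acls.get(acl_name, []))

ACL_RE = re.compile(r"^access-list (\S+) extended permit (.+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
PFS_RE = re.compile(r"^crypto map \S+ \d+ set pfs\b")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse_config(name: str, text: str) -> Peer:
    p = Peer(name)
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ACL_RE.match(line)):
            p.acls.setdefault(m.group(1), []).append(parse_ace(m.group(2)))
        elif (m := MATCH_RE.match(line)):
            p.crypto_acl = m.group(1)
        elif PFS_RE.match(line):
            p.pfs = True
        elif (m := NAT0_RE.match(line)):
            p.nat0_acl = m.group(1)
    return p

def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return one finding per mismatch; an empty list means the pair is consistent."""
    findings = []
    if a.pfs != b.pfs:                                   # reply point 1
        findings.append(f"PFS mismatch: {a.name}={a.pfs}, {b.name}={b.pfs}")
    mirrored = {mirror(x) for x in a.aces(a.crypto_acl)}  # reply point 2
    if not mirrored or mirrored != b.aces(b.crypto_acl):
        findings.append(f"crypto ACL on {b.name} is not the mirror of {a.name}")
    for p in (a, b):                                     # reply point 3
        if p.nat0_acl is None:
            findings.append(f"{p.name}: no 'nat (...) 0 access-list' exemption for VPN traffic")
    if a.nat0_acl and b.nat0_acl:
        if {mirror(x) for x in a.aces(a.nat0_acl)} != b.aces(b.nat0_acl):
            findings.append(f"NAT 0 ACL on {b.name} is not the mirror of {a.name}")
    return findings

# Constructed, simplified copies of the two configs in the question.
ASA_CFG = """
crypto map test 120 match address internet_cryptomap_120
crypto map test 120 set peer 20.5.9.12
access-list nat0_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
access-list internet_cryptomap_120 extended permit tcp host 10.10.12.14 host 192.168.1.1 eq www
access-list internet_cryptomap_120 extended permit icmp host 10.10.12.14 host 192.168.1.1
nat (inside) 0 access-list nat0_outbound
"""
PIX_AS_POSTED = """
crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set pfs
crypto map vpn 70 set peer 143.22.1.1
access-list outside_70_cryptomap_1 extended permit tcp host 10.10.12.14 host 192.168.1.1
access-list inside_nat_outbound extended permit ip host 10.10.12.14 host 192.168.1.1
nat (inside) 3 access-list inside_nat_outbound
"""
# Constructed PIX side with the three fixes from the replies applied.
PIX_FIXED = """
crypto map vpn 70 match address outside_70_cryptomap_1
crypto map vpn 70 set peer 143.22.1.1
access-list outside_70_cryptomap_1 extended permit tcp host 192.168.1.1 eq www host 10.10.12.14
access-list outside_70_cryptomap_1 extended permit icmp host 192.168.1.1 host 10.10.12.14
access-list inside_nat_outbound extended permit ip host 192.168.1.1 host 10.10.12.14
nat (inside) 0 access-list inside_nat_outbound
"""

if __name__ == "__main__":
    asa = parse_config("ASA", ASA_CFG)
    for label, cfg in (("as posted", PIX_AS_POSTED), ("fixed", PIX_FIXED)):
        print(f"PIX {label}:", check_pair(asa, parse_config("PIX", cfg)) or ["OK"])
```

Run against the posted PIX config the script reports all three problems the reply lists (PFS only on one side, crypto ACL not mirrored, no NAT 0 on the PIX); against the corrected PIX config it reports nothing. Note the mirror check swaps port qualifiers along with the addresses, so a `tcp ... eq www` entry on the ASA expects `eq www` on the source side of the PIX entry.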

New Member

Re: VPN ISSUE

Thanks for the advice, just a quick question: we do not want to do NATing on the ASA, so do we still need the VPN access-list on the ASA?

Regards,

Silver

Re: VPN ISSUE

What do you mean? For the VPN to work properly, you need the NAT 0 as I described. Also, you will need some form of NAT to get to the internet. This can also be done several other ways than I described, but that is the most common (PAT).

*** Please rate ***
