Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco ASA and Cisco Router ipsec vpn NO PING

Site to site vpn is connect between Cisco Asa  Cisco Router.  But we can not ping to remote site. Can you help me please. 

Cisco Router 870 Configuration is as below.

sh crypto isakmp sa, sh crypto session, sh crypto ipsec sa cammands as below too.

 


Cisco Router Configuration;

Building configuration...

Current configuration : 2545 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yener
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
controller DSL 0
line-term cpe
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco123 address 90.158.xx.xx
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map yener_to_karel 10 ipsec-isakmp
set peer 90.158.xx.xx
set transform-set myset
match address 101
!
!
!
interface BRI0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
switchport access vlan 2
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
shutdown
no cdp enable
!
interface FastEthernet3
no ip address
shutdown
no cdp enable
!
interface Vlan1
description WAN
no ip address
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
pppoe enable
pppoe-client dial-pool-number 1
!
interface Vlan2
description LOCAL LAN
ip address 10.10.10.8 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Logical ADSL Interface
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xx@ttnet
ppp chap password 0 yy
ppp pap sent-username xx@ttnet password 0 yy
ppp ipcp dns request accept
ppp ipcp address accept
crypto map yener_to_karel
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat pool pool1 10.10.10.0 10.10.10.255 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list acl1 pool pool1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end

 

sh crypto session

Crypto session current status

Interface: Dialer1
Session status: UP-NO-IKE
Peer: 90.158.24.11 port 500
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access1
Session status: DOWN
Peer: 90.158.24.11 port 500
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 192.168.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-IDLE
Peer: 90.158.24.11 port 500
  IKE SA: local 85.105.xx.xx/500 remote 90.158.xx.xx/500 Active

 

sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: yener_to_karel, local addr 85.105.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   current_peer 90.158.24.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 85.105.xx.xx, remote crypto endpt.: 90.158.xx.xx
     path mtu 1492, ip mtu 1492
     current outbound spi: 0xF3A406C(255475820)

     inbound esp sas:
      spi: 0x256257B0(627201968)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: C87X_MBRD:2, crypto map: yener_to_karel
        sa timing: remaining key lifetime (k/sec): (4441867/3417)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF3A406C(255475820)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: C87X_MBRD:1, crypto map: yener_to_karel
        sa timing: remaining key lifetime (k/sec): (4441867/3416)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

 


sh crypto isakmp sa


dst             src             state          conn-id slot status
85.105.xx.xx  90.158.xx.xx    QM_IDLE              2    0 ACTIVE

1 REPLY

hello, I just see the

hello,

 

I just see the configuration, and it appears that the phase 1 can establish just fine, though phase 2, you can send traffic or receive, this is happening because you are missing a NAT 0 statement on the router. 

To accomplish on sending traffic across and receive it from this router perspective you will need to do the following:

 

access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any 

 

route-map nonat permit 10 
  match ip address 110 

 

ip nat inside source route-map nonat interface Dialer1 overload

 

With these you are avoiding the router to translate the inside hosts when going to --> 192.168.0.0 /16.

 

Also make sure the other side of the tunnel meet with these, so you won't run into conflicts.

 

Let me know how it works out.

 

Please don't forget to rate.

 

Best Regards,

 

David Castro,

 

263
Views
5
Helpful
1
Replies
CreatePlease login to create content