Cisco Support Community

New Member

Criteria for creating a site-to-site VPN tunnel

Is it possible to create a VPN tunnel using pre-defined criteria on the ASA 5505, IOS Version 8.0(3)?

regards.

5 REPLIES

Re: Criteria for creating a site-to-site VPN tunnel

Hi,

On the ASA the VPN tunnels are created by matching a specific access-list (source, destination, ports).

Can you elaborate a bit on what you are trying to achieve?

Regards,

Daniel

New Member

Re: Criteria for creating a site-to-site VPN tunnel

Hi Daniel,

I have an IP phone at a remote site, but the packets generated from the remote site by the IP phone did NOT create the VPN tunnel; only the packets generated by the PING command did... any ideas?

regards.

Re: Criteria for creating a site-to-site VPN tunnel

Can you post your configs? Especially the crypto ACL?

Cisco IP Phone (SCCP/SIP, what protocol?)

Regards

Farrukh

New Member

Re: Criteria for creating a site-to-site VPN tunnel

hi

my settings

ipsec - site A

crypto map outside_map 2 match address outside_cryptomap

crypto map outside_map 2 set peer 201.10.10.10

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

acl - site A

access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

ipsec - site B

crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 2 set peer 202.10.10.10

crypto map outside_map0 2 set transform-set ESP-3DES-SHA

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map0 interface outside

crypto isakmp enable outside

acl - site B

access-list outside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

The protocol is H323.

regards.
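
Added example, not part of the original thread: a Python check that parses the two crypto ACL lines posted above, confirms they mirror each other, and tests which flows the site A entry selects for the tunnel. Only the two ACL lines come from the posts; the host addresses in FLOWS and all function names are constructed assumptions.

```python
import ipaddress

# Crypto ACL lines copied from the configs posted in this thread.
SITE_A = "access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0"
SITE_B = "access-list outside_cryptomap_1 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0"

def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC MASK DST MASK' (network/mask form only)."""
    tok = line.split()
    if len(tok) != 9 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError("unsupported ACE form: " + line)
    src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}")
    dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}")
    return {"name": tok[1], "proto": tok[4], "src": src, "dst": dst}

def is_mirror(a, b):
    """Each peer's entry should be the other's with source and destination swapped."""
    return a["proto"] == b["proto"] and a["src"] == b["dst"] and a["dst"] == b["src"]

def is_interesting(ace, proto, src_ip, dst_ip):
    """True if a packet with these fields is selected for the tunnel by this entry."""
    proto_ok = ace["proto"] in ("ip", proto)  # 'ip' covers every IP protocol
    return (proto_ok
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"])

def check_flows(ace, flows):
    """Map each (proto, src, dst) flow to whether the entry selects it."""
    return {flow: is_interesting(ace, *flow) for flow in flows}

# Constructed flows as seen at site A; every host address is an assumption.
FLOWS = [
    ("icmp", "10.0.2.10", "10.0.1.20"),     # ping between the two LANs
    ("tcp", "10.0.2.50", "10.0.1.5"),       # call signalling from a phone in 10.0.2.0/24
    ("udp", "10.0.2.50", "10.0.1.5"),       # voice media from the same phone
    ("tcp", "192.168.10.50", "10.0.1.5"),   # source address outside 10.0.2.0/24
]

if __name__ == "__main__":
    a, b = parse_ace(SITE_A), parse_ace(SITE_B)
    print("ACLs mirrored:", is_mirror(a, b))
    for flow, hit in check_flows(a, FLOWS).items():
        print(flow, "-> selected for tunnel" if hit else "-> not matched by crypto ACL")
```

Because the posted entries use `permit ip`, the match depends only on the source and destination addresses the ASA sees, not on whether the packet is ICMP or voice traffic.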

Re: Criteria for creating a site-to-site VPN tunnel

Configuration seems OK. Do the following:

debug crypto isakmp 127

debug crypto engine

And then the following (on both sides):

clear crypto isakmp sa

clear crypto ipsec sa

Then initiate the voice traffic and see if the VPN kicks in.

Is there any NAT? What does the NAT 0 config look like?

Regards

Farrukh
