VPN between ASA 5510 and Cisco 1721 router

Hi there,

I have a little problem. Please advise me on how to resolve it.

I created an IPSec VPN between an ASA 5510 and a Cisco 1721, and their configuration is as follows:

---------------------

ASA 5510 configuration

---------------------

interface Ethernet0/2
 speed 100
 duplex full
 nameif inside
 security-level 90
 ip address 192.168.1.11 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 speed 10
 duplex full
 nameif vpn
 security-level 0
 ip address 172.16.1.1 255.255.255.240
 ospf cost 10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TCP_Service_Group tcp
 description Well known TCP ports
 port-object eq pop3
 port-object eq sqlnet
 port-object eq ftp-data
 port-object eq ftp
 port-object eq ssh
 port-object eq telnet
 port-object eq smtp
 port-object eq https
 port-object eq www
 port-object eq domain
 port-object range 5050 5050
 port-object eq imap4
object-group service IPSec_Ports udp
 port-object eq isakmp
object-group service vpn tcp
 port-object range netbios-ssn netbios-ssn
 port-object range 445 445
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 object-group vpn
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group TCP_Service_Group
access-list vpn_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface inside
ip verify reverse-path interface vpn
icmp unreachable rate-limit 1 burst-size 1
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.1.0 255.255.255.0
nat (vpn) 2 172.16.1.0 255.255.255.240
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn_map 20 match address vpn_20_cryptomap
crypto map vpn_map 20 set peer 172.16.1.3
crypto map vpn_map 20 set transform-set ESP-3DES-SHA
crypto map vpn_map interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.1.3 type ipsec-l2l
tunnel-group 172.16.1.3 ipsec-attributes
 pre-shared-key *

----

Cisco 1721 router configuration

----

crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
crypto ipsec transform-set 1st esp-3des esp-sha-hmac
crypto map nolan 11 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set 1st
 match address 120
interface Ethernet0
 ip address 172.16.1.3 255.255.255.240
 ip nat outside
 full-duplex
 crypto map nolan
interface FastEthernet0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 full-duplex
 speed 100
ip nat pool branch 172.16.1.3 172.16.1.3 netmask 255.255.255.
ip nat inside source route-map nonat pool branch overload
ip route 0.0.0.0 0.0.0.0 172.16.1.1
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
!

----------

And now, from 192.168.3.0/24 I can access any Windows share in the 192.168.1.0/24 network, like the following:

Start\Run \\192.168.1.2

and Internet access is also OK.

And I can access the Internet from 192.168.1.0/24, but I can't access 192.168.3.0/24.

For example:

Start\Run \\192.168.3.2

The error is "The network path is not found."

__________

Is it clear?

Where is the problem? What should I do?

Please help me,

Thanks a lot.
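
A configuration-review check for the two crypto ACLs posted above, added here as an example and not part of the original post: site-to-site peers are expected to carry mirror-image crypto ACLs, so the script parses the ASA netmask form and the IOS wildcard form and lists entries with no swapped twin on the peer. The function names are hypothetical, and only plain `permit ip SRC MASK DST MASK` entries are handled.

```python
import ipaddress

# Crypto ACL lines copied from the two configurations in the post above.
ASA_CONFIG = """\
access-list vpn_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
"""
IOS_CONFIG = """\
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def _net(addr, mask, wildcard):
    """Build a network from an address plus a netmask (ASA) or wildcard (IOS)."""
    if wildcard:  # IOS ACLs use inverse masks: 0.0.0.255 -> 255.255.255.0
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def crypto_selectors(config, acl_name, wildcard):
    """Return the set of (source, destination) networks permitted by one ACL."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", acl_name]:
            continue
        if "extended" in tok:
            tok.remove("extended")
        # Assumption: only the "permit ip SRC MASK DST MASK" form is parsed.
        if len(tok) == 8 and tok[2:4] == ["permit", "ip"]:
            pairs.add((_net(tok[4], tok[5], wildcard),
                       _net(tok[6], tok[7], wildcard)))
    return pairs

def mirror_mismatches(local, remote):
    """Entries on either peer with no swapped source/destination twin on the other."""
    missing_on_remote = {(s, d) for (s, d) in local if (d, s) not in remote}
    missing_on_local = {(s, d) for (s, d) in remote if (d, s) not in local}
    return missing_on_remote, missing_on_local

if __name__ == "__main__":
    asa = crypto_selectors(ASA_CONFIG, "vpn_20_cryptomap", wildcard=False)
    ios = crypto_selectors(IOS_CONFIG, "120", wildcard=True)
    for side, entries in zip(("ASA", "router"), mirror_mismatches(asa, ios)):
        for src, dst in sorted(entries):
            print(f"{side}: {src} -> {dst} has no mirrored entry on the peer")
```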
