Cisco Support Community
VPN to ASA with Static Block

Greetings,

 

I am having an issue connecting a site-to-site VPN on an ASA 5520.  Our setup is as follows:

ISP WAN IP: x.x.x.84 255.255.255.240 connected to GE0/0

CIDR WAN: y.y.y.145 255.255.255.240 connected to GE0/1

INSIDE LAN: 192.168.68.0 255.255.255.0 connected to GE0/2

 

The CIDR block is our IP block provided by our ISP.

Our VPN endpoint should be the x.x.x.145 on GE0/1.  However, I cannot get ISAKMP to complete phase 1 on this interface.  I have changed it to the x.x.x.84 on GE0/0 and it completed correctly, although with no access to the internal LAN.  What am I missing in this config:

********************

ASA Version 8.2(2) 
!
hostname rtr-<company>-city1-01

names
name 192.168.58.0 city3-net description city3
name 192.168.57.0 city2-net description city2
name 192.168.68.0 city1-net description city1
!
interface GigabitEthernet0/0
 description outside
 nameif outside
 security-level 0
 ip address x.x.x.84 255.255.255.240 
!
interface GigabitEthernet0/1
 description DMZ
 nameif DMZ
 security-level 0
 ip address y.y.y.145 255.255.255.240 
!
interface GigabitEthernet0/2
 description privateLAN
 nameif inside
 security-level 100
 ip address 192.168.68.2 255.255.255.0 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any 
access-list DMZ_access_in extended permit ip any any 
access-list privateLAN_access_in extended permit ip any any 
access-list city1-city2 extended permit ip city1-net 255.255.255.0 city2-net 255.255.255.0 
access-list city1-city3 extended permit ip city1-net 255.255.255.0 city3-net 255.255.255.0 
access-list NONAT extended permit ip city1-net 255.255.255.0 city2-net 255.255.255.0 
access-list NONAT extended permit ip city1-net 255.255.255.0 city3-net 255.255.255.0 
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list NONAT
nat (inside) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group privateLAN_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.81 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map city1VPN 10 match address city1-city2
crypto map city1VPN 10 set peer 65.13.160.104 
crypto map city1VPN 10 set transform-set ESP-3DES-SHA
crypto map city1VPN 10 set security-association lifetime seconds 36000
crypto map city1VPN 20 match address city1-city3
crypto map city1VPN 20 set peer 184.178.17.50 
crypto map city1VPN 20 set transform-set ESP-3DES-SHA
crypto map city1VPN 20 set security-association lifetime seconds 36000
crypto map city1VPN interface DMZ
crypto isakmp identity address 
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
!
tunnel-group 65.13.160.104 type ipsec-l2l
tunnel-group 65.13.160.104 ipsec-attributes
 pre-shared-key *****
tunnel-group 184.178.17.50 type ipsec-l2l
tunnel-group 184.178.17.50 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
asdm location city2-net 255.255.255.0 inside
asdm location city3-net 255.255.255.0 inside

********************

3 REPLIES

Hi,

Modify or update the below config to initiate ISAKMP on the outside interface:

crypto map city1VPN interface outside
crypto isakmp enable outside

 

HTH

Sandy


Thanks for the quick response.  I applied the crypto map to both interfaces and enabled isakmp on both interfaces:

crypto map city1VPN interface DMZ
crypto map city1VPN interface outside
crypto isakmp enable outside
crypto isakmp enable DMZ

It still fails phase 1.

Any ideas?

Thanks!

 

Hi,

 

Remove:

no crypto map city1VPN interface DMZ

no crypto isakmp enable DMZ

Since you want to enable VPN on the outside interface, you need to add the below-mentioned commands.

crypto map city1VPN interface outside

crypto isakmp enable outside

!

Modify your route commands accordingly if you have pointed the default route over the DMZ.

 

Make sure that you are able to reach the peer IP from the firewall, from both sides.

debug crypto isakmp 128 and initiate the traffic; make sure you have matching rules for phase 1 and phase 2 at both ends.

 

Check the pre-shared key at both ends as well.

 

Regards

Karthik
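The items Karthik lists for this side of the tunnel (crypto map and ISAKMP on the same interface, the peer actually routed out of that interface, NAT exemption covering the crypto ACL) can be checked from the config alone. The script below is an added example and is not code from this thread or from Cisco: it parses only the ASA 8.2 commands from the post that decide where IKE is terminated and reports mismatches. The sample config is constructed from the poster's, with the documentation ranges 203.0.113.0/28 and 198.51.100.0/28 standing in for the masked x.x.x.x and y.y.y.y; the peer addresses, ACL names and map name are the post's. It does not cover pre-shared keys or whether the two ends' phase 1 and phase 2 proposals match, which need the other side's config or the debug output.

```python
"""Static consistency checks for an ASA 8.2-style site-to-site VPN config.

Added example, not code from the thread or from Cisco. It parses only the
commands that decide where IKE is terminated (interface addresses, static
routes, crypto map bindings, 'crypto isakmp enable') plus the crypto and
NAT-exemption ACLs, and reports the mismatches a reviewer would look for.
"""
import ipaddress
import re

# Constructed from the poster's config; 203.0.113.0/28 and 198.51.100.0/28
# are documentation ranges standing in for the masked x.x.x.x / y.y.y.y.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.84 255.255.255.240
interface GigabitEthernet0/1
 nameif DMZ
 ip address 198.51.100.145 255.255.255.240
interface GigabitEthernet0/2
 nameif inside
 ip address 192.168.68.2 255.255.255.0
access-list city1-city2 extended permit ip 192.168.68.0 255.255.255.0 192.168.57.0 255.255.255.0
access-list city1-city3 extended permit ip 192.168.68.0 255.255.255.0 192.168.58.0 255.255.255.0
access-list NONAT extended permit ip 192.168.68.0 255.255.255.0 192.168.57.0 255.255.255.0
access-list NONAT extended permit ip 192.168.68.0 255.255.255.0 192.168.58.0 255.255.255.0
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 203.0.113.81 1
crypto map city1VPN 10 match address city1-city2
crypto map city1VPN 10 set peer 65.13.160.104
crypto map city1VPN 20 match address city1-city3
crypto map city1VPN 20 set peer 184.178.17.50
crypto map city1VPN interface DMZ
crypto isakmp enable DMZ
"""

# The same config after the change Karthik recommends: map binding and ISAKMP
# moved to the interface the default route actually uses.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("interface DMZ", "interface outside")
                             .replace("enable DMZ", "enable outside"))


def net(addr, mask):
    """'192.168.68.0', '255.255.255.0' -> IPv4Network 192.168.68.0/24."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Pull the IKE-relevant commands into a plain dict; everything else is ignored."""
    cfg = {"ifaces": {}, "routes": [], "acls": {}, "nonat": None, "map_acl": {},
           "map_peer": {}, "map_ifaces": set(), "isakmp_ifaces": set()}
    cur = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = cfg["ifaces"].setdefault(m[1], {})
        elif m := re.match(r"\s+nameif (\S+)", line):
            cur["name"] = m[1]
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            cur["net"] = net(m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nonat"] = m[1]
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+", line):
            cfg["routes"].append((net(m[2], m[3]), m[1]))
        elif m := re.match(r"crypto map \S+ (\d+) match address (\S+)", line):
            cfg["map_acl"][int(m[1])] = m[2]
        elif m := re.match(r"crypto map \S+ (\d+) set peer (\S+)", line):
            cfg["map_peer"][int(m[1])] = ipaddress.ip_address(m[2])
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            cfg["map_ifaces"].add(m[1])
        elif m := re.match(r"crypto isakmp enable (\S+)", line):
            cfg["isakmp_ifaces"].add(m[1])
    return cfg


def egress(cfg, dst):
    """Name of the interface a packet to dst leaves on: longest-prefix match
    over connected subnets and static routes (the ASA's own lookup order)."""
    candidates = [(i["net"], i["name"]) for i in cfg["ifaces"].values()] + cfg["routes"]
    hits = [(n.prefixlen, name) for n, name in candidates if dst in n]
    return max(hits)[1] if hits else None


def check(cfg):
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    for name in sorted(cfg["map_ifaces"] - cfg["isakmp_ifaces"]):
        findings.append(f"crypto map bound on {name} but ISAKMP is not enabled there")
    for name in sorted(cfg["isakmp_ifaces"] - cfg["map_ifaces"]):
        findings.append(f"ISAKMP enabled on {name} but no crypto map is bound there")
    # IKE is only negotiated on the interface the peer is reached through.
    for seq, peer in sorted(cfg["map_peer"].items()):
        via = egress(cfg, peer)
        if via not in cfg["map_ifaces"]:
            findings.append(f"entry {seq}: peer {peer} is routed via {via}, "
                            f"but the crypto map is bound on {sorted(cfg['map_ifaces'])}")
    # Every crypto ACL pair needs a matching nat 0 line or it gets PATed first.
    exempt = cfg["acls"].get(cfg["nonat"], [])
    for seq, acl in sorted(cfg["map_acl"].items()):
        for src, dst in cfg["acls"].get(acl, []):
            if (src, dst) not in exempt:
                findings.append(f"entry {seq}: {src} -> {dst} in {acl} has no nat 0 exemption")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in check(parse(text)) or ["no findings"]:
            print("  -", finding)
```

Run as posted, the script reports one finding per crypto map entry: both peers are reached through the default route on outside while the map is bound on DMZ, which is the condition under which phase 1 never starts from this side. With the binding and ISAKMP moved to outside, as in Karthik's reply, the list is empty.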

 

 
