Cisco Support Community
site to site vpn behind nat: ASA5520 (8.3.1) to Cisco 1841 (AdvSecurity 12.4(24)T5)

Hello All,

I am having difficulty with site-to-site VPN between Cisco ASA 5520 running ASA Version 8.3.1 and Cisco 1841 running Version 12.4(24)T5.

The short version of the problem is that I suspect a NAT issue on the 1841. When I have my crypto maps set with matching "interesting traffic" on both ends, I do not see any ISAKMP or IPsec traffic between the two ends. When I set the crypto map ACLs on both ends to ip any any, I get phase 1 but phase 2 fails.

1841:

interface FastEthernet0/0
 description INTFCE0
 ip address X.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN2_ASA5520
!
interface FastEthernet0/1
 description INTFCE1
 ip address 10.10.63.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

Crypto Map "VPN2_ASA5520" 1 ipsec-isakmp
        Peer = X.X.X.X
        Extended IP access list 100
            access-list 100 permit ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
        Current peer: X.X.X.X
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group2
        Transform sets={
                #$!default_transform_set_1:  { esp-aes esp-sha-hmac  } ,
                #$!default_transform_set_0:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map VPN2_ASA5520:
                FastEthernet0/0

Extended IP access list 100
    10 permit ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
Extended IP access list 110
    10 deny ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
    20 permit ip 10.10.63.0 0.0.0.255 any (5365 matches)

ip nat inside source route-map nonat interface FastEthernet0/0 overload

route-map nonat permit 10
 match ip address 110

_____________________________________________________________

ASA 5520 (8.3.1)

interface GigabitEthernet0/0
 speed 1000
 nameif OutSide
 security-level 0
 ip address X.X.X.X 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.12.248 255.255.255.0

object network NETWORK_OBJ_10.10.12.0_24
 subnet 10.10.12.0 255.255.255.0

object network NETWORK_OBJ_10.10.63.0_24
 subnet 10.10.63.0 255.255.255.0

access-list OutSide_1_cryptomap extended permit ip object NETWORK_OBJ_10.10.12.0_24 object NETWORK_OBJ_10.10.63.0_24
nat (inside,OutSide) source static NETWORK_OBJ_10.10.12.0_24 NETWORK_OBJ_10.10.12.0_24 destination static NETWORK_OBJ_10.10.63.0_24 NETWORK_OBJ_10.10.63.0_24

crypto map OutSide_map 1 match address OutSide_1_cryptomap
crypto map OutSide_map 1 set pfs
crypto map OutSide_map 1 set peer X.X.X.X
crypto map OutSide_map 1 set transform-set ESP-3DES-SHA
crypto map OutSide_map interface OutSide
crypto isakmp enable OutSide

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
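As an added example (not part of the original post, and not Cisco code), the script below parses the router's crypto ACL, the ASA's object-based crypto ACL and the router's NAT route-map ACL from constructed config snippets modelled on the ones above, then reports whether the two proxy identities mirror each other and whether the 10.10.63.0/24 to 10.10.12.0/24 traffic is kept out of the overload NAT on the 1841. The ACL numbers, object names and subnets are taken from the post; the function names and the "broken" NAT ACL used in the test are assumptions made for illustration.

```python
"""Check that site-to-site proxy identities mirror and that NAT exemption covers them.

Constructed config fragments (modelled on the post): IOS uses wildcard masks and
numbered ACLs, the ASA uses network objects in an extended ACL.
"""
import ipaddress
import re

IOS_CONFIG = """\
access-list 100 permit ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 deny ip 10.10.63.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 permit ip 10.10.63.0 0.0.0.255 any
"""

ASA_CONFIG = """\
object network NETWORK_OBJ_10.10.12.0_24
 subnet 10.10.12.0 255.255.255.0
object network NETWORK_OBJ_10.10.63.0_24
 subnet 10.10.63.0 255.255.255.0
access-list OutSide_1_cryptomap extended permit ip object NETWORK_OBJ_10.10.12.0_24 object NETWORK_OBJ_10.10.63.0_24
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted (wildcard) masks: 0.0.0.255 means /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _ios_operand(tokens):
    """Consume one IOS address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ios_acl(config, number):
    """Return [(action, src_net, dst_net)] for 'ip' entries of a numbered IOS ACL."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) ip (.+)", line.strip())
        if not m:
            continue
        action, rest = m.group(1), m.group(2).split()
        src, rest = _ios_operand(rest)
        dst, _ = _ios_operand(rest)
        entries.append((action, src, dst))
    return entries


def parse_asa_objects(config):
    """Map 'object network NAME' definitions (subnet or host) to ip_network values."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(m.group(1) + "/32")
    return objects


def parse_asa_acl(config, name, objects):
    """Return [(action, src_net, dst_net)] for object-to-object 'ip' entries of an ASA ACL."""
    pattern = rf"access-list {name} extended (permit|deny) ip object (\S+) object (\S+)"
    entries = []
    for line in config.splitlines():
        m = re.match(pattern, line.strip())
        if m:
            entries.append((m.group(1), objects[m.group(2)], objects[m.group(3)]))
    return entries


def proxy_ids_mirror(side_a, side_b):
    """Phase 2 needs every permit (src, dst) on one side to appear as (dst, src) on the other."""
    permits_a = {(s, d) for a, s, d in side_a if a == "permit"}
    permits_b = {(d, s) for a, s, d in side_b if a == "permit"}
    return permits_a == permits_b


def vpn_traffic_escapes_nat(nat_acl, crypto_acl):
    """True if no VPN pair hits a 'permit' in the NAT route-map ACL before a 'deny'.

    IOS translates inside-to-outside traffic before the crypto map classifies it,
    so a permit here would rewrite the source and the crypto ACL would never match.
    """
    for _, src, dst in crypto_acl:
        for action, nsrc, ndst in nat_acl:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    return False
                break  # first matching line is a deny: traffic is exempted
    return True


if __name__ == "__main__":
    ios_crypto = parse_ios_acl(IOS_CONFIG, 100)
    asa_crypto = parse_asa_acl(ASA_CONFIG, "OutSide_1_cryptomap", parse_asa_objects(ASA_CONFIG))
    print("proxy IDs mirror:", proxy_ids_mirror(ios_crypto, asa_crypto))
    print("VPN traffic exempt from NAT:", vpn_traffic_escapes_nat(parse_ios_acl(IOS_CONFIG, 110), ios_crypto))
```

The script only reasons about the `ip` entries and object-to-object ASA lines that appear in the post; a production checker would also have to handle ports, `host` keywords on the ASA and the ASA's own `nat ... source static` identity rule.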
114 Views, 0 Helpful, 0 Replies