Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1124
Views
0
Helpful
1
Replies

837 Router to ASA 5510 IPsec VPN

Brian Reed
Level 1
Level 1

‎03-20-2012 09:25 AM - edited ‎02-21-2020 05:57 PM

I have a 5510 running 8.42 code with multiple site to site tunnels coming into it.  Sites vary from ASA 5505's, 1841 and 1921 routers which all work perfectly.  That being said I think the ASA side is good.  I have an 837 running 12.4 code, Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(5b), I'm trying to configure it for site to site VPN back to the ASA.  When I ping from the E0 interface I get the following debug output and nothing else.  I've made a lot of changes to no avail in getting closer to a successful configuration.  I know this has to be something simple.  Configuration is below if anyone has any ideas.

*Mar 19 19:54:19.536: IP: tableid=0, s=99.143.114.71 (local), d=207.203.161.25 (Dialer0), routed via RIB

*Mar 19 19:54:19.536: IP: s=99.143.114.71 (local), d=207.203.161.25 (Dialer0), len 172, sending

*Mar 19 19:54:20.984: IP: tableid=0, s=10.130.1.1 (local), d=10.226.254.25 (Dialer0), routed via RIB

*Mar 19 19:54:20.984: IP: s=10.130.1.1 (local), d=10.226.254.25 (Dialer0), len 100, sending

*Mar 19 19:54:20.988: IP: s=10.130.1.1 (local), d=10.226.254.25 (Dialer0), len 100, output crypto map check failed..

Clanton800#sho run
Building configuration...

Current configuration : 3132 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Clanton800
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
!
!
ip cef
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Notmyrealkey address 207.203.161.25 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_cryptomap 10 ipsec-isakmp
set peer 207.203.161.25
set transform-set ESP-3DES-SHA
match address vpn_to_ASA
!
!
!
interface Ethernet0
ip address 10.130.1.1 255.255.0.0
ip helper-address 10.225.10.4
ip helper-address 10.225.10.7
ip policy route-map clear-df
no cdp enable
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
mtu 1492
ip address negotiated
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp chap refuse
ppp pap sent-username somenamehere password 0 notmyrealpassword
crypto map outside_cryptomap
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip dns server
!
!
!
ip access-list extended vpn_to_ASA
permit ip 10.130.0.0 0.0.255.255 any
access-list 23 permit 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
!
!
control-plane
!
banner login ^CCCCCCCC
-----------------------------------------------------------------------
SYSTEM ACCESS WARNING : THIS IS A PRIVATE COMPUTER SYSTEM

This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized use.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.


Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.

-----------------------------------------------------------------------^C
privilege exec level 15 clear line
privilege exec level 15 clear
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 00074215070B1C0E5F
login
transport input all
!
scheduler max-task-time 5000
end

Labels:
0 Helpful
1 Reply 1

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎03-20-2012 10:03 AM

Hi,

One problem I see is the ACL used for the VPN traffic:

ip access-list extended vpn_to_ASA

permit ip 10.130.0.0 0.0.255.255 any

You should not use the ''any'' keyword because that's not mirrored on the ASA side. Please check if you could be more specific or if the ASA has the ''any'' as the source for the VPN traffic to this router (ACLs are mirrored on both sides).

Also, just out of curiosity I see no NAT configured (is this tunnel going through the Internet)?

One useful trick is to check the status of phase 1 on both sides with the command: ''sh cry isa sa'' and the status of phase 2 ''sh cry ipsec sa''.

Hope it helps.

Federico.

0 Helpful
Customers Also Viewed These Support Documents