Cisco Support Community
ASA 5505 behind 837 ADSL Private IPs

Hi there,

I am trying to set up a branch site using a 5505 behind an 837 ADSL router, without static/public IPs. The ADSL connection is standard PPPoE, unbridged, and the 837 is providing private IPs as such: the 837 is 172.16.1.1, the 5505 is 172.16.1.11. The lone public IP is the one the 837 receives from the provider, which is a.a.a.192.

This is connecting to my Head Office 5520, currently working, using standard public IPs. The 5520 is b.b.b.62, and the gateway is c.c.c.57.

From the branch ASA, I can ping the office gateway and the 5520 outside interface. I can only assume there is some issue with the ASA being behind the 837, and the crypto/IPsec/ISAKMP isn't going through.

I'm not sure what/where I'm wrong, but please let me know what details are required and I will provide them.

Thanks

EDIT: here is the config of the 837 ADSL Router

=====================================================
LAB-INTERNET-837#sh run
Building configuration...

Current configuration : 3092 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
no service password-encryption
! the local "username admin" password below is therefore stored in clear text
!
hostname LAB-INTERNET-837
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging buffered 16384 debugging
!
username admin privilege 15 password
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.16.1.1 172.16.1.10
ip dhcp excluded-address 172.16.1.13 172.16.1.254
!
! only 172.16.1.11-172.16.1.12 are ever leased, so the ASA's DHCP-assigned outside address is one of them
ip dhcp pool DHCP-POOL
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 8.8.8.8
   lease 0 0 10
!
!
! CBAC: sessions started from Ethernet0 get temporary return-path openings in the Dialer1 inbound ACL.
! Only TCP, UDP, ICMP, FTP and TFTP are inspected; ESP (IP protocol 50) is not, so ESP arriving
! from the head office is never opened by inspection and would have to be permitted explicitly in BLOCK.
ip inspect name ALLOW tcp
ip inspect name ALLOW tftp
ip inspect name ALLOW udp
ip inspect name ALLOW ftp
ip inspect name ALLOW icmp
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
! the 837 is not an IPsec endpoint here; the ASA behind it is
!
!
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip inspect ALLOW in
 ip tcp adjust-mss 1452
 hold-queue 32 in
 hold-queue 100 out
!
interface ATM0
 no ip address
 ip mtu 1492
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer1
 ip address negotiated
 ip access-group BLOCK in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer persistent
 ppp pap sent-username   password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list INTERNET interface Dialer1 overload
! overload PAT only: there is no static mapping that would deliver inbound ESP or UDP 500/4500
! to 172.16.1.11, so the tunnel can only be brought up from the ASA side, and ESP (which has no
! ports for PAT to track) is best avoided in favour of NAT-T (UDP 4500)
!
!
ip access-list standard TELNET
 permit 0.0.0.0 255.255.255.0
 ! wildcard 255.255.255.0 on 0.0.0.0 matches only addresses whose last octet is 0 (x.x.x.0),
 ! not the 172.16.1.0/24 LAN; "permit 172.16.1.0 0.0.0.255" was probably intended
!
ip access-list extended BLOCK
 ! applied inbound on Dialer1. IOS checks an inbound ACL before outside-to-inside NAT, so
 ! packets from the ISP are still addressed to the public a.a.a.192, never to 172.16.1.11:
 ! the three 172.16.1.11 entries can never match on this interface
 permit gre any host a.a.a.192
 permit esp any host 172.16.1.11
 permit udp any host 172.16.1.11 eq isakmp
 permit udp any host 172.16.1.11 eq non500-isakmp
 deny   ip any any
 permit ip any any
 ! unreachable: first match wins and the preceding "deny ip any any" matches everything
ip access-list extended INTERNET
 ! NAT source list: only the first entry selects inside traffic for PAT; the esp/isakmp
 ! entries describe traffic towards 172.16.1.11 and never match inside-to-outside packets
 permit ip 172.16.1.0 0.0.0.255 any
 permit esp any host 172.16.1.11
 permit udp any host 172.16.1.11 eq isakmp
 permit udp any host 172.16.1.11 eq non500-isakmp
 deny   ip any any
!
control-plane
!
banner login ^C
                    WARNING
THE PROGRAMS AND DATA STORED ON THIS SYSTEM ARE
LICENSED TO OR ARE PRIVATE PROPERTY OF THIS COMPANY
AND ARE LAWFULLY AVAILABLE ONLY TO AUTHORIZED USERS
FOR APPROVED PURPOSES. UNAUTHORIZED ACCESS TO ANY
PROGRAM OR DATA ON THIS SYSTEM IS NOT PERMITTED, AND
ANY UNAUTHORIZED ACCESS BEYOND THIS POINT MAY LEAD
TO PROSECUTION. THIS SYSTEM MAY BE MONITORED AT ANY
TIME FOR OPERATIONAL REASONS, THEREFORE, IF YOU ARE
NOT AN AUTHORIZED USER, DO NOT ATTEMPT TO LOG ON^C
alias exec c config t
alias exec w write mem
alias exec r sh running
alias exec i sh ip int brief
alias exec a sh ip access-list
alias exec ir sh ip route
alias exec cr clear ip route *
!
line con 0
 exec-timeout 15 0
 logging synchronous
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class TELNET in
 exec-timeout 15 0
 logging synchronous
 login local
 transport preferred all
 transport input all
 ! "all" includes clear-text telnet; SSH only would be the safer choice, and the TELNET
 ! access-class above does not admit the LAN as written
 transport output all
!
scheduler max-task-time 5000
!
end

And here is the config of the 5505

=====================================================

ASA Version 8.3(1)
!
hostname ciscoasa
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.106.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
: setroute installs the default route via the DHCP-supplied gateway, i.e. the 837 at 172.16.1.1
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.106.0_24
 subnet 192.168.106.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.106.0 255.255.255.0 any
: "any" as the remote side sends ALL inside traffic, Internet included, into the tunnel; the
: 5520's mirror ACL must then be "permit ip any 192.168.106.0 255.255.255.0" and the head office
: must route the branch's Internet traffic; otherwise narrow this to 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.106.0_24 NETWORK_OBJ_192.168.106.0_24
: identity NAT with no destination clause exempts every packet from 192.168.106.0/24, so the
: interface PAT below never applies to the LAN; consistent with the full-tunnel crypto ACL above
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 172.16.1.11 1
: 172.16.1.11 is this ASA's own outside address, not a gateway; the 837 is 172.16.1.1, and
: "setroute" on Vlan2 already installs that default route
route outside 192.168.200.0 255.255.255.0 b.b.b.62 1
: b.b.b.62 is the IPsec peer, not a next hop on the 172.16.1.0/24 outside segment; the
: head-office LAN only needs to be routed out "outside", which the default route already does
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.106.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
: only ESP-3DES-SHA is referenced by the crypto map; the DES and MD5 sets are weak and unused
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs group1
: PFS with DH group 1 (768-bit) is weak; whatever group is chosen must match the 5520
crypto map outside_map0 1 set peer b.b.b.62
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
: no "crypto isakmp nat-traversal" line appears and "show run" hides defaults; confirm with
: "show running-config all crypto isakmp". Behind the 837's overload PAT, which has no static
: mapping for ESP or UDP 500 to 172.16.1.11, NAT-T (UDP 4500) with this ASA as initiator is
: the reliable way to carry the tunnel
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
: both policies are weak by current standards (DES/3DES, SHA-1, DH group 2); one must match a policy on the 5520
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group b.b.b.62 type ipsec-l2l
tunnel-group b.b.b.62 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

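The following is an added example, not code from the original post or from either device: a small first-match evaluator for Cisco IOS access lists, written here to check the 837's BLOCK and TELNET ACLs the way IOS actually applies them. Two facts drive the result. An ACL is evaluated top-down and the first match wins, so nothing after `deny ip any any` can ever be reached. And IOS checks an inbound ACL before it performs outside-to-inside NAT (Cisco's published NAT order of operations), so a packet arriving on Dialer1 from the head office is still addressed to the public a.a.a.192, never to the ASA's 172.16.1.11; the ESP and ISAKMP entries in BLOCK therefore never match. The addresses 203.0.113.192 (for the redacted a.a.a.192) and 198.51.100.62 (for the 5520, b.b.b.62) are constructed stand-ins, `FIXED_BLOCK_ACL` is a hypothetical corrected list, and the parser covers only the grammar the posted ACLs use.

```python
"""Added example (not from the original post): a first-match evaluator for Cisco IOS access lists,
run against the 837's BLOCK and TELNET ACLs the way IOS applies them. It parses only the grammar
the post uses; 203.0.113.192 stands in for the redacted a.a.a.192, 198.51.100.62 for the 5520."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}  # None: any protocol
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
ANY = 0xFFFFFFFF                                      # wildcard with every bit "don't care"
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))
Entry = namedtuple("Entry", "action proto src src_wild dst dst_wild dport text")

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tok, i):
    """'any' | 'host A' | 'A WILDCARD' | bare 'A' at tok[i] -> (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1

def _parse_port(tok, i):
    """Optional 'eq PORT' at tok[i]; PORT is a name from PORT_NAMES or a number."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_acl(text: str, extended: bool = True) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue                                  # blank line or 'remark'
        if extended:
            proto = PROTO[tok[1]]
            src, sw, i = _parse_addr(tok, 2)
            _, i = _parse_port(tok, i)                # source port, if present
            dst, dw, i = _parse_addr(tok, i)
            dport, _ = _parse_port(tok, i)
        else:                                         # standard ACL: source address only
            proto, dport, dst, dw = None, None, 0, ANY
            src, sw, _ = _parse_addr(tok, 1)
        entries.append(Entry(tok[0], proto, src, sw, dst, dw, dport, " ".join(tok)))
    return entries

def matches(e: Entry, p: Packet) -> bool:
    # A wildcard bit of 1 is "don't care"; only the remaining bits are compared.
    return ((e.proto is None or e.proto == p.proto)
            and (_ip(p.src) & ~e.src_wild) == (e.src & ~e.src_wild)
            and (_ip(p.dst) & ~e.dst_wild) == (e.dst & ~e.dst_wild)
            and (e.dport is None or e.dport == p.dport))

def covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b also matches a, i.e. b is unreachable behind a."""
    def addr(x, xw, y, yw):
        return (yw & ~xw) == 0 and (x & ~xw) == (y & ~xw)
    return ((a.proto is None or a.proto == b.proto)
            and addr(a.src, a.src_wild, b.src, b.src_wild)
            and addr(a.dst, a.dst_wild, b.dst, b.dst_wild)
            and (a.dport is None or a.dport == b.dport))

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match is the implicit deny (index None)."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None

def shadowed(acl: List[Entry]) -> List[Tuple[int, str]]:
    """Entries that can never match because an earlier entry already covers them."""
    return [(j, e.text) for j, e in enumerate(acl) if any(covers(acl[i], e) for i in range(j))]

# The post's BLOCK ACL (inbound on Dialer1) and TELNET ACL (vty access-class), as posted.
BLOCK_ACL = parse_acl("""
permit gre any host 203.0.113.192
permit esp any host 172.16.1.11
permit udp any host 172.16.1.11 eq isakmp
permit udp any host 172.16.1.11 eq non500-isakmp
deny   ip any any
permit ip any any
""")
TELNET_ACL = parse_acl("permit 0.0.0.0 255.255.255.0", extended=False)
# Hypothetical corrected BLOCK: permit what Dialer1 actually sees, the public address.
FIXED_BLOCK_ACL = parse_acl("""
permit udp any host 203.0.113.192 eq isakmp
permit udp any host 203.0.113.192 eq non500-isakmp
permit esp any host 203.0.113.192
deny   ip any any
""")
# Constructed packets. IOS checks an inbound ACL before outside-to-inside NAT, so on Dialer1
# a packet from the 5520 is still addressed to the public IP, never to 172.16.1.11.
ESP_PRE_NAT = Packet(PROTO["esp"], "198.51.100.62", "203.0.113.192")
VTY_FROM_ASA = Packet(PROTO["tcp"], "172.16.1.11", "172.16.1.1", 23)
```

`evaluate(BLOCK_ACL, ESP_PRE_NAT)` returns `('deny', 4)`: ESP from the head office falls through to `deny ip any any` because entry 1 is looking for a destination the interface never sees. `shadowed(BLOCK_ACL)` returns the trailing `permit ip any any` as unreachable, and `evaluate(TELNET_ACL, VTY_FROM_ASA)` returns `('deny', None)`, confirming that the wildcard `255.255.255.0` admits only x.x.x.0 addresses rather than the LAN. The ACL is only one obstacle: the 837's overload PAT has no static mapping delivering ESP or UDP 500 to 172.16.1.11, so the ASA has to be the initiator and should negotiate NAT-T (UDP 4500), which PAT and the CBAC return-path openings treat like any other UDP flow; the ASA's default route pointing at its own address also needs correcting. Useful checks on the 837 are `show ip nat translations` and `show ip inspect sessions`, and on the ASA `show crypto isakmp sa` and `show crypto ipsec sa`.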
