
IP-sec site-to-site problem ASA ver 9.1 vs IOS

Hi all,

 

I'm trying to set up a site-to-site VPN between an ASA and an IOS router, but without success.

The logs are:

1) this end is not behind a nat device

2) Received encrypted packet with no matching SA

the networks are:

172.25.0.0 (inside of the ASA) and A.A.A.A (outside of the ASA) need to connect to the IOS router at address B.B.B.B, which has 192.168.1.0 as its inside network.

Below are configs:

ASA:

ASA-5505# sh run
: Saved
:
ASA Version 9.0(1)
!
hostname ASA-5505
domain-name 1.kz
names
ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.25.66.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.252
!
ftp mode passive
clock timezone ALMST 6
clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns server-group DefaultDNS
 domain-name 1.kz
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network NETWORK_OBJ_192.168.172.0_25
 subnet 192.168.172.0 255.255.255.128
object network NETWORK_OBJ_172.25.66.192_27
 subnet 172.25.66.192 255.255.255.224
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.25.0.0_16
 subnet 172.25.0.0 255.255.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
access-list VPN-IN-INS extended permit ip any any log
access-list VPN-OUT-OUT extended permit ip any 192.168.172.0 255.255.255.0 log
access-list VPN-OUT-ALL standard permit any4
access-list net172 standard permit 172.25.0.0 255.255.0.0
access-list net10 standard permit 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN-IN-INS in interface inside
access-group VPN-IN-INS out interface inside
route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.25.66.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set Alma-set esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set ikev1 transform-set Alma-set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 no anyconnect-essentials
group-policy web_access internal
group-policy web_access attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value PRTG
group-policy SAME_NET_ALA internal
group-policy SAME_NET_ALA attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SAME_NET_ALA_splitTunnelAcl
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_to_ALA internal
tunnel-group SAME_NET_ALA type remote-access
tunnel-group SAME_NET_ALA general-attributes
 address-pool SAME_NET_ALA
 default-group-policy SAME_NET_ALA
tunnel-group SAME_NET_ALA ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group web_access type remote-access
tunnel-group web_access general-attributes
 default-group-policy web_access
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
 default-group-policy GroupPolicy1
tunnel-group B.B.B.B ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:932099620805dc22d9e48a5e04314887
: end

 

and IOS Router:

 

R1921_center#sh run
Building configuration...

Current configuration : 6881 bytes
!
! Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1921_center
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!


!
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-260502430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-260502430
 revocation-check none
 rsakeypair TP-self-signed-260502430
!
!
crypto pki certificate chain TP-self-signed-260502430
 certificate self-signed 01
        quit
license udi pid CISCO1921/K9 sn FCZ1748C14U
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PSK-KEY address A.A.A.A
crypto isakmp key 6 PSK-KEY address 0.0.0.0
!
crypto isakmp client configuration group ALA-EMP-VPN
 key *.*.*.*
 dns 8.8.8.8
 domain cisco.com
 pool ippool
 acl 101
 netmask 255.255.255.0
!
!
crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MAXPROFILE
 set transform-set TRIPSECMAX
!
!
crypto ipsec profile dmvpn_profile
 set transform-set dmvpn_alad
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp
 set peer A.A.A.A
 set transform-set AES-SHA
 match address VPN_ASA_PAV
!
!
!
!
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.255
!

interface Tunnel2
 ip address 192.168.101.1 255.255.255.240
 no ip redirects
 ip nhrp authentication NHRPMAX
 ip nhrp map multicast dynamic
 ip nhrp network-id 4679
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 10
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 4679
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description to_LAN
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description to_ISP
 ip address B.B.B.B 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
router ospf 100
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 area 192.168.1.0 authentication message-digest
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel1
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.222.0 0.0.0.15 area 0
!
router ospf 1
 router-id 1.1.1.1
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel2
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.101.0 0.0.0.15 area 0
!
ip local pool ippool 192.168.33.1 192.168.33.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
ip route 0.0.0.0 0.0.0.0 B.B.B.C
!
ip access-list extended ACL-NAT
 deny   ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Accepted Solutions
Hall of Fame Super Silver

The biggest problem is the mismatch in access lists for the VPN.

The ASA says this

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office

The router says this

 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255

 

Make them match. If it still does not work then please post the revised configurations.

 

HTH

 

Rick

4 REPLIES

Have you checked this document?

http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110198-sdm-vpn-asa-router-config.html

The CLI config is towards the bottom.

New Member

Yes, indeed, many times.

I think the problem is with NAT, but I cannot find where exactly.

Please take a look with a fresh perspective.

 


New Member

Dear Richard,

They are mirror matches on both sides.

ASA:

access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office

 

object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0

object network ALA_office
 subnet 192.168.1.0 255.255.255.0

 

 

IOS:

ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
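
The check discussed in this thread, as an added example (not part of any post and not Cisco code): it tests whether a router ACL is the exact mirror of the ASA's `outside_cryptomap`, and evaluates the router's NAT list 111 against the same flow. The function names are illustrative, the input lines are copied from the configurations posted above, and only plain `permit|deny ip` entries are parsed.

```python
import ipaddress
import re

# Constructed input: lines copied from the two configurations posted in this thread.
ASA = """\
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
"""
IOS = """\
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def asa_acl(config, name):
    """(src, dst) pairs of an ASA ACL whose entries reference network objects."""
    objs = {n: ipaddress.ip_network(f"{a}/{m}") for n, a, m in
            re.findall(r"^object network (\S+)\n subnet (\S+) (\S+)", config, re.M)}
    rule = rf"^access-list {re.escape(name)} extended permit ip object (\S+) object (\S+)"
    return [(objs[s], objs[d]) for s, d in re.findall(rule, config, re.M)]

def _net(text):  # "any", or "<addr> <wildcard>" (ip_network accepts a host mask)
    return ANY if text == "any" else ipaddress.ip_network(text.replace(" ", "/"))

def ios_acl(config, name):
    """(action, src, dst) for the 'ip' entries of a named or numbered IOS extended ACL."""
    entries, current = [], None
    for line in config.splitlines():
        head = re.match(r"(?:ip access-list extended|access-list) (\S+)", line)
        current = head.group(1) if head else current
        m = re.search(r"(permit|deny) +ip +(any|\S+ \S+) +(any|\S+ \S+)\s*$", line)
        if m and current == name:
            entries.append((m.group(1), _net(m.group(2)), _net(m.group(3))))
    return entries

def mirrored(asa_pairs, ios_entries):
    """True when the IOS permits are exactly the ASA pairs with src and dst swapped."""
    return sorted(asa_pairs) == sorted((d, s) for a, s, d in ios_entries if a == "permit")

def first_match(entries, src, dst):
    """Action of the first entry covering the whole src -> dst flow (implicit deny otherwise)."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

if __name__ == "__main__":
    asa = asa_acl(ASA, "outside_cryptomap")
    for acl in ("VPN_ASA_PAV", "ACL-VPN"):
        print(acl, "mirrors outside_cryptomap:", mirrored(asa, ios_acl(IOS, acl)))
    dst, src = asa[0]  # router-side flow: 192.168.1.0/24 -> 172.25.66.0/24
    print("NAT list 111 on tunnel traffic:", first_match(ios_acl(IOS, "111"), src, dst))
```

`VPN_ASA_PAV`, the list the router's crypto map references, mirrors the ASA entry, while `ACL-VPN` does not. List 111 returns `permit` for the tunnel flow, so the `overload` rule that uses it translates that traffic, and the posted `ACL-NAT` is not referenced by any NAT statement.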

 
