
L2L between Cisco Router 1841 and Cisco ASA 5505

I'd like to configure a LAN-to-LAN VPN between my customer and my office. My customer has a Cisco 1841 router and I have a Cisco ASA 5505.

I have 3 VLANs on my Cisco L3 switch:

Server -> 192.168.33.254

Client -> 192.168.30.254

Wireless -> 192.168.31.254

My ASA has an IP only on two VLANs:

Client -> 192.168.30.253

Wireless Guest -> 192.168.32.253

Every computer on each VLAN has 192.168.xx.254 as its default gateway, and on my L3 switch I have "0.0.0.0 0.0.0.0 192.168.30.253".

The tunnel does not want to come up and I have this error on my ASA:

Jan 03 09:41:08 [IKEv1]Group = Public_IP_Customer, IP = Public_IP_Customer, QM FSM error (P2 struct &0xcc49d048, mess id 0xc361618)!

Jan 03 09:41:08 [IKEv1]Group = Public_IP_Customer, IP = Public_IP_Customer, Removing peer from correlator table failed, no match!

Jan 03 09:41:08 [IKEv1]Group = Public_IP_Customer, IP = Public_IP_Customer, Session is being torn down. Reason: Lost Service

My customer has only 1 LAN, 10.0.0.0/16, but has 2 outside interfaces on the router. This is a very large subnet, so I NAT it to the subnet 172.0.101.0/24. This is the router configuration:

Building configuration...

Current configuration : 7978 bytes

!

version 12.4

service nagle

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

no service dhcp

!

hostname XXXXXXXXXX

!

boot-start-marker

boot-end-marker

!

logging exception 100000

logging count

logging message-counter syslog

logging userinfo

logging queue-limit 10000

logging buffered 50000000 informational

enable secret 5 XXXXXXXXX

!

aaa new-model

!

!

aaa authentication login AuthUtenti group radius local

aaa authorization network AuthGroup local

!

!

aaa session-id common

clock timezone Italy 1

clock summer-time Ora-Legale recurring last Sun Mar 3:00 last Sun Oct 3:00

dot11 syslog

no ip source-route

no ip gratuitous-arps

!

!

!

!

ip cef

ip domain name XXXXXXXXXXX

ip name-server 8.8.8.8

ip name-server 8.8.4.4

login on-failure log

login on-success log

no ipv6 cef

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group 1

request-dialin

  protocol pppoe

!

!

!

!

!

username XXXXXXXXXXX privilege 15 secret 5 XXXXXXXXXXX

username XXXXXXXXXXX secret 5 XXXXXXXXXXX

username XXXXXXXXXXX secret 5 XXXXXXXXXXX

username XXXXXXXXXXX secret 5 XXXXXXXXXXX

archive

log config

  hidekeys

!

crypto logging session

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key XXXXXXXXXXX address XXXXXXXXXXX

crypto isakmp keepalive 10

crypto isakmp nat keepalive 20

crypto isakmp xauth timeout 90

!

crypto isakmp client configuration group VPN-Client-1

key XXXXXXXXXXX

dns 10.0.0.4

domain XXXXXXXXXXX

pool VPN-Client-Pool-1

acl 198

save-password

max-users 20

max-logins 10

!

crypto isakmp client configuration group VPN-Client-2

key XXXXXXXXXXX

dns 10.0.0.4

domain XXXXXXXXXXX

pool VPN-Client-Pool-2

acl 199

save-password

max-users 20

max-logins 10

!

crypto ipsec security-association idle-time 3600

!

crypto ipsec transform-set VPN-Client-Set esp-3des esp-sha-hmac

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map VPN-Client-Map 10

set transform-set VPN-Client-Set

!

!

crypto map VPN-1 local-address Dialer1

crypto map VPN-1 client authentication list AuthUtenti

crypto map VPN-1 isakmp authorization list AuthGroup

crypto map VPN-1 client configuration address respond

crypto map VPN-1 10 ipsec-isakmp

description L2L_Backup_Data

set peer XXXXXXXXXXX

set transform-set 3DES-SHA

set pfs group2

match address 114

crypto map VPN-1 65535 ipsec-isakmp dynamic VPN-Client-Map

!

crypto map VPN-2 local-address FastEthernet0/1

crypto map VPN-2 client authentication list AuthUtenti

crypto map VPN-2 isakmp authorization list AuthGroup

crypto map VPN-2 client configuration address respond

crypto map VPN-2 65535 ipsec-isakmp dynamic VPN-Client-Map

!

!

!

!

!

!

interface FastEthernet0/0

description "Ponte"

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface FastEthernet0/1

description "Verso Router ADSL"

ip address 192.168.80.2 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN-2

!

interface FastEthernet0/0/0

description "VLAN 1 Switched Interface"

!

interface FastEthernet0/0/1

description "VLAN 1 Switched Interface"

!

interface FastEthernet0/0/2

description "VLAN 1 Switched Interface"

!

interface FastEthernet0/0/3

description "VLAN 1 Switched Interface"

!

interface Vlan1

description "LAN"

ip address 10.0.0.100 255.255.0.0

ip nat inside

ip virtual-reassembly

!

interface Dialer1

description "Dialer PPPoE"

ip address negotiated

ip access-group 100 in

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

no ip mroute-cache

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username XXXXXXXXXXX password 7 XXXXXXXXXXX

crypto map VPN-1

!

ip local pool VPN-Client-Pool-1 192.168.250.1 192.168.250.20

ip local pool VPN-Client-Pool-2 192.168.251.1 192.168.251.20

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.250.0 255.255.255.0 Dialer1 name Rotta-VPN-Client-1

ip route 192.168.251.0 255.255.255.0 FastEthernet0/1 name Rotta-VPN-Client-2

no ip http server

no ip http secure-server

!

!

ip nat translation timeout 4800

ip nat translation tcp-timeout 300

ip nat translation udp-timeout 180

ip nat translation finrst-timeout 300

ip nat translation syn-timeout 120

ip nat translation dns-timeout 300

ip nat translation icmp-timeout 120

ip nat pool PolicyNat-Data 172.0.101.1 172.0.101.1 netmask 255.255.255.0

ip nat inside source list 190 pool PolicyNat-Data overload

ip nat inside source route-map NAT_EO interface Dialer1 overload

!

access-list 23 remark *** ACCESSO TELNET ***

access-list 23 permit XXXXXXXXXXX

access-list 23 permit XXXXXXXXXXX

access-list 23 permit 10.0.0.0 0.0.255.255

access-list 23 permit 192.168.250.0 0.0.0.255

access-list 23 permit 192.168.251.0 0.0.0.255

access-list 100 remark *** ACL OUTSIDE ***

access-list 100 permit tcp host My_Public_Ip host Dialer1_Public_ip

access-list 100 permit ip any any

access-list 110 remark *** NAT DINAMICO ***

access-list 110 deny   ip 10.0.0.0 0.0.255.255 192.168.250.0 0.0.0.255

access-list 110 deny   ip 10.0.0.0 0.0.255.255 192.168.251.0 0.0.0.255

access-list 110 deny   ip 10.0.0.0 0.0.255.255 192.168.33.0 0.0.0.255

access-list 110 permit ip 10.0.0.0 0.0.255.255 any

access-list 111 remark *** NAT DINAMICO 2 ***

access-list 111 deny   ip 10.0.0.0 0.0.255.255 192.168.250.0 0.0.0.255

access-list 111 deny   ip 10.0.0.0 0.0.255.255 192.168.251.0 0.0.0.255

access-list 111 permit ip 10.0.0.0 0.0.255.255 any

access-list 114 remark *** VPN per DataBackup Interesting Traffic ***

access-list 114 permit ip 172.0.101.0 0.0.0.255 192.168.33.0 0.0.0.255

access-list 190 remark *** Policy NAT per DataBackup ***

access-list 190 permit ip 10.0.0.0 0.0.0.255 192.168.33.0 0.0.0.255

access-list 198 remark *** SPLIT TUNNEL VPN CLIENT POOL 1 ***

access-list 198 permit ip 10.0.0.0 0.0.255.255 192.168.250.0 0.0.0.255

access-list 199 remark *** SPLIT TUNNEL VPN CLIENT POOL 2 ***

access-list 199 permit ip 10.0.0.0 0.0.255.255 192.168.251.0 0.0.0.255

dialer-list 1 protocol ip permit

!

!

!

!

route-map NAT_EO permit 10

match ip address 110

match interface Dialer1

!

route-map NAT_ADSL permit 10

match ip address 111

match interface FastEthernet0/1

!

!

radius-server host 10.0.0.4 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXX

radius-server retry method reorder

!

control-plane

!

line con 0

line aux 0

line vty 0 4

access-class 23 in

transport input telnet ssh

line vty 5 15

access-class 23 in

transport input telnet ssh

!

scheduler allocate 20000 1000

end

-------------------------------------------------------------------

And this is my Cisco ASA configuration:

ASA Version 9.1(2)

!

hostname Cisco-ASA5505

domain-name XXXXXXXXXXX

enable password XXXXXXXXXXX encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd DGrtOVd7PidQSHZ. encrypted

names

ip local pool VPNIPSec-Client-Pool 192.168.36.1-192.168.36.14 mask 255.255.255.240

ip local pool VPNSSL-Client-Pool 192.168.36.17-192.168.36.30 mask 255.255.255.240

!

interface Ethernet0/0

description OUTSIDE

switchport access vlan 10

!

interface Ethernet0/1

description INSIDE

switchport trunk allowed vlan 11,1003

switchport trunk native vlan 11

switchport mode trunk

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan10

description OUTSIDE

nameif OUTSIDE

security-level 0

ip address XXXXXXXXXXX 255.255.255.248

!

interface Vlan11

description INSIDE

nameif INSIDE

security-level 100

ip address 192.168.30.253 255.255.255.0

!

interface Vlan1003

description Wireless-Guest

nameif Wireless-Guest

security-level 50

ip address 192.168.32.253 255.255.255.0

!

boot system disk0:/asa912-k8.bin

boot system disk0:/asa841-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name XXXXXXXXXXX

object network outside-range

range XXXXXXXXXXX XXXXXXXXXXX

object network inside-network

subnet 192.168.30.0 255.255.255.0

object network wireless-network

subnet 192.168.31.0 255.255.255.0

object network wireless_guest-network

subnet 192.168.32.0 255.255.255.0

object network server-network

subnet 192.168.33.0 255.255.255.0

object network Webcam_Balcone

host 192.168.30.250

object network vpnipsec-client-network

subnet 192.168.36.0 255.255.255.240

object network vpnssl-client-network

subnet 192.168.36.16 255.255.255.240

object network vpn_l2l_XXXXXXXXXXX_remote

subnet 172.0.101.0 255.255.255.0

access-list outside extended permit icmp any4 any4 echo-reply

access-list outside extended permit tcp any4 object Webcam_Balcone eq www

access-list outside extended permit ip object vpnipsec-client-network object server-network

access-list outside extended permit ip object vpnipsec-client-network object inside-network

access-list outside extended permit ip object vpnipsec-client-network object wireless-network

access-list inside extended deny ip object inside-network object wireless_guest-network

access-list inside extended permit icmp any4 any4

access-list inside extended permit ip object inside-network any4

access-list inside extended permit ip object wireless-network any4

access-list inside extended permit ip object server-network any4

access-list inside extended permit ip object server-network object vpn_l2l_XXXXXXXXXXX_remote

access-list wireless-guest extended deny ip object wireless_guest-network 192.168.0.0 255.255.0.0

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq https

access-list wireless-guest extended permit udp object wireless_guest-network any4 eq domain

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq www

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq pop3

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq imap4

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq ftp

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq 993

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq 465

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq 587

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq smtp

access-list wireless-guest extended permit tcp object wireless_guest-network any4 eq 995

access-list wireless-guest extended deny ip any4 any4

access-list split-tunnel standard permit 192.168.30.0 255.255.255.0

access-list split-tunnel standard permit 192.168.31.0 255.255.255.0

access-list split-tunnel standard permit 192.168.33.0 255.255.255.0

access-list split-tunnel standard permit 172.0.101.0 255.255.255.0

access-list cryptoacl_XXXXXXXXXXX extended permit ip 192.168.33.0 255.255.255.0 172.0.101.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu OUTSIDE 1500

mtu INSIDE 1500

mtu Wireless-Guest 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (INSIDE,any) source static inside-network inside-network destination static vpnipsec-client-network vpnipsec-client-network no-proxy-arp

nat (INSIDE,any) source static server-network server-network destination static vpnipsec-client-network vpnipsec-client-network no-proxy-arp

nat (INSIDE,any) source static wireless-network wireless-network destination static vpnipsec-client-network vpnipsec-client-network no-proxy-arp

nat (INSIDE,any) source static inside-network inside-network destination static vpnssl-client-network vpnssl-client-network no-proxy-arp

nat (INSIDE,any) source static server-network server-network destination static vpnssl-client-network vpnssl-client-network no-proxy-arp

nat (INSIDE,any) source static wireless-network wireless-network destination static vpnssl-client-network vpnssl-client-network no-proxy-arp

nat (INSIDE,OUTSIDE) source static server-network server-network destination static vpn_l2l_XXXXXXXXXXX_remote vpn_l2l_XXXXXXXXXXX_remote no-proxy-arp

!

object network inside-network

nat (INSIDE,OUTSIDE) dynamic interface

object network wireless-network

nat (INSIDE,OUTSIDE) dynamic interface

object network wireless_guest-network

nat (Wireless-Guest,OUTSIDE) dynamic interface

object network server-network

nat (INSIDE,OUTSIDE) dynamic interface

object network Webcam_Balcone

nat (INSIDE,OUTSIDE) static interface service tcp www 435

access-group outside in interface OUTSIDE

access-group inside in interface INSIDE

access-group wireless-guest in interface Wireless-Guest

route OUTSIDE 0.0.0.0 0.0.0.0 XXXXXXXXXXX 1

route INSIDE 192.168.31.0 255.255.255.0 192.168.30.254 1

route INSIDE 192.168.33.0 255.255.255.0 192.168.30.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (INSIDE) host 192.168.33.102

retry-interval 2

timeout 2

key *****

user-identity default-domain LOCAL

http server enable

http 192.168.31.0 255.255.255.0 INSIDE

http 192.168.33.0 255.255.255.0 INSIDE

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map 1 match address cryptoacl_XXXXXXXXXXX

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer XXXXXXXXXXX

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface OUTSIDE

crypto ca trustpoint localtrust

enrollment self

fqdn XXXXXXXXXXX

subject-name CN=XXXXXXXXXXX

keypair sslvpnkey

crl configure

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca trustpool policy

crypto ca certificate chain localtrust

XXXXXXXXXXX

  quit

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca XXXXXXXXXXX

  quit

crypto isakmp identity hostname

crypto isakmp nat-traversal 3600

crypto ikev1 enable OUTSIDE

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.30.0 255.255.255.0 INSIDE

telnet 192.168.31.0 255.255.255.0 INSIDE

telnet 192.168.33.0 255.255.255.0 INSIDE

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd dns 8.8.8.8 8.8.4.4

dhcpd option 3 ip 192.168.32.253

!

dhcpd address 192.168.32.1-192.168.32.20 Wireless-Guest

dhcpd enable Wireless-Guest

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 193.204.114.232 source OUTSIDE prefer

ssl trust-point localtrust OUTSIDE

webvpn

enable OUTSIDE

anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy VPNIPSec-Client internal

group-policy VPNIPSec-Client attributes

wins-server value 192.168.33.102

dns-server value 192.168.33.102

vpn-idle-timeout 30

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

default-domain value XXXXXXXXXXX

group-policy VPNSSL-Client internal

group-policy VPNSSL-Client attributes

wins-server value 192.168.33.102

dns-server value 192.168.33.102

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

default-domain value XXXXXXXXXXX

address-pools value VPNSSL-Client-Pool

username leo password YJwugwJ/v7jT7qRY encrypted

tunnel-group VPNIPSec-Client type remote-access

tunnel-group VPNIPSec-Client general-attributes

address-pool VPNIPSec-Client-Pool

authentication-server-group RADIUS LOCAL

accounting-server-group RADIUS

default-group-policy VPNIPSec-Client

tunnel-group VPNIPSec-Client ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group VPNSSL-Client type remote-access

tunnel-group VPNSSL-Client general-attributes

address-pool VPNSSL-Client-Pool

authentication-server-group RADIUS

accounting-server-group RADIUS

default-group-policy VPNSSL-Client

tunnel-group VPNSSL-Client webvpn-attributes

group-alias VPNSSL-Client enable

tunnel-group XXXXXXXXXXX type ipsec-l2l

tunnel-group XXXXXXXXXXX ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:15e368d4e41b8b7f1a2139ab0b94d75b

: end

Thank you everybody.

Leonardo

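The "QM FSM error" in the ASA log above is raised in IKEv1 Phase 2 (quick mode), i.e. after Phase 1 has already completed, and the first thing to compare on both peers is the pair of crypto ACLs (the proxy identities), which must mirror each other exactly once IOS wildcard masks and ASA netmasks are converted to the same prefix form. The script below is an added example, not part of the original post and not Cisco code. It parses the `permit ip` lines of the ACLs quoted in the post, checks that ACL 114 on the router and the ASA crypto ACL are mirrors, and also lists which part of the 10.0.0.0/16 LAN the policy-NAT ACL 190 does not match (on IOS, inside-to-outside NAT runs before the crypto map is evaluated, so a source that is not translated into 172.0.101.0/24 can never match ACL 114). The ASA ACL name was masked in the post, so `cryptoacl_peer` is a placeholder chosen here; the sample configuration text is constructed from the lines shown above.

```python
"""Check that two IPsec crypto ACLs mirror each other and report policy-NAT coverage.

Added example for the post above; not Cisco code and not part of the original post.
Only 'permit ip <net> <mask> <net> <mask>' lines are parsed, which is all the
interesting-traffic ACLs on this page use.
"""
import ipaddress
import re

# Constructed sample input: the interesting-traffic and policy-NAT lines copied from
# the post. 'cryptoacl_peer' stands in for the masked ASA ACL name.
IOS_CONFIG = """
access-list 114 remark *** VPN per DataBackup Interesting Traffic ***
access-list 114 permit ip 172.0.101.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 190 remark *** Policy NAT per DataBackup ***
access-list 190 permit ip 10.0.0.0 0.0.0.255 192.168.33.0 0.0.0.255
"""
ASA_CONFIG = """
access-list cryptoacl_peer extended permit ip 192.168.33.0 255.255.255.0 172.0.101.0 255.255.255.0
"""

IOS_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ASA_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _prefixlen_from_mask(mask_int):
    """Prefix length of a contiguous netmask; non-contiguous masks are rejected, not guessed."""
    inverted = (~mask_int) & 0xFFFFFFFF
    if inverted & (inverted + 1):          # a hostmask must be of the form 2**n - 1
        raise ValueError(f"non-contiguous mask 0x{mask_int:08x}")
    return 32 - inverted.bit_length()


def ios_network(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks: 0 bits are the significant ones."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{_prefixlen_from_mask(mask_int)}", strict=False)


def asa_network(addr, netmask):
    """ASA ACLs use ordinary netmasks: 1 bits are the significant ones."""
    mask_int = int(ipaddress.IPv4Address(netmask))
    return ipaddress.IPv4Network(f"{addr}/{_prefixlen_from_mask(mask_int)}", strict=False)


def parse_acls(text, pattern, to_network):
    """Return {acl_name: [(src_net, dst_net), ...]} for the permit-ip lines in text."""
    acls = {}
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue                      # remarks, deny lines and non-ip entries are skipped
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append((to_network(src, smask), to_network(dst, dmask)))
    return acls


def mirror_mismatches(local, remote):
    """Quick-mode proxy IDs must match exactly: every local (src, dst) needs a remote (dst, src)."""
    local_set, remote_set = set(local), set(remote)
    missing_remote = [f"{s} -> {d} has no mirror on remote" for s, d in local_set if (d, s) not in remote_set]
    missing_local = [f"{s} -> {d} has no mirror on local" for s, d in remote_set if (d, s) not in local_set]
    return missing_remote + missing_local


def uncovered_sources(lan, nat_entries):
    """Parts of lan whose traffic matches no policy-NAT entry and so is never translated."""
    remaining = [lan]
    for src, _dst in nat_entries:
        nxt = []
        for net in remaining:
            if net.subnet_of(src):
                continue                  # fully covered by this NAT entry
            if src.subnet_of(net):
                nxt.extend(net.address_exclude(src))
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def run_check():
    """Run both checks on the constructed sample input and return (mismatches, uncovered)."""
    ios = parse_acls(IOS_CONFIG, IOS_RE, ios_network)
    asa = parse_acls(ASA_CONFIG, ASA_RE, asa_network)
    problems = mirror_mismatches(asa["cryptoacl_peer"], ios["114"])
    lan = ipaddress.IPv4Network("10.0.0.0/16")   # the customer LAN as stated in the post
    not_natted = uncovered_sources(lan, ios["190"])
    return problems, not_natted


if __name__ == "__main__":
    problems, not_natted = run_check()
    print("crypto ACL mirror:", "OK" if not problems else problems)
    print("LAN ranges not matched by policy-NAT ACL 190:", [str(n) for n in not_natted])
```

This checks proxy identities only; PFS settings, transform sets and the NAT order of operations still have to be compared by hand, and `show crypto ipsec sa` on either box shows which proxy identities were actually proposed and negotiated.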