Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Problem with VPN between 5510 and 881

Hi I setup a vpn lan to lan between a cisco 5510 and 881.

I setup both box using the wizzard assiten and I see the vpn up but  i can make a ping between lans.

I try using difernte configuration and i see alway the same.

I can acces to ASA but in it it're work some other vpn and i dont know were're the problem and i need to be sure that my setup at my cisco 881 it's ok.

The diagagram of my vpn is :

10.57.88.1      : C881: 181.81.57.47 --- Internet --- 90.11.11.202 : ASA5510 : 10.57.1.10

10.57.88.0/27                                                                                                    10.57.0.0/18

The setup and some show are :

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key 1234567890 address 90.11.11.202

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

mode tunnel

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

mode tunnel

!

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to90.11.11.202

set peer 90.11.11.202

set transform-set ESP-3DES-SHA2

match address 103

!

!

!

!

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

description $ETH-WAN$

ip address 181.81.57.47 255.255.248.0

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

description $ETH_LAN$

ip address 10.57.88.1 255.255.255.224

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 186.80.64.1

!

ip sla auto discovery

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.57.88.0 0.0.0.31

access-list 23 permit 10.57.88.0 0.0.0.31

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255

access-list 101 permit ip 10.57.88.0 0.0.0.31 any

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 186.80.56.0 0.0.7.255 10.57.0.0 0.0.63.255

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

banner exec ^C

^C.

^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

!

end

******************************************************************************

******************************************************************************

MCQ#sh cry session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet4

Uptime: 02:19:33

Session status: UP-ACTIVE

Peer: 90.11.11.202 port 500 fvrf: (none) ivrf: (none)

      Phase1_id: 90.11.11.202

      Desc: (none)

  IKEv1 SA: local 181.81.57.47/500 remote 90.11.11.202/500 Active

          Capabilities:(none) connid:2001 lifetime:21:40:26

  IPSEC FLOW: permit ip 10.57.88.0/255.255.255.224 10.57.0.0/255.255.192.0

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 2643 drop 0 life (KB/Sec) 4210590/2043

        Outbound: #pkts enc'ed 5410 drop 0 life (KB/Sec) 4210567/2043

******************************************************************************

******************************************************************************

MCQ#sh crypto ipsec sa detail

interface: FastEthernet4

    Crypto map tag: SDM_CMAP_1, local addr 181.81.57.47

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.57.88.0/255.255.255.224/0/0)

   remote ident (addr/mask/prot/port): (10.57.0.0/255.255.192.0/0/0)

   current_peer 90.11.11.202 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 5422, #pkts encrypt: 5422, #pkts digest: 5422

    #pkts decaps: 2643, #pkts decrypt: 2643, #pkts verify: 2643

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0

    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

    #pkts invalid prot (recv) 0, #pkts verify failed: 0

    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

    ##pkts replay failed (rcv): 0

    #pkts tagged (send): 0, #pkts untagged (rcv): 0

    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0

    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 181.81.57.47, remote crypto endpt.: 90.11.11.202

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0xA9082DFD(2835885565)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x9C615383(2623624067)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4210590/1988)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xA9082DFD(2835885565)

******************************************************************************

******************************************************************************

MCQ#sh crypto route

No VPN routes to display

******************************************************************************

******************************************************************************

MCQ#sh crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       T - cTCP encapsulation, X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

2001  181.81.57.47    90.11.11.202          ACTIVE 3des sha    psk  2  21:38:21

       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

******************************************************************************

******************************************************************************

MCQ#sh crypto ruleset detail

Mtree:

199 VRF 0  11 181.81.57.47/500 ANY Forward, Forward

299 VRF 0  11 181.81.57.47/4500 ANY Forward, Forward

200000199 VRF 0  11 ANY/848 ANY Forward, Forward

200000299 VRF 0  11 ANY ANY/848 Forward, Forward

100000000000101 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Encrypt

100000000000199 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Discard/notify

******************************************************************************

******************************************************************************

MCQ#sh crypto map interface FastEthernet4

Crypto Map IPv4 "SDM_CMAP_1" 1 ipsec-isakmp

        Description: Tunnel to90.11.11.202

        Peer = 90.11.11.202

        Extended IP access list 103

            access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255

        Current peer: 90.11.11.202

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                ESP-3DES-SHA2:  { esp-3des esp-sha-hmac  } ,

        }

        Interfaces using crypto map SDM_CMAP_1:

                FastEthernet4

Everyone's tags (5)
2 REPLIES

Problem with VPN between 5510 and 881

Can you check for a NAT exemption on the ASA? Using ASDM you should see some logs when you ping from 881-LAN to ASA-LAN

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
New Member

Problem with VPN between 5510 and 881

Hi, i found the problem, i check a setup in ASA and found that the default in ASA is other GW  than the gateway of peer.

I create a route that send all traficto fo 10.57.88.0/27 to gateway of ASA peer and it work.

Thanks for you help.

462
Views
3
Helpful
2
Replies
CreatePlease to create content