Problem with VPN between 5510 and 881

Hi, I set up a LAN-to-LAN VPN between a Cisco 5510 and an 881.

I set up both boxes using the wizard assistant and I see the VPN up, but I can make a ping between LANs.

I tried using different configurations and I always see the same.

I can access the ASA, but some other VPNs are working on it and I don't know where the problem is, and I need to be sure that my setup on my Cisco 881 is OK.

The diagram of my VPN is: C881 --- Internet --- ASA5510

The setup and some show outputs are:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to90.11.11.202
 set peer
 set transform-set ESP-3DES-SHA2
 match address 103

interface FastEthernet0
 no ip address

interface FastEthernet1
 no ip address

interface FastEthernet2
 no ip address

interface FastEthernet3
 no ip address

interface FastEthernet4
 description $ETH-WAN$
 ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1

interface Vlan1
 description $ETH_LAN$
 ip address
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452

ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route

ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit
access-list 23 permit
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip
access-list 101 permit ip any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip
no cdp run

route-map SDM_RMAP_1 permit 1
 match ip address 101

banner exec ^C

line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh






MCQ#sh cry session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet4
Uptime: 02:19:33
Session status: UP-ACTIVE
Peer: port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
  IKEv1 SA: local remote Active
          Capabilities:(none) connid:2001 lifetime:21:40:26
  IPSEC FLOW: permit ip
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2643 drop 0 life (KB/Sec) 4210590/2043
        Outbound: #pkts enc'ed 5410 drop 0 life (KB/Sec) 4210567/2043

MCQ#sh crypto ipsec sa detail
interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5422, #pkts encrypt: 5422, #pkts digest: 5422
    #pkts decaps: 2643, #pkts decrypt: 2643, #pkts verify: 2643
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xA9082DFD(2835885565)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x9C615383(2623624067)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4210590/1988)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xA9082DFD(2835885565)



MCQ#sh crypto route
No VPN routes to display

MCQ#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
2001          ACTIVE 3des sha    psk  2  21:38:21
       Engine-id:Conn-id =  SW:1

MCQ#sh crypto ruleset detail

199 VRF 0  11 ANY Forward, Forward
299 VRF 0  11 ANY Forward, Forward
200000199 VRF 0  11 ANY/848 ANY Forward, Forward
200000299 VRF 0  11 ANY ANY/848 Forward, Forward
100000000000101 VRF 0 IP Discard/notify, Encrypt
100000000000199 VRF 0 IP Discard/notify, Discard/notify

MCQ#sh crypto map interface FastEthernet4
Crypto Map IPv4 "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to90.11.11.202
        Peer =
        Extended IP access list 103
            access-list 103 permit ip
        Current peer:
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA2:  { esp-3des esp-sha-hmac  } ,

        Interfaces using crypto map SDM_CMAP_1:


Can you check for a NAT exemption on the ASA? Using ASDM you should see some logs when you ping from 881-LAN to ASA-LAN


Hi, I found the problem: I checked the setup on the ASA and found that the default on the ASA is a different GW than the gateway of the peer.

I created a route that sends all traffic to go to the gateway of the ASA peer, and it works.

Thanks for your help.
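
The two ASA-side checks raised in this thread (a NAT exemption for the tunnel traffic, and a route for the remote LAN via the gateway that reaches the peer), as an added example that is not part of the original posts. It assumes ASA 8.3+ NAT syntax and interfaces named inside and outside; every address and object name is a constructed placeholder, not a value from the thread.

```cisco
! Added example. Constructed placeholders (none of these come from the thread):
!   ASA-LAN            10.10.10.0/24
!   881-LAN            10.20.20.0/24
!   881 public peer    198.51.100.2
!   ASA next hop that actually reaches the peer: 203.0.113.1
! Assumed interface names: inside, outside. Assumed software: ASA 8.3 or later.

object network ASA-LAN
 subnet 10.10.10.0 255.255.255.0
object network C881-LAN
 subnet 10.20.20.0 255.255.255.0

! NAT exemption (identity NAT) so LAN-to-LAN traffic is not translated before
! it is matched against the crypto ACL. This mirrors what ACL 101's deny line
! plus route-map SDM_RMAP_1 do on the 881 side.
nat (inside,outside) source static ASA-LAN ASA-LAN destination static C881-LAN C881-LAN no-proxy-arp route-lookup

! Static route for the remote LAN via the gateway that leads to the peer, so
! the traffic leaves on the interface where the crypto map is applied instead
! of following a default route that points at a different gateway.
route outside 10.20.20.0 255.255.255.0 203.0.113.1

! Verification on the ASA:
! 1. Which route does the remote LAN resolve to?
show route | include 10.20.20.0
! 2. Does the identity NAT rule take hits when pinging across the tunnel?
show nat detail
! 3. Walk a simulated echo request through routing, NAT and VPN phases;
!    look for the UN-NAT, NAT and VPN (encrypt) phases to read ALLOW.
packet-tracer input inside icmp 10.10.10.10 8 0 10.20.20.10 detailed
! 4. Both encaps and decaps counters should climb while the ping runs.
show crypto ipsec sa peer 198.51.100.2
```

On pre-8.3 software the exemption is written with `nat (inside) 0 access-list <name>` instead of the twice-NAT line shown here.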

