Trouble completing phase 1 of site-to-site tunnel.

I have a Cisco 1921 (config) and an ASA 5505 (config) which I'm trying to establish a site-to-site tunnel between.

I believe I should be able to see the tunnel when I type show crypto isakmp sa, but it doesn't show up at all.

Cisco 1921 Outside IP: <ip_3eb62ab9db>
ASA 5505 Outside IP: <ip_afbae7f7ac>

I have tried pinging from the inside network of the ASA, to the inside network of the 1921. It doesn't bring up the tunnel.

How come the tunnel is not finishing phase 1?

4 REPLIES

Can you please post information regarding the configuration?  Crypto maps, ACLs, etc.

Yes. Here's the configuration for the Cisco 1921:
pastebin.com/raw.php?i=fkie4CVq

And here's the configuration for the ASA 5505:
pastebin.com/raw.php?i=8pNqSMR7

Basically though, the following is what I added to each device with the intention of setting up the tunnel:

Cisco 1921:

crypto isakmp key <removed> address <removed> no-xauth
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description SAM_TUNNEL
 set peer <removed>
 set transform-set ESP-3DES-SHA
 match address 102
access-list 102 permit ip 10.70.0.0 0.0.255.255 10.45.0.0 0.0.255.255

ASA 5505:

access-list 100 extended permit ip 10.45.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list NONAT extended permit ip 10.45.0.0 255.255.0.0 10.70.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map PG_TUNNEL_MAP 11 match address 100
crypto map PG_TUNNEL_MAP 11 set peer <removed>
crypto map PG_TUNNEL_MAP 11 set transform-set ESP-3DES-SHA
crypto map PG_TUNNEL_MAP interface outside
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group <removed> type ipsec-l2l
tunnel-group <removed> ipsec-attributes
 pre-shared-key <removed>

I believe the problem is in your NAT configuration.  Your PAT route-map ISP1 matches access-list 130, which does not DENY traffic from 10.70.0.0 to 10.45.0.0, so I would assume your traffic is going through the NAT process thus not matching the encryption domain to bring up the VPN tunnel.
Try adding access-list 130 deny ip 10.70.0.0 0.0.255.255 10.45.0.0 0.0.255.255.  If you're not familiar with IOS based ACLs, you're going to have to negate the ACL from the configuration, edit the ACL in notepad to insert the line, then paste in the ACL.

access-list 130 deny   ip 10.70.2.0 0.0.0.255 10.70.12.0 0.0.0.255
access-list 130 deny   ip 10.70.2.0 0.0.0.255 10.99.99.0 0.0.0.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 <ip_131a232c9d> 0.255.255.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.80.0.0 0.0.255.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.40.0.0 0.0.255.255
access-list 130 permit ip 10.70.0.0 0.0.255.255 any
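The reply above rests on IOS order of operations: an outbound packet is run through the NAT/PAT ACL before the crypto map's ACL is consulted, so if the PAT ACL permits the VPN flow, the source is translated to the outside address and the packet no longer falls inside the encryption domain, and ISAKMP is never triggered. The following script is an added example, not code from the thread or from Cisco: a small evaluator for numbered IOS ACLs (wildcard masks, first match wins, implicit deny) that models that ordering and shows why the extra `deny` line fixes it. The ACL 130 text is copied from the reply, minus the entry whose address is redacted on the page; the outside address `203.0.113.1` and the test flows are constructed stand-ins.

```python
"""
Added example (not from the original thread): an IOS-style ACL evaluator
used to reason about NAT-before-crypto ordering on the Cisco 1921.

In the NAT ACL, 'permit' means "translate this flow" and 'deny' means
"leave it alone" (a NAT exemption); in the crypto ACL, 'permit' means
"this flow belongs to the encryption domain".
"""
import ipaddress


def _wildcard_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.
    The wildcard is an inverse mask; only contiguous wildcards are accepted."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    mask = ~wc & 0xFFFFFFFF
    prefixlen = 32 - wc.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, prefixlen))


def _parse_addr(tokens, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse lines of the form 'access-list N permit|deny ip SRC DST'
    into (action, src_network, dst_network) tuples, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


# PAT ACL 130 as posted in the reply (the entry with the redacted address is
# omitted because its value is not available).
NAT_ACL_BEFORE = """
access-list 130 deny   ip 10.70.2.0 0.0.0.255 10.70.12.0 0.0.0.255
access-list 130 deny   ip 10.70.2.0 0.0.0.255 10.99.99.0 0.0.0.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.80.0.0 0.0.255.255
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.40.0.0 0.0.255.255
access-list 130 permit ip 10.70.0.0 0.0.255.255 any
"""

# The same ACL with the NAT exemption the reply recommends, inserted before the permit.
NAT_ACL_AFTER = NAT_ACL_BEFORE.replace(
    "access-list 130 permit",
    "access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.45.0.0 0.0.255.255\n"
    "access-list 130 permit",
)

# Crypto ACL 102 from the 1921 snippet: the encryption domain.
CRYPTO_ACL = "access-list 102 permit ip 10.70.0.0 0.0.255.255 10.45.0.0 0.0.255.255"

OUTSIDE_IP = "203.0.113.1"  # constructed stand-in for the 1921's outside address


def tunnel_triggered(nat_acl_text, crypto_acl_text, src, dst, outside_ip=OUTSIDE_IP):
    """Model IOS order of operations for an inside-to-outside packet: PAT first,
    then the crypto map ACL against the (possibly translated) source.
    Returns (nat_applied, crypto_matched); the tunnel only comes up when
    crypto_matched is True."""
    nat_applied = acl_permits(parse_acl(nat_acl_text), src, dst)
    effective_src = outside_ip if nat_applied else src
    crypto_matched = acl_permits(parse_acl(crypto_acl_text), effective_src, dst)
    return nat_applied, crypto_matched


if __name__ == "__main__":
    # Constructed sample flows: one VPN-bound, one ordinary Internet-bound.
    for label, nat_acl in (("before fix", NAT_ACL_BEFORE), ("after fix", NAT_ACL_AFTER)):
        for dst in ("10.45.1.20", "198.51.100.7"):
            nat, crypto = tunnel_triggered(nat_acl, CRYPTO_ACL, "10.70.5.10", dst)
            print(f"{label:10s} 10.70.5.10 -> {dst:14s} PAT={nat!s:5s} crypto-match={crypto}")
```

Running it shows the VPN flow being translated and missing ACL 102 before the fix, and matching ACL 102 untranslated after it, while Internet-bound traffic is still PAT'd in both cases. The same check applies to any IOS box where a tunnel refuses to start: if the NAT ACL permits the encryption-domain flow, fix the NAT exemption before touching the ISAKMP policy.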
Thank you. I'm able to complete phase 1 now.