Hello, NAT is anabled on

ngtransge · ‎08-07-2014

Hello,

I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.

881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.

When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP.

VPN is working when I replace ASA5505 with ASA5510 correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.

Can you help me, how can I debug or troubleshoot this problem ?

I am unable to update software on ASA5505 side.

nkarthikeyan · ‎08-07-2014

Hi,

If the packets are not getting decrypted at other end, then traffic itself is not reaching at there... have you enabled NAT-T if your device is behing the NAT device? Can you do check on that?

If you want to update OS from 7.2 to 8.4, then you need to go with first upgrade to 8.2 and then to 8.4 version..... delete the unwanted OS to free up the space..... if space is the constraint.....

Regards

Karthik

ngtransge · ‎08-08-2014

Hello,

NAT is anabled on ASA5505 side, but there are exemps rules, and they are working correctly. because when i ping from one site to another in crypro sesseinos i see that ASA performas packet encryption. They problem is that I downt see packet decryption on router side. and vice versa.

nkarthikeyan · ‎08-09-2014

Hi,

can you post the configs of asa 5505 and router????

Regards

Karthik

ngtransge · ‎08-11-2014

Hello,

Hire is what my config look like:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP

tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******

group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable
!

nkarthikeyan · ‎08-11-2014

Hi,

You have pasted one end config alone... can you post other end config as well....

please mention the acl created for this as well.... and NAT statements

Regards

Karthik

ngtransge · ‎08-11-2014

hire is NAT on ASA5505
!
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound line 20 extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0
!
access-list cisco_splitTunnelAcl line 1 standard permit 192.168.68.0 255.255.255.0
!

hire is config of remoute 881 client

!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
!

!
ip dhcp excluded-address 192.168.111.1 192.168.111.100
!

username user password 0 123
!
crypto isakmp policy 69
encr aes
group 2
!
crypto ipsec client ezvpn HW-CLIENT-GROUPR
connect auto
group HW-CLIENT-GROUPR key 123
mode network-extension
peer x.x.x.x
username user password 123
xauth userid mode local
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address dhcp
duplex auto
speed auto
!
interface Cellular0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer pool-member 1
async mode interactive
!
interface Vlan1
description LAN
ip address 192.168.69.1 255.255.255.0
crypto ipsec client ezvpn HW-CLIENT-GROUPR inside
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string gsm
dialer persistent
ppp authentication chap callin
ppp chap hostname grps123
ppp chap password 0 asdasd
ppp ipcp dns request
no cdp enable
crypto ipsec client ezvpn HW-CLIENT-GROUPR
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1

nkarthikeyan · ‎08-11-2014

tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP

I guess you have misconfigured. is that a correct one or typo error while pasting?

Regards

Karthik

ngtransge · ‎08-11-2014

it is just mistake during configuration paste hire.

nkarthikeyan · ‎08-11-2014

Hi,

You have not pasted the complete configuration in place.... you have copy pasted, which doesn't have all the required information.

can you post the complete configurations to my email id or through personal message option in csc forum?

because i do see nat commands is missing in vlan/interface.... nat commands is missing @ router end.....

http://www.alfredtong.com/cisco/cisco-ezvpn-cisco-asa-and-ios-router/

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/68815-ezvpn-asa-svr-871-rem.html

Regards

Karthik

Regards

Karthik