VPN between IOS and ASA

Hello my friends,

I have been trying to establish VPN connectivity between a Cisco IOS router and an ASA firewall over the internet, with no luck so far. I think I am missing some important bit of the configuration.

Here are my configuration commands:

 

Router:

crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2

crypto isakmp key XXX address 103.252.AAA.AAA

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA

ip access-list extended VPN
 permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255

ASA commands:

sysopt connection permit-vpn

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5

tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX

access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0

access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB

crypto map VPN interface outside

Do you have any idea what is wrong? Thank you a lot in advance.
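A consistency check over the two posted configurations, as an added example that is not part of the thread: it parses both crypto ACLs (IOS wildcard masks on the router, subnet masks on the ASA) and confirms they mirror each other, and merges each ISAKMP policy over its platform's own defaults so that an omitted line (the ASA policy above has no group line) is compared on the value the box actually uses. The config text is constructed from the snippets above with IOS-style indentation, the AAA/BBB octets are placeholders, and the ACL parser assumes network/mask entries only (no host or any keywords).

```python
import ipaddress
import re
# Constructed sample configs from the thread's snippets (AAA/BBB octets are placeholders).
ROUTER_CFG = """crypto isakmp policy 20
 encryption 3des
 auth pre-share
 hash md5
 group 2
crypto isakmp key XXX address 103.252.1.1
crypto map MAP 5 ipsec-isakmp
 set peer 103.252.1.1
ip access-list extended VPN
 permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
"""
ASA_CFG = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
tunnel-group 203.167.2.2 type ipsec-l2l
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto map VPN 10 set peer 203.167.2.2
"""
# Values each platform applies when a policy line is omitted; note IOS and ASA differ.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "auth": "pre-share", "group": "2"}
FLOW_RE = re.compile(r"permit (ip|icmp) (\S+) (\S+) (\S+) (\S+)")

def crypto_flows(cfg):
    """Set of (proto, src, dst) networks; ipaddress parses wildcard and subnet masks alike."""
    return {(p, ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for p, s, sm, d, dm in FLOW_RE.findall(cfg)}

def isakmp_policy(cfg, defaults):
    """First 'crypto isakmp policy' block merged over the platform defaults."""
    pol = dict(defaults)
    block = re.search(r"crypto isakmp policy \d+\n((?: .*\n)+)", cfg).group(1)
    for key, val in re.findall(r" (encryption|hash|auth\w*|group) (\S+)", block):
        pol["auth" if key.startswith("auth") else key] = val
    return pol

def check_vpn(router_cfg, asa_cfg):
    """Return mismatch descriptions; an empty list means the compared parameters agree."""
    r_flows, a_flows = crypto_flows(router_cfg), crypto_flows(asa_cfg)
    issues = []
    # Each side's crypto ACL must be the exact mirror image (proto, dst, src) of the other's.
    for side, mine, theirs in (("ASA", r_flows, a_flows), ("router", a_flows, r_flows)):
        issues += [f"{side} ACL lacks mirror of {p} {s} -> {d}" for p, s, d in mine if (p, d, s) not in theirs]
    r_pol, a_pol = isakmp_policy(router_cfg, IOS_DEFAULTS), isakmp_policy(asa_cfg, ASA_DEFAULTS)
    issues += [f"phase-1 {k} mismatch: router={r_pol[k]} asa={a_pol[k]}" for k in r_pol if r_pol[k] != a_pol[k]]
    return issues
```

For the parameters actually posted the check returns no mismatches, so the cause lies elsewhere (interface binding, NAT exemption, or IKE not enabled on the ASA outside interface are the usual next things to verify); dropping "group 2" from the router policy shows how a silent default (IOS group 1 vs ASA group 2) produces a phase-1 mismatch.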

8 REPLIES

where is router interface config?

and post from router and asa

sh cry isa sa

sh cry ips sa

Hi ttemir,

Here you go:

ASA# sh cry ips sa

There are no ipsec sas

RT01#sh cry ips sa | include 103.252
RT01#

(there is output for sh cry ips sa, but not a single paragraph related to the 103.252 VPN)

router interface:

interface GigabitEthernet0/1
 description Internet
 ip address 203.167.BBB.BBB 255.255.255.252
 ip access-group outside_access_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex full
 speed 100
  no clns route-cache
 crypto map MAP

ip access-list extended outside_access_in

 permit esp host 103.252.AAA.AAA host 203.167.BBB.BBB
 permit udp host 103.252.AAA.AAA host 203.167.BBB.BBB eq isakmp
 permit udp host 103.252.AAA.AAA host 203.167.BBB.BBB range 1 65535
 permit tcp host 103.252.AAA.AAA host 203.167.BBB.BBB range 1 65535
 permit icmp host 103.252.AAA.AAA host 203.167.BBB.BBB

thank you!

Hi Thomas,

Have you excluded IPsec traffic from getting NATed?

Best Regards,

Bheem
Hi Bhnegi,

Yes I did.

Also, when I am trying to enable ikev1 on the outside interface I am getting this error:

crypto ikev1 enable outside
ERROR: Unable to configure IKEv1 on interface 'outside' as ipsec-over-tcp is enabled on port 45, which is currently in use by another service. Please choose a different port for ipsec-over-tcp.

But from the show run I can see that it is enabled:

ASA# show run | include enable\ outside
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
 enable outside

Thank you, I am stuck.


Are you using NAT on the ASA? If yes, please see the workaround for the bugs below, where

TCP port 10000 was reserved as a fix of

CSCtl74435 VPN ports not removed from PAT pool

UDP port 10000 was reserved as a fix of

CSCtn69941 VPN ports not removed from PAT pool (UDP cases)

Best Regards,

Bheem


Hi Bheem,

'Topic not found' when I try to open these links :-(

I am using NAT for normal internet access and no NAT for the VPN connectivity.

Does this bug mean that

crypto isakmp enable outside

is not enabled?


I managed to get this from the show crypto ipsec sa:

     local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none


And details from show crypto session detail:

Interface: GigabitEthernet0/1
Session status: DOWN
Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/9353-39.html