Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN RV042 to ASA 5505 Manual Key

Hey all,

I've got an RV042 and an ASA 5505 that between which I'm trying to create a site-to-site VPN tunnel.  As per the the instructions I was given by the tech manager where I work, I may only configure the ASA -- I can pull configs from the RV042 but cannot change any of its configurations.  The problem is, I cannot figure out how to get the VPN tunnel up since the RV042 is using a manual key exchange opposed to public key.  I've attached the configs of both devices -- removing most of the IP addresses -- since I figure that would help.  If anyone has an idea of how to fix it, I'd be extremely grateful.

VPN Info from RV042:

Tunnel No. 2

Tunnel Name: Test_VPN

Interface: Wan1

Enable: (Checked)

Local Security Gateway Type: IP Only

IP Address: 173.x.x.153

Local Security Type: IP

IP Address: 192.x.x.10

Remote Security Gateway Type: IP Only

IP Address: 74.x.x.249

Remote Security Group Type: Subnet

IP Address: 192.x.x.0

Subnet Mask: 255.255.255.0

Keyring Mode: Manual

Incoming SPI: 9R834D

Outgoing SPI: 4G2A5DE

Encryption: 3DES

Authentication: MD5

Encryption Key: 123000000000000000       <--- example

Authentication Key: 321000000000000000  <--- example

From here, I'm not too sure where to start on the ASA.  Here's what I've got going on on the ASA:

ASA Version 7.2(4) 
!
hostname MISASA
domain-name digilogelectronics.com
enable password uTKDm72tC2ItqXf0 encrypted
passwd uTKDm72tC2ItqXf0 encrypted
names
name 8.8.4.4 Google description Primary DNS Server
name 192.168.10.0 N-Compass description N-Compass Test Subnet
name 173.167.148.153 N-Compass_Firewall description Firewall
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.x.x.6 255.255.255.0 
!
interface Vlan2
 description Comcast
 nameif outside
 security-level 0
 ip address 74.x.x.249 255.255.255.252 
!
interface Vlan3
 description TowerStream
 nameif outside2
 security-level 0
 ip address 204.x.x.228 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login WARNING: THIS ASSET BELONGS TO MIS COMPUTER CORP.   IF YOU ARE NOT AN AUTHORIZED USER, LOG OUT NOW.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name digilogelectronics.com
object-group service RDP_T tcp
 description Terminal Service
 port-object eq 3390
object-group service PCA tcp
 description PC Anywhere
 port-object eq pcanywhere-data
access-list outside_access_in remark Internal Webserver
access-list outside_access_in extended permit tcp any 74.x.x.248 255.255.255.252 eq www 
access-list outside_access_in remark Terminal Server
access-list outside_access_in extended permit tcp any 74.x.x.248 255.255.255.252 object-group RDP_T 
access-list outside_access_in remark PCA
access-list outside_access_in extended permit tcp any 74.x.x.248 255.255.255.252 object-group PCA 
access-list outside_access_in remark Allow ping to google dns server
access-list outside_access_in extended permit icmp host Google any 
access-list inside_nat0_outbound extended permit ip any 172.x.x.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip interface inside host N-Compass_Firewall 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any eq ssh any eq ssh 
access-list outside_1_cryptomap extended permit ip interface inside host N-Compass_Firewall 
access-list outside2_access_in remark Allow ping to google dns server
access-list outside2_access_in extended permit icmp host Google any 
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.x.x.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.x.x.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging host inside 192.x.x.15
mtu inside 1500
mtu outside 1500
mtu outside2 1500
ip local pool VPN-Pool 172.x.x.100-172.x.x.150 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface outside2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.x.x.4 www netmask 255.255.255.255 
static (inside,outside) tcp interface 3390 192.x.x.15 3390 netmask 255.255.255.255 
static (inside,outside) tcp interface pcanywhere-data 192.x.x.7 pcanywhere-data netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 74.x.x.250 1 track 1
route outside2 0.0.0.0 0.0.0.0 204.x.x.225 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.x.x.0 255.255.255.0 inside
snmp-server host inside 192.x.x.15 poll community public
snmp-server location 2nd Floor
snmp-server contact (removed)
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho Google interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer N-Compass_Firewall 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal  20
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.x.x.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.x.x.7-192.x.x.254 inside
!

ntp server 208.x.x.3 source outside prefer
ntp server 169.x.x.201 source outside2
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.x.x.3
 dns-server value 192.x.x.3
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy VPN_Test2 internal
group-policy VPN_Test2 attributes
 wins-server value 192.x.x.3
 dns-server value 192.x.x.3
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
username hibbitts password gdwH9yJZ8y5WQR0I encrypted privilege 15
username hibbitts attributes
 vpn-group-policy VPN_Test2
username padilla password TDDHqQJBROU8qhsD encrypted privilege 15
username padilla attributes
 vpn-group-policy VPN_Test2
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group VPN_Test2 type ipsec-ra
tunnel-group VPN_Test2 general-attributes
 address-pool VPN-Pool
 default-group-policy VPN_Test2
tunnel-group VPN_Test2 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
!
!
prompt hostname context 
Cryptochecksum:7ab19d5eac7a7f38161d8440a6104280
: end
asdm image disk0:/asdm-524.bin
asdm location Google 255.255.255.255 inside
asdm location N-Compass_Firewall 255.255.255.255 inside
asdm location N-Compass 255.255.255.0 inside
no asdm history enable
Everyone's tags (4)
1292
Views
0
Helpful
0
Replies