Cisco Support Community
Community Member

ASA 5510 and 1800 are they compatible to use for VPN tunnel?

We have existing Cisco hardware: an ASA 5510 and a Cisco 1800 router. The ASA 5510 is installed in the main office, while the 1800 is planned to be set up at remote sites for a VPN tunnel. Are they compatible, or do we need to purchase other hardware to match the ASA 5510?

Thanks in advance,

Noel

16 REPLIES
Hall of Fame Super Blue

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel

Provided you have the right feature set on your 1811 to create VPNs, then yes, they are compatible, although the configuration will obviously be different. See the attached link for a configuration example.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

Jon

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel,

As long as the 1800 router has a crypto IOS version, it will be compatible for setting up L2L.

Thanks,

Ken

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Hi Ken,

Thanks for the info. Just one additional request: what would be the recommended crypto IOS version for both the ASA 5510 and the 1800? I may need to download it in any case.

Thanks again,

Noel

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Hi,

Refer to this link for feature comparison and IOS versions.

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Thanks guys,

We managed to set it up, but the VPN tunnel is still down. It is pinging on both ends. The IOS for the remote Cisco 1812W is 12.4(6) T9, which is not available in the feature comparison. Kindly advise the compatible IOS version for the ASA5510.

Thanks in advance,

Noel

Hall of Fame Super Gold

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel

There is no issue of which release has crypto for the ASA5510. All versions of the code for ASA automatically include crypto. So the issue is for the 1800. And it is not a question of version but is a question of feature set. You would probably want the Advanced Security feature set or the Advanced Services feature set on the 1800. If you will post the full file name of your IOS image it will show what feature set you already have.

If you were able to enter the crypto map commands on the 1800 then it has a feature set with support for crypto. In which case if the VPN tunnel does not work then there is probably some mismatch between what is configured on the ASA and what is configured on the router. Please post the configs from both devices so that we can see what is preventing it from working.

HTH

Rick

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Thanks Rick,

Please find attached both ASA config and 1812W router.

Thanks again,

Noel

Hall of Fame Super Gold

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel

There is the possibility that there is more than 1 problem. But I found a significant problem and have not looked much further. Fix this and if it still does not work we will look again.

Here is the access list used to identify traffic to be protected on the router:

access-list 106 permit ip 192.168.0.0 0.0.0.255 xx.xxx.98.24 0.0.0.7

and here is the access list from the ASA:

access-list Outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

The access lists should be mirror images of each other and they are not. It looks to me like the access list on the router should have 192.168.10.0 as the destination address.

[edit] I also notice that the ASA specifies PFS in its crypto map and the router does not. I believe that this should also match - either add it on the router (which would be my suggestion) or remove it on the ASA.

HTH

Rick

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Hi Rick,

We made a few changes on the 1812 but no luck; see the attached config for your reference.

Thanks again,

Noel

Hall of Fame Super Gold

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel

I have looked at the new config that you posted and see that there are some changes. You have added PFS which is good. And you have changed the access list from 106 to 104. But the access list is still incorrect. Please remove the line that has:

access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

and replace these 2 lines:

access-list 104 permit ip host 192.168.0.0 host 192.168.10.0

access-list 104 permit ip host 192.168.10.0 host 192.168.0.0

with this:

access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

HTH

Rick
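
The mirror-image requirement from the two replies above, as an added example that is not part of the original thread: a small Python check that normalizes an IOS crypto ACL line (wildcard masks) and an ASA crypto ACL line (netmasks) and compares them. The function names are hypothetical, the sample lines are the ones quoted in the thread, and rejecting discontiguous masks is a simplification assumed here.

```python
import ipaddress

def _take(tokens, wildcard):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr = ipaddress.ip_address(tokens[0])
    mask = int(ipaddress.ip_address(tokens[1]))
    # IOS ACLs use wildcard masks (1 = host bit); ASA ACLs use netmasks.
    host_bits = mask if wildcard else mask ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        # Assumption: a crypto ACL should describe one contiguous subnet.
        raise ValueError(f"discontiguous mask {tokens[1]}")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}"), tokens[2:]

def parse_selector(line, platform):
    """Return (source, destination) networks of a 'permit ip' ACL line."""
    tokens = line.split()
    rest = tokens[tokens.index("permit") + 1:]
    if rest[0] != "ip":
        raise ValueError("only 'permit ip' entries are handled")
    src, rest = _take(rest[1:], platform == "ios")
    dst, rest = _take(rest, platform == "ios")
    return src, dst

def check(ios_line, asa_line):
    """Report whether the router ACL mirrors the ASA ACL."""
    try:
        r_src, r_dst = parse_selector(ios_line, "ios")
        a_src, a_dst = parse_selector(asa_line, "asa")
    except ValueError as exc:
        return f"invalid: {exc}"
    if (r_src, r_dst) == (a_dst, a_src):
        return "mirror"
    return f"mismatch: router {r_src} -> {r_dst}, ASA expects {a_dst} -> {a_src}"

# ACL lines as quoted in the thread.
ASA = ("access-list Outside_20_cryptomap extended permit ip "
       "192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0")
ROUTER_FIXED = "access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255"
ROUTER_HOST = "access-list 104 permit ip host 192.168.0.0 host 192.168.10.0"
ROUTER_BAD = "access-list 104 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0"

if __name__ == "__main__":
    for line in (ROUTER_FIXED, ROUTER_HOST, ROUTER_BAD):
        print(check(line, ASA))
```
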

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Hi Rick,

We made a few changes as instructed via SDM but still no luck.

I have also noticed that the IKE policies were showing MD5, so we changed it to SHA_1. The problem is that on the ASA5510 it is showing just SHA. Is this the reason why it is still down?

Or should we set both to MD5?

Thanks again,

Noel

Hall of Fame Super Gold

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel

I am not sure what you changed. And I am not sure where MD5 came from. In the config files that you posted for both the router and the ASA it is showing SHA. The router and the ASA do need to agree on this parameter.

Perhaps it would help if you run debug for the crypto isakmp negotiation. It would also be helpful if you post current config for the router and the ASA.

HTH

Rick

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Hi Rick,

Thank you very much for your continuous technical support. We solved the connection/VPN tunnel between the ASA 5510 and the Cisco 1800. We basically checked the IPSEC setup on both the ASA 5510 and the 1800 per the guidelines.

Thanks again,

Noel

Hall of Fame Super Gold

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Noel

I am glad that you got the problem resolved and got the VPN working. Thank you for posting back to the forum and indicating that the problem was solved and how you solved it. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read how the problem was successfully solved.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

As mentioned above, the ASA5510 supports site-to-site VPNs out of the box (250, in fact, with the base license). The IOS you are using for the 1800 should support crypto. Do you know which feature set you're using? That is the important thing.

Feature sets that support crypto are:

Advanced Security

Advanced IP Services

Advanced Enterprise Services

Can you post the configs for both devices?

Regards

Community Member

Re: ASA 5510 and 1800 are they compatible to use for VPN tunnel?

Hi, thanks.

I'm really new to this appliance. I would really appreciate it if you could guide me to finalize the VPN tunnel.

Thanks again,

Noel
