Help with my Cisco ASA VPN config shown below

Hi,

Wondered if I could use your knowledge.

Currently I have all my site-to-site VPNs and Cisco Client VPNs coming into a Cisco Concentrator. But now I have these ASAs, and I want to start moving all this over from the Concentrator.

I have managed to move the Cisco Client users over, but I am having a little trouble with a site-to-site. It's only a test at the moment, but I wondered if you can see what I need to add.

Here is the setup:

     |                                                                 |
   --|                                                                 |--
     |      +-----------+        /-^-^-^-^--\        +-----------+      |
     |------| London    |========| Internet |========| Remote    |------|
     | LAN  +-----------+ Ext    \--v-v-v-v-/    Ext +-----------+  LAN |
   --| 192.168.21.0   100.171.156.65       101.149.110.103  172.19.15.0 |--
     | 192.168.20.0                                                     |

The IKE Phase 1 parameters used are:

* Main mode

* AES-256

* SHA

* DH Group 5

* pre-shared secret of "123456789"

* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used are:

* AES-256

* SHA

* DH Group 5

* Perfect forward secrecy for rekeying

* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying

Trusted networks in London are 192.168.21.0/24 and 192.168.20.0/24 (known as London_VPN_Subnets), and at the remote site 172.19.15.0/24.

The firewall's outside is 100.x.x.66 and the Internet router is 100.x.x.65.

I have added the following to the config:

access-list inside_outbound_nat0_acl extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
sysopt noproxyarp inside
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 101.149.110.103
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 101.149.110.103 type ipsec-l2l
tunnel-group 101.149.110.103 ipsec-attributes
 pre-shared-key 123456789
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.171.156.65

What am I missing? It seems I need a route to contact this remote network, plus some access lists. Any ideas?

I don't want any/any ACEs, as these create 2 unidirectional IPsec SAs; using host-based ACEs is not recommended as these use resources.

Many thanks if you get a chance.

2 REPLIES

Re: Help with my Cisco ASA VPN config shown below

Try adding:

access-list outside_1_cryptomap extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0

Re: Help with my Cisco ASA VPN config shown below

My fault, I already have that.

I seem to be getting QM FSM errors on either side too when I run debug crypto ipsec and isakmp.

Is this to do with the protected networks not matching?
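As an added example, not part of the thread or the poster's config: a small audit script that parses the phase 1 policies and the crypto map entry copied from the posted config and reports where they differ from the parameters agreed with the remote site (aes-256, sha, group 5, a 28800 s lifetime, and group 5 PFS). It assumes that a bare `set pfs` means the ASA default of group 2; the config excerpt is taken from the post above, trimmed to the lines the checks use.

```python
import re

# Constructed excerpt of the ASA config posted in the thread (phase 1 and phase 2 lines only).
ASA_CONFIG = """\
crypto map outside_map 1 set pfs
crypto isakmp policy 10
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""
# Parameters agreed with the remote site, as stated in the original post.
REQUIRED_PHASE1 = {"encryption": "aes-256", "hash": "sha", "group": "5", "lifetime": "28800"}
REQUIRED_PFS_GROUP = "5"

def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy <prio>' block to its indented attributes."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the block
    return policies

def crypto_map_pfs_group(config, name, seq):
    """PFS group on a crypto map entry, 'none' if unset; assumes bare 'set pfs' = ASA default group 2."""
    m = re.search(rf"^crypto map {name} {seq} set pfs(?: group(\d+))?$", config, re.M)
    return (m.group(1) or "2") if m else "none"

def audit(config):
    """List mismatches; phase 1 passes if any one policy matches every agreed attribute."""
    findings, policies = [], parse_isakmp_policies(config)
    if not any(all(p.get(k) == v for k, v in REQUIRED_PHASE1.items()) for p in policies.values()):
        for prio, attrs in sorted(policies.items()):
            diffs = [f"{k}={attrs.get(k)} (want {v})" for k, v in REQUIRED_PHASE1.items() if attrs.get(k) != v]
            findings.append(f"isakmp policy {prio}: " + ", ".join(diffs))
    pfs = crypto_map_pfs_group(config, "outside_map", 1)
    if pfs != REQUIRED_PFS_GROUP:
        findings.append(f"crypto map outside_map 1: pfs group {pfs} (want {REQUIRED_PFS_GROUP})")
    return findings
```

Run `audit(ASA_CONFIG)` to see the three differences in the posted config: both policies carry an 86400 s lifetime, policy 10 uses group 2, and the crypto map's PFS group is the default rather than group 5.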
