Help - site-to-site betw ASA 5505 and Cisco IOS Router
  • Help - site-to-site betw ASA 5505 and Cisco IOS Router

    I've been trying to establish a site to site VPN with a client. Remote site has an ASA 5505 and I have a 3725 running IOS 12.4(18e).

    We have gone over the configuration a number of times and can't seem to get the vpn up. He is using ASDM to configure and we have matched all necessary parameters.

    The endpoints are able to ping one another. When testing tunnel from IOS Router all is successful but Tunnel Status does not come up.

    Can anyone eyeball these configs and give some insight?

    Thanks

    Here is the configuration on the ASA:

    +++++++++++++++++++++++++++
    ASA# sh run

    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname ASA
    domain-name default.domain.invalid
    enable password 4IBweWjJzRt9eRPd encrypted
    passwd 4IBweWjJzRt9eRPd encrypted
    names
    name 192.168.3.0 inside-network
    name 173.8.xxx.xxx outside-network
    name 172.16.4.0 net1
    name 172.16.6.0 net2
    name 64.31.xxx.xxx Public description VPN Endpoint
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 173.8.xxx.xxx 255.255.255.248
    !
    interface Vlan3
    shutdown
    no forward interface Vlan1
    nameif dmz
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group network RemoteSite
    description Internal Network
    network-object net1 255.255.255.0
    network-object net2 255.255.255.0
    access-list inside_nat0_outbound extended permit ip inside-network 255.255.255.0 object-group RemoteSite
    access-list outside_1_cryptomap extended permit ip inside-network 255.255.255.0 object-group RemoteSite
    access-list inside_access_in extended permit ip any any log disable
    access-list outside_access_in extended permit ip Public 255.255.255.252 any log disable
    access-list outside_access_in extended permit tcp any any eq ssh
    pager lines 24
    logging monitor debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 192.168.3.1-192.168.3.254
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 173.8.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http inside-network 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 64.31.xxx.xxx
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 1 set phase1-mode aggressive group2
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.3.2-192.168.3.33 inside
    dhcpd enable inside
    !
    ntp server 67.220.194.133 source outside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth enable
    group-lock value 64.31.xxx.xxx
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    username xxx password /T.njxIy.UUm9Hch encrypted
    tunnel-group 64.31.x.x type ipsec-l2l
    tunnel-group 64.31.x.x ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:efd58c9fc94511933e596751bf362a81
    : end
    +++++++++++++++++++++++++++

    IOSRouter# show crypto map

    +++++++++++++++++++++++++++
    Crypto Map "dynmap" 5 ipsec-isakmp
    Description: DR - ACTS Cryptomap
    Peer = 173.8.xxx.xxx
    Extended IP access list 165
    access-list 165 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 165 permit ip 172.16.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    Current peer: 173.8.xxx.xxx
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): Y
    DH group: group2
    Transform sets={
    checkpoint,
    }
    Verbalh
    CCNA, MCSE, MCP, Network+, CNA, A+
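    One thing worth checking mechanically when a site-to-site tunnel won't come up is that the two crypto ACLs are exact mirror images, since the proxy identities each peer proposes in phase 2 are taken from those ACLs. The block below is an added Python example, not code from this thread: it resolves the ASA's `name` aliases and `object-group RemoteSite`, converts the IOS wildcard masks to prefixes, and reports any (source, destination) pair that is not mirrored on the other side. The two config fragments are constructed from what is posted above; the contents of the IOS `checkpoint` transform set are not shown in the thread, so no transform-set comparison is attempted.

```python
import ipaddress

# Constructed from the configs posted in the thread (not a live device dump).
ASA_CONFIG = """\
name 192.168.3.0 inside-network
name 172.16.4.0 net1
name 172.16.6.0 net2
object-group network RemoteSite
 description Internal Network
 network-object net1 255.255.255.0
 network-object net2 255.255.255.0
access-list outside_1_cryptomap extended permit ip inside-network 255.255.255.0 object-group RemoteSite
"""

IOS_SHOW_CRYPTO_MAP = """\
Extended IP access list 165
access-list 165 permit ip 172.16.6.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 165 permit ip 172.16.4.0 0.0.0.255 192.168.3.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverse (wildcard) masks: 0.0.0.255 means /24, 0.0.0.0 means a host."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w != (1 << w.bit_length()) - 1:        # must be a contiguous run of low-order ones
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _asa_endpoint(tokens, i, names, groups):
    """Consume one ASA ACL endpoint at tokens[i]; return (list of networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(f"{names.get(tokens[i + 1], tokens[i + 1])}/32")], i + 2
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    addr = names.get(tok, tok)                # resolve 'name' aliases such as inside-network
    return [ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False)], i + 2


def parse_asa_crypto_acl(config, acl_name):
    """Return the set of (src, dst) network pairs the named ASA ACL selects for the tunnel."""
    names, groups, pairs, group = {}, {}, set(), None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "name" and len(tokens) >= 3:
            names[tokens[2]] = tokens[1]
        elif tokens[:2] == ["object-group", "network"]:
            group = groups.setdefault(tokens[2], [])
        elif tokens[0] == "network-object" and group is not None:
            nets, _ = _asa_endpoint(tokens, 1, names, {})
            group.extend(nets)
        elif tokens[:2] == ["access-list", acl_name] and "permit" in tokens:
            i = tokens.index("permit") + 2    # skip 'permit' and the protocol keyword
            src, i = _asa_endpoint(tokens, i, names, groups)
            dst, _ = _asa_endpoint(tokens, i, names, groups)
            pairs.update((s, d) for s in src for d in dst)
    return pairs


def _ios_endpoint(tokens, i):
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_ios_acl(text, acl_number):
    """Return the set of (src, dst) pairs from numbered IOS 'access-list N permit ip ...' lines."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] == ["access-list", str(acl_number), "permit"]:
            src, i = _ios_endpoint(tokens, 4)  # tokens[3] is the protocol keyword
            dst, _ = _ios_endpoint(tokens, i)
            pairs.add((src, dst))
    return pairs


def mirror_report(local_pairs, remote_pairs):
    """Every (src, dst) on one side must appear as (dst, src) on the other."""
    remote_mirrored = {(d, s) for s, d in remote_pairs}
    local_mirrored = {(d, s) for s, d in local_pairs}
    return {
        "match": local_pairs == remote_mirrored,
        "only_on_local": sorted(f"{s} -> {d}" for s, d in local_pairs - remote_mirrored),
        "only_on_remote": sorted(f"{s} -> {d}" for s, d in remote_pairs - local_mirrored),
    }


if __name__ == "__main__":
    asa = parse_asa_crypto_acl(ASA_CONFIG, "outside_1_cryptomap")
    ios = parse_ios_acl(IOS_SHOW_CRYPTO_MAP, 165)
    print(mirror_report(asa, ios))
```

    For the two ACLs posted in this thread the report comes back with `match` true, so the proxy identities are not the mismatch; the same functions can be pointed at a fuller `show run` and `show access-list` dump to catch the common case where one side adds a subnet and the other does not.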

  • #2
    Re: Help - site-to-site betw ASA 5505 and Cisco IOS Router

    Kind of hard to offer much site-to-site advice with only one of the configs...
