Help - site-to-site betw ASA 5505 and Cisco IOS Router

    I've been trying to establish a site-to-site VPN with a client. The remote site has an ASA 5505 and I have a 3725 running IOS 12.4(18e).

    We have gone over the configuration a number of times and can't seem to get the VPN up. He is using ASDM to configure and we have matched all necessary parameters.

    The endpoints are able to ping one another. When testing the tunnel from the IOS router, all is successful, but Tunnel Status does not come up.

    Can anyone eyeball these configs and give some insight?


    Here is the configuration on the ASA:

    ASA# sh run

    : Saved
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password 4IBweWjJzRt9eRPd encrypted
    passwd 4IBweWjJzRt9eRPd encrypted
    name inside-network
    name outside-network
    name net1
    name net2
    name Public description VPN Endpoint
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address
    interface Vlan3
     no forward interface Vlan1
     nameif dmz
     security-level 50
     no ip address
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group network RemoteSite
     description Internal Network
     network-object net1
     network-object net2
    access-list inside_nat0_outbound extended permit ip inside-network object-group RemoteSite
    access-list outside_1_cryptomap extended permit ip inside-network object-group RemoteSite
    access-list inside_access_in extended permit ip any any log disable
    access-list outside_access_in extended permit ip Public any log disable
    access-list outside_access_in extended permit tcp any any eq ssh
    pager lines 24
    logging monitor debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http inside-network inside
    http outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 1 set phase1-mode aggressive group2
    crypto map outside_map 1 set reverse-route
    crypto map outside_map interface outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address inside
    dhcpd enable inside
    ntp server source outside
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth enable
     group-lock value
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
     functions url-entry
     html-content-filter none
     homepage none
     keep-alive-ignore 4
     http-comp gzip
     filter none
     url-list none
     customization value DfltCustomization
     port-forward none
     port-forward-name value Application Access
     sso-server none
     deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
     svc none
     svc keep-installer installed
     svc keepalive none
     svc rekey time none
     svc rekey method none
     svc dpd-interval client none
     svc dpd-interval gateway none
     svc compression deflate
    username xxx password /T.njxIy.UUm9Hch encrypted
    tunnel-group 64.31.x.x type ipsec-l2l
    tunnel-group 64.31.x.x ipsec-attributes
     pre-shared-key *
     peer-id-validate nocheck
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

    IOSRouter# show crypto map

    Crypto Map "dynmap" 5 ipsec-isakmp
            Description: DR - ACTS Cryptomap
            Peer =
            Extended IP access list 165
                access-list 165 permit ip
                access-list 165 permit ip
            Current peer:
            Security association lifetime: 4608000 kilobytes/3600 seconds
            PFS (Y/N): Y
            DH group: group2
            Transform sets={
    CCNA, MCSE, MCP, Network+, CNA, A+
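    An added example, not part of the original post and not either device's own tooling: a small Python script that pulls the IKE phase-1 policy, the transform sets and the crypto-map settings out of both running configs and reports what would keep the tunnel down. The ASA lines are copied from the config above (peer, ACL and reverse-route lines left out, since their values are not needed for the check). The IOS side is a constructed, hypothetical counterpart: it leaves out "hash", which IOS never prints in show run because SHA is the default, so the two configs look matched when eyeballed but disagree on the phase-1 hash (the ASA has md5). The script also encodes two platform traps relevant to this pair: a bare "set pfs" means group2 on ASA 7.x but group1 on IOS, and the ASA above is set to initiate in aggressive mode, which IOS answers unless "crypto isakmp aggressive-mode disable" is configured; with a pre-shared key, aggressive mode exposes the PSK hash to a passive observer, so main mode is preferable where both ends allow it.

```python
# Crypto lines from the ASA config in the post (peer, ACL and RRI lines omitted).
ASA_CFG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive group2
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""

# Constructed, hypothetical IOS side (the router's real config is not in the thread).
# 'hash' is absent, so IOS uses its default, SHA, and 'show run' never prints it.
IOS_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map dynmap 5 ipsec-isakmp
 set transform-set ESP-3DES-MD5
 set pfs group2
"""

ISAKMP_ATTRS = ("encryption", "hash", "authentication", "group")
# IOS 'show run' omits default ISAKMP attributes; ASA 7.x prints all of them.
IOS_ISAKMP_DEFAULTS = dict(zip(ISAKMP_ATTRS, ("des", "sha", "rsa-sig", "1")))


def blocks(cfg):
    """Yield (header, [children]) from a Cisco-style indented config."""
    header, children = None, []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            children.append(line.strip())
            continue
        if header is not None:
            yield header, children
        header, children = line.strip(), []
    if header is not None:
        yield header, children


def parse(cfg, platform):
    """Extract ISAKMP policies, transform sets and crypto-map entries."""
    out = {"isakmp": [], "transforms": {}, "maps": {}, "aggressive_disabled": False}
    for header, children in blocks(cfg):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            pol = dict(IOS_ISAKMP_DEFAULTS) if platform == "ios" else {}
            for c in children:
                key, _, val = c.partition(" ")
                pol["encryption" if key == "encr" else key] = val  # IOS abbreviates
            out["isakmp"].append(pol)
        elif header.startswith("crypto ipsec transform-set"):
            out["transforms"][w[3]] = tuple(sorted(w[4:]))
        elif header == "crypto isakmp aggressive-mode disable":
            out["aggressive_disabled"] = True
        elif header.startswith("crypto map ") and len(w) > 3 and w[3].isdigit():
            entry = out["maps"].setdefault((w[2], w[3]), {"pfs": None, "phase1_mode": "main"})
            # ASA writes one full line per setting; IOS nests them under the map header.
            for sw in ([w[4:]] if platform == "asa" else [c.split() for c in children]):
                if sw[:2] == ["set", "transform-set"]:
                    entry["transforms"] = sw[2:]
                elif sw[:2] == ["set", "pfs"]:  # bare 'set pfs': group2 on ASA, group1 on IOS
                    entry["pfs"] = sw[2] if len(sw) > 2 else ("group2" if platform == "asa" else "group1")
                elif sw[:2] == ["set", "phase1-mode"]:
                    entry["phase1_mode"] = sw[2]
    return out


def compare(asa, ios):
    """Return findings; a working pair yields only informational 'note:' lines."""
    findings = []
    # Phase 1: some ASA policy must equal some IOS policy on all four attributes
    # (lifetimes are not compared; IKEv1 peers settle on the shorter one).
    pairs = [(a, i) for a in asa["isakmp"] for i in ios["isakmp"]]
    if not any(all(a.get(k) == i.get(k) for k in ISAKMP_ATTRS) for a, i in pairs):
        for a, i in pairs:
            diffs = [f"{k}: asa={a.get(k)} ios={i.get(k)}" for k in ISAKMP_ATTRS if a.get(k) != i.get(k)]
            findings.append("phase1 no matching policy; " + ", ".join(diffs))
    # Phase 2: the transform sets referenced by the crypto maps must overlap; PFS must agree.
    def offered(s):
        return {s["transforms"][t] for m in s["maps"].values() for t in m.get("transforms", [])}
    if not offered(asa) & offered(ios):
        findings.append(f"phase2 no common transform set: asa={sorted(offered(asa))} ios={sorted(offered(ios))}")
    asa_pfs, ios_pfs = ({m["pfs"] for m in s["maps"].values()} for s in (asa, ios))
    if asa_pfs != ios_pfs:
        findings.append(f"phase2 PFS mismatch: asa={asa_pfs} ios={ios_pfs}")
    # The ASA initiates in aggressive mode; IOS answers it unless aggressive-mode is disabled.
    # With a PSK, aggressive mode hands a passive observer the PSK hash to crack offline.
    if any(m["phase1_mode"] == "aggressive" for m in asa["maps"].values()):
        findings.append("phase1 ASA uses aggressive mode but IOS disables it" if ios["aggressive_disabled"]
                        else "note: aggressive mode with PSK; prefer main mode")
    return findings


if __name__ == "__main__":
    print("\n".join(compare(parse(ASA_CFG, "asa"), parse(IOS_CFG, "ios"))))
```

    Run against the two embedded configs it reports the hidden phase-1 hash mismatch plus the aggressive-mode note; adding " hash md5" under the IOS policy clears the mismatch. To use it on real devices, paste the full output of show run from each side into the two strings; the parser ignores everything outside the crypto sections. Mirrored crypto ACLs, the peer addresses and the pre-shared key still have to be checked by hand.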

  • #2
    Re: Help - site-to-site betw ASA 5505 and Cisco IOS Router

    Kind of hard to offer much site-to-site advice with only one of the configs...