Need Urgent help for configuring VPN

asfar.zaidi — Mon, 11 Mar 2019 12:51:19 GMT

Hi there

I have ASA 5510 in the Headoffice with static IP and ASA 5505 in the remote site behind ADSL router , trying to establish VPN but its failing in phase 1

Config of Head Office

interface Ethernet0/0

description Link to LeaseLine Router

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

interface Ethernet0/1

description Link to Internal LAN

nameif inside

security-level 100

ip address 172.17.1.15 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0

access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0

access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map cisco 1 match address VPN

crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA

crypto map outside_map 10 match address vpn_to_remote

crypto map outside_map 10 set pfs

crypto map outside_map 10 set peer y.y.y.y

crypto map outside_map 10 set transform-set esp-aes-256-md5

crypto map outside_map 10 set reverse-route

crypto map outside_map 30 ipsec-isakmp dynamic cisco

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash md5

group 5

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y ipsec-attributes

pre-shared-key *

tunnel-group parkplace type ipsec-l2l

tunnel-group parkplace ipsec-attributes

pre-shared-key *

Config of Remote Site

interface Vlan1

nameif inside

security-level 100

ip address 172.20.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.1.2 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

access-list ICMP extended permit icmp any any

access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0

access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0 outside

access-group ICMP in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address VPN

crypto map outside_map 1 set peer 83.111.252.242

crypto map outside_map 1 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

tunnel-group fairmount type ipsec-l2l

tunnel-group fairmount ipsec-attributes

pre-shared-key *

Regards/Asfar

Re: Need Urgent help for configuring VPN

Alan Huseyin Kayahan — Wed, 28 May 2008 14:18:29 GMT

Hi Asfar

1)Remote site has a tunnel-group name called "fairmount". Assuming that you refer to your head office with faimount, Tunnel-group name must be same with peer ip, so you should do the following modification

clear config tunnel-group fairmount type ipsec-l2l

tunnel-group 83.111.252.242 type ipsec-l2l

tunnel-group fairmount ipsec-attributes

pre-shared-key *

2)If doesnt work after above suggestion, try using a transform set different than ESP-AES-SHA in both locations

3)Change pre shraed key to 1 and keep like that untill you resolve the connectivity problem. Then you can change to a more secure value.

4) If still no joy, ensure that UDP port 4500 tcp port 10000 and udp/tcp 500 are forwarded to 192.168.1.2 in router 192.168.1.1 in remote office

Regards

Re: Need Urgent help for configuring VPN

asfar.zaidi — Thu, 29 May 2008 22:40:08 GMT

Thanks the problem is resolved

Re: Need Urgent help for configuring VPN

Alan Huseyin Kayahan — Thu, 29 May 2008 23:39:07 GMT

Hi asfar,

Why did you rate 2?

topic Need Urgent help for configuring VPN in Network Security

Need Urgent help for configuring VPN

Re: Need Urgent help for configuring VPN

Re: Need Urgent help for configuring VPN

Re: Need Urgent help for configuring VPN