01-23-2013 12:12 AM - edited 03-11-2019 05:51 PM
Hi
I want to make an IPsec VPN between an ASA and a Cisco 877 router.
crypto isakmp and crypto ipsec are in the ACTIVE state and it works fine, but the Cisco 877 cannot ping the ASA internet interface; it can ping the PC behind the ASA.
The PC can ping 192.168.2.1, but the Cisco 877 can ping only the PC behind the ASA, whose IP is 172.20.1.18.
Ex:
192.168.2.0(Cisco877) =====ASA(172.20.1.0)-------172.20.1.18 PC
ASA IP : 172.20.1.2.54
C877 IP 192.168.2.1
--
show crypto engine connections active
--
sh run
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key cclojistik address x.x.x.x
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN local-address Dialer0
crypto map VPN 1 ipsec-isakmp
set peer 213.243.56.146
set transform-set TS
match address VPN_ACL
!
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip directed-broadcast
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname 23r32r32@xxx
ppp chap password 7 345431
ppp pap sent-username 435435@xxx password 743t34tt49
crypto map VPN
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.1.0 255.255.255.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source route-map NAT_MAP interface Dialer0 overload
!
ip access-list extended NO_NAT_ACL
deny ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip any any
deny ip 192.168.2.0 0.0.0.255 213.243.58.0 0.0.0.255
ip access-list extended VPN_ACL
permit ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip host x.x.x.x any
!
dialer-list 1 protocol ip permit
route-map NAT_MAP permit 10
match ip address NO_NAT_ACL
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 sswswdw
!
scheduler max-task-time 5000
end
Interface: Dialer0
Session status: UP-ACTIVE
Peer: 213.243.56.146 port 500
IKE SA: local 7.8.8.8/500 remote 5.5.5.5/500 Active
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host x.x.x.x 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 29.9.9.9 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
interface: Dialer0
Crypto map tag: VPN, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
current_peer y.y.y.y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 54314, #pkts encrypt: 54314, #pkts digest: 54314
#pkts decaps: 72351, #pkts decrypt: 72351, #pkts verify: 72351
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: 9.9.9.9
path mtu 1492, ip mtu 1492
current outbound spi: 0x9A269542(2586219842)
inbound esp sas:
spi: 0xEAB6AD24(3937840420)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 17, flow_id: C87X_MBRD:17, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4440174/1544)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
01-23-2013 01:27 AM
So, the VPN between the two attached networks is working, and the only problem is that the router can't ping the ASA?
First change your NO_NAT_ACL to the following:
ip access-list extended NO_NAT_ACL
deny ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
The config from the ASA could also be of interest.
And unrelated to your problem, you could change your Phase1-crypto to something that is more state of the art (AES, SHA-1, Group5).
Sent from Cisco Technical Support iPad App
01-23-2013 03:02 AM
I changed NO_NAT_ACL as above. I don't receive send errors any more, but I cannot ping from the router to the ASA.
Everything is the same on the ASA and the Cisco 877 for the IPsec credentials, but the PC can ping the router interface, and the router can ping only the PC.
01-23-2013 03:06 AM
Show your ASA-config. And how do you ping *exactly*?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-23-2013 04:07 AM
I can ping the Cisco router 192.168.2.1 from the PC behind the ASA firewall.
I think phase 1 is correct, but I'm not sure about phase 2.
dst src state conn-id slot status
8.8.8.8 38.2.2.2 QM_IDLE 1004 0 ACTIVE
IPv6 Crypto ISAKMP SA
01-23-2013 04:18 AM
I changed the entries below again:
ip nat inside source route-map NAT_MAP interface Dialer0 overload
!
ip access-list extended NO_NAT_ACL
deny ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended VPN_ACL
permit ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
route-map NAT_MAP permit 10
match ip address NO_NAT_ACL
!
!
Now I can see the IPsec session up, and there are two IPsec SAs:
Interface: Dialer0
Session status: UP-ACTIVE
Peer: 212.2.4.5 port 500
IKE SA: local 78.8.8.8/500 remote 3.3.2.5/500 Active
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
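Added example (not from this thread and not Cisco code): a small first-match evaluator for Cisco-style extended ACLs, used to check the two NO_NAT_ACL versions and the VPN_ACL pasted above. It shows why the original NO_NAT_ACL's third entry could never be reached (the preceding `permit ip any any` already covers it), why scoping the permit to 192.168.2.0/24 stops the route-map from NATing traffic that does not originate inside, and how the NAT-exemption deny keeps the 192.168.2.x source intact so the crypto ACL still matches. It also shows that a packet the router sources from its Dialer0 address does not match the crypto ACL and therefore leaves in cleartext, whereas one sourced from Vlan1 (192.168.2.1) does match. The sample flows and the address 203.0.113.10 (standing in for the sanitised x.x.x.x Dialer0 address) are constructed; the model treats every flow the same way and is a simplification of what IOS does with router-generated traffic.

```python
# Added example, not part of the thread or of any Cisco software.
# First-match evaluator for Cisco-style extended IP ACLs (wildcard masks),
# plus a toy model of the router's outbound order: NAT route-map, then crypto map.
import ipaddress
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    action: str   # "permit" or "deny"
    src: int      # source address as an int
    src_wc: int   # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wc: int


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'; return (addr, wc, next_index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines like 'deny ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255'."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header line
        src, src_wc, i = _parse_addr(t, 2)  # t[1] is the protocol keyword ('ip')
        dst, dst_wc, _ = _parse_addr(t, i)
        aces.append(Ace(t[0], src, src_wc, dst, dst_wc))
    return aces


def _covers(addr: int, wc: int, ip: int) -> bool:
    """True when ip matches addr on every bit the wildcard does not mask out."""
    return ((addr ^ ip) & ~wc) == 0


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _covers(ace.src, ace.src_wc, s) and _covers(ace.dst, ace.dst_wc, d):
            return ace.action
    return "deny"


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of entries that an earlier entry already fully covers (never reachable)."""
    out = []
    for j, b in enumerate(acl):
        for a in acl[:j]:
            # b is a subset of a when b's don't-care bits are also don't-care in a
            # and the bits a fixes agree with b's address.
            src_sub = (a.src_wc | b.src_wc) == a.src_wc and _covers(a.src, a.src_wc, b.src)
            dst_sub = (a.dst_wc | b.dst_wc) == a.dst_wc and _covers(a.dst, a.dst_wc, b.dst)
            if src_sub and dst_sub:
                out.append(j)
                break
    return out


def outbound(nat_acl: List[Ace], crypto_acl: List[Ace], src: str, dst: str,
             dialer_ip: str) -> Tuple[str, str]:
    """Toy model of the Dialer0 egress path: the route-map NAT decision first, then the crypto map.
    A 'permit' from NO_NAT_ACL means the route-map matches and NAT IS applied;
    a 'deny' means the flow is exempt from NAT and keeps its original source."""
    if evaluate(nat_acl, src, dst) == "permit":
        src = dialer_ip  # PAT overload onto the Dialer0 address
    disposition = "encrypted" if evaluate(crypto_acl, src, dst) == "permit" else "cleartext"
    return disposition, src


# The ACLs as pasted in the thread (original and revised NO_NAT_ACL, revised VPN_ACL).
NO_NAT_ORIGINAL = """
ip access-list extended NO_NAT_ACL
 deny ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
 permit ip any any
 deny ip 192.168.2.0 0.0.0.255 213.243.58.0 0.0.0.255
"""
NO_NAT_REVISED = """
ip access-list extended NO_NAT_ACL
 deny ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
"""
VPN_ACL = """
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
"""
DIALER0_IP = "203.0.113.10"  # constructed stand-in for the sanitised x.x.x.x Dialer0 address

if __name__ == "__main__":
    nat_old, nat_new, vpn = parse_acl(NO_NAT_ORIGINAL), parse_acl(NO_NAT_REVISED), parse_acl(VPN_ACL)
    print("unreachable entries in original NO_NAT_ACL:", shadowed(nat_old))
    print("non-inside source NATed, original/revised:",
          evaluate(nat_old, "10.9.9.9", "8.8.8.8"), "/", evaluate(nat_new, "10.9.9.9", "8.8.8.8"))
    print("LAN host -> remote LAN:", outbound(nat_new, vpn, "192.168.2.10", "172.20.1.18", DIALER0_IP))
    print("router ping sourced from Vlan1:", outbound(nat_new, vpn, "192.168.2.1", "172.20.1.18", DIALER0_IP))
    print("router ping sourced from Dialer0:", outbound(nat_new, vpn, DIALER0_IP, "172.20.1.18", DIALER0_IP))
```

The last two lines of the demo are the check behind "how do you ping *exactly*": a ping issued on the router without a source address leaves from the Dialer0 address, falls outside the 192.168.2.0/24 to 172.20.1.0/24 flow the crypto map protects, and is sent unencrypted, whereas the same ping sourced from Vlan1 is encrypted.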