ASA to Cisco 877 IPsec VPN Problem

KY_ (Level 4)

Hi

I want to make an IPsec VPN between an ASA and a Cisco 877 router.

crypto isakmp and crypto ipsec are in ACTIVE state and it works fine, but

the Cisco 877 cannot ping the ASA Internet interface; it can only ping the PC behind the ASA.

The PC can ping 192.168.2.1, but the Cisco 877 can only ping the PC behind the ASA, whose IP is 172.20.1.18.

Ex:

192.168.2.0 (Cisco 877) ===== ASA (172.20.1.0) ------- 172.20.1.18 PC

ASA IP: 172.20.1.2.54

C877 IP: 192.168.2.1

--

show crypto engine connections active

--

sh run

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cclojistik address x.x.x.x
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN local-address Dialer0
crypto map VPN 1 ipsec-isakmp
 set peer 213.243.56.146
 set transform-set TS
 match address VPN_ACL
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip directed-broadcast
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1300
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname 23r32r32@xxx
 ppp chap password 7 345431
 ppp pap sent-username 435435@xxx password 743t34tt49
 crypto map VPN
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.1.0 255.255.255.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source route-map NAT_MAP interface Dialer0 overload
!
ip access-list extended NO_NAT_ACL
 deny   ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
 permit ip any any
 deny   ip 192.168.2.0 0.0.0.255 213.243.58.0 0.0.0.255
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
 permit ip host x.x.x.x any
!
dialer-list 1 protocol ip permit
route-map NAT_MAP permit 10
 match ip address NO_NAT_ACL
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 sswswdw
!
scheduler max-task-time 5000
end

Interface: Dialer0
Session status: UP-ACTIVE
Peer: 213.243.56.146 port 500
  IKE SA: local 7.8.8.8./500 remote 5.5.5.5/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip host x.x.x.x 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip host 29.9.9.9 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

interface: Dialer0
    Crypto map tag: VPN, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.1.0/255.255.255.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 54314, #pkts encrypt: 54314, #pkts digest: 54314
    #pkts decaps: 72351, #pkts decrypt: 72351, #pkts verify: 72351
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: x..x.x,x remote crypto endpt.: 9.9.9.9
     path mtu 1492, ip mtu 1492
     current outbound spi: 0x9A269542(2586219842)

     inbound esp sas:
      spi: 0xEAB6AD24(3937840420)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 17, flow_id: C87X_MBRD:17, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4440174/1544)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

5 Replies

So, the VPN between the two attached networks is working, and the only problem is that the router can't ping the ASA?

First change your NO_NAT_ACL to the following:

ip access-list extended NO_NAT_ACL
  deny   ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
  permit ip 192.168.2.0 0.0.0.255 any

The config from the ASA could also be of interest.

And unrelated to your problem, you could change your Phase 1 crypto to something that is more state of the art (AES, SHA-1, Group 5).


Sent from Cisco Technical Support iPad App

I changed NO_NAT_ACL as above. I don't receive send errors any more, but I cannot ping from the router to the ASA.

Everything is the same on the ASA and the Cisco 877 for the IPsec credentials, but the PC can ping the router interface, and the router can only ping the PC.

Show your ASA-config. And how do you ping *exactly*?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
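An added example, not code from this thread: a small Python evaluator of the ACLs posted above, using Cisco wildcard-mask, first-match semantics with the implicit trailing deny. It shows that in the original NO_NAT_ACL the deny for 213.243.58.0 sits behind `permit ip any any` and can never match, and that a packet sourced from the Dialer0 address matches neither VPN_ACL nor NO_NAT_ACL, so the crypto map never treats the router's own unsourced ping as interesting traffic. The 78.8.8.8 WAN address is a placeholder taken from the obfuscated output, and 192.168.2.10 is a constructed LAN host.

```python
import ipaddress

def _i(a):
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (_i(addr) & ~_i(wildcard)) == (_i(base) & ~_i(wildcard))

def acl_lookup(acl, src, dst):
    """First-match evaluation; IOS ends every ACL with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def _covers(base_a, wc_a, base_b, wc_b):
    """True if range A (base/wildcard) fully contains range B."""
    return (_i(wc_b) & ~_i(wc_a)) == 0 and ((_i(base_a) ^ _i(base_b)) & ~_i(wc_a)) == 0

def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry covers them."""
    out = []
    for j, (_, sb, sw, db, dw) in enumerate(acl):
        if any(_covers(pb, pw, sb, sw) and _covers(qb, qw, db, dw)
               for _, pb, pw, qb, qw in acl[:j]):
            out.append(j)
    return out

ANY = ("0.0.0.0", "255.255.255.255")
VPN_ACL = [("permit", "192.168.2.0", "0.0.0.255", "172.20.1.0", "0.0.0.255")]
NO_NAT_ORIG = [  # NO_NAT_ACL as first posted
    ("deny", "192.168.2.0", "0.0.0.255", "172.20.1.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
    ("deny", "192.168.2.0", "0.0.0.255", "213.243.58.0", "0.0.0.255"),
]
NO_NAT_FIXED = [  # NO_NAT_ACL as suggested in the first reply
    ("deny", "192.168.2.0", "0.0.0.255", "172.20.1.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", *ANY),
]

def classify(src, dst, no_nat_acl=NO_NAT_FIXED):
    """What the 877 does with a packet leaving Dialer0: crypto-map match and/or PAT via NAT_MAP."""
    return {"encrypted": acl_lookup(VPN_ACL, src, dst) == "permit",
            "natted": acl_lookup(no_nat_acl, src, dst) == "permit"}

if __name__ == "__main__":
    print(shadowed_entries(NO_NAT_ORIG))            # [2]: the 213.243.58.0 deny sits behind 'permit any any'
    print(classify("192.168.2.10", "172.20.1.18"))  # LAN PC to the ASA side: encrypted, not NATted
    print(classify("78.8.8.8", "172.20.1.2"))       # ping sourced from Dialer0 (placeholder WAN IP): neither
```

The equivalent check on the router itself is `ping 172.20.1.2 source Vlan1`, which puts the router's own probe inside VPN_ACL; that command is a standard IOS option, not something the thread shows.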

I can ping the Cisco router 192.168.2.1 from the PC behind the ASA firewall.

I think phase 1 is correct, but I'm not sure about phase 2.

dst             src             state          conn-id slot status
8.8.8.8         38.2.2.2        QM_IDLE           1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

I changed the entries below again:

ip nat inside source route-map NAT_MAP interface Dialer0 overload
!
ip access-list extended NO_NAT_ACL
 deny   ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 172.20.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
route-map NAT_MAP permit 10
 match ip address NO_NAT_ACL
!
!

Now I can see the IPsec session up, and there are two IPsec SAs:

Interface: Dialer0
Session status: UP-ACTIVE
Peer: 212.2.4.5 port 500
  IKE SA: local 78.8.8.8/500 remote 3.3.2.5/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 172.20.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
