What is the reason that even phase 1 of the VPN is not working?

ronakpa
Level 1

I have a 3845 router that is connected to a PIX, which in turn is connected by a VPN tunnel to the customer router. I am trying to set up VPN connectivity for some devices. So on the router I wrote static NAT statements such as 10.124.90.124 10.200.200.1; I wrote six statements of this type for six devices. On the PIX I did:

isakmp key ******** address 208.39.107.230 netmask 255.255.255.255
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 208.39.107.230
crypto map outside_map 60 set transform-set ESP-3DES-SHA-1

I have one question: do I need to use the physical subnet or the NAT subnet in the crypto map ACL?

And also, on the customer router, which subnet should they use: the NAT subnet or my router's physical subnet?


Julio Carvajal
VIP Alumni

Hello Ronald,

I might not understand your question but let me try to answer this for you:

On the crypto ACL you will set the traffic that needs to be encrypted (in this case the LOCAL area networks of each side).

Now remember that you need to exclude this traffic on each side from being NATted (so it does not get translated when it goes inside the tunnel, unless desired).

Regards,

Rate the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

My 3845 router's physical IP is 192.133.193.242 with a /29 subnet.

So I have to make the crypto map ACL on my PIX as

access-list name permit ip 10.200.200.0/24 216.46.255.0/26

or

access-list name permit ip 192.133.193.242/29 216.46.255.0/26

I want to know the same for the customer side as well.

Hello Ronak,

Please check the following diagram

192.168.12.0/24---Router----4.0.0.0-------ISP---------80.80.80.0---ASA------192.168.100.0/24

So the Crypto ACL on the router should be

ip access-list extended crypto_acl
permit ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255

On the ASA

access-list crypto_acl permit ip 192.168.100.0 0.0.0.255 192.168.12.0 0.0.0.255

I hope this helps,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
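As an added illustration (not from this thread), a small Python check of the two rules Julio gives above: the crypto ACLs on the two ends must be exact mirrors of each other, and any flow the crypto ACL selects must be kept out of NAT before it reaches the crypto map. The ACL lines are constructed from his diagram; wildcard masks are assumed to be contiguous.

```python
import ipaddress

# Constructed sample: the two crypto ACLs from the diagram above (router side
# and ASA side). They are mirror images of each other, as they must be.
ROUTER_ACL = ["permit ip 192.168.12.0 0.0.0.255 192.168.100.0 0.0.0.255"]
ASA_ACL = ["permit ip 192.168.100.0 0.0.0.255 192.168.12.0 0.0.0.255"]

ALL_ONES = 0xFFFFFFFF

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an ip_network.
    The wildcard is inverted into a netmask; non-contiguous masks are rejected
    (they cannot be written as a prefix and are not used in crypto ACLs)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & ALL_ONES
    if (mask | (mask - 1)) & ALL_ONES != ALL_ONES:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)

def parse_crypto_ace(line):
    """Parse 'permit ip SRC WC DST WC' into a (src_net, dst_net) tuple."""
    parts = line.split()
    if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    return (wildcard_to_network(parts[2], parts[3]),
            wildcard_to_network(parts[4], parts[5]))

def mirror_mismatches(local_lines, remote_lines):
    """Return the local ACEs that have no exact mirror on the remote side.
    Each local (src, dst) pair must appear on the peer as (dst, src); a
    mismatch means the two ends propose different phase 2 proxy IDs."""
    remote = {parse_crypto_ace(l) for l in remote_lines}
    bad = []
    for line in local_lines:
        src, dst = parse_crypto_ace(line)
        if (dst, src) not in remote:
            bad.append(line)
    return bad

def needs_nat_exemption(src_ip, dst_ip, crypto_lines):
    """True when a src->dst flow is selected by the crypto ACL and must
    therefore be excluded from NAT; otherwise the translated source
    address no longer matches the ACL and the flow leaves in the clear."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s_net and dst in d_net
               for s_net, d_net in map(parse_crypto_ace, crypto_lines))

if __name__ == "__main__":
    print("mirror mismatches:", mirror_mismatches(ROUTER_ACL, ASA_ACL))
    print("exempt 192.168.12.10 -> 192.168.100.5:",
          needs_nat_exemption("192.168.12.10", "192.168.100.5", ROUTER_ACL))
```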

My router is directly connected to the PIX.

Hello Ronak,

It should be the same, but just in case, can you set up a diagram?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

router - PIX - internet - customer router

The tunnel is terminating on the PIX.

Hello Ronald,

It is the same as my topology.

Just that you need to include in the crypto ACL, if required, the traffic from the subnet behind the router (behind the ASA) to the other customer router.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC