09-14-2011 09:39 PM
Hello,
I configured ASA5520 and RV042 for site-to-site IPSec VPN tunnel.
The tunnel gets connected, but there is no ping and no traffic between the two end networks.
Network:
=======
192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet
192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet
ASA5520 config:
----------------------
name 192.168.10.0 VPN
!
interface GigabitEthernet0/1
nameif NET
security-level 100
ip address 192.168.113.6 255.255.255.0
!
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map com_map0 1 set phase1-mode aggressive
crypto map com_map0 interface com
crypto isakmp enable com
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
The RV042 config is very simple.
Any particular reason, or is some config missing?
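For comparison, here is how the relevant part of an ASA 8.2 site-to-site config for these two networks is normally laid out. This is an added example, not the original poster's config and not a Cisco-supplied one: interface names NET (inside) and com (outside), the object name VPN for 192.168.10.0 and the peer placeholder x.x.x.x are taken from the post; the nat 0 statement and the verification commands are assumptions about what a working 8.2 config contains. The two things worth checking against the posted config are the order of networks in the crypto ACL (on the ASA the crypto-map match ACL names the local network as source and the remote network as destination, and the RV042 end must be its exact mirror image) and whether the NAT-exempt ACL is actually applied with a nat 0 statement, which the post does not show.

```cisco
! Added example (not from the original post). Assumes ASA 8.2 NAT syntax,
! interface NET = inside (192.168.113.6) and com = outside, as in the post.
name 192.168.10.0 VPN
!
! Crypto ACL: LOCAL network as source, REMOTE network as destination.
! The RV042 side must be the mirror image: 192.168.10.0/24 -> 192.168.113.0/24.
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
!
! NAT exemption for the same pair of networks, plus the nat 0 statement that
! applies it; the ACL by itself does nothing until it is referenced here.
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
nat (NET) 0 access-list com_nat_outbound
!
! Let decrypted VPN traffic bypass the interface ACL on com (on by default in 8.2,
! made explicit here so it is visible in a config dump).
sysopt connection permit-vpn
!
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
! One transform set that matches what the RV042 is configured for (assumed 3DES/SHA).
crypto map com_map0 1 set transform-set ESP-3DES-SHA
crypto map com_map0 interface com
!
! Verification: trace one packet per direction. The inside-to-remote trace should end
! in a VPN encrypt action, the outside trace (cleartext remote source, simulating the
! packet after decryption) should end with ALLOW, and the SA counters should move in
! both the encaps and decaps columns while a host on each side pings the other.
packet-tracer input NET icmp 192.168.113.10 8 0 192.168.10.10 detailed
packet-tracer input com icmp 192.168.10.10 8 0 192.168.113.10 detailed
show crypto ipsec sa peer x.x.x.x
```

If the first packet-tracer stops at the ACL phase, check the interface ACL on NET (if one is applied) and the NAT phase; if encaps increments but decaps stays at zero, the RV042 side's local/remote networks do not mirror the ASA's crypto ACL, and the RV042 is silently dropping or not sending the return traffic through the tunnel.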
09-15-2011 01:25 PM
Balgaa,
Also please post this thread on the Enterprise Small Business forum, as ASA5500 devices are considered Small Business but are part of the Enterprise support group.
We don't support ASA at the Small Business group here or on this forum. I have an ASA5505 connecting an IPSec tunnel to an SA500 and I'm having the same exact problem, so if you find your problem please repost; our problem could possibly be the same. I will do the same!
Have you run the packet tracer inside the ASDM (does it show you where the packet drops)?
I have had problems since I upgraded to the new 8.4.x, trying to get used to the new code/statements.
Also run ciscoasa(config)#management-access inside
See if you are able to ping from the ASA interface to your RV042 interface.
Thanks,
Jasbryan
09-15-2011 08:00 PM
I can't find the Enterprise Small Business forum.
Yes, I ran packet tracer and it shows the packet dropped at the access-list check.
Please find below my ASA information.
---------------------------------
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 20 days 15 hours
Hardware: ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 001a.6de9.32a8, irq 9
1: Ext: GigabitEthernet0/1 : address is 001a.6de9.32a9, irq 9
2: Ext: GigabitEthernet0/2 : address is 001a.6de9.32aa, irq 9
3: Ext: GigabitEthernet0/3 : address is 001a.6de9.32ab, irq 9
4: Ext: Management0/0 : address is 001a.6de9.32ac, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
I can't find management-access inside:
ciscoasa(config)# management-access ?
configure mode commands/options:
Current available interface(s):
GPONET Name of interface GigabitEthernet0/1
Servers Name of interface GigabitEthernet0/2
Servers2 Name of interface GigabitEthernet0/3
management Name of interface Management0/0
com Name of interface GigabitEthernet0/0
09-15-2011 08:07 PM
This thread might help you.
09-16-2011 09:28 AM
Balgaa,
After running packet tracer a few times, I kept getting ACL-Drops. My problem was I didn't have a second ACL saying Source: vpn1-remote, Destination: vpn1-local, IP allow. After creating my second ACL for my return traffic I am now able to pass all my traffic.
I am running the latest OS, 8.4.x, which is different from the earlier OSes.
Hope this helps,
Jasbryan.
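Both the original config and Jasbryan's fix come down to two rules that are easy to get backwards and that the ASA does not warn about: the crypto ACL on each peer must be the exact mirror image of the other's (same networks, source and destination swapped), and every crypto-ACL entry needs an identical NAT-exempt entry so the packet still matches the crypto ACL after the NAT phase. The following Python script is an added example, not code from the thread or from Cisco: it parses ASA 8.2-style `name` and `access-list ... extended permit ip` lines and applies both checks. ASA_CONFIG is reconstructed from the posted config (crypto ACL as posted, with the VPN object as source), RV042_PAIRS is the selector the RV042 end would have to use for this design, and FIXED_CONFIG is an assumed corrected version; the 8.4 twice-NAT syntax Jasbryan is on is not parsed here.

```python
import ipaddress

# Constructed from the config in the first post: the crypto ACL lists the remote
# network (VPN = 192.168.10.0) as source. Not copied from a live device.
ASA_CONFIG = """
name 192.168.10.0 VPN
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
"""

# Assumed corrected config: local network first in the crypto ACL.
FIXED_CONFIG = """
name 192.168.10.0 VPN
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
"""

# What the RV042 side selects (its local network -> its remote network). Assumed.
RV042_PAIRS = [(ipaddress.ip_network("192.168.10.0/24"),
                ipaddress.ip_network("192.168.113.0/24"))]


def _endpoint(tokens, i, names):
    """Parse one ACL endpoint starting at tokens[i]: 'any', 'host A', or 'A MASK'.
    Returns (network, index_of_next_token). Resolves 'name' aliases."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tok, tok)
    # ipaddress accepts dotted netmasks, e.g. 192.168.10.0/255.255.255.0
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' entries.
    'name <ip> <alias>' lines are resolved; ASA emits them before the ACLs."""
    names, acls = {}, {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) == 3 and tokens[0] == "name":
            names[tokens[2]] = tokens[1]
        elif tokens[:1] == ["access-list"] and tokens[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(tokens, 5, names)
            dst, _ = _endpoint(tokens, i, names)
            acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def check_crypto_acls(local_pairs, remote_pairs):
    """Local crypto-ACL entries that the remote peer does not mirror exactly.
    Phase 2 comes up as long as the selectors match as proposed, but traffic in
    one direction never matches an SA, which is the 'tunnel up, no ping' symptom."""
    mirror = {(d, s) for (s, d) in remote_pairs}
    return sorted(set(local_pairs) - mirror, key=str)


def check_nat_exempt(crypto_pairs, nat0_pairs):
    """Crypto-ACL entries without an identical NAT-exempt entry. Without the
    exemption the packet is translated first and no longer matches the crypto ACL."""
    return sorted(set(crypto_pairs) - set(nat0_pairs), key=str)


def audit(config, remote_pairs, crypto_acl="com_cryptomap", nat0_acl="com_nat_outbound"):
    """Run both checks on a config and return the offending entries as strings."""
    acls = parse_acls(config)
    crypto = acls.get(crypto_acl, [])
    nat0 = acls.get(nat0_acl, [])
    fmt = lambda pairs: [(str(s), str(d)) for s, d in pairs]
    return {
        "not_mirrored_by_peer": fmt(check_crypto_acls(crypto, remote_pairs)),
        "missing_nat_exempt": fmt(check_nat_exempt(crypto, nat0)),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, audit(cfg, RV042_PAIRS))
```

Run against the posted config the script flags the single crypto-ACL entry on both counts; against the corrected config both lists are empty. The same two functions can be fed the ACLs from both peers when the far end is also an ASA, in which case the peer's crypto ACL is parsed with `parse_acls` instead of being typed in as RV042_PAIRS.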
09-17-2011 01:37 AM
I got complete stage-by-stage help in the VPN forum section.
Thanks, anyway...