ASA5520 and RV042

balgaa2008
Level 1

Hello,

I configured ASA5520 and RV042 for site-to-site IPSec VPN tunnel.

The tunnel gets connected, but there is no ping and no traffic between the networks at either end.

Network:

=======

192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet

192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet

ASA5520 config:

----------------------

name 192.168.10.0 VPN
!
interface GigabitEthernet0/1
 nameif NET
 security-level 100
 ip address 192.168.113.6 255.255.255.0
!
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map com_map0 1 set phase1-mode aggressive
crypto map com_map0 interface com
crypto isakmp enable com
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
 peer-id-validate nocheck
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
!

The RV042 config is very simple.

Any particular reason or config missing?
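An added check, written for this thread and not taken from it or from Cisco: it parses the name, interface and access-list lines of the ASA config posted above and verifies that each ACL's source is a directly connected subnet, which is how ASA crypto-map and NAT-exemption ACLs are written (local protected subnet as source, remote subnet as destination). The sample config is constructed from the question's own lines.

```python
import ipaddress
import re

# Constructed sample: the name, interface and access-list lines posted in the question.
ASA_CONFIG = """\
name 192.168.10.0 VPN
 ip address 192.168.113.6 255.255.255.0
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def net(ip, mask):
    """Network from an address and a dotted mask as the ASA writes it, e.g. 192.168.113.0/24."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_config(cfg):
    """Return (acls, local_subnets): {acl_name: [(src_net, dst_net), ...]} with 'name'
    aliases such as VPN resolved, and the connected subnets from 'ip address' lines."""
    names = {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}
    local = [net(ip, m) for ip, m in re.findall(r"^\s*ip address (\S+) (\S+)$", cfg, re.M)]
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acl, src, smask, dst, dmask = m.groups()
            acls.setdefault(acl, []).append(
                (net(names.get(src, src), smask), net(names.get(dst, dst), dmask)))
    return acls, local

def check_direction(acls, local_subnets):
    """ASA crypto-map and NAT-exemption ACLs are written local-to-remote (source = local
    protected subnet). Returns {acl_name: [problem, ...]}; an empty list means it is fine."""
    findings = {}
    for acl, entries in acls.items():
        findings[acl] = []
        for src, dst in entries:
            src_local = any(src.subnet_of(n) for n in local_subnets)
            dst_local = any(dst.subnet_of(n) for n in local_subnets)
            if dst_local and not src_local:
                findings[acl].append(f"reversed: {src} -> {dst}, should read {dst} -> {src}")
            elif not src_local:
                findings[acl].append(f"source {src} is not a local subnet")
    return findings

def audit(cfg=ASA_CONFIG):
    """Run the direction check on a config text; on the posted config only com_cryptomap is flagged."""
    return check_direction(*parse_config(cfg))
```

Running `audit()` on the posted lines reports com_nat_outbound as clean and com_cryptomap as reversed (VPN, the remote 192.168.10.0/24, appears as the source).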

5 Replies

jasbryan
Level 6

Balgaa,

Also please post this thread on the Enterprise Small Business forum, as ASA5500 devices are considered Small Business but are part of the Enterprise support group.

We don't support ASA in the Small Business group here or on this forum. I have an ASA5505 connecting an IPSec tunnel to an SA500 and I'm having the same exact problem. So if you find your problem please repost; our problem could possibly be the same. I will do the same!

Have you run the packet tracer inside the ASDM (does it show you where the packet drops)?

I have had problems since I upgraded to the new 8.4.x, trying to get used to the new code/statements.

Also run ciscoasa(config)#management-access inside

See if you are able to ping from the ASA interface to your RV042 interface.

Thanks,

Jasbryan

I can't find the Enterprise Small Business forum.

Yes, I ran packet tracer and it shows the packet dropped at the access-list check.

Please find my ASA information below.

---------------------------------

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 20 days 15 hours

Hardware:   ASA5520-K8, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 001a.6de9.32a8, irq 9
 1: Ext: GigabitEthernet0/1  : address is 001a.6de9.32a9, irq 9
 2: Ext: GigabitEthernet0/2  : address is 001a.6de9.32aa, irq 9
 3: Ext: GigabitEthernet0/3  : address is 001a.6de9.32ab, irq 9
 4: Ext: Management0/0       : address is 001a.6de9.32ac, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.

I can't find management-access inside:

ciscoasa(config)# management-access ?

configure mode commands/options:
Current available interface(s):
  GPONET      Name of interface GigabitEthernet0/1
  Servers     Name of interface GigabitEthernet0/2
  Servers2    Name of interface GigabitEthernet0/3
  management  Name of interface Management0/0
  com      Name of interface GigabitEthernet0/0

Balgaa,

After running packet tracer a few times, I kept getting ACL-Drops. My problem was I didn't have a second ACL saying Source - Vpn1-remote, Destination - vpn1-local, ip allow. After creating my second ACL for my return traffic I am now able to pass all my traffic.

I am running the latest OS 8.4.x, which is different from earlier OSes.

Hope this helps,

Jasbryan.

I got complete stage-by-stage help on the VPN forum section.

Thanks, anyway...