I have a 2811 that is my HQ router with a 10MB pipe. I was trying to configure an IPSEC tunnel to connect to my ASA that has access to our company's internal servers on the 10.33. and 172.16.31 network. I am having a problem getting phase 1 to even come up. I've looked over the configurations and unless I'm overlooking something I don't see what could be keeping it from at least completing phase 1.
Below are the configs.
crypto isakmp policy 10
crypto isakmp policy 20
crypto isakmp key XXXXXXX address 184.108.40.206
crypto ipsec transform-set CORE-TRANS-SET esp-3des esp-md5-hmac
crypto map CORE-CRYPTO-MAP 20 ipsec-isakmp
set peer 220.127.116.11
set transform-set CORE-TRANS-SET
match address 102
Extended IP access list 102
10 permit ip 192.168.1.0 0.0.0.255 10.33.220.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
crypto isakmp policy 5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 126.96.36.199
crypto map Outside_map 1 set transform-set ESP-DES-MD5
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 10.33.220.0 255.255.255.0
network-object 172.31.0.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
Any help on this matter would be appreciated.
Have you configured nat (inside) 0 on the ASA for traffic going through the tunnel, and exempted traffic going through the tunnel from being NATted on the router?
Can you post following outputs:
ASA: sh run global
sh run nat
Router: sh run | i ip nat
Result of the command: "sh run global"
global (Outside) 1 interface
Result of the command: "sh run nat"
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 access-list SERVER_NAT
Result of the command: "sh access-list INSIDE_nat0_outbound"
access-list INSIDE_nat0_outbound; 2 elements; name hash: 0xe0d1245e
access-list INSIDE_nat0_outbound line 1 extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0 0xc5627885
access-list INSIDE_nat0_outbound line 1 extended permit ip 10.33.220.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0xd5faa000
access-list INSIDE_nat0_outbound line 1 extended permit ip 172.31.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6d7d262e
OK. So what about the router? Is NAT configured correctly to exempt traffic going through the tunnel?
Did you permit IPSec traffic on the outside interface of the ASA?
Can you ping from 192.168.1.0 to one of the other subnets and do a debug crypto isa on the router?
And do the same test on the ASA, that is, ping from one subnet to the other and debug.
I set it up where the VPN traffic bypasses the usual interface ACLs when I created it. I cannot ping anything in the 192.168.1.x from the FW sourcing from the other private networks of 10.33 or 172.31.x.x. I also tried pinging the 10.33.x.x and 172.31.x.x from the router. It's strange due to the fact that none of the debugs generate any information. The IKE phase 1 isn't getting completed so I had hoped to see some information via debug to get a better understanding, but it shows nothing.
Just issue the debug crypto isakmp on the router when sourcing interesting traffic that is supposed to bring the tunnel up from the router LAN to the ASA LAN.
If you're connected to the router via telnet or ssh then you must issue terminal monitor in privileged mode to see the debugs.
Can you verify that the router can reach the ASA address of 188.8.131.52 using 184.108.40.206 as the source address?
Can you verify that the ASA can reach the router address of 220.127.116.11 using 18.104.22.168 as the source address?
Can you verify that the keys match between the router and the ASA? (Perhaps the best way to verify this is to re-enter the key on both the router and the ASA.)
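Added example (not code from the thread or from Cisco): a small Python script that parses the two config excerpts posted above and reports the things the replies ask the poster to compare. Phase 1 itself depends on reachability between the peers, the pre-shared key and the ISAKMP policy attributes, none of which appear in usable form on the page (the policy bodies are elided and the peer addresses are obfuscated), so the check confines itself to what is posted: whether the router's crypto ACL 102 and the ASA's Outside_cryptomap mirror each other after object-group expansion, and whether the two referenced transform-sets agree. Both must hold for phase 2 once phase 1 comes up. The ACL names and the constructed config strings are taken from the posts; the parser handles only the ACE forms seen here plus `host`, and is an assumption about the syntax, not a general Cisco config parser.

```python
"""Cross-check the router and ASA crypto settings posted in this thread.
Added example: it parses the two config excerpts and lists the mismatches."""
import ipaddress
import re

# Constructed sample input: the relevant lines copied from the posts above.
# Peer addresses and ISAKMP policy bodies are omitted on purpose.
ROUTER_CONFIG = """\
crypto ipsec transform-set CORE-TRANS-SET esp-3des esp-md5-hmac
crypto map CORE-CRYPTO-MAP 20 ipsec-isakmp
 set transform-set CORE-TRANS-SET
 match address 102
Extended IP access list 102
10 permit ip 192.168.1.0 0.0.0.255 10.33.220.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

ASA_CONFIG = """\
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set transform-set ESP-DES-MD5
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object 10.33.220.0 255.255.255.0
 network-object 172.31.0.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
"""


def wildcard_network(addr, wildcard):
    """IOS ACL wildcard mask (0 bit = must match) -> ip_network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def router_crypto_acl(config, acl_number):
    """(src, dst) network pairs from a 'show access-list' style IOS listing."""
    pairs, in_acl = [], False
    for line in config.splitlines():
        if line.startswith("Extended IP access list"):
            in_acl = line.split()[-1] == acl_number
            continue
        m = re.match(r"\s*\d+\s+permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if in_acl and m:
            src, swc, dst, dwc = m.groups()
            pairs.append((wildcard_network(src, swc), wildcard_network(dst, dwc)))
    return pairs


def asa_object_groups(config):
    """name -> list of networks for each 'object-group network' block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current is not None:
            addr, mask = m.groups()
            net = mask if addr == "host" else f"{addr}/{mask}"  # 'host X' carries no mask
            current.append(ipaddress.ip_network(net, strict=False))
        elif not line.startswith(" "):
            current = None  # any unindented line ends the group block
    return groups


def _asa_endpoint(tokens, groups):
    """Consume one src/dst endpoint of an ASA ACE; return its networks."""
    tok = tokens.pop(0)
    if tok == "object-group":
        return groups[tokens.pop(0)]
    if tok == "host":
        return [ipaddress.ip_network(tokens.pop(0))]
    return [ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)]


def asa_crypto_acl(config, acl_name):
    """(src, dst) pairs with object-groups expanded, one per combination."""
    groups, pairs = asa_object_groups(config), []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        srcs = _asa_endpoint(rest, groups)
        dsts = _asa_endpoint(rest, groups)
        pairs.extend((s, d) for s in srcs for d in dsts)
    return pairs


def referenced_transform_set(config):
    """Algorithms of the transform-set the crypto map points at."""
    name = re.search(r"set transform-set (\S+)", config).group(1)
    algs = re.search(rf"crypto ipsec transform-set {re.escape(name)} (.+)", config)
    return tuple(algs.group(1).split())


def check_configs(router_cfg, asa_cfg, router_acl="102", asa_acl="Outside_cryptomap"):
    """Return the mismatches; an empty 'problems' list means both sides agree."""
    router_pairs = set(router_crypto_acl(router_cfg, router_acl))
    asa_mirrored = {(d, s) for s, d in asa_crypto_acl(asa_cfg, asa_acl)}
    r_ts, a_ts = referenced_transform_set(router_cfg), referenced_transform_set(asa_cfg)
    problems = []
    for src, dst in sorted(router_pairs - asa_mirrored, key=str):
        problems.append(f"router ACL {src}->{dst} has no mirror entry on the ASA")
    for src, dst in sorted(asa_mirrored - router_pairs, key=str):
        problems.append(f"ASA ACL {dst}->{src} has no mirror entry on the router")
    if set(r_ts) != set(a_ts):
        problems.append(f"transform-set mismatch: router {r_ts} vs ASA {a_ts}")
    return {"router_transform_set": r_ts, "asa_transform_set": a_ts, "problems": problems}


if __name__ == "__main__":
    for problem in check_configs(ROUTER_CONFIG, ASA_CONFIG)["problems"]:
        print(problem)
```

Run against the posted excerpts it reports two things: ACL 102 line 30 (192.168.1.0/24 to 192.168.200.0/24) has no mirror on the ASA, and the router's transform-set (esp-3des esp-md5-hmac) does not match the ASA's (esp-des esp-md5-hmac). Neither stops phase 1, but either would stop the corresponding phase 2 SA from forming afterwards, so they are worth correcting alongside the key and policy checks asked for above.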