IPSEC 2811 to ASA 5510

leelove01 · ‎10-28-2011

I have a 2811 that is my HQ router with a 10MB pipe. I was trying to configure a IPSEC tunnel to connect to my ASA that has access to our companies internal servers on the 10.33. and 172.16.31 network. I am having a problem getting phase 1 to even come up. I've looked over the configurations and unless i'm overlooking something I dont see what could be keeping it from at least completing phase 1

Below are the configs.

2811-CFG

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 20

encr aes

authentication pre-share

group 2

crypto isakmp key XXXXXXX address 1.1.1.1

crypto ipsec transform-set CORE-TRANS-SET esp-3des esp-md5-hmac

crypto map CORE-CRYPTO-MAP 20 ipsec-isakmp

set peer 1.1.1.1

set transform-set CORE-TRANS-SET

match address 102

Extended IP access list 102

10 permit ip 192.168.1.0 0.0.0.255 10.33.220.0 0.0.0.255

20 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255

30 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

Router#

------------------------------------------------------------------------------------------------------

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

pre-shared-key *

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto map Outside_map interface Outside

crypto isakmp enable Outside

crypto map Outside_map 1 match address Outside_cryptomap

crypto map Outside_map 1 set peer 2.2.2.2

crypto map Outside_map 1 set transform-set ESP-DES-MD5

access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0

object-group network DM_INLINE_NETWORK_1

network-object 10.33.220.0 255.255.255.0

network-object 172.31.0.0 255.255.255.0

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

Any help on this matter would be appreciated.

cadet alain · ‎10-28-2011

Hi,

Have you configured nat(inside)0 on ASA for traffic going through tunnel and exempted traffic going through tunnel from being natted on the router?

Can you post following outputs:

ASA: sh run global

sh run nat

Router: sh run | i ip nat

sh access-list

sh route-map

Alain.

Don't forget to rate helpful posts.

leelove01 · ‎10-30-2011

Result of the command: "sh run global"

global (Outside) 1 interface

Result of the command: "sh run nat"

nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 access-list SERVER_NAT

Result of the command: "sh access-list INSIDE_nat0_outbound"

access-list INSIDE_nat0_outbound; 2 elements; name hash: 0xe0d1245e
access-list INSIDE_nat0_outbound line 1 extended permit ip object-group DM_INLINE_NETWORK_1 192.168.1.0 255.255.255.0 0xc5627885
access-list INSIDE_nat0_outbound line 1 extended permit ip 10.33.220.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0xd5faa000
access-list INSIDE_nat0_outbound line 1 extended permit ip 172.31.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x6d7d262e

cadet alain · ‎10-30-2011

Hi,

ok So what about the router? I NAT configured correctly to exempt traffic going through the tunnel?

Did you permit IPSec traffic on the outside interface of ASA ?

Can you ping from 192.168.1.0 to one of the other subnet and do a debug crypto isa on the router?

An do the same test on ASA that is pinging from one subnet to the other and debug

Alain.

Don't forget to rate helpful posts.

leelove01 · ‎11-03-2011

I set it up were the VPN traffic bypasses the usual interface ACL's when I created it. I cannot ping anything in the 192.168.1.x from the FW sourcing from the other private networks of 10.33 or 172.31.x.x I also tried ping the 10.33.x.x and 172.31.x.x from the router. Its strange due to the fact that none of the debugs generate any information. The IKE phase 1 isn't getting completed so I had hoped to see some information via debug to get a better understanding but it shows nothing.

cadet alain · ‎11-03-2011

Hi,

just issue the debug crypto isakmp on the router when sourcing interesting traffic supposed to bring th tunnel up from the router LAN to ASA LAN.

If you're connected to the router via telnet or ssh then you must issue terminal monitor into privileged mode to see the debugs.

Alain

Don't forget to rate helpful posts.

Richard Burts · ‎11-03-2011

Can you verify that the router can reach the ASA address of 1.1.1.1 using 2.2.2.2 as the source address?

Can you verify that the ASA can reach the router address of 2.2.2.2 using 1.1.1.1 as the source address?

Can you verify that the keys match between the router and the ASA (perhaps the best way to verify this is to re-enter the key on both the router and the ASA).

HTH

Rick

HTH

Rick