Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
913
Views
0
Helpful
5
Replies

Configuration crypto ipsec client router & ASA

eperezb
Level 1
Level 1

‎01-28-2020 10:15 AM

I currently have a vpn from a site A to a Site B, Site A has internet access locally but the internet modem was placed in bridge mode, now all navigation should go through site B,

But it is not like that, there is no navigation on site A, but the private network of both ends is reached, they will know if there is any configuration that is happening to me on the router, annex config

 

 

crypto ipsec security-association de por vida segundos 86400
!
!
!
!
crypto ipsec client ezvpn crws-client
connect auto
group VPNBackup key ******
mode network-extension
peer 187.141.226.35
username **** password ******
xauth userid mode local

interface FastEthernet4
descripción LINK to WAN
no ip dirección
ip flujo ingreso
duplex
velocidad automática auto
pppoe-client dial-pool-number 1
!
interfaz Vlan1
dirección ip 172.16.223.1 255.255.255.0
ip access-group 101 out
ip helper-address 172.16.21.44
ingreso de flujo ip
ip virtual-reesembly
ip tcp ajuste-mss 1412
crypto ipsec client ezvpn crws-client inside
!
interfaz Marcador0
dirección IP negociada
grupo de acceso ip 102 en
ip mtu 1452
ingreso de flujo de
ip montaje virtual ip
encapsulación ppp
intervalo de carga 30
grupo de
marcadores 1 grupo de marcadores 1
autenticación de ppp chap pap callin
ppp cap nombre de host ventaschihuahua
ppp chap contraseña 0 *** ******
ppp pap nombre de usuario enviado ******** contraseña ********* ¡
no hay cdp habilitado el
cliente cripto ipsec ezvpn crws-client
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
lista de acceso 101 permiso ip cualquiera cualquier
lista de acceso 102 permiso ip cualquiera cualquiera
access-list 103 permiso ip 172.16.223.0 0.0.0.255 cualquier
marcador-list 1 protocolo ip permit
route-map SDM_RMAP_1 permiso 1
coincidencia ip address 103
!
snmp-server community alen RO
!
plano de control
!
!

Labels:
0 Helpful
5 Replies 5

Georg Pauwen
VIP
VIP

‎01-28-2020 11:22 AM

Hello,

 

add the lines marked in bold to your configuration:

 

crypto ipsec client ezvpn crws-client
connect auto
group VPNBackup key ******
mode network-extension
peer 187.141.226.35
acl VPN_TRAFFIC
username **** password ******
xauth userid mode local
!
ip access-list extended VPN_TRAFFIC
permit ip 172.16.223.0 0.0.0.255 any

0 Helpful

eperezb
Level 1
Level 1
In response to Georg Pauwen

‎01-28-2020 12:18 PM

add the ACL as I request it but it remains the same without internet access

 

crypto ipsec client ezvpn crws-client
connect auto
group VPNBackup key *******
mode network-extension
peer 187.141.226.35
acl VPN_TRAFFIC
username ******* password ********
xauth userid mode local

 

VPN_ofchi# sh access-lists
Extended IP access list 101
10 permit ip any any (105559 matches)
Extended IP access list 102
10 permit ip any any (133441 matches)
Extended IP access list 103
10 permit ip 172.16.223.0 0.0.0.255 any
Extended IP access list VPN_TRAFFIC
10 permit ip 172.16.223.0 0.0.0.255 any
VPN_ofchi#

0 Helpful

Georg Pauwen
VIP
VIP
In response to eperezb

‎01-28-2020 01:08 PM

Hello,

 

is the ASA allowing traffic from 172.16.223.0/24 to be natted towards the Internet ?

 

Post the configuration of the ASA as well...

0 Helpful

eperezb
Level 1
Level 1
In response to Georg Pauwen

‎01-28-2020 01:20 PM

Yes 

MTYVPNASA# sh run | i 172.16.223.0
network-object 172.16.223.0 255.255.255.0
network-object 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_30 172.16.223.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip 172.16.44.0 255.255.252.0 172.16.223.0 255.255.255.0
access-list VPN_CHI extended permit ip any 172.16.223.0 255.255.255.0
access-list VPN_CHIHUAHUA extended permit ip any 172.16.223.0 255.255.255.0
route Outside 172.16.223.0 255.255.255.0 187.141.226.33 1
route Outside 172.16.223.0 255.255.255.0 187.141.226.35 1

 

 

Router 

 

VPN_ofchi#sh crypto ipsec sa

interface: Dialer0
Crypto map tag: Dialer0-head-0, local addr 189.237.131.214

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.223.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 187.141.226.35 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1702, #pkts encrypt: 1702, #pkts digest: 1702
#pkts decaps: 1143, #pkts decrypt: 1143, #pkts verify: 1143
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 189.237.131.214, remote crypto endpt.: 187.141.226.35
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0xF5EF2FA6(4126093222)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE33CFA5C(3812424284)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Dialer0-head-0
sa timing: remaining key lifetime (k/sec): (4390726/28564)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to eperezb

‎01-28-2020 02:28 PM

Hello,

 

you posted only access lists, post the entire running configuration so I can see the NAT statements...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card