Problem with VPN between 5510 and 881

santiagohoyos
Level 1

Hi, I set up a LAN-to-LAN VPN between a Cisco 5510 and an 881.

I set up both boxes using the wizard assistant, and I see the VPN up, but I can't make a ping between the LANs.

I tried different configurations and I always see the same thing.

I can access the ASA, but some other VPNs are working on it, and I don't know where the problem is; I need to be sure that my setup on my Cisco 881 is OK.

The diagram of my VPN is:

10.57.88.0/27 -- 10.57.88.1 : C881 : 181.81.57.47 --- Internet --- 90.11.11.202 : ASA5510 : 10.57.1.10 -- 10.57.0.0/18

The setup and some show outputs are:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 90.11.11.202
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to90.11.11.202
 set peer 90.11.11.202
 set transform-set ESP-3DES-SHA2
 match address 103
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$
 ip address 181.81.57.47 255.255.248.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.57.88.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 186.80.64.1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.57.88.0 0.0.0.31
access-list 23 permit 10.57.88.0 0.0.0.31
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 permit ip 10.57.88.0 0.0.0.31 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 186.80.56.0 0.0.7.255 10.57.0.0 0.0.63.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
banner exec ^C
^C.
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

******************************************************************************
******************************************************************************
MCQ#sh cry session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet4
Uptime: 02:19:33
Session status: UP-ACTIVE
Peer: 90.11.11.202 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 90.11.11.202
      Desc: (none)
  IKEv1 SA: local 181.81.57.47/500 remote 90.11.11.202/500 Active
          Capabilities:(none) connid:2001 lifetime:21:40:26
  IPSEC FLOW: permit ip 10.57.88.0/255.255.255.224 10.57.0.0/255.255.192.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2643 drop 0 life (KB/Sec) 4210590/2043
        Outbound: #pkts enc'ed 5410 drop 0 life (KB/Sec) 4210567/2043
******************************************************************************
******************************************************************************
MCQ#sh crypto ipsec sa detail
interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 181.81.57.47
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.57.88.0/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (10.57.0.0/255.255.192.0/0/0)
   current_peer 90.11.11.202 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5422, #pkts encrypt: 5422, #pkts digest: 5422
    #pkts decaps: 2643, #pkts decrypt: 2643, #pkts verify: 2643
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: 181.81.57.47, remote crypto endpt.: 90.11.11.202
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xA9082DFD(2835885565)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x9C615383(2623624067)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4210590/1988)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xA9082DFD(2835885565)
******************************************************************************
******************************************************************************
MCQ#sh crypto route
No VPN routes to display
******************************************************************************
******************************************************************************
MCQ#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
2001  181.81.57.47    90.11.11.202          ACTIVE 3des sha    psk  2  21:38:21
       Engine-id:Conn-id =  SW:1
IPv6 Crypto ISAKMP SA
******************************************************************************
******************************************************************************
MCQ#sh crypto ruleset detail
Mtree:
199 VRF 0  11 181.81.57.47/500 ANY Forward, Forward
299 VRF 0  11 181.81.57.47/4500 ANY Forward, Forward
200000199 VRF 0  11 ANY/848 ANY Forward, Forward
200000299 VRF 0  11 ANY ANY/848 Forward, Forward
100000000000101 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Encrypt
100000000000199 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Discard/notify
******************************************************************************
******************************************************************************
MCQ#sh crypto map interface FastEthernet4
Crypto Map IPv4 "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to90.11.11.202
        Peer = 90.11.11.202
        Extended IP access list 103
            access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
        Current peer: 90.11.11.202
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA2:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map SDM_CMAP_1:
                FastEthernet4


Michael Muenz
Level 5

Can you check for a NAT exemption on the ASA? Using ASDM, you should see some logs when you ping from the 881 LAN to the ASA LAN.

Michael

Please rate all helpful posts

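As an added example (not code from the thread or from Cisco), this is the IOS-side counterpart of the NAT-exemption check asked about for the ASA: it parses the 881's wildcard ACLs posted above, confirms that the crypto map's interesting traffic (ACL 103) hits a deny in the NAT route-map ACL (101) before it can be PATed to the WAN address, and compares the crypto ACL with the proxy identities reported by `sh crypto ipsec sa`. The ACL text is a constructed excerpt of the posted config; the function names are assumptions for this example.

```python
import ipaddress

# Constructed excerpt of the 881 config above: 101 feeds route-map SDM_RMAP_1
# (the NAT overload), 103 is the crypto map's "match address".
IOS_ACLS = """\
access-list 101 deny   ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 permit ip 10.57.88.0 0.0.0.31 any
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
"""

def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bit = must match) -> network; assumes a contiguous mask."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = bin(~wc & 0xFFFFFFFF).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_ios_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # skip blanks, remarks and anything that is not an ACL entry
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def nat_exempt_problems(acls, crypto_acl, nat_acl):
    """Crypto-interesting traffic must be denied (first match wins) by the NAT ACL;
    a permit there means it is translated and never matches the crypto ACL."""
    problems = []
    for action, src, dst in acls[crypto_acl]:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in acls[nat_acl]:
            if src.subnet_of(n_src) and dst.subnet_of(n_dst):
                if n_action == "permit":
                    problems.append(f"{src} -> {dst} is translated by ACL {nat_acl}")
                break  # no match at all is the implicit deny, i.e. not translated
    return problems

def proxy_ids_match(acls, crypto_acl, local_ident, remote_ident):
    """Compare the local/remote ident from 'sh crypto ipsec sa' with the crypto ACL."""
    have = (ipaddress.ip_network(local_ident), ipaddress.ip_network(remote_ident))
    return have in {(s, d) for a, s, d in acls[crypto_acl] if a == "permit"}
```

With the posted config the NAT check returns no problems and the proxy identities match, which is consistent with the non-zero encaps/decaps counters above and points at the far side (routing or NAT exemption on the ASA) rather than at the 881.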

Hi, I found the problem. I checked a setup in the ASA and found that the default gateway in the ASA is a different one than the gateway of the peer.

I created a route that sends all traffic for 10.57.88.0/27 to the gateway of the ASA peer, and it works.

Thanks for your help.
