12-11-2013 08:08 PM
Hi, I set up a LAN-to-LAN VPN between a Cisco 5510 and an 881.
I set up both boxes using the wizard assistant and I see the VPN up, but I can't ping between the LANs.
I tried using different configurations and I always see the same.
I can access the ASA, but other VPNs are working on it and I don't know where the problem is, and I need to be sure that my setup on my Cisco 881 is OK.
The diagram of my VPN is:
10.57.88.1 : C881 : 181.81.57.47 --- Internet --- 90.11.11.202 : ASA5510 : 10.57.1.10
10.57.88.0/27                                                           10.57.0.0/18
The setup and some show outputs are:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 1234567890 address 90.11.11.202
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to90.11.11.202
set peer 90.11.11.202
set transform-set ESP-3DES-SHA2
match address 103
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ETH-WAN$
ip address 181.81.57.47 255.255.248.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH_LAN$
ip address 10.57.88.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 186.80.64.1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.57.88.0 0.0.0.31
access-list 23 permit 10.57.88.0 0.0.0.31
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 permit ip 10.57.88.0 0.0.0.31 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 186.80.56.0 0.0.7.255 10.57.0.0 0.0.63.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
banner exec ^C
^C.
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end
******************************************************************************
******************************************************************************
MCQ#sh cry session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet4
Uptime: 02:19:33
Session status: UP-ACTIVE
Peer: 90.11.11.202 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 90.11.11.202
Desc: (none)
IKEv1 SA: local 181.81.57.47/500 remote 90.11.11.202/500 Active
Capabilities:(none) connid:2001 lifetime:21:40:26
IPSEC FLOW: permit ip 10.57.88.0/255.255.255.224 10.57.0.0/255.255.192.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 2643 drop 0 life (KB/Sec) 4210590/2043
Outbound: #pkts enc'ed 5410 drop 0 life (KB/Sec) 4210567/2043
******************************************************************************
******************************************************************************
MCQ#sh crypto ipsec sa detail
interface: FastEthernet4
Crypto map tag: SDM_CMAP_1, local addr 181.81.57.47
protected vrf: (none)
local ident (addr/mask/prot/port): (10.57.88.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.57.0.0/255.255.192.0/0/0)
current_peer 90.11.11.202 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5422, #pkts encrypt: 5422, #pkts digest: 5422
#pkts decaps: 2643, #pkts decrypt: 2643, #pkts verify: 2643
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 181.81.57.47, remote crypto endpt.: 90.11.11.202
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xA9082DFD(2835885565)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x9C615383(2623624067)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4210590/1988)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA9082DFD(2835885565)
******************************************************************************
******************************************************************************
MCQ#sh crypto route
No VPN routes to display
******************************************************************************
******************************************************************************
MCQ#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
2001 181.81.57.47 90.11.11.202 ACTIVE 3des sha psk 2 21:38:21
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
******************************************************************************
******************************************************************************
MCQ#sh crypto ruleset detail
Mtree:
199 VRF 0 11 181.81.57.47/500 ANY Forward, Forward
299 VRF 0 11 181.81.57.47/4500 ANY Forward, Forward
200000199 VRF 0 11 ANY/848 ANY Forward, Forward
200000299 VRF 0 11 ANY ANY/848 Forward, Forward
100000000000101 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Encrypt
100000000000199 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Discard/notify
******************************************************************************
******************************************************************************
MCQ#sh crypto map interface FastEthernet4
Crypto Map IPv4 "SDM_CMAP_1" 1 ipsec-isakmp
Description: Tunnel to90.11.11.202
Peer = 90.11.11.202
Extended IP access list 103
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
Current peer: 90.11.11.202
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
ESP-3DES-SHA2: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map SDM_CMAP_1:
FastEthernet4
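The show output above says the tunnel is UP-ACTIVE with packets both encrypted and decrypted, so the interesting question is whether the 881's config is consistent with itself (the poster's own worry) and whether the same conditions hold on the ASA. The script below is an added example, not code from the post or from Cisco: it parses an IOS running-config excerpt and checks the things that most often leave a LAN-to-LAN tunnel up but ping-less, namely that the crypto map is bound to an interface, that an ISAKMP key exists for the crypto-map peer, that every crypto-ACL flow is exempted from NAT (a deny in the NAT route-map ACL that fully covers the flow before the overload permit), and that a route exists toward the remote LAN. The embedded config is a constructed excerpt of the 881 config from the post, re-indented the way IOS prints it (the forum copy lost the leading spaces); the function and variable names are this example's own.

```python
"""Static sanity checks for an IOS site-to-site IPsec config (added example)."""
import ipaddress
import re

# Constructed excerpt of the 881 config from the post, re-indented like IOS output.
CONFIG_881 = """\
crypto isakmp key 1234567890 address 90.11.11.202
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 90.11.11.202
 set transform-set ESP-3DES-SHA2
 match address 103
!
interface FastEthernet4
 ip address 181.81.57.47 255.255.248.0
 ip nat outside
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 10.57.88.1 255.255.255.224
 ip nat inside
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 186.80.64.1
access-list 101 deny ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 permit ip 10.57.88.0 0.0.0.31 any
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""


def parse_config(text):
    """Split a config into top-level lines and {block header: [sub-commands]}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
            continue
        top.append(line)
        current = line if re.match(r"^(interface|crypto map|route-map) ", line) else None
        if current:
            blocks[current] = []
    return top, blocks


def acl_network(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) -> (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    mask = ".".join(str(255 - int(o)) for o in tokens[1].split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def acl_entries(top, number):
    """Return [(action, src_net, dst_net)] for extended ACL `number`, in config order."""
    entries = []
    for line in top:
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, rest = acl_network(t[4:])
        dst, _ = acl_network(rest)
        entries.append((t[2], src, dst))
    return entries


def nat_acl(top, blocks):
    """ACL number that drives 'ip nat inside source' (directly or via route-map), or None."""
    for line in top:
        m = re.match(r"ip nat inside source (route-map|list) (\S+)", line)
        if not m:
            continue
        if m.group(1) == "list":
            return m.group(2)
        for header, body in blocks.items():
            if header.startswith(f"route-map {m.group(2)} "):
                for sub in body:
                    if sub.startswith("match ip address "):
                        return sub.split()[-1]
    return None


def route_for(top, net):
    """Longest static route ('ip route PFX MASK NH') covering `net`, or None."""
    best = None
    for line in top:
        t = line.split()
        if t[:2] != ["ip", "route"]:
            continue
        prefix = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        if net.subnet_of(prefix) and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return best


def check_config(text):
    """Return a list of finding strings; an empty list means every check passed."""
    top, blocks = parse_config(text)
    findings = []
    nat = nat_acl(top, blocks)
    nat_rules = acl_entries(top, nat) if nat else []
    for header, body in blocks.items():
        if not header.startswith("crypto map "):
            continue
        name = header.split()[2]
        peer = next((s.split()[-1] for s in body if s.startswith("set peer ")), None)
        acl = next((s.split()[-1] for s in body if s.startswith("match address ")), None)
        if not any(f"crypto map {name}" in b for h, b in blocks.items() if h.startswith("interface ")):
            findings.append(f"{name}: not applied to any interface")
        if peer and not any(re.match(rf"crypto isakmp key \S+ address {re.escape(peer)}$", l) for l in top):
            findings.append(f"{name}: no ISAKMP pre-shared key for peer {peer}")
        flows = acl_entries(top, acl) if acl else []
        for action, src, dst in flows:
            if action != "permit":
                continue
            # First NAT ACL entry touching the flow decides: permit means it gets translated.
            for n_action, n_src, n_dst in nat_rules:
                if src.overlaps(n_src) and dst.overlaps(n_dst):
                    if n_action == "permit":
                        findings.append(f"{name}: flow {src}->{dst} is NATed by ACL {nat} before encryption")
                    elif not (src.subnet_of(n_src) and dst.subnet_of(n_dst)):
                        findings.append(f"{name}: NAT exemption only partially covers {src}->{dst}")
                    break
            if route_for(top, dst) is None:
                findings.append(f"{name}: no route toward remote LAN {dst}")
    return findings


if __name__ == "__main__":
    print(check_config(CONFIG_881) or "881 config: all checks passed")
```

Run against the 881 excerpt the checks pass, which matches the posted counters: the NAT-exempt deny in ACL 101 mirrors the crypto ACL 103, the map is on FastEthernet4, and the default route covers 10.57.0.0/18. Deleting the ACL 101 deny line makes the script report the flow as NATed before encryption, the classic "tunnel up, no ping" symptom. The script only sees one side; the peer needs the equivalent conditions (NAT exemption for 10.57.0.0/18 to 10.57.88.0/27 and a route for 10.57.88.0/27 pointing at the interface that carries the tunnel), which is exactly where this thread's fix landed. It also does not verify that a static route's next hop lies in a connected subnet; as posted, 186.80.64.1 is not inside FastEthernet4's 181.81.57.47/21, which may simply be address masking in the post.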
12-13-2013 01:43 AM
Can you check for a NAT exemption on the ASA? Using ASDM you should see some logs when you ping from the 881 LAN to the ASA LAN.
Michael
Please rate all helpful posts
12-13-2013 06:37 AM
Hi, I found the problem. I checked a setting in the ASA and found that the default gateway on the ASA is a different one than the gateway of the peer.
I created a route that sends all traffic for 10.57.88.0/27 to the gateway of the ASA peer, and it works.
Thanks for your help.