11-16-2010 03:10 AM - edited 02-21-2020 04:58 PM
Hello
I am trying to establish an IPSEC VPN between ASA 5510 and 3G Router.
The ASA 5510 is ASA 7.0.8 and ASDM 5.2.
I tried to configure a site-to-site VPN using the VPN Wizard, but it does not work.
Can someone please explain the steps?
Regards
Prashant
11-16-2010 09:01 AM
I am using the 3G Router with SIM, so I have a dynamic public IP address. Is it possible to enter a DDNS in the VPN wizard as peer IP address?
11-17-2010 12:47 AM
Hi Prashant,
Yes that is possible.
Please confirm the hardware model of the 3G router in our set up.
Also, find below the guide to setting up a VPN using DDNS (Dynamic DNS),
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrlres.html#wp1048493
Get back to us if you have any questions.
Cheers,
Avinash.
11-17-2010 03:39 AM
Hello Avinash
Thank you for your reply. I will go through the link you have given for the DDNS settings.
In between I had used the dynamic IP in the peer IP address to test the connectivity. So I used dynamic public IP address at both sides ASA(3G SIM) and 3G router(DSL modem). The 3G router that I have is from China.
Below is the response on configuring VPN through ASDM:
[OK] access-list inside_nat0_outbound line 1 extended permit ip 192.168.12.0 255.255.255.0 host 192.168.10.3
[OK] nat (inside) 0 access-list inside_nat0_outbound
[OK] isakmp enable outside
[WARNING] tunnel-group span type ipsec-l2l
L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode
[OK] tunnel-group span ipsec-attributes
tunnel-group span ipsec-attributes
[OK] pre-shared-key span
[OK] isakmp keepalive threshold 10 retry 2
[OK] isakmp policy 10 authen pre-share
[OK] isakmp policy 10 encrypt 3des
[OK] isakmp policy 10 hash md5
[OK] isakmp policy 10 group 2
[OK] isakmp policy 10 lifetime 86400
[OK] access-list outside_cryptomap_20 extended permit ip 192.168.12.0 255.255.255.0 host 192.168.10.3
[OK] crypto map outside_map 20 set connection-type bidirectional
[OK] crypto map outside_map 20 set peer 59.179.135.201
[OK] crypto map outside_map 20 match address outside_cryptomap_20
[OK] crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
[OK] crypto map outside_map 20 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] no crypto map outside_map 20 set nat-t-disable
[OK] no crypto map outside_map 20 set reverse-route
[OK] crypto map outside_map 20 set phase1-mode main
[OK] crypto map outside_map 20 set inheritance rule
[OK] crypto map outside_map interface outside
Regards
Prashant
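The ASDM warning in the post above can be turned into a check on the configuration itself. The following is an added example, not part of the original post and not Cisco tooling; the `audit` function and its finding texts are hypothetical, and the legacy-algorithm rule is a reviewer's judgement that ASDM did not raise.

```python
import ipaddress
import re

# Lines copied from the ASDM output in the post above ([OK]/[WARNING] prefixes dropped).
ASDM_CONFIG = """\
tunnel-group span type ipsec-l2l
tunnel-group span ipsec-attributes
pre-shared-key span
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto map outside_map 20 set peer 59.179.135.201
crypto map outside_map 20 set phase1-mode main
"""

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def audit(config):
    """Hypothetical lint: return findings for an ASA L2L configuration."""
    findings = []
    groups = re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M)
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M))
    psk = bool(re.search(r"^isakmp policy \d+ authen pre-share$", config, re.M))
    main = bool(re.search(r"^crypto map \S+ \d+ set phase1-mode main$", config, re.M))
    for name in groups:
        # Rule stated by the ASDM warning: a non-IP L2L group name needs
        # certificates or aggressive mode; this setup is pre-share + main mode.
        if not is_ip(name) and psk and main:
            findings.append(f"tunnel-group '{name}' is not an IP address but "
                            "authentication is pre-share in main mode")
    for peer in sorted(peers - set(groups)):
        findings.append(f"peer {peer} has no tunnel-group of the same name")
    # Legacy algorithms (reviewer's judgement, not raised by ASDM).
    for kind, value in re.findall(r"^isakmp policy \d+ (encrypt|hash|group) (\S+)$",
                                  config, re.M):
        if (kind, value) in {("encrypt", "3des"), ("hash", "md5"), ("group", "2")}:
            findings.append(f"legacy IKE setting: {kind} {value}")
    return findings

if __name__ == "__main__":
    for finding in audit(ASDM_CONFIG):
        print("-", finding)
```

Renaming the tunnel-group to the peer address clears the first two findings; the algorithm findings remain until the IKE policy is changed on both ends.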
12-14-2010 08:30 AM
Hey Avinash,
First off, I don't want to be rude and seem to have taken over the thread.
But I have a similar question so I thought something better might come out of this.
I really need help. I've got an ASA-5510, and many of my outlets are on 3G connection, they're all on dynamic IPs.
I'm trying to configure my ASA to accept IPSEC VPN connections from any dynamic peer, is this possible? The 3G site would be the initiator.
I already have a configuration running on the ASA, but that requires a user authentication + Group ID, which works on the TheGreenBow VPN Client, but then I cannot ping any client computer other than the PC which is running the VPN Client, because all the other client PCs have the 3G modem as the default gateway.
I would like to use a Netgear or any other hardware VPN router, so I can set that as my default gateway and initiate the connection from there. But the Netgear does not have any configuration where I can set the Group ID thing.
Can you help? Is it possible to set a VPN on ASA which can accept connections from any dynamic peer and would require only a pre-shared key for authentication?
Any help would be highly appreciated.
Thanks,
Aj.
12-15-2010 05:37 PM
Hi,
> I'm trying to configure my ASA to accept IPSEC vpn connections from any dynamic peer, is this possible ?
Remote access VPN is the solution for you. Please refer to the link below:
> Is it possible to set a VPN on ASA which can accept connections from any Dynamic peer and would require only a Pre-Share key for authentication ?
Yes, even this is possible in remote access IPSec VPN. You will need to add the command isakmp ikev1-user-auth none.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1842328
This needs to be under the tunnel-group you configure for remote access VPN.
Let me know if this helps!!
Cheers,
Prapanch