ASA 5510 - 3G Router IPSEC VPN

Hello

I am trying to establish an IPSEC VPN between an ASA 5510 and a 3G router.

The ASA 5510 is ASA 7.0.8 and ASDM 5.2.

I tried to configure a site-to-site VPN using the VPN Wizard, but it does not work.

Can someone please explain the steps?

Regards

Prashant


I am using the 3G router with a SIM, so I have a dynamic public IP address. Is it possible to enter a DDNS name in the VPN wizard as the peer IP address?

Hi Prashant,


Yes that is possible.

Please confirm the hardware model of the 3G router in your setup.

Also, find below the guide to setting up a VPN using DDNS (Dynamic DNS):

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrlres.html#wp1048493

Get back to us if you have any questions.

Cheers,


Avinash.

Hello Avinash

Thank you for your reply. I will go through the link you have given for the DDNS settings.

In the meantime I used the dynamic IP as the peer IP address to test the connectivity. So I used dynamic public IP addresses on both sides, ASA (3G SIM) and 3G router (DSL modem). The 3G router that I have is from China.

Below is the response on configuring VPN through ASDM:

[OK] access-list inside_nat0_outbound line 1 extended permit ip 192.168.12.0 255.255.255.0  host 192.168.10.3

[OK] nat (inside) 0 access-list inside_nat0_outbound

[OK] isakmp enable outside

[WARNING] tunnel-group span type ipsec-l2l

L2L tunnel-groups that have names which are not an IP

address may only be used if the tunnel authentication

method is Digitial Certificates and/or The peer is

configured to use Aggressive Mode

[OK] tunnel-group span ipsec-attributes

      tunnel-group span ipsec-attributes

[OK] pre-shared-key span

[OK] isakmp keepalive threshold 10 retry 2

[OK] isakmp policy 10 authen pre-share

[OK] isakmp policy 10 encrypt 3des

[OK] isakmp policy 10 hash md5

[OK] isakmp policy 10 group 2

[OK] isakmp policy 10 lifetime 86400

[OK] access-list outside_cryptomap_20 extended permit ip 192.168.12.0 255.255.255.0  host 192.168.10.3

[OK] crypto map outside_map 20 set connection-type bidirectional

[OK] crypto map outside_map 20 set peer 59.179.135.201

[OK] crypto map outside_map 20 match address outside_cryptomap_20

[OK] crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

[OK] crypto map outside_map 20 set transform-set ESP-3DES-MD5

[OK] crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000

[OK] no crypto map outside_map 20 set nat-t-disable

[OK] no crypto map outside_map 20 set reverse-route

[OK] crypto map outside_map 20 set phase1-mode main

[OK] crypto map outside_map 20 set inheritance rule

[OK] crypto map outside_map interface outside

Regards

Prashant
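
The [WARNING] in the ASDM output above can be checked mechanically. The following is an added example, not part of the original post or of any Cisco tool: a small Python check that reads ASA command lines, flags an L2L tunnel-group whose name is not an IP address while main mode and a pre-shared key are configured, and flags the legacy IKE algorithms in the policy. The function names, finding labels and the trimmed sample are assumptions made for illustration; the sample reuses the commands from the post with the pre-shared key replaced by a placeholder.

```python
import ipaddress
import re

# Constructed sample: commands taken from the ASDM output in the post above,
# trimmed to the lines the checks read; the key value is a placeholder.
SAMPLE = """\
tunnel-group span type ipsec-l2l
tunnel-group span ipsec-attributes
pre-shared-key <placeholder>
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto map outside_map 20 set peer 59.179.135.201
crypto map outside_map 20 set phase1-mode main
"""

# Algorithms treated as legacy by this example (assumption: DES/3DES, MD5, DH groups 1 and 2).
LEGACY = {"encrypt": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def is_ip(name):
    """True if the tunnel-group name parses as an IP address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def audit(config):
    """Return a list of (finding, value) tuples for the given ASA command lines."""
    findings = []
    l2l = re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M)
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M))
    main_mode = bool(re.search(r"^crypto map \S+ \d+ set phase1-mode main$", config, re.M))
    psk = bool(re.search(r"^isakmp policy \d+ authen pre-share$", config, re.M))
    for name in l2l:
        if not is_ip(name) and main_mode and psk:
            # The condition the ASDM warning describes: named group + PSK + main mode.
            findings.append(("tunnel-group-name", name))
        elif is_ip(name) and name not in peers:
            findings.append(("tunnel-group-no-peer", name))
    for _pol, key, val in re.findall(r"^isakmp policy (\d+) (encrypt|hash|group) (\S+)$", config, re.M):
        if val in LEGACY[key]:
            findings.append(("legacy-" + key, val))
    return findings

if __name__ == "__main__":
    for kind, value in audit(SAMPLE):
        print(kind, value)
```
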

Hey Avinash,

First off, I don't want to be rude or seem like I have taken over the thread.

But I have a similar question, so I thought something better might come out of this.

I really need help. I've got an ASA-5510, and many of my outlets are on 3G connections; they're all on dynamic IPs.

I'm trying to configure my ASA to accept IPSEC VPN connections from any dynamic peer. Is this possible? The 3G site would be the initiator.

I already have a configuration running on the ASA, but that requires user authentication + Group ID, which works on the TheGreenBow VPN Client, but then I cannot ping any other client computer other than the PC which is running the VPN Client, cuz all the other client PCs have the 3G modem as the default gateway.

I would like to use a Netgear or any other hardware VPN router, so I can set that as my default gateway and initiate the connection from there. But the Netgear does not have any configuration where I can set the Group ID thing.

Can you help? Is it possible to set up a VPN on the ASA which can accept connections from any dynamic peer and would require only a pre-shared key for authentication?

Any help would be highly appreciated.

Thanks,

Aj.

Hi,

> I'm trying to configure my ASA to accept IPSEC vpn connections from any dynamic peer, is this possible ?

Remote access VPN is the solution for you. Please refer to the link below:

I'm trying to configure my ASA to accept IPSEC vpn connections from any  dynamic peer, is this possible ?

> Is it possible to set a VPN on ASA which can accept connections from any Dynamic peer and would require only a Pre-Share key for authentication ?

Yes, even this is possible in remote access IPSec VPN. You will need to add the command isakmp ikev1-user-auth none.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i3.html#wp1842328

This needs to be under the tunnel-group you configure for remote access VPN.

Let me know if this helps!!

Cheers,

Prapanch