10-09-2009 12:05 PM
I have a setup where a customer will be sending calls from a UCM, sourced from a private address, through a VPN tunnel terminating at a 2811. The call needs to hit an SBC that is publicly addressed and sits right behind the router on FE0/1. (See attached picture)
The traffic going through the ASA is being exempted from NAT.
Since this is all public on my end and my default route points to my ISP's router, I would assume that I do not need anything other than a default route. (I'm not running any routing protocols - just a static route outbound)
The tunnel does not come up. In fact, I never see any traffic hit my side at all. Does anyone have any experience doing a private-to-public VPN, or know of a config example anywhere?
Here's my end of the config:
! Phase 1 (ISAKMP) policy and pre-shared key for the customer peer
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXXX address (public address #1) no-xauth
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set XXXSET esp-3des esp-md5-hmac
!
! Crypto map: peer, PFS, transform set, and interesting-traffic ACL 170
crypto map XXXMAP 4 ipsec-isakmp
 set peer (public address #1)
 set security-association idle-time 3600
 set transform-set XXXSET
 set pfs group2
 match address 170
!
! Interesting traffic: the public SBC address to the customer's private UCM host
access-list 170 permit ip host (public address #3) host 10.0.0.5
!
! Outside interface with the crypto map applied
interface FastEthernet0/0
 ip address (public address #2) 255.255.255.252
 load-interval 30
 speed 100
 full-duplex
 no cdp enable
 crypto map XXXMAP
 service-policy output AutoQoS-Policy-UnTrust
Thank you,
paul
10-09-2009 12:22 PM
Your configuration looks fine.
Does Phase 1 come up when you try to pass traffic through? "show cry isa sa"
If P1 comes up, does P2 come up? "show crypto ipsec sa | i ident|spi|encr|decr"
If neither is coming up, run a debug:
debug cry isa
debug cry ips
See if the tunnel is being initiated when traffic is sent. As long as you have a default route pointing outbound, and have no other routes, you should be fine. Looks like everything else will be a connected network.
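As an added illustration of the check sequence in the reply above (not part of the original thread), the script below parses the output of the two show commands mentioned, "show crypto isakmp sa" and "show crypto ipsec sa | i ident|spi|encr|decr", and classifies where a site-to-site tunnel is stuck: Phase 1 never reaching QM_IDLE, Phase 1 up but no IPsec SA, or an IPsec SA that encrypts but never decrypts (one-way traffic, typically routing, ACL mirroring or NAT exemption on the far side). The sample outputs are constructed to resemble IOS output and use documentation addresses; they are not captures from the poster's router.

```python
"""
Added example, not from the thread: classify an IOS site-to-site IPsec
tunnel from the two show commands the reply suggests. All sample output
below is constructed (documentation addresses, made-up counters).
"""
import re

# Constructed sample: Phase 1 stuck in main mode (never reaches QM_IDLE).
ISAKMP_SA_FAILING = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.2    MM_NO_STATE       1001 ACTIVE (deleted)
"""

# Constructed sample: Phase 1 established with the peer.
ISAKMP_SA_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.2    QM_IDLE           1002 ACTIVE
"""

# Constructed sample of 'show crypto ipsec sa | i ident|spi|encr|decr'
# where the router encrypts but never decrypts: Phase 2 is up, traffic is one-way.
IPSEC_SA_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (198.51.100.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.5/255.255.255.255/0/0)
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x1A2B3C4D(439041101)
        spi: 0x5E6F7A8B(1584691851)
        spi: 0x1A2B3C4D(439041101)
"""

ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$"
)
IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI = re.compile(r"spi: (0x[0-9A-Fa-f]+)")


def parse_isakmp_sa(text):
    """Return one dict per SA row of 'show crypto isakmp sa' (header lines skipped)."""
    rows = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def phase1_up(text, peer):
    """Phase 1 is usable only once an ACTIVE SA with this peer reaches QM_IDLE."""
    return any(
        peer in (r["dst"], r["src"])
        and r["state"] == "QM_IDLE"
        and r["status"].startswith("ACTIVE")
        and "deleted" not in r["status"]
        for r in parse_isakmp_sa(text)
    )


def parse_ipsec_sa(text):
    """Pull proxy identities, SPIs and encaps/decaps counters from the filtered output."""
    info = {"local": None, "remote": None, "encaps": 0, "decaps": 0, "spis": []}
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            info[m.group(1)] = m.group(2)
        for name, value in COUNTER.findall(line):
            info[name] += int(value)
        m = SPI.search(line)
        if m:
            info["spis"].append(m.group(1))
    return info


def diagnose(isakmp_text, ipsec_text, peer):
    """Walk the checks in the same order as the reply: Phase 1, then Phase 2, then counters."""
    if not phase1_up(isakmp_text, peer):
        return "phase1-down"        # ISAKMP policy mismatch, wrong PSK, or peer unreachable
    sa = parse_ipsec_sa(ipsec_text)
    if not sa["spis"]:
        return "phase2-down"        # Phase 1 fine; check transform set, PFS and mirrored crypto ACLs
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "phase2-up-one-way"  # we encrypt, nothing comes back: far-end routing/ACL/NAT exemption
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "phase2-up-idle"     # SA exists but no traffic has matched the crypto ACL yet
    return "ok"


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA_FAILING, IPSEC_SA_ONE_WAY, "203.0.113.1"))
    print(diagnose(ISAKMP_SA_UP, IPSEC_SA_ONE_WAY, "203.0.113.1"))
```

Paste the real show output into the two strings (or read it from a file) and pass the peer's public address; the result string says which of the reply's three checks to focus on. The "deleted" status check matters because an SA that is being torn down still shows up in the table briefly.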
10-09-2009 12:53 PM
Auraza-
Thank you for the reply. Phase I never completes, so I am checking with the guys on the other end as to what the discrepancies between our configs may be. I'll post back when I have more info.
Paul
10-09-2009 01:46 PM
Problem solved. It was a Phase I issue on the ASA side.
Thanks again,
Paul
10-09-2009 01:53 PM
Great! Glad to know it's working!
Thanks for the rating!