09-15-2011 07:13 PM
Hello,
I configured ASA5520 and RV042 for site-to-site IPSec VPN tunnel.
Tunnel gets connected, but no ping, no traffic between both end networks.
Network:
=======
192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet
192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet
ASA5520 config:
----------------------
name 192.168.10.0 VPN
!
interface GigabitEthernet0/1
 nameif NET
 security-level 100
 ip address 192.168.113.6 255.255.255.0
!
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map com_map0 1 set phase1-mode aggressive
crypto map com_map0 interface com
crypto isakmp enable com
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
 peer-id-validate nocheck
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
!
RV042 config is very simple.
Any particular reason, or is some config missing?
09-17-2011 01:47 AM
What about between the server1 and server2 interfaces?
Can you make the correct config for the server1-and-net and server1-and-server2 cases?
I am a bit confused...
09-17-2011 06:20 PM
Between server1 and net, just add the access-list:
access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 192.168.130.0 255.255.255.0
Between server1 and server2, here is the config:
access-list nonat-server1 permit ip 192.168.130.0 255.255.255.0 192.168.131.0 255.255.255.0
nat (Servers) 0 access-list nonat-server1
Hope this helps.
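A small checker, added here as an example (not from the thread's author or from Cisco), for the classic "tunnel up but no traffic" cause discussed in this thread: a NAT-exemption ACL exists but is never bound to an interface with a nat (iface) 0 access-list statement, so traffic into the tunnel still gets translated. The config fragments are constructed from the ones posted above, in the 8.2-style ASA syntax this thread uses.

```python
import ipaddress

# Constructed fragments modelled on the configs posted in this thread.
OP_CONFIG = """
name 192.168.10.0 VPN
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
"""
ANSWER_CONFIG = """
access-list nonat-server1 permit ip 192.168.130.0 255.255.255.0 192.168.131.0 255.255.255.0
nat (Servers) 0 access-list nonat-server1
"""


def net(addr, mask, names):
    """Resolve an optional 'name' alias and build an IPv4 network from addr/mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}")


def parse(config):
    """Return (names, acls, nat0): name aliases, ACL entries, and iface -> nat-0 ACL."""
    names, acls, nat0 = {}, {}, {}
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                       # name <ip> <alias>
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and "permit" in tok and "ip" in tok:
            i = tok.index("ip")                    # ... permit ip SRC SMASK DST DMASK
            src, smask, dst, dmask = tok[i + 1:i + 5]
            acls.setdefault(tok[1], []).append(
                (net(src, smask, names), net(dst, dmask, names)))
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            nat0[tok[1].strip("()")] = tok[4]      # nat (IFACE) 0 access-list NAME
    return names, acls, nat0


def nat_exempt(config, iface, src_ip, dst_ip):
    """True iff a nat (iface) 0 ACL exempts src->dst from translation."""
    _, acls, nat0 = parse(config)
    acl = nat0.get(iface)
    if acl is None:                                # ACL may exist but is not bound
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acls.get(acl, []))


if __name__ == "__main__":
    print(nat_exempt(OP_CONFIG, "NET", "192.168.113.50", "192.168.10.20"))
```

Run against the posted ASA config, the checker reports that com_nat_outbound never takes effect until a nat (NET) 0 access-list com_nat_outbound line is added, mirroring the nat (Servers) 0 line in this answer.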
09-17-2011 06:52 PM
Thank you very much,
It means that for same-security-level interfaces, the NAT exemption config can be on either one of the interfaces.
Any suggestion on the performance of Linksys RV0xx VPN wired routers and the Cisco ASA5505? As I know, they have CPU limits on bandwidth or the number of VPN tunnels.
I am going to install 10-50 remote VPN routers connecting to the ASA5520, and remote bandwidth will be 128k-2Mbps. Currently the ASA is used for the organization's internal firewall/NAT security function. Will ASA performance be enough for the VPN + firewall/NAT multifunction?
Is there a recommended minimum bandwidth to run a remote-site VPN tunnel without performance or delay problems?
09-17-2011 07:29 PM
Absolutely correct, with same-security-level interfaces, NAT exemption can be configured on either interface.
10-50 VPN connections to the ASA 5520 would not be any problem, as it supports up to 750 IPSec VPN connections, and max throughput for 3DES/AES VPN is 225Mbps.
Here is a summary of ASA 5520 specification for your reference:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range
09-17-2011 07:35 PM
Thanks for your time.
09-18-2011 07:13 PM
What is the difference between IPSec only and L2TP/IPSec?
I understand Clientless SSL VPN means web-browser based?
09-23-2011 06:31 AM
Hi,
I changed the topology a little bit between the ASA5520 and RV042 of the site-to-site IPSec VPN tunnel.
Tunnel gets connected, but no ping, no traffic between both end networks.
On the RV042, only changed to Dynamic IP + FQDN.
On the ASA, added a connection profile with the same config as used for the static IP address.
Main site:
=======
192.168.113.0/24----------192.168.113.6 ---ASA--------public, static IP address------Cisco 2821--------Internet
Remote site:
==========
192.168.10.0/24-----------192.168.10.1----RV042-----10.0.1.x--Apple Airport Extreme router--------192.168.1.1--------Huawei HG-256-------172.31.x.x-------Huawei BRAS-------public, dynamic IP address-------Internet
Apple is doing NAT, Huawei is doing NAT...
Every access to the outside Internet always changes the public IP address.
Is it possible to get the VPN tunnel to work on this network topology?