4449 Views | 0 Helpful | 21 Replies

ASA5520 and RV042

balgaa2008 (Level 1)

Hello,

I configured an ASA5520 and an RV042 for a site-to-site IPSec VPN tunnel.

The tunnel gets connected, but there is no ping and no traffic between the networks at both ends.

Network:

=======

192.168.113.0/24----------192.168.113.6 -ASA--------public, static IP address------Cisco 2821--------Internet

192.168.10.0/24-----------192.168.10.1 -RV042-----public, static IP address------Cisco 2821--------Internet

ASA5520 config:

----------------------

name 192.168.10.0 VPN
!
interface GigabitEthernet0/1
 nameif NET
 security-level 100
 ip address 192.168.113.6 255.255.255.0
!
access-list com_cryptomap extended permit ip VPN 255.255.255.0 192.168.113.0 255.255.255.0
access-list com_nat_outbound extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
crypto map com_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map com_map0 1 set phase1-mode aggressive
crypto map com_map0 interface com
crypto isakmp enable com
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
 peer-id-validate nocheck
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
!

The RV042 config is very simple.

Is there any particular reason for this, or is some config missing?

21 Replies

What about between the server1 and server2 interfaces?

Can you make the correct config for the server1-to-NET and server1-to-server2 cases?

I am a bit confused...

Between server1 and net, just add the access-list:

access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 192.168.130.0 255.255.255.0

Between server1 and server2, here is the config:

access-list nonat-server1 permit ip 192.168.130.0 255.255.255.0 192.168.131.0 255.255.255.0

nat (Servers) 0 access-list nonat-server1

Hope this helps.
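The replies above come down to one rule: every network pair listed in the crypto map's match ACL must also be covered by a `nat (ifc) 0 access-list` exemption, otherwise the ASA translates the traffic before it reaches the tunnel. The script below is an added example (not part of this thread and not Cisco code) that reads a pre-8.3-style ASA config and reports crypto ACL entries that have no matching NAT exemption. It assumes the legacy `nat (ifc) 0 access-list NAME` syntax used in the replies, resolves `name` aliases such as `VPN`, and only understands `permit ip NET MASK NET MASK` entries; the two config fragments are constructed for the demo, with both the crypto ACL and the exemption ACL written local-to-remote as the ASA expects.

```python
"""Find crypto-map interesting traffic that lacks a NAT exemption (added example)."""
import re
from ipaddress import IPv4Network

# Legacy (pre-8.3) ASA syntax, as used in the thread above.
NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)", re.M)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)",
    re.M,
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)", re.M)
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)", re.M)

# Constructed sample: crypto ACL, exemption ACL and nat 0 line all present.
GOOD_CONFIG = """\
name 192.168.10.0 VPN
access-list com_cryptomap extended permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
access-list nonat-NET permit ip 192.168.113.0 255.255.255.0 VPN 255.255.255.0
crypto map com_map0 1 match address com_cryptomap
crypto map com_map0 1 set peer x.x.x.x
nat (NET) 0 access-list nonat-NET
"""

# Constructed sample: same config with the nat 0 exemption left out.
BROKEN_CONFIG = "\n".join(
    line for line in GOOD_CONFIG.splitlines() if not line.startswith("nat (")
)


def _net(addr, mask, names):
    """Resolve a 'name' alias if present and build an IPv4Network from address + netmask."""
    return IPv4Network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_acls(config):
    """Map ACL name -> list of (source network, destination network) for permit ip entries.

    Entries using 'any' or 'host' are not parsed by this example and are skipped.
    """
    names = {alias: ip for ip, alias in NAME_RE.findall(config)}
    acls = {}
    for acl, src, smask, dst, dmask in ACL_RE.findall(config):
        acls.setdefault(acl, []).append((_net(src, smask, names), _net(dst, dmask, names)))
    return acls


def check_nat_exemption(config):
    """Return a list of findings; an empty list means every crypto ACL entry is NAT-exempt."""
    acls = parse_acls(config)

    # Collect every (src, dst) pair that a 'nat (ifc) 0 access-list' line exempts.
    exempt = set()
    for acl in NAT0_RE.findall(config):
        exempt.update(acls.get(acl, []))

    findings = []
    for acl in MATCH_RE.findall(config):
        if acl not in acls:
            findings.append(f"crypto map references missing or unparsed ACL {acl}")
            continue
        for src, dst in acls[acl]:
            # The exemption may be broader than the crypto entry, so test subnet containment.
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                findings.append(f"{acl}: {src} -> {dst} has no nat 0 exemption")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_nat_exemption(cfg) or "OK")
```

Run it against a saved `show running-config` and each reported line is a crypto ACL entry whose traffic will be NATed instead of encrypted; the fix is the `access-list nonat-... permit ip LOCAL MASK REMOTE MASK` plus `nat (ifc) 0 access-list nonat-...` pair shown in the reply above.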

Thank you very much,

It means that, for interfaces with the same security level, the NAT exemption config can be on either interface.

Any suggestion on the performance of Linksys RV0xx VPN wired routers and the Cisco ASA5505? As far as I know, they have CPU limits on bandwidth or on the number of VPN tunnels.

I am going to install 10-50 remote VPN routers connecting to the ASA5520, and the remote bandwidth will be 128k-2Mbps. Currently the ASA is used for the organization's internal firewall/NAT security function. Will the ASA performance be enough for the VPN + firewall/NAT multifunction?

Is there a recommended minimum bandwidth to run a remote-site VPN tunnel without performance issues or delay?

Absolutely correct, with same security level interface, NAT exemption can be configured on either interface.

10-50 VPN connections to the ASA 5520 would not be any problem, as it supports up to 750 IPSec VPN connections, and the max throughput for 3DES/AES VPN is 225Mbps.

Here is a summary of ASA 5520 specification for your reference:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Thanks for your time.

What is the difference between IPSec only and L2TP/IPSec?

Do I understand correctly that Clientless SSL VPN means web browser based?

Hi,

I changed the topology a little bit between the ASA5520 and RV042 of the site-to-site IPSec VPN tunnel.

The tunnel gets connected, but there is no ping and no traffic between the networks at both ends.

On the RV042, I only changed to Dynamic IP + FQDN.

On the ASA, I added a connection profile with the same config as used for the static IP address.

Main site:

=======

192.168.113.0/24----------192.168.113.6 ---ASA--------public, static IP address------Cisco 2821--------Internet

Remote site:

==========

192.168.10.0/24-----------192.168.10.1----RV042-----10.0.1.x--Apple Airport Extreme router--------192.168.1.1--------Huawei HG-256-------172.31.x.x-------Huawei BRAS-------public, dynamic IP address-------Internet

The Apple is doing NAT, the Huawei is doing NAT...

Every access to the outside Internet always changes the public IP address.

Is it possible to get the VPN tunnel working on this network topology?