I can ssh to the firewall. It is the VPN connection which is giving me headache.

Thanks, Lars.

check following debugs on ASA to see if the router is even passing the isakmp traffic to ASA

debug cry isa 127

debug cry ips 127

attempt the VPN and then see if the debugs are seen, to stop debug "undebug all"

HTH

Abaji.

Hi!

There is no traffic. No messages.

Some more info: I can succesfully ping the outside interface of asa from the 892 router, but not from anywhere else. Extended ping from the router doesn't work either.

I have also added som acl's to permit pings, without any positive results.

Thanks for your answer, 

Lars.

I believe your router is ISP facing? so that must be having a static public IP configured, you need to do destination NAT on 892 router to outside interface of ASA.

Because you are trying to configure remote access vpn and it'll be on demand VPN which will be initiated by remote user.

In remote VPN software of user you have to configure public of 892 router's outside interface which will be then translated to outside interface of ASA.

Hi again!

I was hoping these two lines would take care of forwarding vpn-traffic to my outside ASA interface:

ip nat inside source static udp 192.168.20.1 500 interface GigabitEthernet8 500
ip nat inside source static udp 192.168.20.1 4500 interface GigabitEthernet8 4500

Thanks, Lars.

Larlid,

you're 50% right but you need to understand

LAN ---> ASA5505 ---> cisco892 ----> internet <---- Remote VPN user

- what IP you have mentioned in VPN client of user? this must be IP of your internet facing router's interface

- since you have not configured VPN on router so router won't know about VPN traffic so you have to do a destination NAT on router so VPN traffic landing to your router must be NATED to outside interface of ASA

because on outside interface of ASA you have enabled VPN by using below command

crypto map mymap interface outside

let me know if you need any help

LAN -192.168.0.0/24--> ASA5505 <--192.168.20.0/24--> cisco892 --public ip--> internet <---- Remote VPN user

Cisco 892 also has another lan interface 192.168.0.0/24 with hosts.

So Cisco 892 has 3 router interfaces, internet with public ip address, and two interfaces with network 192.168.20.0/24 and network 192.168.0.0/24

I've tried to connect my vpn user both to public ip and directly to 192.168.20.2 (outside interface asa)

Quote:

- since you have not configured VPN on router so router won't know about VPN traffic so you have to do a destination NAT on router so VPN traffic landing to your router must be NATED to outside interface of ASA

These lines are on my 892 router:

ip nat inside source static udp 192.168.20.2 500 interface GigabitEthernet8 500
ip nat inside source static udp 192.168.20.2 4500 interface GigabitEthernet8 4500

They will forward udp port 500 & 4500 traffic to 192.168.20.2 (outside asa interface) ?

These are all my crypto commands on ASA:

asa(config)# show run | grep crypto

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

asa(config)#

Thanks Lars.