Cisco ASA to Cisco Router VPN not working

ivanderseah08 (Level 1)

Hi, I'm trying to make a VPN that connects a Cisco ASA Firewall to a Cisco Router. I've attached an image of my GNS3 Topology.

Here are the commands I ran:
On the Firewall:
• conf t
• crypto ikev1 policy 10
• encryption 3des
• authentication pre-share
• hash md5
• group 2
• lifetime 86400
• exit
• crypto ikev1 enable outside
• tunnel-group 192.168.1.82 type ipsec-l2l (the br-router to internet-router)
• tunnel-group 192.168.1.82 ipsec-attribute (the br-router to internet-router)
• ikev1 pre-shared-key Untar
• exit
• crypto ipsec ikev1 transform-set TSET esp-3des esp-md5-hmac
• object-group network local-network
• network-object 192.168.1.88 255.255.255.248 (the server subnet)
• object-group network remote-network
• network-object 192.168.1.32 255.255.255.224 (the br-router lubuntu subnet)
• access-list IPSec_Traffic extended permit ip object-group local-network object-group remote-network
• crypto map CMAP 10 match address IPSec_Traffic
• crypto map CMAP 10 set peer 192.168.1.82
• crypto map CMAP 10 set ikev1 transform-set TSET
• crypto map CMAP interface outside

On BR-Router:
• conf t
• crypto isakmp enable
• crypto isakmp policy 1
• encryption 3des
• authentication pre-share
• hash md5
• group 2
• lifetime 86400
• crypto isakmp key Untar address 192.168.1.65
• crypto ipsec transform-set TSET esp-3des esp-md5-hmac
• ip access-list extended IPSEC_List
• permit ip 192.168.1.32 0.0.0.31 192.168.1.88 0.0.0.7
• crypto map CMAP 1 ipsec-isakmp
• set peer 192.168.1.65
• set transform-set TSET
• match address IPSEC_List
• int fa0/0 (BR-Router to Internet-Router interface)
• crypto map CMAP

Inside (100) is left, DMZ (50) is top, outside (0) is right. The problem is that running ping inside 192.168.1.33 doesn't connect. I've made sure that everything that is ping-able can ping each other. When I ran show crypto session in the BR-Router, it says that the session status is DOWN. When I tried to check for SAs for both IKEv1 and IPSEC in the Firewall, it says there are none. I'm not sure what I did wrong here. I tried Wiresharking when pinging and still, the same. I'm sorry for being annoying and vague, I'm really new to this. Thank you for attempting to help me.

2 Replies

@ivanderseah08 do you have NAT configured either on the ASA or the router? If so, do you have a NAT exemption rule to ensure traffic is not unintentionally translated?

When you generate traffic what is the source IP address and what is the destination IP address? Are those IP addresses defined in the crypto ACL?

You need to check if you added:

• a route in the ASA for the router LAN
• a route in the router for the ASA LAN
• ICMP inspection enabled in the ASA
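The two replies above boil down to three questions: do the crypto ACLs on the ASA and the router mirror each other, does the traffic being generated actually fall inside them (ICMP to a peer or interface address does not), and does the route to the remote LAN and to the peer leave via the interface that carries the crypto map. The following script, which is an added example and not part of the thread or any Cisco tool, models those checks offline. The crypto ACL lines, object groups and subnets are copied from the original post; the ASA route table and its next hop (192.168.1.78) are constructed assumptions for a lab like the one in the topology image.

```python
"""Pre-checks for a site-to-site IPsec lab: crypto ACL mirroring, interesting
traffic, and routing toward the crypto-map interface. Added example; the
parsers cover only the 'permit ip' forms that appear in the thread."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]            # (local network, remote network)
Route = Tuple[str, str, str]      # (prefix, next hop, egress interface)


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS ACLs use inverted wildcard masks: 0.0.0.31 is a /27, 0.0.0.7 a /29."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_ios_crypto_acl(lines: List[str]) -> List[Flow]:
    """Parse 'permit ip <src> <wc> <dst> <wc>' entries from an IOS extended ACL."""
    pat = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
    flows = []
    for line in lines:
        m = pat.search(line)
        if m:
            src, swc, dst, dwc = m.groups()
            flows.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return flows


def parse_asa_crypto_acl(lines: List[str], groups: Dict[str, List[Tuple[str, str]]]) -> List[Flow]:
    """Parse ASA 'permit ip object-group A object-group B', expanding each group.
    groups maps an object-group name to its network-object (address, netmask) pairs."""
    pat = re.compile(r"permit ip object-group (\S+) object-group (\S+)")
    flows = []
    for line in lines:
        m = pat.search(line)
        if m:
            for a, am in groups[m.group(1)]:
                for b, bm in groups[m.group(2)]:
                    flows.append((Net((a, am), strict=False), Net((b, bm), strict=False)))
    return flows


def is_mirror(asa: List[Flow], ios: List[Flow]) -> bool:
    """Every (local, remote) pair on the ASA must appear as (remote, local) on the router."""
    return {(l, r) for l, r in asa} == {(l, r) for r, l in ios}


def matches_crypto_acl(flows: List[Flow], src: str, dst: str) -> bool:
    """True if the packet src/dst is 'interesting traffic' for this side's crypto ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in l and d in r for l, r in flows)


def lookup_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same selection a router or ASA makes."""
    d = ipaddress.IPv4Address(dst)
    cands = [e for e in table if d in Net(e[0])]
    return max(cands, key=lambda e: Net(e[0]).prefixlen) if cands else None


# Constructed data: ACLs and groups copied from the post, route table assumed.
ASA_GROUPS = {"local-network": [("192.168.1.88", "255.255.255.248")],
              "remote-network": [("192.168.1.32", "255.255.255.224")]}
ASA_ACL = ["access-list IPSec_Traffic extended permit ip object-group local-network object-group remote-network"]
IOS_ACL = ["permit ip 192.168.1.32 0.0.0.31 192.168.1.88 0.0.0.7"]
ASA_ROUTES: List[Route] = [
    ("0.0.0.0/0", "192.168.1.78", "outside"),         # assumed default route
    ("192.168.1.64/28", "connected", "outside"),      # assumed outside subnet (ASA is .65)
    ("192.168.1.88/29", "connected", "dmz"),          # server subnet from the post
    ("192.168.1.32/27", "192.168.1.78", "outside"),   # route for the router LAN (reply 2)
    ("192.168.1.80/28", "192.168.1.78", "outside"),   # route toward the peer .82
]


def precheck(crypto_map_interface: str = "outside") -> Dict[str, bool]:
    """Run the checks from both replies against the constructed lab data."""
    asa_flows = parse_asa_crypto_acl(ASA_ACL, ASA_GROUPS)
    ios_flows = parse_ios_crypto_acl(IOS_ACL)
    lan_route = lookup_route(ASA_ROUTES, "192.168.1.33")
    peer_route = lookup_route(ASA_ROUTES, "192.168.1.82")
    return {
        "acls_mirror": is_mirror(asa_flows, ios_flows),
        # the OP's ping: Lubuntu .33 toward a server in the DMZ /29
        "ping_is_interesting_on_router": matches_crypto_acl(ios_flows, "192.168.1.33", "192.168.1.89"),
        # a ping to the ASA's own outside address never triggers the tunnel
        "ping_to_peer_ip_is_interesting": matches_crypto_acl(ios_flows, "192.168.1.33", "192.168.1.65"),
        "remote_lan_via_crypto_interface": bool(lan_route) and lan_route[2] == crypto_map_interface,
        "peer_via_crypto_interface": bool(peer_route) and peer_route[2] == crypto_map_interface,
    }


if __name__ == "__main__":
    for name, ok in precheck().items():
        print(f"{name:34s} {'OK' if ok else 'CHECK'}")
```

Two things worth noting for this thread: the tunnel only negotiates when a packet hits the crypto ACL, so a test ping must be sourced from 192.168.1.32/27 to a 192.168.1.88/29 address (not to an interface or peer IP), and if either side applies NAT to that flow the translated address will no longer match the ACL, which is exactly why the first reply asks about a NAT exemption.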