Cisco ISR 881 <--> Cisco ASA 5520

GMF2011RES
Level 1

Hello Cisco Community,

We would like to have our Cisco ISR 881 connect to our head which is a Cisco ASA 5520. Ideally we would like to do this using network extension mode.

I have found a couple of configuration guides on the internet, but I am unable to get the tunnel up and connected.

Cisco 881 configuration

============================

ip dhcp pool SomeDHCPpool
import all
network 10.10.1.240 255.255.255.240
default-router 10.10.1.241
dns-server 10.1.0.35
lease 1


ip dhcp excluded-address 10.10.1.1 10.10.1.243
ip dhcp excluded-address 10.10.1.255


interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no sh


interface Vlan1
ip address 10.10.1.249 255.255.255.240
ip nat inside
ip virtual-reassembly
no sh

no access-list 23
access-list 23 permit 10.10.1.240 0.0.0.255
ip nat inside source list 23 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp


interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast

===================
ASA 5520
===================
access-list no-nat extended permit ip 10.1.20.0 255.255.240.0 10.10.1.240 255.255.255.240

access-list ezvpn1 extended permit ip 10.1.20.0 255.255.240.0 10.10.1.240 255.255.255.240

access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.0.0.0 255.0.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x


--global config mode
group-policy DfltGrpPolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

nem enable

username "username" password "password"

crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 65535 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
default-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *

Any feedback, suggestions or links to other configuration examples would be appreciated.

GMF

19 Replies

Federico,

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
a.b.c.d   192.168.2.30    AG_INIT_EXCH      2021 ACTIVE
a.b.c.d   192.168.2.30    MM_NO_STATE       2020 ACTIVE (deleted)
a.b.c.d   192.168.2.30    MM_NO_STATE       2019 ACTIVE (deleted)

trsts0h0#sh cry ips sa

No SAs found

again,

thanks.

GMF
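The show crypto isakmp sa output above is the key clue: the newest entry sits in AG_INIT_EXCH, nothing has reached QM_IDLE, and "No SAs found" for IPsec means phase 2 was never attempted because phase 1 did not complete. What follows is an added example, not from this thread or from Cisco: a Python parser for that table that reports where phase 1 is stalling; the state descriptions are this example's own summary of the IOS state names, and the sample rows are constructed from the output posted above.

```python
import re
from typing import Dict, List

# IOS ISAKMP SA states (Cisco's names) and what each one means. Only QM_IDLE
# indicates a completed phase 1; the wording is this example's own summary.
STATE_MEANING = {
    "QM_IDLE": "phase 1 complete, IKE SA usable",
    "MM_NO_STATE": "main mode: SA created, nothing else has happened",
    "MM_SA_SETUP": "main mode: parameters agreed",
    "MM_KEY_EXCH": "main mode: DH done, SA not yet authenticated",
    "MM_KEY_AUTH": "main mode: SA authenticated, moving to QM_IDLE",
    "AG_NO_STATE": "aggressive mode: SA created, nothing else has happened",
    "AG_INIT_EXCH": "aggressive mode: first exchange sent, SA not authenticated",
    "AG_AUTH": "aggressive mode: SA authenticated, moving to QM_IDLE",
}

# Constructed sample, modelled on the output posted in the thread.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
a.b.c.d   192.168.2.30    AG_INIT_EXCH      2021 ACTIVE
a.b.c.d   192.168.2.30    MM_NO_STATE       2020 ACTIVE (deleted)
a.b.c.d   192.168.2.30    MM_NO_STATE       2019 ACTIVE (deleted)
"""

ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)\s+(?P<status>ACTIVE \(deleted\)|ACTIVE|STDBY)\s*$"
)

def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Parse 'show crypto isakmp sa' rows; header lines do not match ROW."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def diagnose(rows: List[Dict[str, str]]) -> str:
    """'up' if any live SA reached QM_IDLE; otherwise explain the newest
    live (not yet deleted) SA, since that is where phase 1 is stalling."""
    live = [r for r in rows if r["status"] == "ACTIVE"]
    if any(r["state"] == "QM_IDLE" for r in live):
        return "up"
    if not live:
        return "down: no live IKE SA, no negotiation in progress"
    newest = max(live, key=lambda r: int(r["conn_id"]))
    meaning = STATE_MEANING.get(newest["state"], "unknown state")
    return f"phase 1 stalled in {newest['state']} ({meaning})"

if __name__ == "__main__":
    print(diagnose(parse_isakmp_sa(SAMPLE)))
```

A verdict other than "up" means the ISAKMP debugs on both ends are the next place to look, which is what the following reply asks for.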

From the ASA include the output of:

debug cry isa 127

debug cry ips 127

This should show us why the tunnel is not establishing correctly.


Federico.

Federico,

I do not get any output after running both commands on the ASA.

thx,

GMF

You need to enable term mon if trying to get the output of the debugs from a remote session (SSH).

If after some tries you don't get any output (assuming the debugs are enabled and sent to the terminal screen), it's strange, because it will mean no VPN packets are reaching the ASA.

You can try checking the debugs from the IOS client:

debug cry isa
debug cry ipsec

Federico.

So, we believe our problems may be related to the latest firmware on the ASA5520, which is version 8.4.1.

There are a few changes to commands, NAT for example, so we are now going through the 8.4.1 admin guide to pinpoint what we are missing or have not configured.

thanks,

Greg