03-08-2011 12:43 PM
Hello Cisco Community,
We would like to have our Cisco ISR 881 connect to our head which is a Cisco ASA 5520. Ideally we would like to do this using network extension mode.
I have found a couple of configuration guides on the internet, but I am unable to get the tunnel up and connected.
Cisco 881 configuration
============================
ip dhcp pool SomeDHCPpool
import all
network 10.10.1.240 255.255.255.240
default-router 10.10.1.241
dns-server 10.1.0.35
lease 1
ip dhcp excluded-address 10.10.1.1 10.10.1.243
ip dhcp excluded-address 10.10.1.255
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no sh
interface Vlan1
ip address 10.10.1.249 255.255.255.240
ip nat inside
ip virtual-reassembly
no sh
no access-list 23
access-list 23 permit 10.10.1.240 0.0.0.255
ip nat inside source list 23 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
===================
ASA 5520
===================
access-list no-nat extended permit ip 10.1.20.0 255.255.240.0 10.10.1.240 255.255.255.240
access-list ezvpn1 extended permit ip 10.1.20.0 255.255.240.0 10.10.1.240 255.255.255.240
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.0.0.0 255.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x
--global config mode
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
nem enable
username "username" password "password"
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 65535 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
default-group-policy DfltGrpPolicy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
Any feedback, suggestions, or links to other configuration examples would be appreciated.
GMF
03-10-2011 09:02 AM
Federico,
IPv4 Crypto ISAKMP SA
dst          src            state          conn-id  status
a.b.c.d      192.168.2.30   AG_INIT_EXCH   2021     ACTIVE
a.b.c.d      192.168.2.30   MM_NO_STATE    2020     ACTIVE (deleted)
a.b.c.d      192.168.2.30   MM_NO_STATE    2019     ACTIVE (deleted)
trsts0h0#sh cry ips sa
No SAs found
Again, thanks.
GMF
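As an added example (not code from the thread or from either poster), a small Python helper that parses the `show crypto isakmp sa` output above and reports whether IKE phase 1 ever completed. The state meanings are the standard IOS IKEv1 ones (only QM_IDLE is an established phase-1 SA; AG_* states are aggressive mode, which EZVPN uses with pre-shared keys); the sample text is a constructed copy of the output posted above.

```python
import re

# Constructed sample, copied from the "show crypto isakmp sa" output posted above.
SAMPLE = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
a.b.c.d         192.168.2.30    AG_INIT_EXCH   2021    ACTIVE
a.b.c.d         192.168.2.30    MM_NO_STATE    2020    ACTIVE (deleted)
a.b.c.d         192.168.2.30    MM_NO_STATE    2019    ACTIVE (deleted)
"""

# IOS IKEv1 phase-1 states; only QM_IDLE means phase 1 is finished.
STATE_MEANING = {
    "QM_IDLE": "phase 1 complete; SA usable for quick mode (phase 2)",
    "MM_NO_STATE": "main mode: ISAKMP SA created, nothing negotiated yet",
    "MM_SA_SETUP": "main mode: policy agreed, keys not yet exchanged",
    "MM_KEY_EXCH": "main mode: DH done, peer not yet authenticated",
    "MM_KEY_AUTH": "main mode: authenticated, about to go QM_IDLE",
    "AG_INIT_EXCH": "aggressive mode (EZVPN PSK): first exchange done, peer not authenticated",
    "AG_AUTH": "aggressive mode: authenticated, about to go QM_IDLE",
}

# dst src state conn-id status [(deleted)]; header lines do not match.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\S+)(\s+\(deleted\))?$")


def parse_isakmp_sa(text):
    """Return one dict per SA line found in the command output."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status, deleted = m.groups()
        sas.append({"dst": dst, "src": src, "state": state,
                    "conn_id": int(conn_id), "status": status,
                    "deleted": deleted is not None})
    return sas


def diagnose(sas):
    """Summarise phase 1: is any live SA established, and why are the others stuck?"""
    live = [s for s in sas if not s["deleted"]]
    stuck = [s for s in live if s["state"] != "QM_IDLE"]
    findings = [f"conn-id {s['conn_id']} {s['src']} -> {s['dst']} stuck in {s['state']}: "
                f"{STATE_MEANING.get(s['state'], 'unknown state')}" for s in stuck]
    stale = len(sas) - len(live)
    if stale:
        findings.append(f"{stale} entries marked (deleted): earlier attempts were torn down")
    return {"phase1_up": len(live) > len(stuck), "findings": findings}
```

On the output above it reports no established SA: the only live entry sits in AG_INIT_EXCH, i.e. the client sent its first aggressive-mode exchange and never got an authenticated reply, which matches the "No SAs found" from `show crypto ipsec sa`.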
03-10-2011 10:53 AM
From the ASA include the output of:
debug cry isa 127
debug cry ips 127
This should show us why the tunnel is not establishing correctly.
Federico.
03-10-2011 12:07 PM
Federico,
I do not get any output after running both commands on the ASA.
thx,
GMF
03-10-2011 01:45 PM
You need to enable "term mon" if you are trying to get the debug output from a remote session (SSH).
If after some tries you still don't get any output (assuming the debugs are enabled and sent to the terminal screen), that's strange, because it would mean no VPN packets are reaching the ASA.
You can try checking the debugs from the IOS client:
debug cry isa
debug cry ipsec
Federico.
03-14-2011 09:24 AM
So, we believe our problems may be related to the latest firmware on the ASA 5520, which is version 8.4.1.
There are a few changes to commands (NAT, for example), so we are now going through the 8.4.1 admin guide to pinpoint what we are missing or have not configured.
thanks,
Greg