04-22-2009 06:07 AM
Hi,
I have a Cisco 2621 router that is required to be used as a VPN endpoint to a Cisco ASA.
Below I have started to build the config on the router, but have stalled. I can ping the peer address of the firewall and have been told the ASA is all configured. I have set up VPNs using a DSL router like an 877 to an ASA before, but not a 2621 Ethernet-based router.
ASA is 192.168.82.5 (example peer)
My crypto map MYCRYPTOMAP is not bound to an interface yet; would this need to go on FE0/0 (outside)?
I'm sure there are many gaps to be added.
C2621XM#sh run
Building configuration...
Current configuration : 1350 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2621XM
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 notifications
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key tottenham address 192.168.82.5
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map MYCRYPTOMAP 1 ipsec-isakmp
set peer 192.168.82.5
set security-association lifetime seconds 86400
set transform-set MYSET
set pfs group5
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 192.168.82.6 255.255.255.240
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
ip http server
no ip http secure-server
ip classless
!
!
logging trap notifications
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
!
!
!
!
line con 0
password cisco
logging synchronous
line aux 0
line vty 0 4
password ****
logging synchronous
login
!
!
end
C2621XM#
04-22-2009 09:49 AM
Are you sure these settings match the ASA? PFS? match address? Does the ASA have "any" as the source for this tunnel? Can you enable IPsec and ISAKMP debugs and post them here?
04-22-2009 11:02 AM
They do seem to match; well, I am told they do, as I don't control the ASA, which belongs to another company.
The only thing I haven't done is bind my crypto map "MYCRYPTOMAP" to anything. What interface should I bind this to? I have only ever worked with DSL routers like the 877, and on those I bind the crypto map to the dialer interface.
04-22-2009 12:20 PM
Yeah, you need to apply the crypto map to the interface that connects to the ASA.
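The reply above says where the crypto map goes, and the earlier reply asks whether the crypto ACL and PFS really mirror the ASA's. The block below is an added example, not the original poster's running config and not the ASA side, showing the minimum changes to the posted 2621 config plus the exec-mode commands used to verify each IKE phase. The remote LAN 192.168.99.0/24 and the upstream next hop 192.168.82.1 are assumptions (the thread never states them); everything else uses the addresses and names already in the post. Note that the pre-shared key and console password appear in clear text in the posted config, and IOS will keep showing the ISAKMP key in clear text regardless of `service password-encryption`, so they should be rotated after being posted publicly.

```cisco
! Added example (not the poster's config): completing the 2621 LAN-to-LAN
! peer for the ASA at 192.168.82.5. Lines marked ASSUMPTION are placeholders.
!
! 1. Crypto ACL. "permit ip 10.10.10.0 0.0.0.255 any" tries to tunnel every
!    packet leaving the LAN, Internet traffic included, and IKE quick mode
!    only completes if the ASA's crypto ACL is the exact mirror image.
!    Scope it to the remote network the ASA actually protects.
no access-list 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.99.0 0.0.0.255   ! ASSUMPTION: remote LAN
!
! 2. Bind the crypto map to the outside interface. On an 877 that is the
!    Dialer; on an Ethernet router it is the physical interface that
!    carries the route to the peer, here FastEthernet0/0.
interface FastEthernet0/0
 ip address 192.168.82.6 255.255.255.240
 crypto map MYCRYPTOMAP
!
! 3. Packets for the remote LAN must be routable out FastEthernet0/0 before
!    the crypto map can intercept them. A default route via the upstream
!    gateway does that; the next hop is an ASSUMPTION.
ip route 0.0.0.0 0.0.0.0 192.168.82.1
!
! 4. Only if this router also does NAT overload for Internet access: exempt
!    the VPN traffic from NAT, or the translated source never matches ACL 100.
!    (Not needed for the config as posted, which has no NAT.)
! ip access-list extended NAT
!  deny   ip 10.10.10.0 0.0.0.255 192.168.99.0 0.0.0.255
!  permit ip 10.10.10.0 0.0.0.255 any
! ip nat inside source list NAT interface FastEthernet0/0 overload
!
! --- Verification (exec mode, after "end") ---
! Generate interesting traffic from the LAN side address so the SA is built:
!   ping 192.168.99.1 source 10.10.10.1
! Phase 1: expect a QM_IDLE entry for dst/src 192.168.82.5 / 192.168.82.6
!   show crypto isakmp sa
! Phase 2: #pkts encaps and #pkts decaps should both increment per ping
!   show crypto ipsec sa peer 192.168.82.5
! If phase 1 never reaches QM_IDLE, collect what the second reply asked for
! and compare the proposal the ASA rejects against policy 1 / MYSET / PFS:
!   debug crypto isakmp
!   debug crypto ipsec
!   terminal monitor
!   ... (turn off with "undebug all" when done)
```

Mismatches show up in a predictable place: an ISAKMP policy disagreement (encryption, hash, DH group, authentication) fails in `debug crypto isakmp` before any SA appears; a transform-set or PFS disagreement gets past phase 1 and fails in `debug crypto ipsec`; and a crypto ACL that is not the mirror of the ASA's fails quick mode with a proxy identity error, which is exactly the "does the ASA have any as the source" question in the earlier reply. SA lifetimes do not need to match, since both ends negotiate down to the shorter one.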
07-23-2009 07:17 AM
disregard