I can't establish the VPN Site-To-Site, ASA 5506 - Cisco 800 series

MikeGodoy12
Level 1

Hello, I'm trying to configure a VPN between an ASA 5506-X and a Small Business 800, but I have these errors. Previously I had an ASA 5510 and the VPN worked; when I migrated to the new ASA the VPN doesn't work. I attached the configuration of the two devices. I hope you can help me.

 

Cisco Small business 

dst                                src                  state    conn-id             status
181.209.173.202 190.56.38.50 NO_STATUS       0          ACTIVE (deleted)

 

I don't know if something is missing in the config.

Config of the Small Business client

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key L182ii364N address 181.209.173.202
crypto isakmp keepalive 300
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec nat-transparency spi-matching
!
!
!
crypto map ASA-G 10 ipsec-isakmp
set peer 181.209.173.202
set security-association lifetime seconds 28800
set transform-set myset
set pfs group2
match address 120

 

Config ASA 

 

interface GigabitEthernet1/1
description outside
duplex full
nameif outside
security-level 0
ip address 181.209.173.202 255.255.255.248
!
interface GigabitEthernet1/2
description inside
speed 100
duplex full
nameif inside
security-level 100
ip address Host_10.150.86.65 255.255.255.224
!
interface GigabitEthernet1/3
description inside_170
speed 100
duplex full
nameif inside_170
security-level 100
ip address Host_10.150.71.161 255.255.255.224

 

crypto ipsec ikev1 transform-set Guatemala-ipsec-proposal-set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set Teleperformance esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 8714
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set myset
crypto dynamic-map outside_dyn_map 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 189.211.83.76
crypto map mymap 1 set ikev1 transform-set myset
crypto map mymap 20 set peer 201.116.117.162
crypto map mymap 20 set ikev1 transform-set myset
crypto map mymap 100 set pfs
crypto map mymap 100 set peer 190.56.250.174 190.56.250.173
crypto map mymap 100 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 100 set security-association lifetime seconds 86400
crypto map mymap 120 set pfs
crypto map mymap 120 set peer 190.56.141.162 190.56.141.161
crypto map mymap 120 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 120 set security-association lifetime seconds 86400
crypto map mymap 130 set pfs
crypto map mymap 130 set peer 190.56.156.54 190.56.156.53
crypto map mymap 130 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 130 set security-association lifetime seconds 86400
crypto map mymap 140 set pfs
crypto map mymap 140 set peer 190.56.166.26 190.56.166.25
crypto map mymap 140 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 140 set security-association lifetime seconds 86400
crypto map mymap 150 set pfs
crypto map mymap 150 set peer 190.56.242.22 190.56.242.21
crypto map mymap 150 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 150 set security-association lifetime seconds 86400
crypto map mymap 160 match address outside_cryptomap
crypto map mymap 160 set pfs
crypto map mymap 160 set peer 190.56.38.50 190.56.38.49
crypto map mymap 160 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 160 set ikev2 ipsec-proposal 8714
crypto map mymap 160 set security-association lifetime seconds 28800
crypto map mymap 170 set pfs
crypto map mymap 170 set peer 186.151.162.58
crypto map mymap 170 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 170 set security-association lifetime seconds 28800
crypto map mymap 180 set pfs
crypto map mymap 180 set peer 190.56.152.234 190.56.152.233
crypto map mymap 180 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 180 set security-association lifetime seconds 86400
crypto map mymap 190 set pfs
crypto map mymap 190 set peer 190.149.255.210 190.149.255.209
crypto map mymap 190 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 190 set security-association lifetime seconds 86400
crypto map mymap 200 set pfs
crypto map mymap 200 set peer 186.151.219.2 186.151.219.1
crypto map mymap 200 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 200 set security-association lifetime seconds 86400
crypto map mymap 210 set pfs
crypto map mymap 210 set peer 186.151.218.2 186.151.218.1
crypto map mymap 210 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 210 set security-association lifetime seconds 86400
crypto map mymap 220 set pfs
crypto map mymap 220 set peer 216.230.148.230 216.230.148.229
crypto map mymap 220 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 220 set security-association lifetime seconds 86400
crypto map mymap 230 set pfs
crypto map mymap 230 set peer 190.149.247.105 190.149.247.104
crypto map mymap 230 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 230 set security-association lifetime seconds 86400
crypto map mymap 240 set pfs
crypto map mymap 240 set peer 190.56.153.150 190.56.153.149
crypto map mymap 240 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 240 set security-association lifetime seconds 86400
crypto map mymap 250 set pfs
crypto map mymap 250 set peer 186.151.211.54 186.151.211.53
crypto map mymap 250 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 250 set security-association lifetime seconds 86400
crypto map mymap 260 set pfs
crypto map mymap 260 set peer 186.151.120.38 186.151.120.37
crypto map mymap 260 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 260 set security-association lifetime seconds 86400
crypto map mymap 270 set pfs
crypto map mymap 270 set peer 190.149.236.2 190.149.236.1
crypto map mymap 270 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 270 set security-association lifetime seconds 86400
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto map outside_map 160 set ikev1 transform-set AES
crypto ca trustpool policy
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 enable inside_170
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 10.150.35.47 255.255.255.255 inside
telnet 10.150.86.93 255.255.255.255 inside
telnet 10.150.35.48 255.255.255.255 inside
telnet 10.150.35.46 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 201.144.254.80 255.255.255.240 outside
ssh 201.116.50.64 255.255.255.240 outside
ssh 201.144.8.128 255.255.255.224 outside
ssh 187.210.23.33 255.255.255.255 outside
ssh 201.116.117.160 255.255.255.240 outside
ssh 10.150.86.93 255.255.255.255 inside
ssh 10.150.35.45 255.255.255.255 inside
ssh 10.150.17.3 255.255.255.255 inside
ssh 10.150.35.46 255.255.255.255 inside
ssh 10.150.35.47 255.255.255.255 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy mygroup internal
group-policy mygroup attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username admin password vrC24sa9Gv0hr7EZ encrypted privilege 15
username mgodoy password $sha512$5000$Eez/a4SjnXt6Yqxd8aPy6w==$BdeEsfIN3XbWbnrCRGIwFA== pbkdf2 privilege 15
username lviveros password 7OK8mg9CxKHD2gY2 encrypted
username SOCscitum password BZGfkV6bw8vCVwod encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 user-authentication none
tunnel-group 201.1136.117.162 type ipsec-l2l
tunnel-group 201.1136.117.162 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group mygroup type ipsec-l2l
tunnel-group mygroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group 201.136.117.162 type ipsec-l2l
tunnel-group 201.116.117.162 type ipsec-l2l
tunnel-group 201.116.117.162 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group TeleperformanceRemoto type ipsec-l2l
tunnel-group TeleperformanceRemoto ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 189.211.83.76 type ipsec-l2l
tunnel-group 189.211.83.76 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group "Tunel Tiendas Filiales" type ipsec-l2l
tunnel-group "Tunel Tiendas Filiales" general-attributes
default-group-policy GroupPolicy1
tunnel-group "Tunel Tiendas Filiales" ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.250.174 type ipsec-l2l
tunnel-group 190.56.250.174 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.141.162 type ipsec-l2l
tunnel-group 190.56.141.162 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.156.54 type ipsec-l2l
tunnel-group 190.56.156.54 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.166.26 type ipsec-l2l
tunnel-group 190.56.166.26 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.242.22 type ipsec-l2l
tunnel-group 190.56.242.22 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.38.50 type ipsec-l2l
tunnel-group 190.56.38.50 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 186.151.162.58 type ipsec-l2l
tunnel-group 186.151.162.58 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.152.234 type ipsec-l2l
tunnel-group 190.56.152.234 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.149.255.210 type ipsec-l2l
tunnel-group 190.149.255.210 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 186.151.219.2 type ipsec-l2l
tunnel-group 186.151.219.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 186.151.218.2 type ipsec-l2l
tunnel-group 186.151.218.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 216.230.148.230 type ipsec-l2l
tunnel-group 216.230.148.230 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.149.247.105 type ipsec-l2l
tunnel-group 190.149.247.105 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.56.153.150 type ipsec-l2l
tunnel-group 190.56.153.150 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 186.151.211.54 type ipsec-l2l
tunnel-group 186.151.211.54 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 186.151.120.38 type ipsec-l2l
tunnel-group 186.151.120.38 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.149.236.2 type ipsec-l2l
tunnel-group 190.149.236.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.150.68.225 type ipsec-l2l
tunnel-group 190.150.68.225 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 190.149.247.106 type ipsec-l2l
tunnel-group 190.149.247.106 ipsec-attributes
ikev1 pre-shared-key *****
!


Hello Everyone, 

 

Thank you so much, the tunnel is established. It's so hard for me to assign someone as the solution, but I had to select the last reply with the command that helped me.

 

ASA-GUATEMALA# sh crypto ikev1 sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 190.56.38.50
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

Hi,

I found something mismatching in the Phase2 configuration: 

Router configuration under the crypto-map:

set pfs group2

 

And ASA configuration:

crypto map mymap 160 set pfs

 

Both devices must have the same PFS group number. 

Change the configuration and share logs from both devices if the VPN does not work.

 

Regards,

Deepak Kumar


On the ASA Group 2 is the default PFS group, even if you configure "crypto map mymap 160 set pfs group2" it will be displayed in the running configuration as "crypto map mymap 160 set pfs", without group2 at the end
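The point in the reply above (a bare `set pfs` on the ASA stands for group 2) is why a line-by-line text comparison of the two configs reports a false mismatch. Added example, not from any participant in the thread: a Python check that normalizes the Phase 2 settings of both devices before comparing them. The function names and `ASA_DEFAULT_PFS` are assumptions of this example, and the default value is taken from the reply, so confirm it for the ASA release in use.

```python
import re

# Phase 2 lines for this peer pair, excerpted from the configs posted in the thread.
ROUTER_CFG = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map ASA-G 10 ipsec-isakmp
set peer 181.209.173.202
set security-association lifetime seconds 28800
set transform-set myset
set pfs group2
"""
ASA_CFG = """\
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map mymap 160 set pfs
crypto map mymap 160 set peer 190.56.38.50 190.56.38.49
crypto map mymap 160 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 160 set security-association lifetime seconds 28800
"""

ASA_DEFAULT_PFS = "group2"  # assumption: default stated in the reply above


def phase2(cfg, asa_entry=None):
    """Return normalized Phase 2 settings (transforms, PFS group, SA lifetime)."""
    sets = {}
    out = {"transforms": None, "pfs": None, "lifetime": None}
    for line in cfg.splitlines():
        line = line.strip()
        if asa_entry and line.startswith(asa_entry + " "):
            line = line[len(asa_entry) + 1:]  # ASA one-line form becomes "set ..."
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (esp-.+)", line)
        if m:  # transform-set definition: remember its algorithms by name
            sets[m[1]] = frozenset(m[2].split())
        elif (m := re.match(r"set (?:ikev1 )?transform-set (\S+)", line)):
            out["transforms"] = sets.get(m[1])  # compare algorithms, not names
        elif (m := re.match(r"set pfs ?(\S*)", line)):
            # A bare "set pfs" only gets the ASA default when parsing an ASA entry.
            out["pfs"] = m[1] or (ASA_DEFAULT_PFS if asa_entry else "unspecified")
        elif (m := re.match(r"set security-association lifetime seconds (\d+)", line)):
            out["lifetime"] = int(m[1])
    return out


def mismatches(a, b):
    """Names of the Phase 2 settings that differ between two parsed configs."""
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    router = phase2(ROUTER_CFG)
    asa = phase2(ASA_CFG, asa_entry="crypto map mymap 160")
    print("router:", router)
    print("asa:   ", asa)
    print("mismatched settings:", mismatches(router, asa) or "none")
```
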

Hello, I configured it with group2 but the ASA sets PFS and does not change the group. Do you have any idea why?

Thanks for your replies

Did you check whether you had "crypto ikev1 enable outside" in this latest configuration??

If this fails please enable debugs on both the router and ASA and upload the output as attachments.

 

I addressed PFS in the previous post: if using PFS group 2 on the ASA, it's the default and it doesn't display in the running configuration, despite configuring it.

Thanks RJI, I configured that command. Tomorrow when the day ends I will try; I need a maintenance window. I will comment back to you, thanks.

ASA-GUATEMALA(config)# crypto ikev1 enable outside
ASA-GUATEMALA(config)# Mar 21 2019 00:28:22: %ASA-4-713903: IKE reserved IPSec UDP port 27910 on interface outside successfully
Mar 21 2019 00:28:22: %ASA-4-713903: IKE reserved IPSec UDP port 28166 on interface outside successfully

AdamGordon
Level 1

I see no problem Mike! You have to change your installed VPN on VeePN. I will explain.

After reading so many reviews on VPNs I decided to try this one. Based on the fact that they've been asked to produce records in multiple court cases and they have nothing to give I knew it was a company that stands to their word. Their network is extensive and the product just works. Now you can establish the VPN Site-To-Site.