IPSec VPN between ASA 5505 and WRVS4400N

ematelyan (Level 1)

Hello,

I'm having some trouble getting our site to site VPN configured, and could use some assistance.

We have 3 sites: PA, CT, and NC. I have the VPN between PA and CT set up, and all is working. Both sites have an ASA 5505.

I'm trying to get the VPN between PA and NC working, but I can't get it to work. The NC site has a WRVS4400N.

Below is my config on the PA ASA, and some screenshots.

I removed some items to try and simplify the config, as I know the ASA itself works fine, just the IPSec isn't working.

The NC site's internal network is 192.168.5.0/24, and NC's static public IP is 98.101.139.210 (gateway .209).

Result of the command: "show run"

: Saved
:
ASA Version 8.2(5)
!
hostname WayneASA
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.91.18.205 255.255.255.252
!
!
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 75.75.75.75
 name-server 75.75.76.76
 domain-name 3gtms.com
access-list inside_access_in extended permit ip any any
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list TunnelSplit1 standard permit 192.168.10.0 255.255.255.224
access-list TunnelSplit1 standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSec_Raleigh extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.10.1-192.168.10.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.91.18.206 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set VPNTransformSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DynamicMap 1 set pfs group1
crypto dynamic-map DynamicMap 1 set transform-set VPNTransformSet
crypto dynamic-map DynamicMap 1 set reverse-route
crypto map VPNMap 1 ipsec-isakmp dynamic DynamicMap
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 1 set transform-set VPNTransformSet
crypto map IPSec_map 2 match address IPSec_Raleigh
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map 2 set transform-set VPNTransformSet
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
group-policy VPNTunnelGroup internal
group-policy VPNTunnelGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TunnelSplit1
username eric password 0vcSd5J/TLsFy7nU encrypted privilege 15
tunnel-group VPNTunnelGroup type remote-access
tunnel-group VPNTunnelGroup general-attributes
 address-pool VPNPool
 default-group-policy VPNTunnelGroup
tunnel-group VPNTunnelGroup ipsec-attributes
 pre-shared-key *****
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 50.199.234.229 ipsec-attributes
 pre-shared-key *****
tunnel-group 98.101.139.210 type ipsec-l2l
tunnel-group 98.101.139.210 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
  inspect pptp
!

These are screenshots from the WRVS4400N (attachments: ipsec 1.PNG, ipsec 2.PNG, ipsec 3.PNG).

2 Replies

rpadwal (Cisco Employee)

Hi Eric,

Add this line for nat exemption

access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

However, the above NAT will come into the picture after the tunnel triggers. Please post the debugs from the debug commands below when you initiate traffic from the local subnet to the remote-end subnet:

debug cry cond peer 98.101.139.210
debug cry isa 250
debug cry ipsec 250
sh cry isa sa
sh cry ipsec sa peer 98.101.139.210

Also post the output of the following commands:

packet-tracer input inside icmp 192.168.1.10 8 0 192.168.5.10 detail

Thanks and Regards,
ROHAN

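The gap rpadwal points out (a crypto ACL for the NC subnet with no matching nat 0 exemption line) is the kind of thing that is easy to miss when reading a long running-config by eye. The following script is an added example, not code from the thread or from Cisco: it parses ASA 8.2-style `show run` text and, for every static crypto map entry, checks that the crypto map is bound to an interface, that an `ipsec-l2l` tunnel-group exists for the peer, that the crypto ACL is defined, and that every local/remote pair in that ACL also appears in the `nat (inside) 0` exemption ACL. `SAMPLE_CONFIG` is constructed by trimming the config posted above to the relevant lines; the function names (`parse_config`, `check_l2l`) and the finding strings are my own.

```python
"""Consistency check for ASA 8.2-style site-to-site IPsec configuration.

Added example: reports, per static crypto map entry, whether the pieces a
LAN-to-LAN tunnel needs are all present, including the nat 0 exemption that
keeps tunnel traffic out of the dynamic PAT rule.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the config posted in the thread.
SAMPLE_CONFIG = """\
access-list IPSec_Access extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.224
access-list inside_nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSec_Raleigh extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0
crypto map IPSec_map 1 match address IPSec_Access
crypto map IPSec_map 1 set peer 50.199.234.229
crypto map IPSec_map 2 match address IPSec_Raleigh
crypto map IPSec_map 2 set peer 98.101.139.210
crypto map IPSec_map interface outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.199.234.229
tunnel-group 50.199.234.229 type ipsec-l2l
tunnel-group 98.101.139.210 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_config(text):
    """Pull out ACL flows, crypto map entries, interface bindings, nat 0 ACLs and L2L peers."""
    acls = defaultdict(set)   # acl name -> {(local_net, local_mask, remote_net, remote_mask)}
    maps = defaultdict(dict)  # (map name, seq) -> {"acl": ..., "peer": ...}
    bound = {}                # map name -> interface it is applied to
    nat0_acls = set()
    l2l_peers = set()
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m[1]].add(tuple(m.groups()[1:]))
        elif m := MAP_RE.match(line):
            key = (m[1], int(m[2]))
            maps[key]["acl" if m[3] == "match address" else "peer"] = m[4]
        elif m := MAP_IF_RE.match(line):
            bound[m[1]] = m[2]
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[2])
        elif m := TG_RE.match(line):
            l2l_peers.add(m[1])
    return acls, maps, bound, nat0_acls, l2l_peers


def check_l2l(text):
    """Return {"<map> <seq>": [problem, ...]} for every static crypto map entry."""
    acls, maps, bound, nat0_acls, l2l_peers = parse_config(text)
    # Every flow that is exempt from NAT via a nat 0 ACL.
    exempt = set().union(*(acls[n] for n in nat0_acls))
    findings = {}
    for (name, seq), entry in sorted(maps.items()):
        problems = []
        peer, acl = entry.get("peer"), entry.get("acl")
        if name not in bound:
            problems.append("crypto map not applied to any interface")
        if peer is None:
            problems.append("no peer set")
        elif peer not in l2l_peers:
            problems.append(f"no ipsec-l2l tunnel-group for peer {peer}")
        if acl is None:
            problems.append("no crypto ACL")
        elif acl not in acls:
            problems.append(f"crypto ACL {acl} is not defined")
        else:
            for flow in sorted(acls[acl] - exempt):
                problems.append(f"flow {flow[0]}->{flow[2]} has no nat 0 exemption")
        findings[f"{name} {seq}"] = problems
    return findings


if __name__ == "__main__":
    for entry, problems in check_l2l(SAMPLE_CONFIG).items():
        print(entry, "OK" if not problems else "; ".join(problems))
```

Run against the posted config, the checker flags `IPSec_map 2` (the NC tunnel) for the missing nat 0 line, and also notes that `outside_map` is never applied to an interface, which is harmless here because `IPSec_map` is the one bound to `outside`. Appending the exemption line from the reply clears the `IPSec_map 2` finding.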

Hello,

I was actually able to get this working shortly afterwards.  I rebuilt the VPN tunnel, and it was able to connect.  I must've mistyped something the first time.  Thank you for your reply.