859 Views | 3 Helpful | 2 Replies

Problem with VPN between 5510 and 881

santiagohoyos
Level 1

Hi, I set up a LAN-to-LAN VPN between a Cisco 5510 and an 881.

I set up both boxes using the wizard assistant and I see the VPN up, but I can't ping between the LANs.

I tried different configurations and I always see the same thing.

I can access the ASA, and other VPNs are working on it, so I don't know where the problem is, and I need to be sure that my setup on my Cisco 881 is OK.

The diagram of my VPN is:

10.57.88.1      : C881: 181.81.57.47 --- Internet --- 90.11.11.202 : ASA5510 : 10.57.1.10
10.57.88.0/27                                                        10.57.0.0/18

The setup and some show output are:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 90.11.11.202
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to90.11.11.202
 set peer 90.11.11.202
 set transform-set ESP-3DES-SHA2
 match address 103
!
!
!
!
!

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$
 ip address 181.81.57.47 255.255.248.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.57.88.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!

ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 186.80.64.1
!
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.57.88.0 0.0.0.31
access-list 23 permit 10.57.88.0 0.0.0.31
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 permit ip 10.57.88.0 0.0.0.31 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 186.80.56.0 0.0.7.255 10.57.0.0 0.0.63.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
banner exec ^C
^C.
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

******************************************************************************

MCQ#sh cry session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet4
Uptime: 02:19:33
Session status: UP-ACTIVE
Peer: 90.11.11.202 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 90.11.11.202
      Desc: (none)
  IKEv1 SA: local 181.81.57.47/500 remote 90.11.11.202/500 Active
          Capabilities:(none) connid:2001 lifetime:21:40:26
  IPSEC FLOW: permit ip 10.57.88.0/255.255.255.224 10.57.0.0/255.255.192.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2643 drop 0 life (KB/Sec) 4210590/2043
        Outbound: #pkts enc'ed 5410 drop 0 life (KB/Sec) 4210567/2043

******************************************************************************

MCQ#sh crypto ipsec sa detail

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 181.81.57.47

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.57.88.0/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (10.57.0.0/255.255.192.0/0/0)
   current_peer 90.11.11.202 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5422, #pkts encrypt: 5422, #pkts digest: 5422
    #pkts decaps: 2643, #pkts decrypt: 2643, #pkts verify: 2643
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 181.81.57.47, remote crypto endpt.: 90.11.11.202
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xA9082DFD(2835885565)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x9C615383(2623624067)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4210590/1988)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9082DFD(2835885565)

******************************************************************************

MCQ#sh crypto route
No VPN routes to display

******************************************************************************

MCQ#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

2001  181.81.57.47    90.11.11.202          ACTIVE 3des sha    psk  2  21:38:21
       Engine-id:Conn-id =  SW:1

IPv6 Crypto ISAKMP SA

******************************************************************************

MCQ#sh crypto ruleset detail
Mtree:
199 VRF 0  11 181.81.57.47/500 ANY Forward, Forward
299 VRF 0  11 181.81.57.47/4500 ANY Forward, Forward
200000199 VRF 0  11 ANY/848 ANY Forward, Forward
200000299 VRF 0  11 ANY ANY/848 Forward, Forward
100000000000101 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Encrypt
100000000000199 VRF 0 IP 10.57.88.0/27 10.57.0.0/18 Discard/notify, Discard/notify

******************************************************************************

MCQ#sh crypto map interface FastEthernet4
Crypto Map IPv4 "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to90.11.11.202
        Peer = 90.11.11.202
        Extended IP access list 103
            access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
        Current peer: 90.11.11.202
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA2:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map SDM_CMAP_1:
                FastEthernet4
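The 881 output above already answers the first questions a reviewer asks when a tunnel is UP-ACTIVE but hosts cannot ping: the crypto ACL (103) and the NAT-exemption deny in ACL 101 cover the same prefixes, and the SA counters show packets being both encrypted and decrypted, which points away from the 881 and toward routing or NAT on the far side. The following Python script is an added example, not code from the original post; it automates those checks against the ACL lines and counters copied from the 881 output, and adds a routing check of the kind that exposes the ASA-side problem. The ASA routing tables, interface names (`outside`, `inside`, `backup-isp`) and gateway addresses in it are constructed assumptions, not taken from the post.

```python
"""Checks for an IPsec LAN-to-LAN tunnel that is UP but carries no user traffic.

Added example, not code from the original post.  Three checks:
  1. the crypto-map ACL and the NAT-exemption deny entry cover the same
     (src, dst) pairs, so interesting traffic is not NATed before encryption;
  2. '#pkts encaps' / '#pkts decaps' say which direction of the tunnel fails;
  3. on the far side, the route to the remote LAN must leave via the interface
     that carries the crypto map (otherwise replies bypass the tunnel).
Standard library only.
"""
import ipaddress
import re

# ACL lines copied from the 881 config on the page.
CONFIG_881 = """
access-list 100 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 deny   ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
access-list 101 permit ip 10.57.88.0 0.0.0.31 any
access-list 102 permit ip 186.80.56.0 0.0.7.255 10.57.0.0 0.0.63.255
access-list 103 permit ip 10.57.88.0 0.0.0.31 10.57.0.0 0.0.63.255
"""

# Excerpt of 'show crypto ipsec sa' copied from the page.
SHOW_SA = """
    #pkts encaps: 5422, #pkts encrypt: 5422, #pkts digest: 5422
    #pkts decaps: 2643, #pkts decrypt: 2643, #pkts verify: 2643
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
"""


def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network (a wildcard is an inverted netmask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens):
    """Consume one ACL address clause: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_to_network(t, tokens.pop(0))


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for extended 'ip' entries."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue  # remarks, standard ACLs and unrelated lines
        if tokens[3] != "ip":
            continue  # only whole-subnet 'ip' entries matter for a L2L tunnel
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        acls.setdefault(int(tokens[1]), []).append((tokens[2], src, dst))
    return acls


def nat_exemption_matches_crypto(acls, crypto_acl, nat_acl):
    """Every (src, dst) pair the crypto map encrypts must be denied in the NAT ACL."""
    crypto = {(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit"}
    exempt = {(s, d) for a, s, d in acls.get(nat_acl, []) if a == "deny"}
    return bool(crypto) and crypto <= exempt


COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def classify_counters(show_sa):
    """Use the encaps/decaps counters to say which direction of the tunnel is failing."""
    counts = {name: int(val) for name, val in COUNTER_RE.findall(show_sa)}
    enc, dec = counts.get("encaps", 0), counts.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no-interesting-traffic"   # nothing matched the crypto ACL
    if dec == 0:
        return "no-return-traffic"        # far side never sends replies into the tunnel
    return "bidirectional"                # tunnel carries traffic; look at routing/NAT behind it


def route_for(routes, dst):
    """Longest-prefix match of a destination network in a (prefix, iface, nexthop) table."""
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return best


def remote_lan_route_ok(routes, remote_lan, crypto_iface):
    """True when traffic for the remote LAN leaves via the interface holding the crypto map."""
    r = route_for(routes, ipaddress.ip_network(remote_lan))
    return r is not None and r[1] == crypto_iface


# Constructed ASA routing tables (interface names and gateways are assumptions).
# 'outside' holds the crypto map; the default route points at another gateway,
# so without a specific route the replies for 10.57.88.0/27 leave elsewhere.
ASA_ROUTES_BROKEN = [
    ("0.0.0.0/0", "backup-isp", "198.51.100.1"),
    ("10.57.0.0/18", "inside", "0.0.0.0"),
]
ASA_ROUTES_FIXED = ASA_ROUTES_BROKEN + [
    ("10.57.88.0/27", "outside", "192.0.2.1"),  # the kind of route the OP added
]


def run_checks():
    acls = parse_acls(CONFIG_881)
    return {
        "nat_exemption_ok": nat_exemption_matches_crypto(acls, 103, 101),
        "traffic": classify_counters(SHOW_SA),
        "asa_route_before": remote_lan_route_ok(ASA_ROUTES_BROKEN, "10.57.88.0/27", "outside"),
        "asa_route_after": remote_lan_route_ok(ASA_ROUTES_FIXED, "10.57.88.0/27", "outside"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

With the page's data the script reports `nat_exemption_ok: True` and `traffic: bidirectional`, so the 881 side is consistent; the routing check is the one that flips from `False` to `True` once the remote LAN has a specific route out of the crypto-map interface, which matches the fix described in the thread.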

2 Replies

Michael Muenz
Level 5

Can you check for a NAT exemption on the ASA? Using ASDM you should see some logs when you ping from the 881 LAN to the ASA LAN.

Michael

Please rate all helpful posts


Hi, I found the problem. I checked a setting on the ASA and found that the default gateway on the ASA is a different GW than the gateway toward the peer.

I created a route that sends all traffic for 10.57.88.0/27 to the gateway of the ASA peer, and it works.

Thanks for your help.