Site to Site between ASA and Cisco IOS Router

aneeshkumart84
Level 1

Please help me with a VPN: the tunnel is not building, and even the debug command is not showing anything.

 

Router Config:

!
interface GigabitEthernet0/0/2
 description Local-Net
 ip address 172.31.99.1 255.255.255.0
!
interface GigabitEthernet0/0/3
 description WAN-Port
 ip address 10.20.20.1 255.255.255.252
 crypto map VPN-MAP
!
! 3des/md5/group 2 are legacy IKE settings; aes/sha/group 14 is the usual minimum today
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key cisco12345 address 10.40.40.2
!
! originally "mode transport": transport mode cannot carry traffic between two LANs,
! a site-to-site crypto map needs tunnel mode (the IOS default)
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
 mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.40.40.2
 set transform-set ESP-AES-MD5
 match address VPN-List
!
! crypto ACL: local LAN -> remote LAN, must be the mirror image of the ASA's crypto ACL
ip access-list extended VPN-List
 permit ip 172.31.99.0 0.0.0.255 10.200.200.0 0.0.0.255
!
ip route 10.40.40.2 255.255.255.255 10.20.20.2
ip route 10.200.200.0 255.255.255.0 10.20.20.2
!

 

ASA Config:

!
interface GigabitEthernet0/0/1
 nameif WAN-UPLINK
 security-level 0
 ip address 10.40.40.2 255.255.255.252
 no shutdown
!
interface GigabitEthernet0/0/3
 nameif LAN
 security-level 100
 ip address 10.200.200.1 255.255.255.0
 no shutdown
!
! object-groups must exist before the access-list that references them
object-group network local-network
 network-object 10.200.200.0 255.255.255.0
object-group network remote-network
 network-object 172.31.99.0 255.255.255.0
!
access-list WAN-UPLINK_cryptomap extended permit ip object-group local-network object-group remote-network
!
! the name says SHA but the set uses esp-md5-hmac, which does match the router's ESP-AES-MD5
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-md5-hmac
!
crypto map WAN-UPLINK_map 1 match address WAN-UPLINK_cryptomap
crypto map WAN-UPLINK_map 1 set peer 10.20.20.1
crypto map WAN-UPLINK_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map WAN-UPLINK_map interface WAN-UPLINK
!
! not in the posted config: without this the ASA never listens for IKEv1 on WAN-UPLINK
crypto ikev1 enable WAN-UPLINK
! (the crypto ikev1 policy was not included in the post)
!
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
 ikev1 pre-shared-key cisco12345
!
route WAN-UPLINK 10.20.20.1 255.255.255.255 10.40.40.1
route WAN-UPLINK 172.31.99.0 255.255.255.0 10.40.40.1
!

 

There is no NAT enabled on either device. Any suggestions?


Hi,
The VPN tunnel will only come up once interesting traffic is seen, at which point it will attempt to build a tunnel. What commands have you run to check the tunnel is up? Have you run a ping from a computer attached to the local network on either end?

On the ASA, can you please show the output for the two object-groups, local-network and remote-network?
In your output above you have not included the IKEv1 policy from the ASA; can you post that please?
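One way to do the cross-check the reply is asking for, as an added example that is not part of the thread: the script below parses the negotiation-relevant lines of the two posted configs (embedded here as constructed strings, with the router still in transport mode and the ASA still missing `crypto ikev1 enable` and an IKEv1 policy, exactly as posted) and lists every phase 1/phase 2 mismatch it can see. The function names (`parse_router`, `parse_asa`, `check`) and the dictionary layout are the example's own; the parser only understands the handful of commands these two configs use.

```python
"""Added example (not from the thread): cross-check the router and ASA configs posted
above for the IKEv1/IPsec mismatches that keep a tunnel from ever negotiating. The
parser only understands the commands those two configs use (constructed input below)."""
import ipaddress

ROUTER_CFG = """
crypto isakmp key cisco12345 address 10.40.40.2
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
 mode transport
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.40.40.2
 set transform-set ESP-AES-MD5
 match address VPN-List
ip access-list extended VPN-List
 permit ip 172.31.99.0 0.0.0.255 10.200.200.0 0.0.0.255
"""
ASA_CFG = """
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-md5-hmac
crypto map WAN-UPLINK_map 1 match address WAN-UPLINK_cryptomap
crypto map WAN-UPLINK_map 1 set peer 10.20.20.1
crypto map WAN-UPLINK_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map WAN-UPLINK_map interface WAN-UPLINK
tunnel-group 10.20.20.1 ipsec-attributes
 ikev1 pre-shared-key cisco12345
object-group network local-network
 network-object 10.200.200.0 255.255.255.0
object-group network remote-network
 network-object 172.31.99.0 255.255.255.0
access-list WAN-UPLINK_cryptomap extended permit ip object-group local-network object-group remote-network
"""

def net(ip, mask):  # ipaddress accepts a netmask (ASA syntax) or a wildcard/hostmask (IOS ACL syntax)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def blocks(cfg):
    """Group a config into (top-level command words, [indented sub-command words]) pairs."""
    out = []
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] == " ":
            out[-1][1].append(line.split())
        else:
            out.append((line.split(), []))
    return out

def parse_router(cfg):
    r, ts, acls = {}, {}, {}
    for w, kids in blocks(cfg):
        if w[:3] == ["crypto", "isakmp", "key"]:
            r["psk"], r["psk_peer"] = w[3], w[5]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:  # IOS defaults to tunnel mode
            ts[w[3]] = (frozenset(w[4:]), next((k[1] for k in kids if k[0] == "mode"), "tunnel"))
        elif w[:2] == ["crypto", "map"]:
            for k in kids:
                if k[:2] == ["set", "peer"]: r["peer"] = k[2]
                elif k[:2] == ["set", "transform-set"]: r["transform"], r["mode"] = ts[k[2]]
                elif k[:2] == ["match", "address"]: r["acl"] = k[2]
        elif w[:3] == ["ip", "access-list", "extended"]:
            acls[w[3]] = {(net(k[2], k[3]), net(k[4], k[5])) for k in kids if k[0] == "permit"}
    r["proxies"] = acls[r["acl"]]  # (local, remote) proxy-ID pairs the router will propose
    return r

def parse_asa(cfg):
    a, ts, og, acls = {"enable": set(), "policy": set(), "psk": {}}, {}, {}, {}
    for w, kids in blocks(cfg):
        if w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            ts[w[4]] = frozenset(w[5:])
        elif w[:2] == ["crypto", "ikev1"]:  # 'crypto ikev1 enable <if>' / 'crypto ikev1 policy <n>'
            a[w[2]].add(w[3])
        elif w[:2] == ["crypto", "map"]:  # w[3] is "interface" or a sequence number
            if w[3] == "interface": a["wan_if"] = w[4]
            elif w[4] == "match": a["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]: a["peer"] = w[6]
            elif w[4:7] == ["set", "ikev1", "transform-set"]: a["transform"] = ts[w[7]]
        elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes":
            a["psk"][w[1]] = next(k[2] for k in kids if k[:2] == ["ikev1", "pre-shared-key"])
        elif w[:2] == ["object-group", "network"]:
            og[w[2]] = {net(k[1], k[2]) for k in kids if k[0] == "network-object"}
        elif w[0] == "access-list" and w[2:6] == ["extended", "permit", "ip", "object-group"]:
            acls.setdefault(w[1], set()).update((s, d) for s in og[w[6]] for d in og[w[8]])
    a["proxies"] = acls.get(a.get("acl"), set())  # (local, remote) pairs the ASA will accept
    return a

def check(r, a):
    """Return the mismatches; an empty list means the phase 1 and phase 2 parameters line up."""
    tests = [
        (r["peer"] == r["psk_peer"] and a["psk"].get(a["peer"]) == r["psk"],
         "pre-shared key is not bound to the configured peer on both sides, or the keys differ"),
        (r["transform"] == a["transform"],
         f"transform-set mismatch: {sorted(r['transform'])} vs {sorted(a['transform'])}"),
        (r["mode"] == "tunnel", f"router transform-set is mode {r['mode']}; LAN-to-LAN needs tunnel mode"),
        (a.get("wan_if") in a["enable"], f"ASA: 'crypto ikev1 enable {a.get('wan_if')}' is missing, IKE never listens"),
        (bool(a["policy"]), "ASA: no 'crypto ikev1 policy' configured, so phase 1 has nothing to offer"),
        (r["proxies"] == {(d, s) for s, d in a["proxies"]}, "crypto ACLs are not mirror images of each other"),
    ]
    return [msg for ok, msg in tests if not ok]

if __name__ == "__main__":
    print(*(check(parse_router(ROUTER_CFG), parse_asa(ASA_CFG)) or ["no mismatches found"]), sep="\n")
```

Run as-is it reports three findings for the configs as posted (transport mode on the router, no `crypto ikev1 enable WAN-UPLINK`, no IKEv1 policy); the PSK, transform-set and crypto ACLs already agree. Once those three are fixed the list is empty, and the remaining step is the one the reply describes: send interesting traffic (a ping from a host in 172.31.99.0/24 to one in 10.200.200.0/24) and then look at `show crypto isakmp sa` on the router and `show crypto ikev1 sa` on the ASA.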