03-16-2016 11:27 PM - edited 02-21-2020 08:43 PM
But now I'm having some problems. I have a Cisco ASA at headquarters and branches that need to establish a working IPsec VPN to it.
1) The branch RouterOS WAN port uses a private IP address and establishes an IPsec VPN with the headquarters ASA's public outside address. The VPN is established successfully, and from the branch I can ping the internal servers and the switch at headquarters. However, there is a problem: when I go through RouterOS to visit the headquarters server, the HTTPS pages cannot be opened, and I can telnet to the internal switches but cannot enter any characters.
2) In addition, when I give the branch RouterOS WAN port a public IP address and establish the IPsec VPN with the headquarters ASA, the problems above do not occur: the server can be accessed, and over telnet to the switch I can also enter text and commands.
At present I cannot work around this problem, because I need to create very, very many branches, and they all need to communicate with headquarters, so the branch offices have to use private IP addresses on the WAN; it is not possible for every WAN to have a public IP address to establish the IPsec VPN with headquarters.
Now I cannot telnet through the ASA to the inside Cisco router or open the inside HTTPS web page, and I cannot fix the problem.
Now, the ASA configuration:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 49.239.3.10 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.0.111 255.255.255.0
object network inside
subnet 172.17.1.0 255.255.255.0
object network outsidevpn
subnet 192.168.0.0 255.255.0.0
nat (inside,outside) source static inside inside destination static outsidevpn outsidevpn no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 49.239.3.1 1
route inside 172.17.1.0 255.255.255.0 172.17.0.5 1
crypto ipsec ikev1 transform-set cisco esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map cisco 1000 set pfs
crypto dynamic-map cisco 1000 set ikev1 transform-set cisco
crypto dynamic-map cisco 1000 set reverse-route
crypto map cisco 1000 ipsec-isakmp dynamic cisco
crypto map cisco interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 60
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
03-17-2016 03:01 AM
Hi,
Could you share the output of show cry
Regards,
Aditya
Hi,
Please share the
Regards,
Aditya
Please rate helpful posts.
03-17-2016 02:55 AM
ciscoasa(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: cisco, seq num: 1000, local addr: 49.239.3.10
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
current_peer: 49.239.0.226
#pkts encaps: 109, #pkts encrypt: 109, #pkts digest: 109
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 109, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.0.226/29473
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0139748B
current inbound spi : 41B82D1E
inbound esp sas:
spi: 0x41B82D1E (1102589214)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 155648, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4374000/1696)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0139748B (20542603)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 155648, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4374000/1696)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa(config)# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: 49.239.3.200
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
03-17-2016 03:32 AM
ciscoasa(config)# sh crypto ipsec sa peer 49.239.3.10
There are no ipsec sas for peer 49.239.3.10
ciscoasa(config)# sh crypto ipsec sa peer 49.239.3.200
peer address: 49.239.3.200
Crypto map tag: cisco, seq num: 1000, local addr: 49.239.3.10
local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
current_peer: 49.239.3.200
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.3.200/4500
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 07553A5F
current inbound spi : F70DCB8C
inbound esp sas:
spi: 0xF70DCB8C (4144876428)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 233472, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4373998/1774)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x003FFFFF
outbound esp sas:
spi: 0x07553A5F (123026015)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 233472, crypto-map: cisco
sa timing: remaining key lifetime (kB/sec): (4373998/1774)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
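The two `show crypto ipsec sa` outputs above carry the diagnosis in their counters: the private-WAN peer shows 109 encaps against 24 decaps, while the public-WAN peer is symmetric at 20/20. The following is an added example, not code from the thread or from Cisco, that parses such SA blocks and flags the asymmetry; the sample inputs are constructed excerpts of the outputs quoted above, and the `ratio` threshold is an assumed tuning knob.

```python
import re

# Constructed excerpts of the two "show crypto ipsec sa" outputs quoted in the thread:
# the private-WAN branch (ping works, TCP stalls) and the public-WAN branch (works).
PRIVATE_WAN_BRANCH = """\
    local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
    current_peer: 49.239.0.226
    #pkts encaps: 109, #pkts encrypt: 109, #pkts digest: 109
    #pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
    #send errors: 0, #recv errors: 0
    local crypto endpt.: 49.239.3.10/4500, remote crypto endpt.: 49.239.0.226/29473
"""
PUBLIC_WAN_BRANCH = """\
    remote ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
    current_peer: 49.239.3.200
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

COUNTER_RE = re.compile(r"#(?P<name>[\w -]+?):\s*(?P<value>\d+)")
FIELD_RE = re.compile(r"^(current_peer|local ident|remote ident)[^:]*:\s*(.+)$")

def parse_sa(text):
    """Parse one SA block into peer, traffic selectors and the '#...' counters."""
    sa = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m:
            sa[m.group(1).replace("current_", "").replace(" ", "_")] = m.group(2).strip()
        for c in COUNTER_RE.finditer(line):
            sa["counters"][c.group("name").strip()] = int(c.group("value"))
    return sa

def assess(sa, ratio=3.0):
    """Flag counter patterns that point at the remote side rather than at IKE/IPsec itself."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    findings = []
    if enc and not dec:
        findings.append("%s: nothing decapsulated, peer never encrypts replies" % sa.get("peer"))
    elif enc > ratio * dec:
        # HQ keeps encrypting (and retransmitting) but few replies come back encrypted:
        # the branch is sending them outside the IPsec policy (fasttrack/NAT on RouterOS).
        # RouterOS fasttrack only handles TCP/UDP flows, which is why ping still works.
        findings.append("%s: %d encaps vs %d decaps, replies from %s bypass the tunnel"
                        % (sa.get("peer"), enc, dec, sa.get("remote_ident")))
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("%s: send/recv errors, check transform set and keys" % sa.get("peer"))
    return findings
```

Run `assess(parse_sa(...))` over each peer block of the real output; a peer that is MM_ACTIVE with symmetric counters is healthy, while a large encaps/decaps gap with zero errors points at the remote router's firewall or NAT rather than at the ASA.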
03-17-2016 03:58 AM
Thank you for your reply. I studied it a little more carefully and the problem is resolved: we need to open the RouterOS firewall's inside fasttrack to accept!
03-17-2016 03:33 AM
My ASA outside public IP is 49.239.3.10.