Site to Site VPN Problems With 2801 Router and ASA 5505

joescott4t
Level 1

Hello,

I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.

IP scheme at Site A:

IP    172.19.3.x

sub 255.255.255.128

GW 172.19.3.129

Site A Cisco 2801 Router

Current configuration : 11858 bytes

!

version 12.4

service timestamps debug datetime localtime

service timestamps log datetime localtime show-timezone

service password-encryption

!

hostname router-2801

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

!

aaa new-model

!

!

aaa authentication login userauthen group radius local

aaa authorization network groupauthor local

!

!

aaa session-id common

clock timezone est -5

clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 172.19.3.129 172.19.3.149

ip dhcp excluded-address 172.19.10.1 172.19.10.253

ip dhcp excluded-address 172.19.3.140

ip dhcp ping timeout 900

!

ip dhcp pool DHCP

   network 172.19.3.128 255.255.255.128

   default-router 172.19.3.129

   domain-name domain.local

   netbios-name-server 172.19.3.7

   option 66 ascii 172.19.3.225

   dns-server 172.19.3.140 208.67.220.220 208.67.222.222

!

ip dhcp pool VoiceDHCP

   network 172.19.10.0 255.255.255.0

   default-router 172.19.10.1

   dns-server 208.67.220.220 8.8.8.8

   option 66 ascii 172.19.10.2

   lease 2

!

!

ip cef

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

no ip domain lookup

ip domain name domain.local

!

multilink bundle-name authenticated

!

!

!

key chain key1

key 1

   key-string 7 06040033484B1B484557

!

crypto pki trustpoint TP-self-signed-3448656681

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3448bb6681

revocation-check none

rsakeypair TP-self-signed-344bbb56681

!

!

crypto pki certificate chain TP-self-signed-3448656681

certificate self-signed 01

  3082024F

            quit

!

!

username admin privilege 15 password 7 F55

archive

log config

  hidekeys

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key XXXXX address 209.118.0.1

crypto isakmp key xxxxx address SITE B Public IP

crypto isakmp keepalive 40 5

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group IISVPN

key 1nsur3m3

dns 172.19.3.140

wins 172.19.3.140

domain domain.local

pool VPN_Pool

acl 198

crypto isakmp profile IISVPNClient

   description VPN clients profile

   match identity group IISVPN

   client authentication list userauthen

   isakmp authorization list groupauthor

   client configuration address respond

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map Dynamic 5

set transform-set myset

set isakmp-profile IISVPNClient

qos pre-classify

!

!

crypto map VPN 10 ipsec-isakmp

set peer 209.118.0.1

set peer SITE B Public IP

set transform-set myset

match address 101

qos pre-classify

crypto map VPN 65535 ipsec-isakmp dynamic Dynamic

!

!

!

!

track 123 ip sla 1 reachability

delay down 15 up 10

!

class-map match-any VoiceTraffic

match protocol rtp audio

match protocol h323

match protocol rtcp

match access-group name VOIP

match protocol sip

class-map match-any RDP

match access-group 199

!

!

policy-map QOS

class VoiceTraffic

    bandwidth 512

class RDP

    bandwidth 768

policy-map MainQOS

class class-default

    shape average 1500000

  service-policy QOS

!

!

!

!

interface FastEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$

ip address 172.19.3.129 255.255.255.128

ip access-group 100 in

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/0.10

description $ETH-VoiceVLAN$$

encapsulation dot1Q 10

ip address 172.19.10.1 255.255.255.0

ip inspect SDM_LOW in

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1

description "Comcast"

ip address PUB IP 255.255.255.248

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN

!

interface Serial0/1/0

description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"

bandwidth 1536

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type ansi

!

interface Serial0/1/0.1 point-to-point

bandwidth 1536

ip address 152.000.000.18 255.255.255.252

ip access-group 102 in

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

frame-relay interface-dlci 500 IETF 

crypto map VPN

service-policy output MainQOS

!

interface Serial0/2/0

description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"

ip address 123.252.123.102 255.255.255.252

ip access-group 102 in

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

encapsulation ppp

crypto map VPN

service-policy output MainQOS

!

ip local pool VPN_Pool 172.20.3.130 172.20.3.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123

ip route 0.0.0.0 0.0.0.0 111.252.237.000 254

ip route 122.112.197.20 255.255.255.255 209.252.237.101

ip route 208.67.220.220 255.255.255.255 50.78.233.110

no ip http server

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip flow-top-talkers

top 20

sort-by bytes

!

ip nat inside source route-map COMCAST interface FastEthernet0/1 overload

ip nat inside source route-map PAETEC interface Serial0/2/0 overload

ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload

ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable

!

ip access-list extended VOIP

permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190

permit ip host 172.19.3.190 172.20.3.0 0.0.0.127

!

ip radius source-interface FastEthernet0/0

ip sla 1

icmp-echo 000.67.220.220 source-interface FastEthernet0/1

timeout 10000

frequency 15

ip sla schedule 1 life forever start-time now

access-list 23 permit 172.19.3.0 0.0.0.127

access-list 23 permit 172.19.3.128 0.0.0.127

access-list 23 permit 173.189.251.192 0.0.0.63

access-list 23 permit 107.0.197.0 0.0.0.63

access-list 23 permit 173.163.157.32 0.0.0.15

access-list 23 permit 72.55.33.0 0.0.0.255

access-list 23 permit 172.19.5.0 0.0.0.63

access-list 100 remark "Outgoing Traffic"

access-list 100 deny   ip 67.128.87.156 0.0.0.3 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit tcp host 172.19.3.190 any eq smtp

access-list 100 permit tcp host 172.19.3.137 any eq smtp

access-list 100 permit tcp any host 66.251.35.131 eq smtp

access-list 100 permit tcp any host 173.201.193.101 eq smtp

access-list 100 permit ip any any

access-list 100 permit tcp any any eq ftp

access-list 101 remark "Interesting VPN Traffic"

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 101 permit tcp any any eq ftp

access-list 101 permit tcp any any eq ftp-data

access-list 102 remark "Inbound Access"

access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp

access-list 102 permit udp any host 152.179.53.18 eq isakmp

access-list 102 permit esp any host 152.179.53.18

access-list 102 permit ahp any host 152.179.53.18

access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp

access-list 102 permit udp any host 209.000.000.102 eq isakmp

access-list 102 permit esp any host 209.000.000.102

access-list 102 permit ahp any host 209.000.000.102

access-list 102 permit udp any host PUB IP eq non500-isakmp

access-list 102 permit udp any host PUB IP eq isakmp

access-list 102 permit esp any host PUB IP

access-list 102 permit ahp any host PUB IP

access-list 102 permit ip 72.55.33.0 0.0.0.255 any

access-list 102 permit ip 107.0.197.0 0.0.0.63 any

access-list 102 deny   ip 172.19.3.128 0.0.0.127 any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

access-list 102 permit icmp any any

access-list 102 deny   ip any any log

access-list 102 permit tcp any host 172.19.3.140 eq ftp

access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established

access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp

access-list 102 permit udp any host SITE B Public IP  eq isakmp

access-list 102 permit esp any host SITE B Public IP

access-list 102 permit ahp any host SITE B Public IP

access-list 110 remark "Outbound NAT Rule"

access-list 110 remark "Deny VPN Traffic NAT"

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 110 permit ip 172.19.3.128 0.0.0.127 any

access-list 110 permit ip 172.19.10.0 0.0.0.255 any

access-list 198 remark "Networks for IISVPN Client"

access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127

access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 199 permit tcp any any eq 3389

!

!

!

route-map PAETEC permit 10

match ip address 110

match interface Serial0/2/0

!

route-map COMCAST permit 10

match ip address 110

match interface FastEthernet0/1

!

route-map VERIZON permit 10

match ip address 110

match interface Serial0/1/0.1

!

!

snmp-server community 123 RO

radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp server 128.118.25.3

ntp server 217.150.242.8

end

IP scheme at site B:

ip     172.19.5.x

sub  255.255.255.192

gw   172.19.5.65

Cisco ASA 5505 at Site B

ASA Version 8.2(5)

!

hostname ASA5505

domain-name domain.com

enable password b04DSH2HQqXwS8wi encrypted

passwd b04DSH2HQqXwS8wi encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.19.5.65 255.255.255.192

!

interface Vlan2

nameif outside

security-level 0

ip address SITE B public IP 255.255.255.224

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone est -5

clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00

dns server-group DefaultDNS

domain-name iis-usa.com

same-security-traffic permit intra-interface

object-group network old hosting provider

network-object 72.55.34.64 255.255.255.192

network-object 72.55.33.0 255.255.255.0

network-object 173.189.251.192 255.255.255.192

network-object 173.163.157.32 255.255.255.240

network-object 66.11.1.64 255.255.255.192

network-object 107.0.197.0 255.255.255.192

object-group network old hosting provider

network-object host 172.19.250.10

network-object host 172.19.250.11

access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider

access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128

access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any

access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any

access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any

access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any

access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any

access-list 10 extended permit icmp any any echo-reply

access-list 10 extended permit icmp any any time-exceeded

access-list 10 extended permit icmp any any unreachable

access-list 10 extended permit icmp any any traceroute

access-list 10 extended permit icmp any any source-quench

access-list 10 extended permit icmp any any

access-list 10 extended permit tcp object-group old hosting provider any eq 3389

access-list 10 extended permit tcp any any eq https

access-list 10 extended permit tcp any any eq www

access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128

access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider

pager lines 24

logging enable

logging timestamp

logging console emergencies

logging monitor emergencies

logging buffered warnings

logging trap debugging

logging history debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip verify reverse-path interface inside

ip verify reverse-path interface outside

ip audit name jab attack action alarm drop reset

ip audit name probe info action alarm drop reset

ip audit interface outside probe

ip audit interface outside jab

ip audit info action alarm drop reset

ip audit attack action alarm drop reset

ip audit signature 2000 disable

ip audit signature 2001 disable

ip audit signature 2004 disable

ip audit signature 2005 disable

icmp unreachable rate-limit 1 burst-size 1

icmp permit 75.150.169.48 255.255.255.240 outside

icmp permit 72.44.134.16 255.255.255.240 outside

icmp permit 72.55.33.0 255.255.255.0 outside

icmp permit any outside

icmp permit 173.163.157.32 255.255.255.240 outside

icmp permit 107.0.197.0 255.255.255.192 outside

icmp permit 66.11.1.64 255.255.255.192 outside

icmp deny any outside

asdm image disk0:/asdm-645.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 0.0.0.0 0.0.0.0

access-group 10 in interface outside

route outside 0.0.0.0 0.0.0.0 174.78.151.225 1

timeout xlate 3:00:00

timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http 107.0.197.0 255.255.255.192 outside

http 66.11.1.64 255.255.255.192 outside

snmp-server host outside 107.0.197.29 community *****

snmp-server host outside 107.0.197.30 community *****

snmp-server host inside 172.19.250.10 community *****

snmp-server host outside 172.19.250.10 community *****

snmp-server host inside 172.19.250.11 community *****

snmp-server host outside 172.19.250.11 community *****

snmp-server host outside 68.82.122.239 community *****

snmp-server host outside 72.55.33.37 community *****

snmp-server host outside 72.55.33.38 community *****

snmp-server host outside 75.150.169.50 community *****

snmp-server host outside 75.150.169.51 community *****

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map VPNMAP 10 match address 110

crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP

crypto map VPNMAP 10 set transform-set ESP-3DES-MD5

crypto map VPNMAP 10 set security-association lifetime seconds 86400

crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000

crypto map VPNMAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 172.19.5.64 255.255.255.192 inside

telnet 172.19.3.0 255.255.255.128 outside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

dhcpd dns 172.19.3.140

dhcpd wins 172.19.3.140

dhcpd ping_timeout 750

dhcpd domain iis-usa.com

!

dhcpd address 172.19.5.80-172.19.5.111 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection scanning-threat shun except object-group old hosting provider

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 128.118.25.3 source outside

ntp server 217.150.242.8 source outside

tunnel-group 72.00.00.7 type ipsec-l2l

tunnel-group 72.00.00.7 ipsec-attributes

pre-shared-key *****

tunnel-group old vpn public ip type ipsec-l2l

tunnel-group old vpn public ip ipsec-attributes

pre-shared-key *****

tunnel-group SITE A Public IP  type ipsec-l2l

tunnel-group SITE A Public IP  ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect pptp

  inspect sip 

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:

: end

12 Replies

Jiri Zvolanek
Level 1

Hi Joe.

I think your problem is in the crypto access-list at the IOS router's end. Your crypto access-lists don't match each other.

Here you have your crypto access-list on IOS router:

access-list 101 remark "Interesting VPN Traffic"

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 101 permit tcp any any eq ftp

access-list 101 permit tcp any any eq ftp-data

And here is your ACL for VPN from ASA:

access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128

access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider

At the ASA's end you have host 172.19.5.64/32 as the source for VPN traffic, but this host is not mentioned above in the crypto access-list of the IOS router, and I don't think the "any any" statement would match the ASA's crypto access-list properly.

Try to insert the following line into your ACL 101 at the IOS router before those "any any" statements:

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.5.64

Thank you for your reply. How would I add it before that line? Do I need to manually copy the config, add the line, and then copy it back up?

I believe that this is a valid point. I would ask about one other aspect of the configuration of the IOS router. The crypto map has one instance defined which has two set peer statements. This will result in only one being active at a time (the router will try the first one listed and if it fails then it will try the other one listed). I am not clear whether this is the intended behavior. If the original poster wants only a single tunnel (with redundancy) this approach is fine. But if the intended result is to have two tunnels then there need to be two instances in the crypto map and each instance has a single set peer.

I also note that the crypto map on the IOS router has these destinations

172.19.3.0 0.0.0.127

172.19.250.10

172.19.250.11

but I do not see these addresses on the ASA. This mismatch would also cause problems with the VPN tunnel.

HTH

Rick



Are you referring to this section:

crypto map VPN 10 ipsec-isakmp

set peer 209.118.69.7

set peer 174.00.000.248

set transform-set myset

match address 101

qos pre-classify

The 209 address was a VPN branch to a location that no longer exists. The 174.000.000.248 is the public IP of site B. Should I remove the set peer 209.118.69.7?

Yes I am referring to the section

crypto map VPN 10 ipsec-isakmp

set peer 209.118.69.7

set peer 174.00.000.248

set transform-set myset

match address 101

qos pre-classify

If the 209 address no longer exists then I would certainly suggest that you take it out of the config.

I agree with the suggestion that getting a fresh start on the crypto/IPSec VPN on both devices might be a good thing to do.

HTH

Rick


Also, wouldn't I have to allow access for that whole network?

I've added the line to my router and it now looks like this. I tried a ping to the ASA on the other side at 172.29.5.65 but it failed.

access-list 101 remark "Interesting VPN Traffic"

access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 101 permit tcp any any eq ftp

access-list 101 permit tcp any any eq ftp-data

access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.5.64

I would recommend you erase the old crypto access-lists on both sides and start from scratch.
Draw the topology on paper and think about the networks on each side which have to communicate with each other.
In the end you should end up with crypto access-lists similar to this (created from your config post; I can see just one network on each side):

IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65


ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128

And I have to agree with Richard, erase that old "set peer" statement from the crypto map on the IOS router.

I have removed the old "set peer" and have added:

IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65


ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128

On the router I have also added:

access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

Here is my ACL:

access-list 110 remark "Outbound NAT Rule"

access-list 110 remark "Deny VPN Traffic NAT"

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 110 permit ip 172.19.3.128 0.0.0.127 any

access-list 110 permit ip 172.19.10.0 0.0.0.255 any

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

access-list 198 remark "Networks for IISVPN Client"

access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127

access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127


Still no ping to the other site.


Watch out for NAT ACL(110) at the IOS router side.

Statement:

access-list 110 permit ip 172.19.3.128 0.0.0.127 any

is before

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

So traffic which should be encrypted is translated first and no encryption is done; you have to move it up.

It is supposed to look like this:

access-list 110 remark "Outbound NAT Rule"

access-list 110 remark "Deny VPN Traffic NAT"

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11

access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10

access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63                //denying NAT for your VPN traffic between those two subnets

access-list 110 permit ip 172.19.3.128 0.0.0.127 any      //allowing NAT for other traffic not mentioned in previous statements

access-list 110 permit ip 172.19.10.0 0.0.0.255 any       //allowing NAT for other traffic not mentioned in previous statements

How do I move a policy up or down?

With this command you will display your ACL with sequence numbers:

router#show ip access-lists 110

Extended IP access list 110

    10 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127

    20 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255

    30 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127

    40 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127

    50 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127

    60 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11

    70 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10

    80 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63

    90 permit ip 172.19.3.128 0.0.0.127 any

    100 permit ip 172.19.10.0 0.0.0.255 any

router(config)#ip access-list extended 110          //enter extended ACL config

router(config-ext-nacl)#no                //you can modify/delete/create a particular statement by its sequence number

router(config-ext-nacl)# permit ip ...............
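The three points Jiri raises in this thread (crypto ACLs that are not mirror images of each other, the NAT ACL translating VPN traffic because the deny sits below the catch-all permit, and moving an entry with sequence numbers) can all be checked offline before touching the router. The script below is an added example, not Cisco code and not from any of the posts: it parses IOS (wildcard) and ASA (subnet mask) access-list lines into a common form, reports which permit entries lack a mirrored counterpart on the other box, evaluates the NAT ACL first-match for a Site A to Site B packet, and emits the IOS CLI that moves the VPN deny above the permit. The ACL lines are copied from the thread; one caveat it enforces is that the wildcard for a /26 is 0.0.0.63, and the 0.0.0.65 that appears earlier in the thread is not a contiguous wildcard (the parser rejects it with ValueError). Object-group entries from the ASA are not handled.

```python
"""Added example (not Cisco code, not from the original posts): check that
the IOS and ASA crypto ACLs mirror each other, and that the router's NAT ACL
denies VPN traffic before the catch-all permit that would translate it.
ACL lines are copied from the thread; the wildcard for a /26 is 0.0.0.63."""
import ipaddress
from typing import List, NamedTuple, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


class Ace(NamedTuple):
    action: str                 # permit / deny
    proto: str                  # ip / tcp / udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                   # entry as typed inside "ip access-list extended"


def ios_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard -> network. A non-contiguous wildcard such as 0.0.0.65
    inverts to an invalid netmask and raises ValueError."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _addr(tok: List[str], ios: bool) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any' | 'host A' | 'A wildcard' (IOS) | 'A mask' (ASA)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    if ios:
        return ios_net(tok[0], tok[1]), tok[2:]
    return ipaddress.IPv4Network((tok[0], tok[1]), strict=False), tok[2:]


def parse_ace(line: str) -> Ace:
    """'access-list N [extended] permit|deny PROTO SRC DST [ports]'; no object-groups."""
    t = line.split()
    ios = t[2] != "extended"
    if not ios:
        del t[2]
    src, rest = _addr(t[4:], ios)
    dst, _ = _addr(rest, ios)
    return Ace(t[2], t[3], src, dst, " ".join(t[2:]))


def mirror_gaps(ios_acl: List[Ace], asa_acl: List[Ace]) -> Tuple[List[Ace], List[Ace]]:
    """Permit entries on each side whose reversed (proto, dst, src) the other side lacks."""
    ios = {(a.proto, a.src, a.dst) for a in ios_acl if a.action == "permit"}
    asa = {(a.proto, a.src, a.dst) for a in asa_acl if a.action == "permit"}
    ios_only = [a for a in ios_acl if a.action == "permit" and (a.proto, a.dst, a.src) not in asa]
    asa_only = [a for a in asa_acl if a.action == "permit" and (a.proto, a.dst, a.src) not in ios]
    return ios_only, asa_only


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First-match lookup for IP entries, with the implicit deny every IOS ACL ends in.
    On a NAT route-map ACL, 'permit' means the packet gets translated."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in acl:
        if a.proto == "ip" and s in a.src and d in a.dst:
            return a.action
    return "deny"


def move_ace(name: str, acl: List[Ace], from_idx: int, before_idx: int) -> Tuple[List[Ace], List[str]]:
    """Reordered copy plus the IOS CLI that does the same on the router. Unnumbered
    entries get sequence numbers 10, 20, 30 ..., so 'before - 5' is a free slot."""
    ace = acl[from_idx]
    cli = [f"ip access-list extended {name}",
           f"no {10 * (from_idx + 1)}",
           f"{10 * (before_idx + 1) - 5} {ace.text}"]
    new = [a for i, a in enumerate(acl) if i != from_idx]
    new.insert(before_idx - 1 if from_idx < before_idx else before_idx, ace)
    return new, cli


# Crypto ACLs as posted (first line of IOS 101 vs ASA 110), then as Jiri proposed.
IOS_101_OLD = [parse_ace("access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127")]
ASA_110_OLD = [parse_ace("access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128")]
IOS_101_NEW = [parse_ace("access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63")]
ASA_110_NEW = [parse_ace("access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128")]

# Router NAT ACL 110 in the order the poster ended up with: the VPN deny is last.
NAT_110 = [parse_ace(line) for line in (
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255",
    "access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127",
    "access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10",
    "access-list 110 permit ip 172.19.3.128 0.0.0.127 any",
    "access-list 110 permit ip 172.19.10.0 0.0.0.255 any",
    "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63",
)]

if __name__ == "__main__":
    print("old crypto ACLs mirror:", mirror_gaps(IOS_101_OLD, ASA_110_OLD) == ([], []))
    print("new crypto ACLs mirror:", mirror_gaps(IOS_101_NEW, ASA_110_NEW) == ([], []))
    print("site A -> site B as posted:", first_match(NAT_110, "172.19.3.150", "172.19.5.70"))
    fixed, cli = move_ace("110", NAT_110, from_idx=9, before_idx=7)
    print("after reorder:", first_match(fixed, "172.19.3.150", "172.19.5.70"))
    print("\n".join(cli))
```

Two practical notes when applying the generated commands on the 2801: translations and security associations that already exist are not re-evaluated, so after reordering ACL 110 clear them with `clear ip nat translation *` and `clear crypto sa`, then test with a ping sourced from the inside interface (`ping 172.19.5.65 source 172.19.3.129`), since a ping sourced from the WAN address never matches the crypto ACL. On the ASA side, replies to the inside interface across the tunnel depend on the `management-access inside` line that is already in the posted config.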
