
site to site vpn with a dynamic map

hanwucisco
Level 1

I am trying to configure a site-to-site VPN with a dynamic map, where ASA2 has a DHCP-assigned address on the outside interface. The underlying routing works fine. But when I apply my phase 1 and phase 2 configs to the ASAs, it stops working, not even pinging.

Thanks

Han

R1==ASA1-----ASA2=====R2

ASA1


crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key cisco

crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map MAP-DYN 20 set transform-set myset
crypto map MAP-VPN 55 ipsec-isakmp dynamic MAP-DYN
crypto map MAP-VPN interface outside


============

ASA2

crypto isakmp policy 15
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
isakmp key cisco address 1.1.10.1

access-list 120 permit ip any any
access-list 120 permit icmp any any

crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map MAP-VPN 10 match address 120
crypto map MAP-VPN 10 set peer 1.1.10.1
crypto map MAP-VPN 10 set transform-set myset
crypto map MAP-VPN 10 set security-association lifetime kilobytes 10000
crypto map MAP-VPN interface outside


Vikas Saxena
Cisco Employee

Configs are fine. However, what do you mean when you say it stops even responding to pings?

Since you have permit ip any any in your dynamic ASA crypto ACL you are encrypting anything and everything.

'permit ip any any' is not a good idea anyway; you should apply the ACL as

access-li 120 permit ip <inside ip range> any

This way you are restricting the crypto to only the traffic coming out from the inside IP range going to anywhere. Sometimes having permit ip any any in the crypto ACL will give you the feeling that the device has stopped responding; it is just encrypting ALL the traffic coming out of the interface.

-Vikas
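The scoped crypto ACL recommended above, worked through for both ASAs as an added example; this is not configuration posted in the thread. It keeps the thread's peer address 1.1.10.1, transform set, ISAKMP policies and pre-shared key, and assumes 192.168.1.0/24 behind ASA1 (R1), 192.168.2.0/24 behind ASA2 (R2), and ASA 8.2-style syntax to match the commands in the thread. The ACL names, the two subnets and the NAT exemption lines are assumptions; the NAT lines only matter if NAT is configured on the inside interfaces.

```cisco
! ===========================================================
! ASA2 (dynamic outside address; ASA 8.2-style syntax assumed)
! ===========================================================
!
! Weak setting from the thread, shown for comparison. With a crypto ACL this
! broad, every packet leaving "outside" is treated as interesting traffic,
! which is what makes the box look as if it stopped responding:
!   access-list 120 permit ip any any
!   access-list 120 permit icmp any any   <- shadowed by the line above anyway
!
! Corrected: scope the crypto ACL to the two protected subnets (assumed values).
access-list VPN-TO-ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Exempt the same flows from NAT, if NAT is configured on "inside" (8.2 syntax).
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto isakmp policy 15
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Peer-specific tunnel-group instead of the legacy "isakmp key ... address" form.
! "cisco" is kept only to match the thread; use a long random PSK in practice.
tunnel-group 1.1.10.1 type ipsec-l2l
tunnel-group 1.1.10.1 ipsec-attributes
 pre-shared-key cisco
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map MAP-VPN 10 match address VPN-TO-ASA1
crypto map MAP-VPN 10 set peer 1.1.10.1
crypto map MAP-VPN 10 set transform-set myset
crypto map MAP-VPN interface outside
!
! ===========================================================
! ASA1 (static outside address 1.1.10.1, dynamic crypto map)
! ===========================================================
!
! Mirror ACL: without a match address the dynamic map accepts whatever proxy
! IDs ASA2 proposes, including any/any. With it, an over-broad proposal fails.
access-list VPN-FROM-ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map MAP-DYN 20 match address VPN-FROM-ASA2
crypto dynamic-map MAP-DYN 20 set transform-set myset
crypto map MAP-VPN 55 ipsec-isakmp dynamic MAP-DYN
crypto map MAP-VPN interface outside
!
! Verification, after sending traffic from R2's subnet towards R1's subnet:
!   show crypto isakmp sa                 -> phase 1 should reach MM_ACTIVE
!   show crypto ipsec sa                  -> local/remote ident should show the
!                                            two /24s, not 0.0.0.0/0
!   show crypto ipsec sa peer 1.1.10.1    (on ASA2)
```

Because ASA1 only has a dynamic map and never learns ASA2's address in advance, the tunnel can only be brought up from the ASA2 side: traffic from R1 towards R2 is dropped until R2's side has sent something that matches VPN-TO-ASA1 and the SAs exist. Once the crypto ACL is scoped this way, pings to the ASAs' outside addresses and any other non-VPN traffic leave the outside interface in the clear again instead of being pulled into the tunnel.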