12-16-2014 06:40 PM
Hello everyone, I was trying to set up a VPN between an ASA 5505 running version 8.2(5) and an ASA 5512x running 9.1(1), but it's not working. My configuration:
ASA1 (5505 8.2(5))
interface Vlan23
 nameif INSIDE
 security-level 100
 ip address 150.128.101.1 255.255.255.0
!
interface Vlan25
 nameif OUTSIDE
 security-level 0
 ip address 66.249.12.25 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 25
!
interface Ethernet0/1
 switchport access vlan 23
access-list ACL_VPN extended permit ip host 150.18.10.31 host 172.166.30.13
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set NEMETEC-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Infocorp-Set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 200.87.12.23
crypto map VPN_map 10 set transform-set 3DES-MD5
crypto map VPN_map 10 set security-association lifetime seconds 28800
crypto map VPN_map 10 interface OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 200.87.12.23 type ipsec-l2l
tunnel-group 200.87.12.23 ipsec-attributes
 pre-shared-key mykey123
ASA 2 (5512x 9.1(1))
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 172.166.30.10 255.255.255.0
!
interface GigabitEthernet0/1
 speed 100
 nameif INTERNET
 security-level 0
 ip address 200.87.12.23 255.255.255.0
!
access-list ACL_VPN extended permit ip host 172.166.30.13 host 150.18.10.31
crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set NEMETEC-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Infocorp-Set esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 20 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 66.249.12.25
crypto map VPN_map 10 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 10 set security-association lifetime seconds 28800
crypto map VPN_map 200 ipsec-isakmp dynamic dynmap
crypto map VPN_map interface INTERNET
crypto ikev1 enable INTERNET
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 66.249.125.25 type ipsec-l2l
tunnel-group 66.249.125.25 ipsec-attributes
 ikev1 pre-shared-key mykey123
What am I missing?
thanks.
12-17-2014 09:11 AM
If it's not a typo, then I believe you have your tunnel-group IP misconfigured.
The peer on ASA 2 (5512x 9.1(1)) is 66.249.12.25 and your tunnel group is configured as:
tunnel-group 66.249.125.25 type ipsec-l2l
Please correct that and hopefully it should work.
Please rate this if you think it was useful.
Thanks
Jeet Kumar
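The mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original posts: a small Python check that every `set peer` address in a crypto map has an `ipsec-l2l` tunnel-group with the same name, and the reverse. The function name `audit_l2l_peers` is hypothetical, and the sample input is constructed from the ASA 2 lines posted in the question.

```python
import re

# Constructed sample: the relevant ASA 2 lines as posted in the question.
ASA2_CONFIG = """\
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 66.249.12.25
crypto map VPN_map 10 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 200 ipsec-isakmp dynamic dynmap
crypto map VPN_map interface INTERNET
tunnel-group 66.249.125.25 type ipsec-l2l
tunnel-group 66.249.125.25 ipsec-attributes
 ikev1 pre-shared-key mykey123
"""

# "set peer" may list more than one address on a single line.
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def audit_l2l_peers(config):
    """Return findings where crypto map peers and L2L tunnel-groups disagree."""
    peers = []          # (map name, sequence number, peer address)
    l2l_groups = set()  # tunnel-group names of type ipsec-l2l
    for raw in config.splitlines():
        line = raw.rstrip()
        m = PEER_RE.match(line)
        if m:
            for peer in m.group(3).split():
                peers.append((m.group(1), int(m.group(2)), peer))
            continue
        m = TG_L2L_RE.match(line)
        if m:
            l2l_groups.add(m.group(1))

    findings = []
    # A static peer needs a tunnel-group named after its address.
    for cmap, seq, peer in peers:
        if peer not in l2l_groups:
            findings.append(f"{cmap} {seq}: peer {peer} has no ipsec-l2l tunnel-group")
    # A tunnel-group that no crypto map entry points at is usually a typo or leftover.
    for group in sorted(l2l_groups - {p for _, _, p in peers}):
        findings.append(f"tunnel-group {group} matches no crypto map peer")
    return findings


if __name__ == "__main__":
    for finding in audit_l2l_peers(ASA2_CONFIG):
        print(finding)
```

Dynamic crypto map entries (sequence 200 above) carry no `set peer` line, so the check skips them.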
12-22-2014 08:19 AM
In fact, I changed the IPs a little for posting here.
The problem was that the other PC had another firewall, apart from the Windows one.
thanks.
01-07-2016 09:11 AM
Can you show us the NAT statements?