vpn between asa 5505 8.2(5) and asa 5512x 9.1(1) not working

dotansplus
Level 1

Hello everyone, I was trying to make a VPN between an ASA 5505 version 8.2(5) and an ASA 5512x 9.1(1), but it's not working. My configuration:

 

ASA1 (5505 8.2(5))

interface Vlan23
 nameif INSIDE
 security-level 100
 ip address 150.128.101.1 255.255.255.0
!
interface Vlan25
 nameif OUTSIDE
 security-level 0
 ip address 66.249.12.25 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 25
!
interface Ethernet0/1
 switchport access vlan 23

access-list ACL_VPN extended permit ip host 150.18.10.31 host 172.166.30.13

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set NEMETEC-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Infocorp-Set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 200.87.12.23
crypto map VPN_map 10 set transform-set 3DES-MD5
crypto map VPN_map 10 set security-association lifetime seconds 28800
crypto map VPN_map 10 interface OUTSIDE

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 200.87.12.23 type ipsec-l2l
tunnel-group 200.87.12.23 ipsec-attributes
 pre-shared-key mykey123

 

 

ASA 2 (5512x 9.1(1))

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 172.166.30.10 255.255.255.0
!
interface GigabitEthernet0/1
 speed 100
 nameif INTERNET
 security-level 0
 ip address 200.87.12.23 255.255.255.0
!
access-list ACL_VPN extended permit ip host 172.166.30.13 host 150.18.10.31

crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set NEMETEC-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Infocorp-Set esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 20 set ikev1 transform-set 3DES-MD5

crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 66.249.12.25
crypto map VPN_map 10 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 10 set security-association lifetime seconds 28800
crypto map VPN_map 200 ipsec-isakmp dynamic dynmap
crypto map VPN_map interface INTERNET
crypto ikev1 enable INTERNET

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 66.249.125.25 type ipsec-l2l
tunnel-group 66.249.125.25 ipsec-attributes
 ikev1 pre-shared-key mykey123

 

What am I missing?

 

thanks.

3 Replies

Jeet Kumar
Cisco Employee

If it's not a typo, then I believe you have your tunnel-group IP misconfigured.

The peer on ASA 2 (5512x 9.1(1)) is 66.249.12.25, and your tunnel group is configured as:

tunnel-group 66.249.125.25 type ipsec-l2l

Please correct that and hopefully it should work.

Please rate this if you think it was useful.

 

Thanks

Jeet Kumar
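
The comparison made by eye in the reply above, written as an added example (not part of the thread and not Cisco tooling): it matches each `crypto map ... set peer` address against the `ipsec-l2l` tunnel-group names in a saved config. The sample text is constructed from the ASA 2 lines posted above, and the function name `check_l2l_peers` is hypothetical.

```python
import re

# Constructed sample: the relevant lines of the ASA 2 config posted above.
ASA2_CONFIG = """\
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 66.249.12.25
crypto map VPN_map 10 set ikev1 transform-set 3DES-MD5
crypto map VPN_map interface INTERNET
tunnel-group 66.249.125.25 type ipsec-l2l
tunnel-group 66.249.125.25 ipsec-attributes
 ikev1 pre-shared-key mykey123
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def check_l2l_peers(config_text):
    """Return (peers_without_tunnel_group, tunnel_groups_without_peer)."""
    peers = {}            # peer IP -> "map-name seq" where it is set
    tunnel_groups = set() # IP-named ipsec-l2l tunnel-groups
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = PEER_RE.match(line)
        if m:
            # "set peer" accepts several addresses on one line
            for ip in m.group(3).split():
                peers[ip] = f"{m.group(1)} {m.group(2)}"
            continue
        m = TG_RE.match(line)
        if m and IPV4_RE.match(m.group(1)):
            tunnel_groups.add(m.group(1))
    missing = sorted((ip, where) for ip, where in peers.items()
                     if ip not in tunnel_groups)
    orphans = sorted(tunnel_groups - set(peers))
    return missing, orphans


if __name__ == "__main__":
    missing, orphans = check_l2l_peers(ASA2_CONFIG)
    for ip, where in missing:
        print(f"crypto map {where}: peer {ip} has no ipsec-l2l tunnel-group")
    for name in orphans:
        print(f"tunnel-group {name}: no crypto map entry uses it as a peer")
```
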

 

 

 

 

In fact, I changed the IPs a little for posting here.

The problem was that the other PC had another firewall, apart from the Windows one.

 

thanks.

 

 

Can you show us the NAT statements? 
