12-16-2014 06:40 PM
Hello everyone, I was trying to make a VPN between an ASA 5505 version 8.2(5) and an ASA 5512x 9.1(1), but it's not working. My configuration:
ASA1 (5505 8.2(5))
interface Vlan23
nameif INSIDE
security-level 100
ip address 150.128.101.1 255.255.255.0
!
interface Vlan25
nameif OUTSIDE
security-level 0
ip address 66.249.12.25 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 25
!
interface Ethernet0/1
switchport access vlan 23
access-list ACL_VPN extended permit ip host 150.18.10.31 host 172.166.30.13
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set NEMETEC-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Infocorp-Set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 200.87.12.23
crypto map VPN_map 10 set transform-set 3DES-MD5
crypto map VPN_map 10 set security-association lifetime seconds 28800
crypto map VPN_map 10 interface OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 200.87.12.23 type ipsec-l2l
tunnel-group 200.87.12.23 ipsec-attributes
pre-shared-key mykey123
ASA 2 (5512x 9.1(1))
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 172.166.30.10 255.255.255.0
!
interface GigabitEthernet0/1
speed 100
nameif INTERNET
security-level 0
ip address 200.87.12.23 255.255.255.0
!
access-list ACL_VPN extended permit ip host 172.166.30.13 host 150.18.10.31
crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set NEMETEC-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Infocorp-Set esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 20 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 66.249.12.25
crypto map VPN_map 10 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 10 set security-association lifetime seconds 28800
crypto map VPN_map 200 ipsec-isakmp dynamic dynmap
crypto map VPN_map interface INTERNET
crypto ikev1 enable INTERNET
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 66.249.125.25 type ipsec-l2l
tunnel-group 66.249.125.25 ipsec-attributes
ikev1 pre-shared-key mykey123
What am I missing?
thanks.
12-17-2014 09:11 AM
If it's not a typo, then I believe you have your tunnel-group IP misconfigured.
The peer on ASA 2 (5512x 9.1(1)) is 66.249.12.25 and your tunnel group is configured as:
tunnel-group 66.249.125.25 type ipsec-l2l
Please correct that and hopefully it should work.
Please rate this if you think it was useful.
Thanks
Jeet Kumar
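The comparison made by eye in the reply above (crypto map peer versus tunnel-group name) can be automated; this is an added example, not code from the thread. The function name `audit_l2l_peers` and the embedded sample are constructed for illustration, with the sample copied in shape from the ASA 2 lines as posted.

```python
import re

# Constructed excerpt, copied in shape from the ASA 2 lines posted in this thread.
ASA2_AS_POSTED = """\
crypto map VPN_map 10 match address ACL_VPN
crypto map VPN_map 10 set peer 66.249.12.25
crypto map VPN_map 10 set ikev1 transform-set 3DES-MD5
crypto map VPN_map 200 ipsec-isakmp dynamic dynmap
crypto map VPN_map interface INTERNET
tunnel-group 66.249.125.25 type ipsec-l2l
tunnel-group 66.249.125.25 ipsec-attributes
ikev1 pre-shared-key mykey123
"""

# These two line shapes are the same in 8.2 and 9.1 syntax.
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
GROUP_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def audit_l2l_peers(config):
    """Compare static crypto-map peers with ipsec-l2l tunnel-group names.

    Returns (missing, orphaned): peers that have no tunnel-group of the same
    name, and ipsec-l2l tunnel-groups that no static crypto map entry uses.
    """
    peers = {}      # peer address -> "map-name sequence" that references it
    groups = set()  # names of tunnel-groups declared as ipsec-l2l
    for raw in config.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            # "set peer" accepts several backup peers on one line.
            for peer in m.group(3).split():
                peers.setdefault(peer, f"{m.group(1)} {m.group(2)}")
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
    missing = sorted((p, where) for p, where in peers.items() if p not in groups)
    orphaned = sorted(groups - set(peers))
    return missing, orphaned


if __name__ == "__main__":
    missing, orphaned = audit_l2l_peers(ASA2_AS_POSTED)
    for peer, where in missing:
        print(f"crypto map {where}: peer {peer} has no ipsec-l2l tunnel-group")
    for name in orphaned:
        print(f"tunnel-group {name}: not referenced by any static crypto map peer")
```

An orphaned tunnel-group is only a warning, since a group can also serve peers that land on a dynamic crypto map entry.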
12-22-2014 08:19 AM
In fact, I changed the IPs a little for posting here.
The problem was that the other PC had another firewall, apart from the Windows one.
thanks.
01-07-2016 09:11 AM
Can you show us the NAT statements?