cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1636
Views
0
Helpful
7
Replies

VPN between ASA and router

Hi all, 

First, I'd like to say that I'm trying to implement this on Packet tracer. I'd like to establish a VPN using an ASA 5505 and a Cisco Router 1841 (both available on Packet tracer).

The devices can ping each other external IP.

The problem is that the VPN is not established. If I run sh crypto isakmp sa command on the ASA, it says: There are no IKEv1 SAs

Configurations for both devices are attached.

Any idea why it's not working?. Sorry if it's not the right forum for this, it's the firt time I post. I've been looking in the forums and I've checked some of the proposed solutions but I haven't found the right answer for my problem :-(

Thanks in advance,

Patty

1 Accepted Solution

Accepted Solutions

  1. On the router, there is no crypto map. That is needed in a compatible way to the ASA.
  2. Your Phase1 policy is not compatible. They parameters have to match on both sides (router: 3des, ASA: aes)
  3. You should adjust your NAT on both devices that the tunnel-traffic will not get NATed. Remember that NAT is done before IPsec. If you don't exempt the traffic from NAT, then it will not match the crypto ACL any more after NAT.
  4. Yes, the forum is perfectly fine! ;-)

View solution in original post

7 Replies 7

  1. On the router, there is no crypto map. That is needed in a compatible way to the ASA.
  2. Your Phase1 policy is not compatible. They parameters have to match on both sides (router: 3des, ASA: aes)
  3. You should adjust your NAT on both devices that the tunnel-traffic will not get NATed. Remember that NAT is done before IPsec. If you don't exempt the traffic from NAT, then it will not match the crypto ACL any more after NAT.
  4. Yes, the forum is perfectly fine! ;-)

Hi Karsten, 

Thanks for answering my post :-)

So I adjusted my configuration, attached the new files.

After the modifications,if I run sh crypto isakmp sa command on both devices I get:

on the ASA:

There are no IKEv1 SAs

on the router:

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

But at least after applying the crypto map on the router to the fa0/0 interface, the router gave this message:

*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

If I run sh crypto ipsec sa on both devices, I get:

on the ASA: 

There are no ipsec sas

on the router:

No SAs found

------------------------------

The modifications:

1- I created a crypto map on the router as recommended, as it's a bit different than creating it in the ASA I hope I did it well

2- I fixed the parameters for phase 1 in the router

3- not sure how to make the tunnel-traffic not NATed... could you please guide me a bit?

4- I've created an access list in the router called vpn like in the ASA, is it ok or is it redundant with the other ACLs?

Sorry, all this VPN and ASA configurations are kind of new to me as I've been learning from some articles I've found in the internettrying to implement it , probably I'm missing a deep knowledge of some important concepts.

Thanks a lot,

Patty

That config looks much better now. Typically, it's easier to learn first the foundation of router- and ASA-operation, which includes NAT, and then go further with things like IPSec. But here we go:

On both devices you need NAT rules that tell the router/ASA not to NAT the traffic that comes from the local network and goes to the remote network. For the router it could look like the following:

ip access-list extended NAT
deny ip any 172.16.0.0 0.15.255.255
permit ip 172.16.0.0 0.15.255.255 any
!
ip nat inside source list NAT interface FastEthernet0/0 overload

Whenever you communicate *to* a network 172.16.0.0/12 (which includes your remote network) the traffic is not NATed. Whenever you communicate from your local private addresses to anywhere else, the traffic is NATed.

For the ASA, it's completely different:

nat (inside,outside) source static internal-subnet internal-subnet destination static TERASA-subnet TERASA-subnet no-proxy-arp route-lookup

Here I used the existing objects for Identity NAT, when you start to use the VPN for multiple local or remote subnets, then I would configure extra objects/object-groups for that.

For testing, make sure that the triggering traffic is part of your crypto-definition. On the router you could use an extended ping:

ping 172.23.101.100 source vlan 101

Thanks for your answer, the problem is the ASA is recognising the nat as an invalid input:

asa#nat (inside,outside) source static internal-subnet internal-subnet destination static TERRASA-subnet TERRASA-subnet no-proxy-arp route-lookup

^

% Invalid input detected at '^' marker.

Here the list of available commands:

asa(config)#?

aaa Enable, disable, or view user authentication, authorization and accounting

access-group Bind an access-list to an interface to filter traffic

access-list Configure an access control element

class-map Configure MPF Class Map

clock Configure time-of-day clock

configure Configure using various methods

crypto Configure IPSec, ISAKMP, Certification, authority, key

dhcpd Configure DHCP Server

domain-name Change domain name

enable Configure password for the enable command

end Exit from configure mode

exit Exit from configure mode

group-policy Configure or remove a group policy

hostname Change host name of the system

http Configure http server and https related commands

interface Select an interface to configure

ipv6 Global IPv6 configuration commands

name Associate a name with an IP address

names Enable/Disable IP address to name mapping

no Negate a command or set its defaults

ntp Configure NTP

object Configure an object

object-group Create an object group for use in 'access-list', etc

passwd Change Telnet console access password

policy-map Configure MPF Parameter Map

route Configure a static route for an interface

service-policy Configure MPF service policy

setup Pre-configure the system

ssh Configure SSH options

telnet Add telnet access to system console or set idle timeout

tunnel-group Create and manage the database of connection specific records

for IPSec connections

username Configure user authentication local database

webvpn Configure the WebVPN service

Is there any other possible work around? 

I never used Packet-Tracer, but I would assume that it's related to this software. On real ASAs, there is a nat-statement in global configuration which is needed here.

As a workaround you could remove all NAT-statements from the ASA. Then the ASA will pass all allowed packets without translation. With that you could at least continue your VPN-practicing (if there are not more restrictions in Packet Tracer).

If you want to do more learning on Cisco, then you could also switch to VIRL where all needed features are available. ut this is commercial software ($199/yr) with quite high prerequisites on the PC.

Thanks a lot Karsten, you've been really helpful :-)