08-07-2014 11:10 AM
Hello,
I have a problem with the VPN between an ASA5505 Easy VPN Server and an 881G router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
The VPN works correctly when I replace the ASA5505 with an ASA5510, which has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
Can you help me? How can I debug or troubleshoot this problem?
I am unable to update software on ASA5505 side.
08-07-2014 11:18 PM
Hi,
If the packets are not getting decrypted at the other end, then the traffic itself is not reaching there... Have you enabled NAT-T if your device is behind the NAT device? Can you check on that?
If you want to update the OS from 7.2 to 8.4, then you need to first upgrade to 8.2 and then to version 8.4... Delete the unwanted OS to free up space, if space is the constraint...
Regards
Karthik
08-08-2014 12:03 AM
Hello,
NAT is enabled on the ASA5505 side, but there are exempt rules, and they are working correctly, because when I ping from one site to another, in the crypto sessions I see that the ASA performs packet encryption. The problem is that I don't see packet decryption on the router side, and vice versa.
08-09-2014 01:21 PM
Hi,
Can you post the configs of the ASA 5505 and the router?
Regards
Karthik
08-11-2014 03:06 AM
Hello,
Here is what my config looks like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 3
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
 address-pool HW-CLIENT-GROUP-POOL
 default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
 pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 nem enable
!
08-11-2014 04:06 AM
Hi,
You have pasted the config of one end only... Can you post the other end's config as well?
Please include the ACL created for this as well, and the NAT statements.
Regards
Karthik
08-11-2014 04:50 AM
Here is the NAT on the ASA5505:
!
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound line 20 extended permit ip 192.168.68.0 255.255.255.0 192.168.69.0 255.255.255.0
!
access-list cisco_splitTunnelAcl line 1 standard permit 192.168.68.0 255.255.255.0
!
Here is the config of the remote 881 client:
!
aaa session-id common
memory-size iomem 10
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.111.1 192.168.111.100
!
username user password 0 123
!
crypto isakmp policy 69
 encr aes
 group 2
!
crypto ipsec client ezvpn HW-CLIENT-GROUPR
 connect auto
 group HW-CLIENT-GROUPR key 123
 mode network-extension
 peer x.x.x.x
 username user password 123
 xauth userid mode local
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address dhcp
 duplex auto
 speed auto
!
interface Cellular0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 async mode interactive
!
interface Vlan1
 description LAN
 ip address 192.168.69.1 255.255.255.0
 crypto ipsec client ezvpn HW-CLIENT-GROUPR inside
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string gsm
 dialer persistent
 ppp authentication chap callin
 ppp chap hostname grps123
 ppp chap password 0 asdasd
 ppp ipcp dns request
 no cdp enable
 crypto ipsec client ezvpn HW-CLIENT-GROUPR
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1
08-11-2014 05:05 AM
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
I guess you have misconfigured this. Is that correct, or a typo made while pasting?
Regards
Karthik
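The name check raised in the post above can be automated before a config is deployed or posted. The following is an added example, not part of the original thread and not a Cisco tool: `audit_ezvpn_names`, `ASA_CONFIG` and `ROUTER_CONFIG` are hypothetical names, and the sample text is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the tunnel-group and group-policy lines quoted in the thread.
ASA_CONFIG = """\
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
 address-pool HW-CLIENT-GROUP-POOL
 default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
 pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
 nem enable
"""
# Constructed sample: the Easy VPN client lines from the 881 configuration.
ROUTER_CONFIG = """\
crypto ipsec client ezvpn HW-CLIENT-GROUPR
 group HW-CLIENT-GROUPR key 123
 mode network-extension
"""

def audit_ezvpn_names(asa_cfg, router_cfg):
    """Return a list of name-consistency findings across both configs."""
    typed, attributed, policies, policy_refs = set(), set(), set(), {}
    current = None  # tunnel-group whose attribute block is being read
    for raw in asa_cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"tunnel-group (\S+) type \S+", line):
            typed.add(m.group(1)); current = None
        elif m := re.match(r"tunnel-group (\S+) (general|ipsec)-attributes", line):
            attributed.add(m.group(1)); current = m.group(1)
        elif m := re.match(r"group-policy (\S+) internal", line):
            policies.add(m.group(1)); current = None
        elif (m := re.match(r"default-group-policy (\S+)", line)) and current:
            policy_refs[current] = m.group(1)
    findings = []
    for name in sorted(attributed - typed):
        findings.append(f"tunnel-group {name} has attributes but no 'type' line")
    for name in sorted(typed - attributed):
        findings.append(f"tunnel-group {name} is declared but has no attributes")
    for tg, pol in sorted(policy_refs.items()):
        if pol not in policies:
            findings.append(f"tunnel-group {tg} references undefined group-policy {pol}")
    # The client's 'group' name is the identity the server matches to a tunnel-group.
    for m in re.finditer(r"^\s*group (\S+) key ", router_cfg, re.M):
        if m.group(1) not in typed & attributed:
            findings.append(f"client group {m.group(1)} has no complete tunnel-group on the ASA")
    return findings
```
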
08-11-2014 06:41 AM
It is just a mistake made while pasting the configuration here.
08-11-2014 09:57 AM
Hi,
You have not pasted the complete configuration... What you have copied and pasted doesn't have all the required information.
Can you post the complete configurations to my email ID or through the personal message option in the CSC forum?
Because I do see that NAT commands are missing on the VLAN/interface... NAT commands are missing at the router end...
http://www.alfredtong.com/cisco/cisco-ezvpn-cisco-asa-and-ios-router/
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/68815-ezvpn-asa-svr-871-rem.html
Regards
Karthik