07-02-2014 02:57 AM
Hello my friends,
I have been trying to establish VPN connectivity between a Cisco IOS router and an ASA firewall over the internet - no luck so far. I think I am missing some important bit of the configuration.
Here are my configuration commands:
Router:
crypto isakmp policy 20
encryption 3des
auth pre-share
hash md5
group 2
crypto isakmp key XXX address 103.252.AAA.AAA
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
set transform 3DES-MD5
match address VPN
set peer 103.252.AAA.AAA
ip access-list extended VPN
permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
permit icmp 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255
ASA commands:
sysopt connection permit-vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
tunnel-group 203.167.BBB.BBB type ipsec-l2l
tunnel-group 203.167.BBB.BBB ipsec-attributes
pre-shared-key XXX
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
access-list LIST permit icmp 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer 203.167.BBB.BBB
crypto map VPN interface outside
Do you have any idea what is wrong? Thank you a lot in advance.
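The two configurations above, cross-checked by an added example script (not code from the thread or from Cisco). It parses only the subset of IOS and ASA CLI shown in the post, fills omitted isakmp policy lines with vendor defaults (an assumption: IOS 15.x and ASA 8.x defaults), substitutes constructed placeholder values for the masked public addresses, and reports the mismatches that a tunnel stuck at DOWN with zero SAs usually traces back to: phase 1 parameters, transform set, peer addresses versus the ASA tunnel-group name, whether ISAKMP/IKEv1 is enabled on the interface that carries the ASA crypto map, and whether the crypto ACLs mirror each other.

```python
"""Cross-check both ends of a Cisco IOS <-> ASA IKEv1 LAN-to-LAN tunnel for the mismatches
that leave 'show crypto session' DOWN with zero SAs. Added example, not code from the thread
or from Cisco; it parses only the CLI subset the thread shows (net/mask crypto ACLs)."""
import ipaddress

# Defaults for lines omitted from an isakmp policy (assumption: IOS 15.x / ASA 8.x).
IOS_POLICY = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
ASA_POLICY = {"encryption": "3des", "hash": "sha", "group": "2", "authentication": "pre-share"}
TOP_LEVEL = ("crypto ", "ip access-list ", "access-list ", "tunnel-group ", "sysopt ", "interface ")

def network(addr, mask, wildcard):
    """IOS crypto ACLs use wildcard masks, ASA ACLs use subnet masks; normalise both."""
    if wildcard:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_side(text, asa):
    """Extract the tunnel-relevant facts from one device's configuration text."""
    c = {"policy": dict(ASA_POLICY if asa else IOS_POLICY), "ts": {}, "acl": {}, "peer": None,
         "map_ts": None, "map_acl": None, "map_if": None, "ikev1_if": set(), "tgroups": set()}
    section = acl_name = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        if line.startswith(TOP_LEVEL):                      # a new top-level block starts
            section = "policy" if w[2:3] == ["policy"] else None
        if w[:2] == ["crypto", "ipsec"] and "transform-set" in w:
            i = w.index("transform-set")
            c["ts"][w[i + 1]] = frozenset(w[i + 2:])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3] == "interface":  # ASA binding
            c["map_if"] = w[4]
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":   # IOS: start of map block
            section = "map"
        elif w[:2] == ["crypto", "map"] and len(w) > 4:     # ASA: 'crypto map NAME SEQ <sub-command>'
            section, w = "map", w[4:]
        elif w[:3] in (["crypto", "ikev1", "enable"], ["crypto", "isakmp", "enable"]):
            c["ikev1_if"].add(w[3])
        elif w[0] == "tunnel-group" and "ipsec-l2l" in w:
            c["tgroups"].add(w[1])
        elif w[0] == "access-list" and w[2] == "permit":    # ASA ACE (net mask form)
            c["acl"].setdefault(w[1], set()).add((w[3], network(w[4], w[5], False), network(w[6], w[7], False)))
        elif line.startswith("ip access-list"):             # IOS: start of named ACL block
            section, acl_name = "acl", w[-1]
        key = {"auth": "authentication", "encr": "encryption"}.get(w[0][:4], w[0])
        if section == "policy" and key in c["policy"]:
            c["policy"][key] = w[1]
        elif section == "map" and (w[:2] in (["set", "peer"], ["match", "address"])
                                   or (w[0] == "set" and "transform" in line)):
            c[{"peer": "peer", "address": "map_acl"}.get(w[1], "map_ts")] = w[-1]
        elif section == "acl" and w[0] == "permit":         # IOS ACE (wildcard mask form)
            c["acl"].setdefault(acl_name, set()).add((w[1], network(w[2], w[3], True), network(w[4], w[5], True)))
    return c

def check_tunnel(router_cfg, asa_cfg, router_wan_ip, asa_wan_ip):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    r, a = parse_side(router_cfg, asa=False), parse_side(asa_cfg, asa=True)
    f = [f"phase1 {k} mismatch: router={r['policy'][k]} asa={a['policy'][k]}"
         for k in ("encryption", "hash", "group", "authentication") if r["policy"][k] != a["policy"][k]]
    if r["ts"].get(r["map_ts"]) != a["ts"].get(a["map_ts"]):
        f.append("phase2 transform-set mismatch")
    if r["peer"] != asa_wan_ip or a["peer"] != router_wan_ip:
        f.append(f"peer addresses do not cross-match: router->{r['peer']} asa->{a['peer']}")
    if router_wan_ip not in a["tgroups"]:
        f.append(f"ASA has no ipsec-l2l tunnel-group named {router_wan_ip}")
    if a["map_if"] not in a["ikev1_if"]:
        f.append(f"ASA: IKEv1/ISAKMP not enabled on interface {a['map_if']}")
    mirrored = {(p, d, s) for p, s, d in a["acl"].get(a["map_acl"], set())}   # seen from the router
    for p, s, d in sorted(r["acl"].get(r["map_acl"], set()) ^ mirrored, key=str):
        f.append(f"crypto ACL not mirrored on both ends: {p} {s} -> {d}")
    return f

# Constructed sample: the thread's two configurations with the masked public addresses
# replaced by placeholders (203.167.0.2 = router outside, 103.252.0.1 = ASA outside).
ROUTER_WAN, ASA_WAN = "203.167.0.2", "103.252.0.1"
ROUTER_CFG = f"""crypto isakmp policy 20
 encryption 3des
 auth pre-share
 hash md5
 group 2
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map MAP 5 ipsec-isakmp
 set transform 3DES-MD5
 match address VPN
 set peer {ASA_WAN}
ip access-list extended VPN
 permit ip 10.110.25.0 0.0.0.255 10.10.0.0 0.0.255.255"""
ASA_CFG = f"""crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
tunnel-group {ROUTER_WAN} type ipsec-l2l
access-list LIST permit ip 10.10.0.0 255.255.0.0 10.110.25.0 255.255.255.0
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 set transform-set 3DES-MD5
crypto map VPN 10 match address LIST
crypto map VPN 10 set peer {ROUTER_WAN}
crypto map VPN interface outside"""

if __name__ == "__main__":
    for finding in check_tunnel(ROUTER_CFG, ASA_CFG, ROUTER_WAN, ASA_WAN) or ["no mismatches found"]:
        print(finding)
```

Run as-is it reports a single finding for the posted pair: the ASA crypto map is bound to outside, but no `crypto ikev1 enable outside` (or `crypto isakmp enable outside` on older ASA code) is present in the ASA commands above. The ASA outside address does not appear in the thread, so it is passed in as the constructed ASA_WAN value; the IOS `crypto isakmp key ... address` line is not checked, and ACEs in `host` form are outside the parsed subset.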
07-02-2014 03:09 AM
Where is the router interface config?
And post this from the router and ASA:
sh cry isa sa
sh cry ips sa
07-02-2014 03:49 AM
Hi ttemir,
Here you go:
ASA# sh cry ips sa
There are no ipsec sas
RT01#sh cry ips sa | include 103.252
RT01#
(there is output for sh cry ips sa, but not a single paragraph related to the 103.252 VPN)
router interface:
interface GigabitEthernet0/1
description Internet
ip address 203.167.BBB.BBB 255.255.255.252
ip access-group outside_access_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex full
speed 100
no clns route-cache
crypto map MAP
ip access-list extended outside_access_in
permit esp host 103.252.AAA.AAA host 203.167.BBB.BBB
permit udp host 103.252.AAA.AAA host 203.167.BBB.BBB eq isakmp
permit udp host 103.252.AAA.AAA host 203.167.BBB.BBB range 1 65535
permit tcp host 103.252.AAA.AAA host 203.167.BBB.BBB range 1 65535
permit icmp host 103.252.AAA.AAA host 203.167.BBB.BBB
thank you!
07-02-2014 04:57 AM
Hi Thomas,
Have you excluded IPsec traffic from getting NATted?
Best Regards,
Bheem
07-02-2014 05:07 AM
Hi Bhnegi,
Yes I did.
Also, when I try to enable ikev1 on the outside interface I get this error:
crypto ikev1 enable outside
ERROR: Unable to configure IKEv1 on interface 'outside' as ipsec-over-tcp is enabled on port 45, which is currently in use by another service. Please choose a different port for ipsec-over-tcp.
But from the show run I can see that it is enabled:
ASA# show run | include enable\ outside
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
enable outside
Thank you, I am stuck.
07-02-2014 05:37 AM
Are you using NAT on the ASA? If yes, please see the workaround of the bug below, where
TCP Port 10000 was reserved as a fix of
CSCtl74435 VPN ports not removed from PAT pool
UDP Port 10000 was reserved as a fix of
CSCtn69941 VPN ports not removed from PAT pool (UDP cases)
Best Regards,
Bheem
07-02-2014 05:54 AM
Hi Bheem,
'Topic not found' when I try to open these links :-(
I am using NAT for normal internet access and no NAT for the VPN connectivity.
Does this bug mean that
crypto isakmp enable outside
is not enabled?
07-02-2014 07:15 AM
I managed to get this from show crypto ipsec sa:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local crypto endpt.: 203.167.BBB.BBB, remote crypto endpt.: 103.252.AAA.AAA
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
And details from show crypto session detail:
Interface: GigabitEthernet0/1
Session status: DOWN
Peer: 103.252.AAA.AAA port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 1 10.110.25.0/255.255.255.0 10.10.0.0/255.255.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
07-02-2014 03:18 AM
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/9353-39.html