03-31-2020 07:43 AM
Hello Dears,
I am trying to configure a VPN tunnel between a Cisco ASA and a Cisco router 2900, but the tunnel doesn't seem to work.
- below are the changes I made on the ASA:
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
object-group network destination-ranges
network-object 192.168.15.0 255.255.255.0
!
access-list vpn-destination extended permit ip object-group local-ranges object-group destination-ranges
!
access-list outgoing extended permit tcp object-group local-ranges object-group destination-ranges range 1 65535
access-list outgoing extended permit ip object-group local-ranges object-group destination-ranges
nat (inside,outside) source static local-ranges local-ranges destination static destination-ranges destination-ranges no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec ikev1 transform-set destination esp-3des esp-md5-hmac
crypto map outside_map 10 match address vpn-destination
crypto map outside_map 10 set peer (destination IP)
crypto map outside_map 10 set ikev1 transform-set destination
tunnel-group (destination IP) type ipsec-l2l
tunnel-group (destination IP) ipsec-attributes
ikev1 pre-shared-key (pre-shared key)
- and below are the changes done on the router:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key (pre-shared key) address (destination IP)
ip access-list extended VPN
permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto ipsec transform-set ESP-DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES esp-aes esp-sha-hmac
crypto map MAP 200 ipsec-isakmp
set peer (destination IP)
set transform-set ESP-DES
match address VPN
interface GigabitEthernet0/0
crypto map MAP
Can anyone help or show me how I can troubleshoot the issue?
03-31-2020 07:59 AM
Hello there...
There are several things to check.
On the ASA
Is the 'destination-ranges' routed towards the outside interface?
There's no group-policy assigned to the ASA tunnel-group, so it inherits from the 'DfltGrpPolicy'. Is 'IKEv1' allowed as a 'vpn-tunnel-protocol' there?
Is IKEv1 enabled on the outside interface?
Should be something like:
crypto ikev1 enable outside
On the router
Where is ACL 100 used? My guess would be in the NAT overload access-list, if there is one.
This could be a start to troubleshoot.
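One way to automate the ASA-side items from this checklist (crypto map bound to an interface, IKEv1 enabled on it, a tunnel-group with a pre-shared key for each peer, and ikev1 present in some vpn-tunnel-protocol). This is an added example, not code from the thread or from Cisco; it assumes a running-config text in the form shown above and uses the documentation address 203.0.113.1 in place of "(destination IP)":

```python
import re

# Constructed sample mirroring the ASA lines in the question; the documentation
# address 203.0.113.1 stands in for "(destination IP)".
SAMPLE_ASA = """\
crypto ipsec ikev1 transform-set destination esp-3des esp-md5-hmac
crypto map outside_map 10 match address vpn-destination
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set destination
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ****
"""

def check_asa_l2l(config):
    """Return a list of findings for an IKEv1 site-to-site config on an ASA."""
    raw = config.splitlines()
    top = [l.strip() for l in raw]
    def grab(pat):  # capture groups of every line matching pat
        return [m.groups() for l in top if (m := re.match(pat, l))]
    findings = []
    l2l = {p for (p,) in grab(r"tunnel-group (\S+) type ipsec-l2l")}
    ike_ifaces = {i for (i,) in grab(r"crypto ikev1 enable (\S+)")}
    bound = set(grab(r"crypto map (\S+) interface (\S+)"))
    # Peers with an ikev1 pre-shared-key under 'tunnel-group X ipsec-attributes' (sub-commands carry a leading space)
    psk, tg = set(), None
    for l in raw:
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", l)
        if m:
            tg = m.group(1)
        elif not l.startswith(" "):
            tg = None
        elif tg and l.strip().startswith("ikev1 pre-shared-key"):
            psk.add(tg)
    maps = set()
    for name, seq, peer in grab(r"crypto map (\S+) (\d+) set peer (\S+)"):
        maps.add(name)
        if peer not in l2l:
            findings.append(f"{name} {seq}: no 'tunnel-group {peer} type ipsec-l2l'")
        if peer not in psk:
            findings.append(f"{name} {seq}: no ikev1 pre-shared-key for {peer}")
    for name in maps:
        ifaces = {i for mp, i in bound if mp == name}
        if not ifaces:
            findings.append(f"{name}: not bound with 'crypto map {name} interface <if>'")
        for i in ifaces - ike_ifaces:
            findings.append(f"{i}: 'crypto ikev1 enable {i}' is missing")
    if not grab(r"vpn-tunnel-protocol .*ikev1"):
        findings.append("no group-policy lists ikev1 in vpn-tunnel-protocol; check DfltGrpPolicy")
    return findings
```

Run against the sample it reports the two gaps the answer points at on the ASA side (no interface binding and nothing granting ikev1 in a vpn-tunnel-protocol); the route to 'destination-ranges' and the router's ACL 100 still need checking by hand.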