
VPN connection between Cisco ASA and Cisco Router issue

amdbt28874
Level 1

Hello Dears, 

 

I am trying to configure a VPN tunnel between a Cisco ASA and a Cisco 2900 router, but the tunnel doesn't seem to work.

 

- Below are the changes I made on the ASA:

crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400


object-group network destination-ranges
network-object 192.168.15.0 255.255.255.0
!
access-list vpn-destination extended permit ip object-group local-ranges object-group destination-ranges
!
access-list outgoing extended permit tcp object-group local-ranges object-group destination-ranges range 1 65535
access-list outgoing extended permit ip object-group local-ranges object-group destination-ranges

nat (inside,outside) source static local-ranges local-ranges destination static destination-ranges destination-ranges no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!

crypto ipsec ikev1 transform-set destination esp-3des esp-md5-hmac

crypto map outside_map 10 match address vpn-destination
crypto map outside_map 10 set peer (destination IP)
crypto map outside_map 10 set ikev1 transform-set destination


tunnel-group (destination IP) type ipsec-l2l
tunnel-group (destination IP) ipsec-attributes
ikev1 pre-shared-key (pre-shared key)

 

- And below are the changes made on the router:

 

crypto isakmp policy 10
encr aes
authentication pre-share
group 2

crypto isakmp key (pre-shared key) address (destination IP)

ip access-list extended VPN
permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 100 deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255

crypto ipsec transform-set ESP-DES esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES esp-aes esp-sha-hmac


crypto map MAP 200 ipsec-isakmp
set peer (destination IP)
set transform-set ESP-DES
match address VPN

interface GigabitEthernet0/0
crypto map MAP

Can anyone help or show me how I can troubleshoot the issue?

Accepted Solution

girafskind
Level 1

Hello there...

There are several things to check out.

 

On the ASA

Is the 'destination-ranges' routed towards the outside interface?

There's no group-policy assigned to the ASA tunnel-group, so it inherits from the 'DfltGrpPolicy'. Is 'IKEv1' allowed as a 'vpn-tunnel-protocol'?

 

Is IKEv1 enabled on the outside interface?

Should be something like:

crypto ikev1 enable outside

 

On the router

Where is ACL 100 used? My guess would be in the NAT overload access-list, if there's any.

 

This could be a start to troubleshoot.

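As an added illustration of the checklist above (this is not code from the thread, from either poster, or from Cisco), a small Python script that reads constructed excerpts of the two configs posted in the question and reports what the answer asks about: whether the phase 1 policy and the phase 2 transform-set referenced by each crypto map agree, and whether `crypto ikev1 enable outside` is present on the ASA. The group-policy and routing checks are left to the CLI; the interface name 'outside' is taken from the answer.

```python
import re
# Constructed excerpts of the two configs posted in the question (peer IP/PSK lines omitted).
ASA_CFG = """\
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec ikev1 transform-set destination esp-3des esp-md5-hmac
crypto map outside_map 10 set ikev1 transform-set destination
"""
IOS_CFG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-DES esp-3des esp-md5-hmac
crypto map MAP 200 ipsec-isakmp
 set transform-set ESP-DES
"""

def isakmp_policy(cfg):
    """Phase 1 parameters of the first IKEv1/ISAKMP policy; sha is the default hash on both."""
    params, inside = {"hash": "sha"}, False
    for line in cfg.splitlines():
        s = line.strip()
        if re.match(r"crypto (ikev1|isakmp) policy \d+$", s):
            inside = True
            continue
        if not s or s.startswith(("crypto", "!")):
            inside = False
        if inside:
            key, _, val = s.partition(" ")
            params["encryption" if key == "encr" else key] = val  # IOS abbreviates to 'encr'
    return params

def crypto_map_transform(cfg):
    # Algorithms of the transform-set that the crypto map entry actually references.
    name = re.search(r"^\s*(?:crypto map \S+ \d+ )?set (?:ikev1 )?transform-set (\S+)", cfg, re.M).group(1)
    algs = re.search(r"^crypto ipsec (?:ikev1 )?transform-set " + re.escape(name) + r" (.+)$", cfg, re.M)
    return tuple(algs.group(1).split())

def check_tunnel(asa_cfg, ios_cfg, outside="outside"):
    """List of findings; empty means phase 1/2 agree and IKEv1 is enabled on the ASA interface."""
    findings = []
    a, r = isakmp_policy(asa_cfg), isakmp_policy(ios_cfg)
    for k in ("authentication", "encryption", "hash", "group"):
        if a.get(k) != r.get(k):
            findings.append(f"phase 1 {k} mismatch: ASA={a.get(k)} router={r.get(k)}")
    if crypto_map_transform(asa_cfg) != crypto_map_transform(ios_cfg):
        findings.append("phase 2 transform-set mismatch between the crypto map entries")
    if f"crypto ikev1 enable {outside}" not in asa_cfg:
        findings.append(f"ASA: 'crypto ikev1 enable {outside}' is missing")
    return findings
```

Run against the posted excerpts, the only finding is the missing enable line, which is the fix the original poster confirmed.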


I needed to enable it on the outside interface as you mentioned. Thank you.