Advertisement

03.27.2008 at 12:14PM PDT, ID: 23275248
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
9.1
How can I establish a L2L IPSec VPN Tunnel with a Cisco ASA 5505 behind a Netopia 3347 Router via DSL
Zones: Networking Hardware Firewalls, Computer Modems
Tags: Cisco, Adaptive Security Appliance, ASA 5505
I cannot get a Cisco ASA 5505 to establish a L2L IPSec tunnel with a Cisco VPN Concentrator (which is correctly configured). I have new DSL service with Static IPs and an ISP provided Netopia 3347 Router. I have 5 static IPs assigned by the ISP of which I am using the first for the Outside Interface and the Last for the Gateway/DSL LAN Static. I have followed Netopias instructions at www.netopia.com/support/hardware/technotes/CQG_042.html with no luck. See configuration below. I have also attached the output from the ASA showing it's attempts to establish the tunnel. I have a feeling that I am missing something in the pppoe configuration on the ASA?? I have verified ppp authentication as CHAP. FYI: I am using the command line to configure the ASA, not the ASDM. 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:

HOSTNAME# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname HOSTNAME
domain-name XXX.XXXX.XXXX
enable password ************* encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.228.254 255.255.255.224
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DSLGROUP
 ip address 74.189.153.225 255.255.255.248 pppoe
!
interface Vlan3
 no forward interface Vlan1
 nameif lab
 security-level 50
 ip address 192.168.228.254 255.255.255.224
!
interface Ethernet0/0
 description Outside
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
 description inside
!
interface Ethernet0/3
 description inside
!
interface Ethernet0/4
 description inside
!
interface Ethernet0/5
 description LAB
 switchport access vlan 3
!
interface Ethernet0/6
 description LAB
 switchport access vlan 3
!
interface Ethernet0/7
 description LAB
 switchport access vlan 3
!
passwd **************** encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XXX.XXXX.XXXX
access-list lab-access extended permit tcp any XX.XXX.XXX.0 255.255.255.0 eq 338
9
access-list statics extended permit tcp any interface outside eq 9100
access-list nat0 extended permit ip 10.0.228.224 255.255.255.224 10.0.45.0 255.2
55.255.0
access-list nat0 extended permit ip 10.0.228.224 255.255.255.224 10.0.47.0 255.2
55.255.0
access-list nat0 extended permit ip 10.0.228.224 255.255.255.224 10.0.204.0 255.
255.255.0
access-list nat0 extended permit ip 10.0.228.224 255.255.255.224 10.0.206.0 255.
255.255.0
access-list nat0 extended permit ip 10.0.228.224 255.255.255.224 10.0.22.0 255.2
55.255.0
access-list nat0 extended permit ip 10.0.228.224 255.255.255.224 host 10.0.46.10
 
access-list tunnel extended permit ip 10.0.228.224 255.255.255.224 10.0.45.0 255
.255.255.0
access-list tunnel extended permit ip 10.0.228.224 255.255.255.224 10.0.47.0 255
.255.255.0
access-list tunnel extended permit ip 10.0.228.224 255.255.255.224 10.0.204.0 25
5.255.255.0
access-list tunnel extended permit ip 10.0.228.224 255.255.255.224 10.0.206.0 25
5.255.255.0
access-list tunnel extended permit ip 10.0.228.224 255.255.255.224 10.0.22.0 255
.255.255.0
access-list tunnel extended permit ip 10.0.228.224 255.255.255.224 host 10.0.46.
10
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu lab 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any traceroute inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (lab) 1 0.0.0.0 0.0.0.0
static (lab,outside) tcp interface 9100 192.168.228.250 9100 netmask 255.255.255
.255
access-group statics in interface outside
access-group lab-access in interface lab
route outside 0.0.0.0 0.0.0.0 74.189.153.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXX
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map tunnel 10 match address tunnel
crypto map tunnel 10 set peer XX.XX.XX.195
crypto map tunnel 10 set transform-set ESP-3DES-MD5
crypto map tunnel interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 10.0.228.224 255.255.255.224 inside
telnet 10.0.45.200 255.255.255.255 inside
telnet 10.0.204.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
management-access inside
vpdn group DSLGROUP request dialout pppoe
vpdn group DSLGROUP localname ***************************
vpdn group DSLGROUP ppp authentication chap
vpdn username ********************** password ********* store-local
dhcpd address 10.0.228.225-10.0.228.249 inside
dhcpd dns 10.0.45.1 10.0.22.53 interface inside
dhcpd enable inside
!
dhcpd address 192.168.228.225-192.168.228.249 lab
dhcpd dns XX.XX.XX.162 interface lab
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group XX.XX.XX.195 type ipsec-l2l
tunnel-group XX.XX.XX.195 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:399e6ec49f5c3db7c8ddb4aa6ba46a98
: end
 
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
Hostname# sh isakmp stat
 
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 28728
Out Packets: 266
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 67
Initiator Fails: 66
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Hostname# sh isakmp sa
 
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1   IKE Peer: XX.XX.XX.195
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
Start your free trial to view this solution
Question Stats
Zone: Computer Hardware
Question Asked By: ChattNet
Solution Provided By: Press2Esc
Participating Experts: 2
Solution Grade: A
Views: 82
Translate:
Loading Advertisement...
03.27.2008 at 12:20PM PDT, ID: 21224857
prueconsulting:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
03.27.2008 at 12:28PM PDT, ID: 21224930
ChattNet:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
03.27.2008 at 12:37PM PDT, ID: 21224999
prueconsulting:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
03.28.2008 at 08:12AM PDT, ID: 21231111
Press2Esc:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
03.31.2008 at 07:04AM PDT, ID: 21245436
ChattNet:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
03.31.2008 at 01:11PM PDT, ID: 21248716
Press2Esc:

All comments and solutions are available to Premium Service Members only.

Start your 7 day free trial and see for yourself why Experts Exchange is the easiest and most proven technology resource in the world. Get Started

Already a member? Login to view this solution.

 
 
Loading Advertisement...
Microsoft
  • Internet Protocols
  • Applications
  • Development
  • OS
  • Hardware
  • Windows Security
Apple
  • Operating Systems
  • Hardware
  • Programming
  • Networking
  • Software
Internet
  • Search Engines
  • File Sharing
  • WebTrends / Stats
  • Spy / Ad Blockers
  • Web Browsers
  • New Net Users
  • Web Development
  • Chat / IM
  • Anti Spam
  • Web Servers
  • Anti-Virus
  • Email Clients
Gamers
  • Tips
  • Online / MMORPG
  • Puzzle
  • Emulators
  • Action / Adventure
  • Role Playing
  • Consoles
  • Game Programming
  • Strategy
  • Sports
  • Misc
  • Computer Games
Digital Living
  • Hardware
  • New Net Users
  • New Users
  • Software
  • Digital Music
  • Gaming World
  • Home Security
  • Apple
  • Networking Hardware
Virus & Spyware
  • Vulnerabilities
  • IDS
  • Encryption
  • Anti-Virus
  • Operating Systems Security
  • Software Firewalls
  • WebApplications
  • Cell Phones
  • Operating Systems
  • Internet
  • Hardware Firewalls
Hardware
  • Handhelds / PDAs
  • Displays / Monitors
  • Components
  • Networking Hardware
  • Peripherals
  • Laptops/Notebooks
  • Storage
  • Servers
  • Desktops
  • New Users
  • Misc
  • Apple
Software
  • System Utilities
  • Industry Specific
  • Network Management
  • Photos / Graphics
  • Page Layout
  • VMWare
  • Misc
  • Web Development
  • OS
  • CYGWIN
  • Voice Recognition
  • Message Queue
  • Quality Assurance
  • Security
  • Firewalls
  • MultiMedia Applications
  • Development
  • Database
  • Office / Productivity
  • Business Management
  • OS/2 Apps
  • Server Software
  • Internet / Email
ITPro
  • OS
  • Storage
  • Encryption
  • Operating Systems Security
  • Apple Hardware
  • Laptops & Notebooks
  • Servers
  • Networking Hardware
  • Peripherals
  • Devices
  • Displays / Monitors
  • WebTrends / Stats
  • Search Engines
  • Firewalls
  • WebApplications
  • IDS
  • Vulnerabilities
  • Email Clients
  • File Sharing
  • Spy / Ad Blockers
  • Web Browsers
  • Web Servers
  • Networking
  • Anti-Virus
  • Chat / IM
  • Anti Spam
Developer
  • Web Servers
  • Web Browsers
  • Game Programming
  • Dev Tools
  • Industry Specific
  • Office / Productivity
  • Database
  • CYGWIN
  • Web Development
  • Search Engines
  • File Sharing
  • WebTrends / Stats
  • Programming
  • Content Management
  • Application Servers
  • Protocols
Storage
  • Removable Backup Media
  • Storage Technology
  • Servers
  • Grid
  • Remote Access
  • Backup / Restore
  • Misc
  • Hard Drives
OS
  • Miscellaneous
  • Security
  • Development
  • Linux
  • VMWare
  • MainFrame OS
  • Unix
  • Apple
  • OS / 2
  • AS / 400
  • BeOS
  • Microsoft
  • VMS / OpenVMS
Database
  • Oracle
  • Miscellaneous
  • MySQL
  • Software
  • Sybase
  • Contact Management
  • PostgreSQL
  • Data Manipulation
  • Clarion
  • InterSystems Cache
  • Siebel
  • MUMPS
  • OLAP
  • SQLBase
  • SAS
  • GIS & GPS
  • 4GL
  • Berkeley DB
  • DB2
  • Informix
  • Interbase / Firebird
  • FoxPro
  • Reporting
  • LDAP
  • Filemaker Pro
  • MS SQL Server
  • dBase
  • MS Access
Security
  • Misc
  • Web Browsers
  • Software Firewalls
  • Operating Systems Security
  • File Sharing
  • Spy / Ad Blockers
  • Vulnerabilities
  • WebApplications
  • IDS
  • Anti-Virus
  • Encryption
  • Anti Spam
  • Email Clients
  • VPN
  • Chat / IM
Programming
  • Editors IDEs
  • Installation
  • Handhelds / PDAs
  • Multimedia Programming
  • System / Kernel
  • Algorithms
  • Game
  • Signal Processing
  • Project Management
  • Open Source
  • Database
  • Misc
  • Languages
  • Processor Platforms
  • Theory
Web Development
  • Scripting
  • Blogs
  • Web Servers
  • Software
  • Search Engines
  • Web Graphics
  • Images
  • Internet Marketing
  • Images and Photos
  • Components
  • Document Imaging
  • Web Languages/Standards
  • Illustration
  • WebApplications
  • Fonts
  • WebTrends / Stats
  • Authoring
  • Digital Camera Software
  • Miscellaneous
Networking
  • Protocols
  • Apple Networking
  • Network Management
  • Message Queue
  • Application Servers
  • Content Management
  • File Servers
  • Email Servers
  • Misc
  • Java Editors & IDEs
  • Wireless
  • Networking Hardware
  • Backup / Restore
  • System Utilities
  • ISPs & Hosting
  • Web Servers
  • Storage Technology
  • Removable Backup Media
  • Servers
  • Broadband
  • Grid
  • OS / 2
  • Novell Netware
  • Unix Networking
  • Windows Networking
  • Security
  • Telecommunications
  • Operating Systems
  • Linux Networking
Other
  • Community Advisor
  • Lounge
  • Community Support
  • New Net Users
  • Philosophy / Religion
  • Math / Science
  • Miscellaneous
  • URLs
  • Expert Lounge
  • Politics
  • Puzzles / Riddles
Community Support
  • Suggestions
  • New to EE
  • New Topics
  • Community Advisor
  • CleanUp
  • Announcements
  • General
  • Feedback
  • Input
  • EE Bugs
 
03.27.2008 at 12:20PM PDT, ID: 21224857
prueconsulting:
This could be as simple as possibly adding

isakmp nat-traversal  20

in case the netopia is doing some type of nat'ing on it.

Can you reach the internet from a machine behind the ASA ?


 
03.27.2008 at 12:28PM PDT, ID: 21224930
ChattNet:
I disabled the nat'ing on the Netopia per their Instructions.

No, I cannot reach the internet from a machine behind the ASA.
 
03.27.2008 at 12:37PM PDT, ID: 21224999
prueconsulting:
If this device is behind the Netopia i dont really see that you would need to configure PPPOE at all .

interface Vlan2
 nameif outside
 security-level 0
 ip address 74.189.153.225 255.255.255.248

and then set a route pointing to the netopia
ip as your default route

 
03.28.2008 at 08:12AM PDT, ID: 21231111
Press2Esc:
there are three (3) different scenerios to handle the MSIPs (and VPN tunnel) via Netopia...  If the Netopia is doing the pppoe, as it appears it is doing, then the asa would grab one of the 5 useable public static IPs.  in your present config, it looks like the asa is setup with this scenerio...  i am not sure how the netopia is setup.  

Option 2, would be to bridge (a 3-step process) the Netopia & run the pppoe, config the MSIPs and do all the routing in the cisco....
  ref: http://support.att.net/bellsouth/asp/contentredirect.asp?sprt_cid=5ad08ec4-d51b-43ef-9e2d-76704b883878

option 3, would be to run pppoe in the netopia and setup the dsl router to run a 1:1 NAT using IP Map (addr fwdg).  In this case, the outside addr for the cisco would be config'd with private static IP & the netopia would "map" a public IP with a private (cisco) ip.
  ref: http://www.netopia.com/support/hardware/technotes/CQG_024.html

in any case, all configs will work.  however, for most instances, i recommend option #2.

btw, what is your MSIP block (74.189.153.22?/29)?  can you ping the netopia's gateway wan addr?

P2E
Accepted Solution
 
03.31.2008 at 07:04AM PDT, ID: 21245436
ChattNet:
Thanks to both of you,

I gonna give Press2Esc recommendation(Option 2) a whirl and post my findings.

 
03.31.2008 at 01:11PM PDT, ID: 21248716
Press2Esc:
Good choice - works like a champ.  The Netopia becomes a "dumb" passthru device - no firewall, just a simple telco (TJ11) to ethernet (rj45) "modem"...  The Cisco, your area of expertise, must be config'd to provide the PPPoE, the MSIP routing/configuration &, of course, the VPN.  
P2E
 
 
ChattNet
04.11.2008 at 05:47AM PDT, ID: 21333653
P2E
Worked like a charm.!!
Sorry for the delay in responding but, I had a problem with the ISPs MSIP block. Since the ASA is the DHCP Server I could not use the MSIP scheme provided by the ISP. I had to have the ISP change the account to a single Static IP so the WAN IP would remain static and the ASA could assign my configured IP addresses to the clients.

ChattNet
 
 
Press2Esc
04.11.2008 at 07:42AM PDT, ID: 21334698
Chatt, great news!  

Also I like also liked your KISS (keep it simple stupid) approach (MSIP to SIP).  This "principal" is especially true with networking!!

P2E
 
 
 
20080236-EE-VQP-29 / EE_QW_2_20070628