I am trying to set up a Site-to-Site VPN network. Right now I am trying to make this work in the lab. I have the Internet port on the Linksys connected directly to port 0 on the Cisco, which was set up as the Internet port.
My setup is as follows:
Remote Site
Laptop 1 - IP Address 192.168.2.100 255.255.255.0, GW 192.168.2.1
Router 1 (Linksys BEFSX41) - LAN IP Address 192.168.2.1 255.255.255.0; WAN IP Address 209.168.145.49 255.255.255.0, GW 209.168.145.50
Host Site
Laptop 2 - IP Address 192.168.1.100 255.255.255.0, GW 192.168.1.1
Router 2 (Cisco ASA 5505) - LAN 0 IP Address 192.168.1.1 255.255.255.0; WAN IP Address (Port 0) 209.168.145.50 255.255.255.0
My problems:
I am using ASDM 5.2 to configure the ASA router. With the configuration I currently have, my Linksys is not able to establish a VPN connection. The ASA log reported via the ASDM is:
4 May 17 2007 06:48:22 713903 Group = 209.168.145.49, IP = 209.168.145.49, Freeing previously allocated memory for authorization-dn-attributes
6 May 17 2007 06:48:22 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.168.145.49
3 May 17 2007 06:48:22 713119 Group = 209.168.145.49, IP = 209.168.145.49, PHASE 1 COMPLETED
5 May 17 2007 06:48:22 713904 Group = 209.168.145.49, IP = 209.168.145.49, All IPSec SA proposals found unacceptable!
3 May 17 2007 06:48:22 713902 Group = 209.168.145.49, IP = 209.168.145.49, QM FSM error (P2 struct &0x3b521e8, mess id 0x3109df5d)!
3 May 17 2007 06:48:22 713902 Group = 209.168.145.49, IP = 209.168.145.49, Removing peer from correlator table failed, no match!
4 May 17 2007 06:48:22 113019 Group = 209.168.145.49, Username = 209.168.145.49, IP = 209.168.145.49, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5 May 17 2007 06:48:22 713904 IP = 209.168.145.49, Received encrypted packet with no matching SA, dropping
I also tried to create a Cisco VPN client connection using the Cisco client software, and connected one of the laptops directly to the Internet port (port 0) on the Cisco router, and was not able to make a connection with that either. I used the ASDM VPN wizard to attempt to set up both the site-to-site as well as the remote connection scenarios. This has been unsuccessful in both instances.
The only one I am really concerned with getting to work is the site-to-site.
Here is my current Cisco configuration:
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.168.145.50 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 host 209.168.145.50
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication enable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 209.168.145.49
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 209.168.145.49 type ipsec-l2l
tunnel-group 209.168.145.49 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f459be7cb85ffc42336750a4516128c7
: end
ciscoasa#
If anyone has any input, I would greatly appreciate it. I have been through the Cisco manuals as well as scouring the Internet and am unable to find an answer.
Get rid of these entries...

no access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list outside_20_cryptomap extended permit ip any 192.168.2.0 255.255.255.0

Add these...

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Interesting traffic on the linksys should be 192.168.2.0 to 192.168.1.0, or the mirror of what it is on the ASA.
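The rule in the answer above (the ASA's crypto ACL and nat 0 ACL must be the exact mirror of the peer's interesting traffic, or Quick Mode fails with "All IPSec SA proposals found unacceptable!" / "Phase 2 Mismatch" as in the log in the question) can be checked before touching the box. The following Python script is an added example and is not code from the thread, from Cisco, or from the Linksys side. It parses ASA 7.x extended ACL lines of the form `access-list NAME extended permit ip SRC MASK DST MASK` (also the `any` and `host X` address forms), treats the source as the ASA-local side and the destination as the remote side, and compares each entry with what the peer will propose. The ACL text embedded below is constructed from the ACLs posted in the question and in the answer; the peer networks are the Linksys side of the lab topology in the question. It takes the strict reading (only an exact mirror matches); a peer proposing a narrower subset of an ACE is implementation-dependent and is not modelled.

```python
"""Phase-2 proxy-ID consistency check for an IKEv1 site-to-site tunnel on an ASA.

Added example, not code from the thread or from Cisco.  It reads the ASA's
crypto-map ACL and NAT-exemption ACL (ASA 7.x syntax) and checks that they
mirror the peer's local/remote networks exactly.
"""
import ipaddress


def _parse_spec(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.

    Returns (IPv4Network, index of the next unconsumed token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts the dotted-quad netmask form directly
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config, acl_name):
    """Return [(local_net, remote_net), ...] for the 'permit ip' entries of one extended ACL.

    Source is the ASA-local side and destination the remote side, which is how
    both a crypto map ACL and a nat 0 ACL are read on the ASA.  Lines starting
    with 'no' (removals) are not ACL entries and are skipped."""
    pairs = []
    for line in config.splitlines():
        tokens = line.split()
        if (len(tokens) >= 7 and tokens[0] == "access-list" and tokens[1] == acl_name
                and tokens[2:5] == ["extended", "permit", "ip"]):
            local, i = _parse_spec(tokens, 5)
            remote, _ = _parse_spec(tokens, i)
            pairs.append((local, remote))
    return pairs


def check_site_to_site(config, crypto_acl, nat0_acl, peer_local, peer_remote):
    """Return a list of findings; an empty list means the ASA side is consistent with the peer.

    The peer proposes (peer_local -> peer_remote) in Quick Mode; the ASA accepts it
    only if its crypto ACL has the mirror entry (peer_remote -> peer_local).  The
    nat 0 ACL must carry the same entry or the traffic is PATed by 'nat (inside) 1'
    before it can match the crypto ACL."""
    findings = []
    crypto = parse_crypto_acl(config, crypto_acl)
    nat0 = parse_crypto_acl(config, nat0_acl)
    wanted = (peer_remote, peer_local)  # our local is the peer's remote, and vice versa

    if wanted not in crypto:
        findings.append(
            f"{crypto_acl}: no entry {wanted[0]} -> {wanted[1]} mirroring the peer's "
            f"{peer_local} -> {peer_remote}; Phase 2 will fail with "
            "'All IPSec SA proposals found unacceptable!' (713904)")
    for local, remote in crypto:
        if (local, remote) != wanted:
            findings.append(
                f"{crypto_acl}: entry {local} -> {remote} is not the mirror of the peer "
                "(networks reversed or too broad)")
    if wanted not in nat0:
        findings.append(
            f"{nat0_acl}: missing {wanted[0]} -> {wanted[1]}; inside->remote traffic "
            "will be PATed by 'nat (inside) 1' and never match the crypto ACL")
    return findings


# Constructed samples: the ACLs as posted in the question, and as corrected in the answer.
ORIGINAL_ACLS = """\
access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CORRECTED_ACLS = """\
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
# Linksys side of the lab topology in the question (assumed from the posted addresses).
PEER_LOCAL = ipaddress.ip_network("192.168.2.0/24")   # Linksys LAN
PEER_REMOTE = ipaddress.ip_network("192.168.1.0/24")  # ASA LAN, as the Linksys sees it

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_ACLS), ("corrected", CORRECTED_ACLS)):
        result = check_site_to_site(cfg, "outside_20_cryptomap", "inside_nat0_outbound",
                                    PEER_LOCAL, PEER_REMOTE)
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run against the posted configuration it reports the reversed crypto entry, the over-broad `any` entry and the reversed nat 0 entry; against the corrected ACLs it reports nothing. Feeding it the full `show run` output works the same way, since it only looks at `access-list` lines for the two named ACLs.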
When I first ran the VPN wizard on the ASDM I had entered in my networks in reverse order. The second issue I had was configuration issues in my Linksys. Once I changed those two items I was able to establish the VPN.