Cisco ASA VPN cannot be established correctly. Every time I try adding a crypto dynamic-map I get a warning, i.e. "WARNING: Existing map is being linked to dynamic-map: vpn_map. All static attributes in existing map will be inactive!"
The setup I have is a /30 from the router and a /27 for public IPs. However, I have used one of the /30 IPs as my outside interface. I can't seem to get site-to-site VPN working either. This might be related. Here is my config below; I hope that someone can assist me in getting this set up correctly.
ASAFW1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASAFW1
domain-name default.domain.invalid
enable password 5frNYRGa9U2321997hR7jLh encrypted
names
!
interface Ethernet0/0
speed 10
duplex full
nameif outside
security-level 0
ip address 216.x.x.166 255.255.255.252
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.110.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif eth2
security-level 50
ip address x.x.x.2 255.255.255.252
!
interface Ethernet0/3
speed 10
duplex half
nameif eth3
security-level 50
ip address x.x.x.2 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network encoders
network-object 64.x.x.44 255.255.255.255
network-object 64.x.x.45 255.255.255.255
network-object 64.x.x.46 255.255.255.255
network-object 64.x.x.47 255.255.255.255
network-object 64.x.x.48 255.255.255.255
network-object 64.x.x.59 255.255.255.255
network-object 64.x.x.60 255.255.255.255
network-object 64.x.x.61 255.255.255.255
object-group network ENCACCESS
network-object 193.108.92.0 255.255.255.0
network-object 63.210.47.0 255.255.255.0
network-object 64.15.254.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp object-group ENCACCESS object-group encoders eq www
access-list nonat extended permit ip 192.168.110.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat extended permit ip any 10.10.111.0 255.255.255.0
access-list vpn_acl standard permit 192.168.110.0 255.255.255.0
access-list vpn_acl standard permit 10.1.1.0 255.255.255.0
access-list 1vfw1 extended permit ip 192.168.110.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 1vfw1 extended permit ip 192.168.110.0 255.255.255.0 10.1.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu eth2 1500
mtu eth3 1500
mtu management 1500
ip local pool vpn 10.10.111.1-10.10.111.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 1 64.x.x.37
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.110.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 64.x.x.44 192.168.110.140 netmask 255.255.255.255
static (inside,outside) 64.x.x.45 192.168.110.141 netmask 255.255.255.255
static (inside,outside) 64.x.x.46 192.168.110.142 netmask 255.255.255.255
static (inside,outside) 64.x.x.47 192.168.110.143 netmask 255.255.255.255
static (inside,outside) 64.x.x.48 192.168.110.144 netmask 255.255.255.255
static (inside,outside) 64.x.x.59 192.168.110.137 netmask 255.255.255.255
static (inside,outside) 64.x.x.60 192.168.110.138 netmask 255.255.255.255
static (inside,outside) 64.x.x.61 192.168.110.139 netmask 255.255.255.255
static (inside,outside) 64.x.x.50 192.168.110.150 netmask 255.255.255.255
static (inside,outside) 64.x.x.55 192.168.110.151 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 216.x.x.165 1
route eth3 10.73.249.0 255.255.255.0 x.x.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy NYCVPN internal
group-policy NYCVPN attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_acl
username admin password OUZL9TRQu7Ns/Bzn encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address 1vfw1
crypto map outside_map 20 set peer 72.x.x.77
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 ipsec-isakmp dynamic vpn_map
crypto map outside_map interface outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 72.x.x.77 type ipsec-l2l
tunnel-group 72.x.x.77 ipsec-attributes
pre-shared-key *
tunnel-group NYCVPN type ipsec-ra
tunnel-group NYCVPN general-attributes
address-pool vpn
default-group-policy NYCVPN
tunnel-group NYCVPN ipsec-attributes
pre-shared-key *
telnet 192.168.110.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:13bd243cbeb122a0ae70e6954b3f56c2
: end
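As an added illustration (not code from the poster), a small Python check over `crypto map` lines that flags the condition that produces this exact warning (a dynamic map bound to a sequence number that already carries static attributes such as `match address` or `set peer`), a dynamic entry that is not the highest sequence number in its map, and a crypto map bound to an interface that has no `crypto isakmp enable <interface>` line; the running-config as pasted above shows no such line for `outside`. The sample config is constructed to resemble the post, with the dynamic map deliberately bound to sequence 20 to reproduce the warning condition.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted config. The "dynamic" line is bound
# to seq 20, which already has static attributes: the condition behind the warning.
SAMPLE_CONFIG = """\
crypto dynamic-map vpn_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address 1vfw1
crypto map outside_map 20 set peer 72.x.x.77
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic vpn_map
crypto map outside_map interface outside
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")          # crypto map NAME SEQ ...
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")    # crypto map NAME interface IF
ENABLE_RE = re.compile(r"^crypto isakmp enable (\S+)$")        # crypto isakmp enable IF

def lint_crypto_maps(config):
    """Return a list of findings about crypto-map sequence usage and IKE enablement."""
    static = defaultdict(set)   # (map, seq) -> static attributes seen on that sequence
    dynamic = {}                # (map, seq) -> dynamic-map name bound to that sequence
    bound = {}                  # map name -> interface it is applied to
    isakmp_enabled = set()      # interfaces with ISAKMP enabled
    for line in config.splitlines():
        line = line.strip()
        if m := MAP_RE.match(line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            if rest.startswith("ipsec-isakmp dynamic "):
                dynamic[(name, seq)] = rest.split()[-1]
            else:
                static[(name, seq)].add(rest)
        elif m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ENABLE_RE.match(line):
            isakmp_enabled.add(m.group(1))
    findings = []
    for (name, seq), dyn in dynamic.items():
        if static.get((name, seq)):
            findings.append(f"{name} seq {seq}: dynamic-map {dyn} shares the sequence with "
                            f"static attributes; the ASA warns and deactivates them")
        later = sorted(s for (n, s) in static if n == name and s > seq)
        if later:
            findings.append(f"{name} seq {seq}: static sequences {later} sort after the "
                            f"dynamic entry; the dynamic entry should be last")
    for name, iface in bound.items():
        if iface not in isakmp_enabled:
            findings.append(f"{name} is bound to {iface} but 'crypto isakmp enable {iface}' is absent")
    return findings
```

Run it over a full `show run` to get the same three checks across every crypto map; a clean config returns an empty list.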