07.16.2008 at 02:10AM PDT, ID: 23568883

Need to create 2 VPN tunnels from a Cisco 2800 router towards an ASA 5510.

Asked by ugirishknair in Cisco PIX Firewall, Network Routers, Virtual Private Networking (VPN)

I have been trying to set up a site-to-site (S2S) VPN between an ASA 5510 and a 2800 series router.
The point I am trying to achieve is this:
a) There will be a primary VPN tunnel from the ASA to the router. If the primary link/tunnel fails at the ASA,
   the ASA and router should form a secondary tunnel with the new VPN gateway at the ASA.
I have tried this but it's continuously failing. Please help me in this case. I am copying the config details of
both the ASA and the router here.

Router S2S:
----------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname yourname

boot-start-marker
boot system flash c2800nm-adventerprisek9-mz.124-19a.bin
boot-end-marker

logging buffered 51200 warnings
no logging console
enable secret 5 $1$h44b$PhiL63tajVCY/aW/rse5y1

no aaa new-model

ip cef

ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3

voice-card 0
 no dspfarm

username cisco privilege 15 secret 5 $1$R/Zz$P6sPvFA9C3BdpURJajLvb0
username

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key VPN-HCL-CHENNAI address 110.110.110.65 255.255.255.252
crypto isakmp key VPN-HCL-CHENNAI address 203.91.202.10 255.255.255.0

crypto ipsec transform-set totest esp-3des esp-md5-hmac
crypto ipsec transform-set mytest esp-3des esp-md5-hmac

crypto map great 20 ipsec-isakmp
 set peer 203.91.202.10
 set transform-set mytest
 match address 110
crypto map great 30 ipsec-isakmp
 set peer 110.110.110.65
 set transform-set totest
 match address 105

interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 200.200.200.190 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map great

interface FastEthernet0/1
 ip address 44.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100

interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000

interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.189 20

ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet0/0 overload

access-list 23 permit 10.10.10.0 0.0.0.7
access-list 105 permit ip 44.0.0.0 0.255.255.255 120.120.120.0 0.0.0.255
access-list 110 permit ip 44.0.0.0 0.255.255.255 120.120.120.0 0.0.0.255

ASA config:
--------------------
ASA Version 7.2(3)

hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names

interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 110.110.110.65 255.255.255.252

interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 120.120.120.1 255.255.255.0

interface Ethernet0/2
 description LAN Failover Interface

interface Ethernet0/3
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 203.91.202.10 255.255.255.0

interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list 101 extended permit ip 120.120.120.0 255.255.255.0 44.0.0.0 255.0.0.0
access-list 102 extended permit ip any any
access-list 102 extended permit icmp any any
access-list 103 extended permit ip 120.120.120.0 255.255.255.0 44.0.0.0 255.0.0.0
access-list dmz_allow extended permit icmp any any
access-list dmz_allow extended permit ip any any
access-list 110 extended permit ip 120.120.120.0 255.255.255.0 44.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface LANFAIL Ethernet0/2
failover interface ip LANFAIL 192.168.15.1 255.255.255.0 standby 192.168.15.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
access-group 102 in interface outside
access-group dmz_allow in interface dmz
route outside 0.0.0.0 0.0.0.0 110.110.110.66 1 track 1
route dmz 0.0.0.0 0.0.0.0 203.91.202.11 25
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 120.120.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 50
 type echo protocol ipIcmpEcho 200.200.200.190 interface outside
sla monitor schedule 50 life forever start-time now
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto ipsec transform-set test2 esp-3des esp-md5-hmac
crypto map test 10 match address 110
crypto map test 10 set peer 200.200.200.190
crypto map test 10 set transform-set test
crypto map test interface dmz
crypto map test21 20 match address 103
crypto map test21 20 set peer 200.200.200.190
crypto map test21 20 set transform-set test2
crypto map test21 interface outside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

track 1 rtr 50 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
username user1 password iqm/O64OATR4zXx7 encrypted
tunnel-group 200.200.200.190 type ipsec-l2l
tunnel-group 200.200.200.190 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:3fb569ab4674653d4d3514049a5b88ec
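Two things stand out when reading the posted configs side by side: the router references access-list 110 both from `ip nat inside source list 110 ... overload` and from `match address 110` in crypto map `great` 20 (the ASA side, by contrast, exempts the VPN traffic from NAT with `nat (inside) 0 access-list 101`), and on IOS inside-to-outside NAT is applied before the crypto map is consulted, so traffic a NAT ACL permits is translated before the crypto ACL can match it; also, router access-lists 105 and 110 permit identical traffic from two crypto map entries, and IOS tries entries in sequence order with the first match winning. The script below is an added example, not part of the question or the expert's solution, that parses a constructed excerpt of the router config above and reports both conditions; `ROUTER_CFG`, `parse_ios` and `lint_crypto` are hypothetical names chosen for this example.

```python
import re
# Constructed excerpt of the router config in the question (not complete, not corrected).
ROUTER_CFG = """\
crypto map great 20 ipsec-isakmp
 set peer 203.91.202.10
 match address 110
crypto map great 30 ipsec-isakmp
 set peer 110.110.110.65
 match address 105
ip nat inside source list 110 interface FastEthernet0/0 overload
access-list 105 permit ip 44.0.0.0 0.255.255.255 120.120.120.0 0.0.0.255
access-list 110 permit ip 44.0.0.0 0.255.255.255 120.120.120.0 0.0.0.255
"""

def parse_ios(cfg):
    # Returns (crypto map entries, ACLs used for NAT, ACL rules by name).
    entries, nat_acls, acls, cur = [], set(), {}, None
    for line in cfg.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = {"seq": int(m.group(2)), "peer": None, "acl": None}
            entries.append(cur)
        elif line.startswith(" ") and cur:   # sub-command of the current entry
            if m := re.match(r"\s+set peer (\S+)", line):
                cur["peer"] = m.group(1)
            if m := re.match(r"\s+match address (\S+)", line):
                cur["acl"] = m.group(1)
        else:                                # back at global config level
            cur = None
            if m := re.match(r"ip nat inside source list (\S+)", line):
                nat_acls.add(m.group(1))
            if m := re.match(r"access-list (\S+) permit ip (.+)", line):
                acls.setdefault(m.group(1), []).append(m.group(2))
    return entries, nat_acls, acls

def lint_crypto(cfg):
    # Returns findings about NAT/crypto ACL overlap and shadowed crypto map entries.
    entries, nat_acls, acls = parse_ios(cfg)
    findings = []
    for e in entries:
        if e["acl"] in nat_acls:   # IOS applies inside-to-outside NAT before the crypto check
            findings.append(f"ACL {e['acl']} is used by both NAT overload and crypto map seq {e['seq']}")
    seen = {}                      # crypto ACL rules -> lowest sequence number using them
    for e in sorted(entries, key=lambda e: e["seq"]):
        rules = tuple(acls.get(e["acl"], []))
        if rules in seen:          # entries are tried in sequence order; the first match wins
            findings.append(f"seq {e['seq']} (peer {e['peer']}) matches the same traffic as seq {seen[rules]} and is never selected")
        else:
            seen[rules] = e["seq"]
    return findings
```

Run `lint_crypto(ROUTER_CFG)` to get the two findings; the same parser works on a full `show running-config` dump, since it ignores lines it does not recognise.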
07.16.2008 at 08:04AM PDT, ID: 22016639 (Solution)

About this solution

Solution Provided By: Melaleuca
Participating Experts: 1
Solution Grade: A

07.16.2008 at 09:45AM PDT, ID: 22017694 (Author Comment)
