04.28.2008 at 10:35AM PDT, ID: 23359485
Cisco ASA 5505 VPN site-to-site

Asked by infoone in Virtual Private Networking (VPN)

Hello,
I have 2 Cisco ASA 5505s with IOS 7.2(3) and ASDM 5.2.
I have configured the 2 Ciscos to set up a site-to-site VPN, but when I try to start the VPN I get this error message:
[code]713061 Group = a.b.c.d, IP = a.b.c.d, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.2.0/255.255.255.0/0/0 local proxy e.f.g.h/255.255.255.255/0/0 on interface outside[/code]

a.b.c.d is the outside IP of the first ASA, 192.168.2.0/24 is the LAN network of the second ASA, and e.f.g.h is the outside IP of the second ASA.

I don't know what to do.
Here are the configurations of the 2 ASAs.
The first one:
[code]
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name pippo
enable password 7bLfvfolddMpQ6A4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name angelini
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host a.b.c.d
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 host a.b.c.d
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer a.b.c.d
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd dns 80.68.202.3 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:794083be2997a4029bf15f80e1eab483
: end
[/code]

The configuration of the second ASA:
[code]
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name pippo
enable password 7bLfvfolddMpQ6A4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name angelini
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host e.f.g.h
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host e.f.g.h
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer e.f.g.h
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.129 inside
dhcpd dns 80.68.202.3 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group e.f.g.h type ipsec-l2l
tunnel-group e.f.g.h ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:8a62886804b4e9cf7d81621305f4450b
: end
[/code]

Where is the bug?
Thanks
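
Added example, not part of the original question or its solution: message 713061 is logged when the proxy pair proposed by the peer matches no crypto map ACL on the responder, and a common cause is crypto ACLs that are not mirror images of each other on the two peers. The Python check below compares the two ACLs posted above, then a constructed mirrored pair; the function names and the 10.1.0.0/24 and 10.2.0.0/24 networks are assumptions.

```python
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$", re.M)
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)

def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host IP' or 'NET MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ("0.0.0.0", "0.0.0.0")
    if head == "host":
        return (tokens.pop(0), "255.255.255.255")
    return (head, tokens.pop(0))

def crypto_selectors(config):
    """Return {(local, remote)} from ACLs that a crypto map references."""
    used = set(MAP_RE.findall(config))
    selectors = set()
    for name, rest in ACL_RE.findall(config):
        if name in used:
            tokens = rest.split()
            local = _take_addr(tokens)
            remote = _take_addr(tokens)
            selectors.add((local, remote))
    return selectors

def unmirrored(cfg_a, cfg_b):
    """Selectors on A with no swapped (remote, local) counterpart on B."""
    theirs = {(remote, local) for local, remote in crypto_selectors(cfg_b)}
    return sorted(crypto_selectors(cfg_a) - theirs)

ACL = "access-list outside_1_cryptomap extended permit ip "
MAP_LINE = "crypto map outside_map 1 match address outside_1_cryptomap\n"
# ACL lines as posted in the question (address placeholders kept as-is).
ASA1 = ACL + "192.168.2.0 255.255.255.0 host a.b.c.d\n" + MAP_LINE
ASA2 = ACL + "192.168.1.0 255.255.255.0 host e.f.g.h\n" + MAP_LINE
# Constructed pair: each side lists its own LAN first and the peer LAN second.
SITE_A = ACL + "10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0\n" + MAP_LINE
SITE_B = ACL + "10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0\n" + MAP_LINE

if __name__ == "__main__":
    print("posted pair, unmirrored:", unmirrored(ASA1, ASA2))
    print("constructed pair, unmirrored:", unmirrored(SITE_A, SITE_B))
```
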
05.02.2008 at 11:13PM PDT, ID: 21491470

About this solution

Zone: Virtual Private Networking (VPN)
Tags: Cisco, IOS, 7.2(3), Cisco, Asa 5505, Asa 5505, 713061 Group = a.b.c.d, IP = a.b.c.d, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.2.0/255.255.255.0/0/0 local proxy e.f.g.h/255.255.255.255/0/0 on interface outside
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: B