05.07.2008 at 09:45PM PDT, ID: 23385102
VPN issues between Cisco 1711 and ASA 5505

Asked by netman70 in Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall

Tags: Cisco, Router, 1711

Hi

I have a Cisco 1711 that has a working l2l VPN with another router with peer address 9.28.2.26. I am trying to establish a second l2l VPN with a Cisco ASA (peer address 9.46.46.81) and cannot get a working tunnel going. On the router, I get %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 9.46.46.81

Could somebody help with the configuration? Thanks.

The Router script is
***********************************
Building configuration...

Current configuration : 4292 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname gera
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.17.241.1 10.17.241.184
ip dhcp excluded-address 10.17.241.187 10.17.241.255
!
ip dhcp pool sdm-pool
   import all
   network 10.17.241.0 255.255.255.0
   default-router 10.17.241.248
   lease 0 2
!
!
ip domain name gera.com
ip name-server 216.165.129.157
ip name-server 134.215.200.126
ip cef
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address 9.28.2.26 no-xauth
crypto isakmp key xxx address 9.46.46.81 no-xauth
!
!
crypto ipsec transform-set bpg-set esp-des esp-md5-hmac
crypto ipsec transform-set bpg-high esp-3des esp-md5-hmac
!
crypto map bpg 20 ipsec-isakmp
 set peer 9.28.2.26
 set transform-set bpg-high
 match address 115
crypto map bpg 30 ipsec-isakmp
 set peer 9.46.46.81
 set transform-set bpg-high
 match address 120
!
!
!
interface FastEthernet0
 ip address 9.29.1.42 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 100
 no cdp enable
 crypto map bpg
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.17.241.248 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip default-gateway 9.29.1.41
ip classless
ip route 0.0.0.0 0.0.0.0 9.29.1.41
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet0 overload
!
!
!
access-list 110 deny   ip host 10.17.241.8 10.30.11.0 0.0.0.255
access-list 110 deny   ip host 10.17.241.194 10.30.11.0 0.0.0.255
access-list 110 deny   ip host 10.17.241.248 10.30.11.0 0.0.0.255
access-list 110 deny   ip host 10.17.241.8 10.30.12.0 0.0.0.255
access-list 110 deny   ip host 10.17.241.194 10.30.12.0 0.0.0.255
access-list 110 deny   ip host 10.17.241.248 10.30.12.0 0.0.0.255
access-list 110 permit ip 10.17.241.0 0.0.0.255 any
access-list 115 permit ip host 10.17.241.8 10.30.11.0 0.0.0.255
access-list 115 permit ip host 10.17.241.194 10.30.11.0 0.0.0.255
access-list 115 permit ip host 10.17.241.248 10.30.11.0 0.0.0.255
access-list 120 permit ip host 10.17.241.8 10.30.12.0 0.0.0.255
access-list 120 permit ip host 10.17.241.194 10.30.12.0 0.0.0.255
access-list 120 permit ip host 10.17.241.248 10.30.12.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address 110
!
!
control-plane
****************************************

The ASA script is

***********************

ASA Version 8.0(3)
!
hostname becher
domain-name becher.local
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.30.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 9.46.46.81 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd /70qf.HF9twSQZB7 encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name becher.local
access-list inside_nat0_outbound extended permit ip 10.30.12.0 255.255.255.0 10.17.241.0 255.255.255.0
access-list to-brook extended permit ip 10.30.12.0 255.255.255.0 10.17.241.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 9.46.46.86 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address to-brook
crypto map outside_map 20 set peer 9.29.1.42
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 30
console timeout 0
dhcpd dns 169.207.1.3
dhcpd auto_config outside
!
dhcpd address 10.30.12.200-10.30.12.250 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
tunnel-group 9.29.1.42 type ipsec-l2l
tunnel-group 9.29.1.42 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c753745d062b9afec778e9bd6c6d3532
: end
******************************
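An added diagnostic example, not part of the question or of any answer on this page: IKEv1 Quick Mode carries the proxy identities taken from each side's crypto ACL, and a peer only accepts a proposal whose (src, dst) pair it holds in mirrored form. The script below parses the 1711's ACL 120 and the ASA's to-brook ACL as posted above and lists every entry that has no exact mirror on the other side. It assumes only `permit ip` entries with `host`, `any`, wildcard (IOS) or netmask (ASA) operands; that simplification is mine.

```python
import ipaddress
import re

# Constructed from the two configs posted in the question: the 1711's
# crypto ACL 120 and the ASA's "to-brook" crypto ACL.
ROUTER_ACL_120 = """
access-list 120 permit ip host 10.17.241.8 10.30.12.0 0.0.0.255
access-list 120 permit ip host 10.17.241.194 10.30.12.0 0.0.0.255
access-list 120 permit ip host 10.17.241.248 10.30.12.0 0.0.0.255
"""
ASA_ACL_TO_BROOK = """
access-list to-brook extended permit ip 10.30.12.0 255.255.255.0 10.17.241.0 255.255.255.0
"""


def _operand(tokens):
    """Consume one ACL address operand (host X | any | ADDR MASK); return (network, rest).
    ipaddress accepts both IOS wildcard masks (0.0.0.255) and ASA netmasks (255.255.255.0)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Return the set of (src, dst) network pairs from the 'permit ip' lines of an ACL."""
    pairs = set()
    for line in text.strip().splitlines():
        m = re.search(r"\bpermit\s+ip\s+(.*)$", line)
        if not m:
            continue  # only permit-ip entries define IPsec proxy identities here
        src, rest = _operand(m.group(1).split())
        dst, _ = _operand(rest)
        pairs.add((src, dst))
    return pairs


def unmirrored(local_pairs, remote_pairs):
    """Local (src, dst) entries with no exact (dst, src) counterpart on the remote peer."""
    mirrored = {(dst, src) for src, dst in remote_pairs}
    return sorted(local_pairs - mirrored)


def check_page_configs():
    """Compare the two posted crypto ACLs; returns (unmirrored on 1711, unmirrored on ASA)."""
    router, asa = parse_acl(ROUTER_ACL_120), parse_acl(ASA_ACL_TO_BROOK)
    return unmirrored(router, asa), unmirrored(asa, router)


if __name__ == "__main__":
    router_only, asa_only = check_page_configs()
    for src, dst in router_only:
        print(f"1711 proposes {src} -> {dst}: no mirrored entry on the ASA")
    for src, dst in asa_only:
        print(f"ASA proposes {src} -> {dst}: no mirrored entry on the 1711")
```

Run against the posted configs, all three host-specific 1711 entries and the ASA's single /24-to-/24 entry come back unmirrored, which is the kind of proxy-identity mismatch that surfaces as a Quick Mode failure; the working 9.28.2.26 tunnel is a useful comparison point for what a matching pair looks like.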
05.08.2008 at 07:03AM PDT, ID: 21524756

About this solution

Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A
05.08.2008 at 07:55AM PDT, ID: 21525279
05.08.2008 at 08:13AM PDT, ID: 21525445