Solved

VPN Between Cisco ASA and NetVanta

Posted on 2006-07-22
2
1,027 Views
Last Modified: 2007-12-19
I am trying to create a VPN between Cisco ASA5510 and NetVanta 2054. I followed the instructions to create site to site VPN, but it doesn't work. How do I troubleshoot it?

Cisco ASA5510

ASA Version 7.0(5)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password BXdBI/nCX9W8gnaT encrypted
names
name 192.168.0.114 Consults
name 192.168.0.112 IBM
name 192.168.0.117 Outer
name 192.168.102.0 DMZ
name 192.168.0.213 Color
name 192.168.0.95 USA8200
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.129.37 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.250 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.102.250 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit intra-interface
access-list tac extended permit ip any host x.x.241.10
access-list tac extended permit ip host x.x.241.10 any
access-list out_to_inside extended permit tcp any host x.x.129.34 eq www
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 8080
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 8383
access-list out_to_inside extended permit tcp any host x.x.129.36 eq www
access-list out_to_inside extended permit tcp any host x.x.129.34 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.34 eq pop3
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 3389
access-list out_to_inside extended permit tcp any host x.x.129.34 eq 13001
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 13001
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 3389
access-list out_to_inside extended permit tcp any host x.x.129.36 eq pop3
access-list out_to_inside extended permit tcp any host x.x.129.36 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.36 eq 8383
access-list out_to_inside extended permit icmp any any
access-list out_to_inside extended permit tcp any host x.x.129.35 eq www
access-list out_to_inside extended permit tcp any host x.x.129.38 eq www
access-list out_to_inside extended permit tcp any host x.x.129.35 eq 8383
access-list out_to_inside extended permit tcp any host x.x.129.35 eq smtp
access-list out_to_inside extended permit tcp any host x.x.129.35 eq pop3
access-list out_to_inside extended permit tcp any host 1x.x.129.36 eq pptp
access-list Inside_nat0_outbound extended permit ip any 192.168.101.0 255.255.25
5.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 ho
st x.x.53.106
access-list 102 standard permit 192.168.0.0 255.255.0.0
access-list Outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.255.0 ho
st x.x.53.106
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool 101 192.168.101.1-192.168.101.254 mask 255.255.255.0
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.129.36 IBM netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.34 Color netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.35 Consult netmask 255.255.255.255 dns
static (Inside,Outside) x.x.129.38 Outer netmask 255.255.255.255 dns
static (Inside,Outside) 1x.x.129.36 USA8200 netmask 255.255.255.255
access-group out_to_inside in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.129.33 1
route Inside 192.168.1.0 255.255.255.0 192.168.0.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list chicagotech "chicagotech" http://chicagotech.dyndns.org
url-list chicagotech "199" http://x.x.43.199
url-list chicagotech "197" http://x.x.43.197
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.0.231
 dns-server value 192.168.0.231 4.2.2.1
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy Webvpn internal
group-policy Webvpn attributes
 vpn-tunnel-protocol IPSec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing
username demo password GBlBq1FXkhsjWruD encrypted
username demo attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
username admin password W77CNyqO17KPQbW3 encrypted privilege 15
username admin attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
username chrisp password A9yadLd/TEEGgSex encrypted
username chrisp attributes
 vpn-group-policy DfltGrpPolicy
 webvpn
 vpn-group-policy DfltGrpPolicy
 webvpn
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer x.x.53.106
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 default-group-policy Webvpn
tunnel-group PPTPVPN type ipsec-ra
tunnel-group PPTPVPN general-attributes
 address-pool 101
tunnel-group PPTPVPN ipsec-attributes
 pre-shared-key *
tunnel-group x.x.53.106 type ipsec-l2l
tunnel-group x.x.53.106 ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.255.0 Inside
telnet timeout 10
ssh x.x.208.81 255.255.255.255 Outside
ssh x.x.115.246 255.255.255.255 Outside
ssh x.x.89.0 255.255.255.0 Outside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
webvpn
 enable Outside
 nbns-server 192.168.0.231 master timeout 2 retry 2
: end
[OK]
ciscoasa#






NetVanta 2054
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip domain-proxy
ip domain-name "hsd1.il.comcast.net."
ip name-server 192.168.11.1 4.2.2.1
ip routing
!
event-history on
no logging forwarding
logging forwarding priority-level info
no logging email
logging email priority-level info
!
!
ip policy-timeout tcp telnet 28800
!
ip firewall
no ip firewall alg h323
ip firewall alg sip
!
!
!
!
!
ip dhcp-server excluded-address 192.168.11.0 192.168.11.2
ip dhcp-server excluded-address 192.168.11.255
!
ip dhcp-server pool "Private"
  network 192.168.11.0 255.255.255.0
  domain-name "ah2054"
  dns-server 192.168.2.1 4.2.2.1
  netbios-node-type h-node
  default-router 192.168.11.1
!
ip crypto
!
crypto ike policy 102
  initiate main
  respond anymode
  local-id address x.x.53.106
  peer x.x.129.37
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address x.x.129.37 preshared-key 12345678 ike-policy 102
crypto map VPN 30 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 30 ipsec-ike
  description AH to EG
  match address VPN-30-vpn-selectors
  set peer x.x.129.37
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 102
!
!
vlan 1
  name "Default"
!
interface eth 0/1
  description AH2054
  ip address  x.x.53.106  255.255.255.248
  access-policy Public
  crypto map VPN
  no shutdown
!
interface eth 0/2
  no shutdown
!
interface eth 0/3
  no shutdown
!
interface eth 0/4
  no shutdown
!
interface eth 0/5
  no shutdown
!
!
interface vlan 1
  description Inside
  ip address  192.168.11.1  255.255.255.0
  access-policy Private
  no shutdown
!
!
!
!
!
ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to Netvanta
  permit ip any  any    log
!
ip access-list extended VPN-30-vpn-selectors
  permit ip 192.168.11.0 0.0.0.255  192.168.0.0 0.0.0.255
!
ip access-list extended web-acl-7
  remark Admin Access
  permit tcp any  any eq www  log
  permit tcp any  any eq telnet  log
  permit tcp any  any eq https  log
  permit icmp any  any  echo  log
!
ip access-list extended web-acl-9
  remark TS
  permit tcp any  host x.x.53.106 eq 3389  log
!
ip policy-class Private
  allow list VPN-30-vpn-selectors
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-30-vpn-selectors
  allow list web-acl-7 self
  nat destination list web-acl-9 address 192.168.11.2
!
!
!
ip route 0.0.0.0 0.0.0.0 x.x.53.105
!
no ip tftp server
ip http server
ip http secure-server
no ip snmp agent
no ip ftp agent
ip scp server
!
!
!
!
!
line con 0
  login local-userlist
!
line telnet 0 4
  login local-userlist
!
!
!
end
AH2054#
0
Comment
Question by:blin2000
2 Comments
 
LVL 7

Author Comment

by:blin2000
ID: 17177566
Fixed the problem. The problem is the remote network pointed to public IP address of the NetVanta instead of the private subnet. The details can be found this link,

VPN between ASA 5510 and NetVanta 2054 - Case Study
http://www.chicagotech.net/cisco/vpnasa&netvanta1.htm
0
 

Accepted Solution

by:
EE_AutoDeleter earned 0 total points
ID: 17305422
blin2000,
Because you have presented a solution to your own problem which may be helpful to future searches, this question is now PAQed and your points have been refunded.

EE_AutoDeleter
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Join & Write a Comment

Suggested Solutions

Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now