• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 655
  • Last Modified:

Dynamic IPsec between a statically assigned ASA and Dynamic IOS router

I have configured a 2811 router to bring up a IPsec VPN tunnel between it and my corporate ASA. I followed cisco document 81883, but it is not working. from the debugs on the ASA and router it doesn't even look like the router is trying to establish phase1. Am I missing something.....


Celebration2811(config)#do sh run
Building configuration...


Current configuration : 1860 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Celebration2811
!
boot-start-marker
boot system flash c2800nm-advipservicesk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
no logging console
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.30.39.2 10.30.39.20
!
ip dhcp pool Celebration
   network 10.30.39.0 255.255.255.0
   dns-server 10.1.200.108 10.1.200.16 10.1.200.45
   netbios-name-server 10.1.200.17
   default-router 10.30.39.1
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 10.10.10.10
!
!
crypto ipsec transform-set asa-set esp-3des esp-md5-hmac
!
crypto map asa 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set asa-set
 match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
 description outside DSL service
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map asa
!
interface FastEthernet0/1
 description Internal Network
 ip address 10.30.39.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet0/0 overload
!
access-list 101 permit ip 10.30.39.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.30.39.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
 match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end
0
dtadmin
Asked:
dtadmin
1 Solution
 
dtadminAuthor Commented:
i modified ACL 110 as follows:

access-list 110 deny   ip 10.30.39.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.30.39.0 0.0.0.255 any
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now