Solved

Cisco ASA 5505 and Cisco Small Business WRVS4400N VPN tunnel

Posted on 2012-03-25
30
1,350 Views
Last Modified: 2012-04-11
I didn't receive any responses the first time I asked this question over two weeks ago, so I'll ask again.

I'm trying to establish a VPN tunnel between our main office running a Cisco ASA 5505 [8.3(2)] and a remote user using a Cisco Small Business WRVS4400N firmware version V2.0.1.3.

The Cisco ASA 5505 is already configured to allow incoming IPSec VPN connections via the Cisco VPN Client.

Is this possible, and if so, how would I go about doing so?  The remote user has a static IP address as well as the main office.

Any information provided would be appreciated.  Thanks
0
Comment
Question by:arhame
  • 20
  • 6
  • 4
30 Comments
 
LVL 15

Expert Comment

by:The_Warlock
ID: 37763842
Is the VPN pass-thru option selected/enabled on the WRV device? Also, please clarify a little...Are you looking to enable a site to site vpn or just allow the remote user to access local resources that sit behind the ASA? Let us know.
0
 
LVL 8

Author Comment

by:arhame
ID: 37763866
I'm looking to build a Site to Site tunnel between the remote user's house and the office.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37764238
Assuming you are not sure on how to configure site to site vpn on ASA, please go through the below link

https://learningnetwork.cisco.com/docs/DOC-8696

If you have ASDM then,

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Once you configure on ASA, its pretty easy to connect from other device.
0
 
LVL 8

Author Comment

by:arhame
ID: 37764279
The ASA is already configured to allow incoming IPSec VPN Client connections via the Cisco VPN Client.  The issue I'm having is how to configure the Cisco WRVS4400N.

I've setup site to site VPN tunnels before using two or more ASA5505's.  I'm just wanting to know how, if it can be done, to do so using the WRVS4400N's.

Thanks for the responses and looking forward to working towards a solution.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37764312
connection using Cisco VPN Client and Cisco Site to Site is totally different.

You have to set up Site to Site VPN on ASA and WRV.

here are the steps for WRV

http://www.cisco.com/en/US/docs/routers/csbr/wrvs4400n/administration/guide/WRVS4400N_AG_OL-20048.pdf - page 203.

Once you setup WRV router, follow the instructions on

https://learningnetwork.cisco.com/docs/DOC-8696

If you have ASDM then,

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
0
 
LVL 15

Expert Comment

by:The_Warlock
ID: 37765347
You have to configure it accordingly (Ip Addr., Encr/Auth type, etc) in the WRVS web interface section of VPN>Ip Sec. Configure your tunnel here and you should b able to see the tunnel under the "Summary" page of this same section. It supports up to 5 tunnels. I've attached a screen shot I found of a similar setup showing 3 tunnels and have attached it below. If you are already configured on your ASA(Since you stated you are and the WRVS has a Static Ip), then configuring the WRVS should be quite fast and simple. If you need anything else let us know.

Sample Config page pic
0
 
LVL 8

Author Comment

by:arhame
ID: 37775282
Ok, it's 0200 in the morning here and I have the tunnels established between the two units.

The only issue I'm having now, is that I'm not able to access the networks on the opposite ends of the tunnels from computers behind those routers, i.e. any of the computers behind the WRVS4400N can not access the servers behind the ASA.

In the morning, I'll post some screen captures of each configuration.

The tunnel connects almost instantly so I'm not sure what I've missed.
0
 
LVL 15

Expert Comment

by:The_Warlock
ID: 37776335
Split tunnel on the ASA side?? Maybe show us that portion of your config in the ASA and or your associated ACL's. Let us know, but Im glad to see that you at least have it up and running.
0
 
LVL 8

Author Comment

by:arhame
ID: 37777388
Here is my current ASA configuration with the following definitions.

$.$.$.146 is the external IP of the ASA
$.$.$.150 is the external IP of the WRVS4400N
192.168.0.0 is the internal IP addresses behind the ASA
192.168.175.0 is the internal IP addresses behind the WRVS4400N

!
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address $.$.$.146 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside_lan
 subnet 192.168.0.0 255.255.255.0
object network mailserver
 host 192.168.0.15
object network webserver
 host 192.168.0.15
object network webserver_ssl
 host 192.168.0.15
object network webserver2
 host 192.168.0.110
object network obj-vpnpool
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0
 host 192.168.0.0
object network 192.168.175.0
 subnet 192.168.175.0 255.255.255.0
access-list outside-in extended permit tcp any host 192.168.0.15 eq smtp
access-list outside-in extended permit tcp any host 192.168.0.15 eq www
access-list outside-in extended permit tcp any host 192.168.0.15 eq https
access-list outside-in extended permit tcp any host 192.168.0.110 eq www
access-list internal standard permit 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object inside_lan object 192.168.175.0
access-list Split_Tunnel_List remark The network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.2.1-192.168.2.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0 NETWORK_OBJ_192.168.0.0 destination static 192.168.175.0 192.168.175.0
nat (inside,outside) source static inside_lan inside_lan destination static 192.168.175.0 192.168.175.0
!
object network obj_any
 nat (inside,outside) dynamic interface
object network inside_lan
 nat (inside,outside) dynamic $.$.$.147
object network mailserver
 nat (inside,outside) static $.$.$.$.147 service tcp smtp smtp
object network webserver
 nat (inside,outside) static $.$.$.147 service tcp www www
object network webserver_ssl
 nat (inside,outside) static $.$.$.147 service tcp https https
object network webserver2
 nat (inside,outside) static $.$.$.148 service tcp www www
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 $.$.$.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 1 match address outside_1_cryptomap
crypto map VPN_MAP 1 set pfs group1
crypto map VPN_MAP 1 set peer $.$.$.150
crypto map VPN_MAP 1 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto ca server
 shutdown
 smtp from-address admin@ciscoasa.null
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
 dns-server value 192.168.0.10
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
username arhame password jbwAVYYVbQnpK8qZ encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool vpnpool
 default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *****
tunnel-group $.$.$.150 type ipsec-l2l
tunnel-group $.$.$.150 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d6306b34a7a62e36ab7abfb0dfcd6244
ciscoasa(config)#
0
 
LVL 15

Expert Comment

by:The_Warlock
ID: 37777546
I'm a little confused after looking at your config.

Questions:

1) Do you have remote users accessing local resources via a software VPN client or are you just establishing a site to site tunnel?

2) If client access, are remote users able to establish a vpn session?

3) Have you reviewed your logs?


Let us know.
0
 
LVL 8

Author Comment

by:arhame
ID: 37777562
Yes, we also have the ability for workers who are traveling to connect remotely via the Cisco VPN Client (version 5.0.07.0290).

They are able to connect successfully.

Which logs should I review?
0
 
LVL 8

Author Comment

by:arhame
ID: 37777638
I did find one issue, and corrected it, but still no luck.

object network NETWORK_OBJ_192.168.0.0
 host 192.168.0.0

should be

object network NETWORK_OBJ_192.168.0.0
 subnet 192.168.0.0 255.255.255.0

I made the change, re-established the tunnel, and still no routing between the two.
0
 
LVL 8

Author Comment

by:arhame
ID: 37778018
Any ideas on what to adjust?

Does everything look correct?
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37780136
I will review this and advise you on creating site to site tunnel in few hours.
0
 
LVL 8

Author Comment

by:arhame
ID: 37780137
many thanks.  still working on it now.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37781683
I have tried to re-write the ipsec tunnel for you here. Go through this and see if this helps.

Do not mix your l2l tunnel config with web-vpn config.

crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 3
 lifetime 86400

object network inside_lan
 subnet 192.168.0.0 255.255.255.0

object network 192.168.175.0 	(may be instead of using the subnet u can call it remote_network? if so change the same with the below access-list)
 subnet 192.168.175.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group inside_lan object-group 192.168.175.0

crypto ipsec transform-set RA-TS1 esp-3des esp-sha-hmac

crypto map VPN_MAP 2 match address outside_1_cryptomap
crypto map VPN_MAP 2 set peer $.$.$.150
crypto map VPN_MAP 2 set transform-set RA-TS1	(Create a new transfrom-set)
crypto map VPN_MAP 2 set security-association lifetime seconds 86400
crypto map VPN_MAP 2 set nat-t-disable
crypto map VPN_MAP interface outside
crypto isakmp enable outside	( ISAKMP policy has not been applied?)
crypto isakmp policy 50		( 50 or what ever number)

tunnel-group $.$.$.150 type ipsec-l2l
tunnel-group $.$.$.150 ipsec-attributes
 pre-shared-key *****

nat (inside,outside) source static NETWORK_OBJ_192.168.0.0 NETWORK_OBJ_192.168.0.0 destination static 192.168.175.0 192.168.175.0		> Dont think this is required
nat (inside,outside) source static inside_lan inside_lan destination static 192.168.175.0 192.168.175.0					> Dont think this is required

Open in new window

0
 
LVL 8

Author Comment

by:arhame
ID: 37782343
I've been looking over this and am confused as to what I should remove from my existing configuration to clean it up.

Also, there shouldn't be a web-vpn setup.

I had used the ASDM interface to configure the site to site tunnel via the IPsec VPN Wizard.
0
 
LVL 8

Author Comment

by:arhame
ID: 37785573
Ok.

I think I'm heading in the right direction.

Today, I reset the device to the factory default configuration.  From there, I setup the ASA as I had it before, with the exception of the Remote Access IPsec VPN configuration.

It worked perfectly.

The issue is, I still need the ability to create a vpn connection to the ASA unit via the Cisco VPN client, while having the site to site vpn established.

I am going to do more experimenting, but does anyone have any experience on running both on the same unit?  Any tips or advice would be appreciated.
0
 
LVL 8

Author Comment

by:arhame
ID: 37785630
Hrm.

Well, as soon as I went through to setup the Remote Access IPsec VPN configuration on the ASA, my site-to-site tunnel was trashed, and will no longer come up.

Earlier, after resetting the unit back to the factory default configuration, I simply used the IPsec VPN wizard in the ASDM to establish the site-to-site tunnel.  Worked easy and perfect.

 So, that must be the issue I'm having, making the two configurations play together.

Here are the commands I entered into the unit to setup the Remote Access IPsec VPN configuration:

ip local pool vpnpool 192.168.2.1-192.168.2.254
object network obj-vpnpool
subnet 192.168.2.0 255.255.255.0

nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
vpn-idle-timeout 30
dns-server value 192.168.0.10

isakmp policy 20
encryption 3des
hash sha
authentication pre-share
group 2
lifetime 3600

isakmp enable outside
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
tunnel-group *vpnclient* type remote-access
tunnel-group *vpnclient* general-attributes
address-pool vpnpool
default-group-policy company-vpn-policy

tunnel-group *vpnclient* ipsec-attributes
pre-shared-key *passphrase*
0
 
LVL 8

Author Comment

by:arhame
ID: 37785641
I decided to go ahead and post the entire config.  Using this one, only the remote access ipsec vpn works.  the site-to-site has stopped working.

Here is the current complete config:

: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.146 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network mailserver
 host 192.168.0.15
object network webserver
 host 192.168.0.15
object network webserver_ssl
 host 192.168.0.15
object network webserver2
 host 192.168.0.110
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network remote_network
 subnet 192.168.175.0 255.255.255.0
object network obj-vpnpool
 subnet 192.168.2.0 255.255.255.0
access-list outside-in extended permit tcp any host 192.168.0.15 eq smtp
access-list outside-in extended permit tcp any host 192.168.0.15 eq www
access-list outside-in extended permit tcp any host 192.168.0.15 eq https
access-list outside-in extended permit tcp any host 192.168.0.110 eq www
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 object remote_network
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.2.1-192.168.2.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static remote_network remote_network
!
object network obj_any
 nat (inside,outside) dynamic interface
object network mailserver
 nat (inside,outside) static *.*.*.147 service tcp smtp smtp
object network webserver
 nat (inside,outside) static *.*.*.147 service tcp www www
object network webserver_ssl
 nat (inside,outside) static *.*.*.147 service tcp https https
object network dbsoftinc
 nat (inside,outside) static *.*.*.148 service tcp www www
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer *.*.*.150
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto ca server
 shutdown
 smtp from-address admin@ciscoasa.null
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
 dns-server value 192.168.0.10
 vpn-idle-timeout 30
username ******** password XLRO2tJ8dfXviPOG encrypted
tunnel-group *.*.*.150 type ipsec-l2l
tunnel-group *.*.*.150 ipsec-attributes
 pre-shared-key *****
tunnel-group *vpnclient* type remote-access
tunnel-group *vpnclient* general-attributes
 address-pool vpnpool
 default-group-policy company-vpn-policy
tunnel-group *vpnclient* ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e1b5251ca2f603b957686bafa4349615
: end
no asdm history enable
0
 
LVL 6

Accepted Solution

by:
Ramakrishna Prabhu earned 500 total points
ID: 37786428
Question,

After resetting your ASA, you configured it for Site-to-Site, was this through asdm or console?
Did you use the configuration i had sent before?

Just as a thought,
After resetting your ASA, can configure Web VPN through ASDM and then get on to console and copy and paste the below config.

crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 3
 lifetime 86400

object network inside_lan
 subnet 192.168.0.0 255.255.255.0

object network outside_network
 subnet 192.168.175.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object-group inside_lan object-group outside_network

crypto ipsec transform-set RA-TS1 esp-3des esp-sha-hmac

crypto map VPN_MAP 2 match address outside_1_cryptomap
crypto map VPN_MAP 2 set peer $.$.$.150 (provide your peer-ip)
crypto map VPN_MAP 2 set transform-set RA-TS1
crypto map VPN_MAP 2 set security-association lifetime seconds 86400
crypto map VPN_MAP 2 set nat-t-disable
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 50

tunnel-group $.$.$.150 type ipsec-l2l
tunnel-group $.$.$.150 ipsec-attributes
 pre-shared-key ***** (type your preshared key here)

Open in new window

0
 
LVL 8

Author Comment

by:arhame
ID: 37787018
I've successfully created the WebVPN configuration via ASDM as you reccomended.

When I enter the config at the console for the site-to-site as you suggested,

access-list outside_1_cryptomap extended permit ip object-group inside_lan object-group outside_network

I immediately get the following error:

ERROR: specified object group <inside_lan> not found

I have verified that there wasn't any typos in the creation of the network object inside_lan and I can see the network object inside_lan within ASDM and it is properly defined

Any ideas?

Thanks for all of the help.
0
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 37787181
Sorry it should be

access-list outside_1_cryptomap extended permit object-group inside_lan object-group outside_network
0
 
LVL 8

Author Comment

by:arhame
ID: 37788030
I get a different error when trying to enter that config line.

ERROR: % Invalid input detected at '^' marker.

and just to verify that it wasn't a typo, I entered the command as:

access-list outside_1_cryptomap extended permit object-group inside_lan object-group outside_network
0
 
LVL 8

Author Comment

by:arhame
ID: 37788683
ok, the line command format was:

access-list outside_1_cryptomap extended permit ip object inside_lan object outside_network

still didn't work though.  Running more tests-experiments.
0
 
LVL 8

Author Comment

by:arhame
ID: 37789577
Status Update.

Ok, here is what I have tested and learned so far.

After the clean reset to default, I can easilty configure the site-to-site tunnel if I use the ASDM Wizard.

After a clean reset to default, and then using the code you gave me above (chesperito), the site-to-site tunnel will not function.  I did have to make one change to the code you gave me in addition to the access-list command.

Under the crypto isakmp policy 50, I changed the group to 1, for compatibility purposes with the WRVS.  I also had to do this using the ASDM Wizard and it worked.  For some reason, group 3 doesn't work on my ASA unit.  Not sure why.

I'll create another post that has the content of both configurations.  I'm going through them now to see if I see anything obvious on why one works and the other doesn't.

Then, back to why it will not work while the Remote Access IPsec VPN tunnel is enabled.
0
 
LVL 8

Author Comment

by:arhame
ID: 37789680
ok, one thing I found that was preventing the site-to-site tunnel from connecting with the code you suggested, was the need to add in the following command:

crypto map VPN_MAP 2 set pfs group1

Once I added this in, the tunnel connected, but I'm still not able to route traffic through either way.
0
 
LVL 8

Author Comment

by:arhame
ID: 37789703
Ok, I found another issue with the code.  There was no nat statment.

I've added the following and now I am routing between the networks

nat (inside,outside) source static inside_lan inside_lan destination static outside_network outside_network

Now, I need to setup the remote-access vpn and see if that will work.

Will let you know.
0
 
LVL 8

Author Comment

by:arhame
ID: 37833638
Sorry for the delayed response.

Once made a few adjustments to the suggested code, and then used the IPsec Remote Access VPN wizard, almost everything is working perfectly.

The only thing left to troubleshoot is split tunneling.

As soon as I get all the kinks worked out, I'll post the updated code for anyone else who might be wanting to try this same scenario.

Overall, so far, I'm very happy with the stability and ability to use the less expensive WRVS with the ASA.

Thanks
0
 
LVL 8

Author Closing Comment

by:arhame
ID: 37833644
Thanks for the help in working through this configuration.  I did a considerable amount of searching on the internet for someone else attempting this same setup, and couldn't find anything.  Hopefully someone else can now benefit from the work.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now