Cisco VPN Tunnel

jac1991 asked:
Tags: Internet Protocol Security, Cisco, VPN
12 comments, 1 solution, 763 views
Experts,

I need some help please, trying to create a VPN tunnel between a Cisco ASA 5510 and a Cisco 1811 router.

Below are the configs:

When I do a sh crypto isakmp sa from the ASA, no tunnel/peer is present; the same on the router, no peer. Should the tunnel be listed, e.g. as waiting for response?

No tunnel either when I issue this command: sh crypto ipsec sa
Any suggestions ?

If I am telnet'd into the router and I ping 70.24.100.105 (the ASA), is this enough for interesting traffic?

Thanks for any help

Router config

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 16384 informational
no logging console

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST-5 0
!
!
dot11 syslog
ip source-route
!
!
!
ip dhcp pool test
   network 172.24.105.0 255.255.255.0
   option 150 ip 172.24.225.224 172.24.225.223
   
!
!
ip cef

no ipv6 cef
!
multilink bundle-name authenticated
!
!
!

!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  address 70.64.100.105
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-tunnel 1 ipsec-isakmp
 set peer 70.64.100.252
 set transform-set esp-3des-sha
 match address ipsec-rule
archive
 log config
  hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
 ip address 70.64.100.252 255.255.255.0
 ip access-group temp-in in
 ip access-group temp-out out
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 crypto map ipsec-tunnel
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.64.100.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat-out interrface FastEthernet0 overload
!
ip access-list extended temp-in
 deny   ip any any
 permit udp host 70.64.100.105 eq isakmp host 70.64.100.252 eq isakmp
 permit esp host 70.64.100.105 host 12.164.100.252
ip access-list extended temp-out
 permit udp host 70.64.100.252 eq isakmp host 70.64.100.105 eq isakmp
 permit esp host 70.64.100.252 host 70.64.100.105
 deny   ip any any
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
 deny   ip any any
ip access-list extended nat-out
 deny   ip 172.24.105.0 0.0.0.255 any
 permit ip any any
ASA config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 70.24.100.105 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 99
 ip address 9.3.23.1 255.255.255.248 standby 9.3.23.2
!
interface Ethernet0/2
 
interface Ethernet0/3
 
!
interface Management0/0
 !
boot system disk0:/asa823-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list any172 extended permit ip 172.24.105.0 255.255.255.0 any
access-list outside_5_cryptomap extended permit ip any 172.24.105.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dev 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit attack action alarm drop
failover
failover lan unit primary
failover lan interface state Management0/0
failover replication http
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside) 10 70.24.100.200-70.24.100.230
global (outside) 10 70.24.100.117
nat (inside) 0 access-list any172
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
nat (dev) 0 access-list any172
nat (dev) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group wan_access_in in interface dev
!
router eigrp 100
 no auto-summary
 eigrp router-id 9.3.23.1
 network 10.3.3.0 255.255.255.248
 redistribute static metric 1000000 10 255 1 1500
!
route outside 0.0.0.0 0.0.0.0 12.164.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.64.100.252
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy abc-site-to-site internal
group-policy abc-site-to-site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy abc internal
group-policy abc attributes
 split-tunnel-policy tunnelall
group-policy abc_LOCAL internal
group-policy abc_LOCAL attributes
group-policy DfltGrpPolicy attributes
 
tunnel-group abc type remote-access
tunnel-group abc general-attributes
 address-pool abc_VPN
 default-group-policy abc
tunnel-group abc ipsec-attributes
 pre-shared-key
tunnel-group abc_LOCAL type remote-access
tunnel-group abc_LOCAL general-attributes
 address-pool abc_VPN
 default-group-policy abc_LOCAL
tunnel-group abc_LOCAL ipsec-attributes
 pre-shared-key
tunnel-group abc_IPsec type remote-access
tunnel-group abc_IPsec general-attributes
 address-pool abc_VPN
 authentication-server-group LDAP
 default-group-policy abc_IPsec
tunnel-group abc_IPsec ipsec-attributes
 pre-shared-key
tunnel-group 172.24.100.252 type ipsec-l2l
tunnel-group 172.24.100.252 general-attributes
 default-group-policy abc-site-to-site
tunnel-group 172.24.100.252 ipsec-attributes
 pre-shared-key !
class-map inspetion_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp strict
  inspect ip-options
  inspect sip
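The following is an added example for this page, not code from the original post, not Cisco tooling and not the certified answer. It pulls the peer-related values out of the two configs posted above (excerpted inline exactly as they appear on the page) and reports where they disagree, since a site-to-site ISAKMP SA can only form when each side's `set peer`, pre-shared-key binding and (on the ASA) L2L tunnel-group name equal the other side's outside address. It also evaluates the asker's "interesting traffic" question by running a source/destination pair through the router's crypto ACL with IOS first-match semantics, checks that the two crypto ACLs mirror each other, and checks whether an inbound ACL has a `deny ip any any` ahead of its ISAKMP/ESP permits. Function names and the finding codes are this example's own; the addresses are taken from the post as written, so whether any mismatch is a sanitisation artifact rather than a real one is for the poster to confirm.

```python
import ipaddress
import re

# Excerpts of the two posted configs, copied as they appear on the page; only the
# lines the checks below read are kept (constructed sample input for this example).
ROUTER_CFG = """
crypto isakmp key  address 70.64.100.105
crypto map ipsec-tunnel 1 ipsec-isakmp
 set peer 70.64.100.252
interface FastEthernet0
 ip address 70.64.100.252 255.255.255.0
ip access-list extended temp-in
 deny   ip any any
 permit udp host 70.64.100.105 eq isakmp host 70.64.100.252 eq isakmp
 permit esp host 70.64.100.105 host 12.164.100.252
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
 deny   ip any any
"""
ASA_CFG = """
interface Ethernet0/0
 nameif outside
 ip address 70.24.100.105 255.255.255.0
access-list outside_5_cryptomap extended permit ip any 172.24.105.0 255.255.255.0
crypto map outside_map 5 set peer 12.64.100.252
tunnel-group 172.24.100.252 type ipsec-l2l
"""

def _grab(pattern, text):
    """Group 1 of the first multiline match, or None when the pattern is absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def router_facts(cfg=ROUTER_CFG):
    return {"wan_ip": _grab(r"^interface FastEthernet0\n(?: .*\n)*? ip address (\S+)", cfg),
            "peer": _grab(r"^ set peer (\S+)", cfg),
            "psk_peer": _grab(r"^crypto isakmp key .*?address (\S+)", cfg)}

def asa_facts(cfg=ASA_CFG):
    return {"outside_ip": _grab(r"^ nameif outside\n(?: .*\n)*? ip address (\S+)", cfg),
            "peer": _grab(r"^crypto map \S+ \d+ set peer (\S+)", cfg),
            "tunnel_group": _grab(r"^tunnel-group (\S+) type ipsec-l2l", cfg)}

def check_peers(router_cfg=ROUTER_CFG, asa_cfg=ASA_CFG):
    """Each side's peer / PSK / tunnel-group address must be the other side's WAN address."""
    r, a = router_facts(router_cfg), asa_facts(asa_cfg)
    checks = [
        ("ROUTER_PEER", r["peer"] != a["outside_ip"], f"router 'set peer {r['peer']}' is not ASA outside {a['outside_ip']}"),
        ("ROUTER_PEER_SELF", r["peer"] == r["wan_ip"], "router 'set peer' is its own FastEthernet0 address"),
        ("ROUTER_PSK", r["psk_peer"] != a["outside_ip"], f"router ISAKMP key is bound to {r['psk_peer']}, not {a['outside_ip']}"),
        ("ASA_PEER", a["peer"] != r["wan_ip"], f"ASA 'set peer {a['peer']}' is not router FastEthernet0 {r['wan_ip']}"),
        ("ASA_TUNNEL_GROUP", a["tunnel_group"] != r["wan_ip"], f"ASA L2L tunnel-group {a['tunnel_group']} is not {r['wan_ip']}"),
    ]
    return [(code, msg) for code, bad, msg in checks if bad]

def ios_acl(cfg, name):
    """Entries of an IOS named extended ACL, in configured order."""
    block = re.search(rf"^ip access-list extended {name}\n((?: .*\n)*)", cfg, re.M)
    return [line.strip() for line in block.group(1).splitlines()] if block else []

def asa_acl(cfg, name):
    """Entries of an ASA extended ACL (ASA entries use netmasks, not wildcards)."""
    return re.findall(rf"^access-list {name} extended (.*)$", cfg, re.M)

def _net(tokens, style):
    """Consume one address spec: any | host A | A MASK. style is 'wildcard' (IOS) or 'netmask' (ASA)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if style == "wildcard":  # invert the IOS wildcard to obtain a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_ip_entry(entry, style):
    """'permit|deny ip SRC DST' -> (action, src_net, dst_net); non-ip protocols -> None."""
    tokens = entry.split()
    if tokens[1] != "ip":
        return None
    src, rest = _net(tokens[2:], style)
    dst, _ = _net(rest, style)
    return tokens[0], src, dst

def is_interesting(acl_entries, src, dst, style="wildcard"):
    """First-match evaluation of a crypto ACL: would this src/dst pair trigger IPsec?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl_entries:
        parsed = parse_ip_entry(entry, style)
        if parsed and s in parsed[1] and d in parsed[2]:
            return parsed[0] == "permit"
    return False  # implicit deny at the end of every ACL

def _permits(acl_entries, style):
    parsed = (parse_ip_entry(e, style) for e in acl_entries)
    return {(p[1], p[2]) for p in parsed if p and p[0] == "permit"}

def acls_mirror(ios_entries, asa_entries):
    """Crypto ACLs must be exact mirrors: each side's (src, dst) is the other's (dst, src)."""
    return _permits(ios_entries, "wildcard") == {(d, s) for s, d in _permits(asa_entries, "netmask")}

def deny_any_precedes_permits(acl_entries):
    """ACL entries are evaluated top-down, so a leading 'deny ip any any' shadows every permit."""
    for e in acl_entries:
        t = e.split()
        if t[0] == "permit":
            return False
        if t == ["deny", "ip", "any", "any"]:
            return True
    return False

if __name__ == "__main__":
    for code, msg in check_peers():
        print(f"{code}: {msg}")
    print("temp-in shadows IKE/ESP:", deny_any_precedes_permits(ios_acl(ROUTER_CFG, "temp-in")))
    print("crypto ACLs mirror:", acls_mirror(ios_acl(ROUTER_CFG, "ipsec-rule"), asa_acl(ASA_CFG, "outside_5_cryptomap")))
    print("router->ASA ping is interesting:", is_interesting(ios_acl(ROUTER_CFG, "ipsec-rule"), "70.64.100.252", "70.24.100.105"))
```

On the values as posted, the checker reports that the router's `set peer` equals its own FastEthernet0 address, that neither the router's peer nor its ISAKMP key binding is the ASA's outside address 70.24.100.105, and that neither the ASA's `set peer` nor its L2L tunnel-group name is the router's 70.64.100.252; it also reports that `temp-in` starts with `deny ip any any`, which on an inbound interface ACL drops the ISAKMP and ESP packets the later entries were meant to permit. The two crypto ACLs do mirror each other (172.24.105.0/24 to any on the router, any to 172.24.105.0/24 on the ASA). For the ping question, a packet sourced from the router's own 70.64.100.252 is not interesting traffic because `ipsec-rule` only permits sources in 172.24.105.0/24; a ping sourced from that subnet would be, and the posted router config shows no interface with an address in it (only a DHCP pool).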
ASKER CERTIFIED SOLUTION
rschnitzer