Cisco VPN Tunnel

762 Views
Last Modified: 2012-04-25
Experts,

I need some help please, trying to create a VPN tunnel between a Cisco ASA 5510 and a Cisco 1811 router.

Below are the configs:

When I do a sh crypto isakmp sa from the ASA, no tunnel/peer is present, and the same: no peer. Should the tunnel be listed, as waiting for response?

No tunnel either when I issue this command: sh crypto ipsec sa
Any suggestions?

If I am telnet'd into the router and I ping 70.24.100.105, the ASA, is this enough for interesting traffic?

Thanks for any help

Router config

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 16384 informational
no logging console

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST-5 0
!
!
dot11 syslog
ip source-route
!
!
!
ip dhcp pool test
   network 172.24.105.0 255.255.255.0
   option 150 ip 172.24.225.224 172.24.225.223
   
!
!
ip cef

no ipv6 cef
!
multilink bundle-name authenticated
!
!
!

!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  address 70.64.100.105
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-tunnel 1 ipsec-isakmp
 set peer 70.64.100.252
 set transform-set esp-3des-sha
 match address ipsec-rule



archive
 log config
  hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
 ip address 70.64.100.252 255.255.255.0
 ip access-group temp-in in
 ip access-group temp-out out
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 crypto map ipsec-tunnel
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.64.100.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat-out interface FastEthernet0 overload
!
ip access-list extended temp-in
 deny   ip any any
 permit udp host 70.64.100.105 eq isakmp host 70.64.100.252 eq isakmp
 permit esp host 70.64.100.105 host 12.164.100.252
ip access-list extended temp-out
 permit udp host 70.64.100.252 eq isakmp host 70.64.100.105 eq isakmp
 permit esp host 70.64.100.252 host 70.64.100.105
 deny   ip any any
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
 deny   ip any any
ip access-list extended nat-out
 deny   ip 172.24.105.0 0.0.0.255 any
 permit ip any any

ASA config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 70.24.100.105 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 99
 ip address 9.3.23.1 255.255.255.248 standby 9.3.23.2
!
interface Ethernet0/2
 
interface Ethernet0/3
 
!
interface Management0/0
 !
boot system disk0:/asa823-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list any172 extended permit ip 172.24.105.0 255.255.255.0 any
access-list outside_5_cryptomap extended permit ip any 172.24.105.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dev 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit attack action alarm drop
failover
failover lan unit primary
failover lan interface state Management0/0
failover replication http
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside) 10 70.24.100.200-70.24.100.230
global (outside) 10 70.24.100.117
nat (inside) 0 access-list any172
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
nat (dev) 0 access-list any172
nat (dev) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group wan_access_in in interface dev
!
router eigrp 100
 no auto-summary
 eigrp router-id 9.3.23.1
 network 10.3.3.0 255.255.255.248
 redistribute static metric 1000000 10 255 1 1500
!
route outside 0.0.0.0 0.0.0.0 12.164.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.64.100.252
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy abc-site-to-site internal
group-policy abc-site-to-site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy abc internal
group-policy abc attributes
 split-tunnel-policy tunnelall
group-policy abc_LOCAL internal
group-policy abc_LOCAL attributes
group-policy DfltGrpPolicy attributes
 
tunnel-group abc type remote-access
tunnel-group abc general-attributes
 address-pool abc_VPN
 default-group-policy abc
tunnel-group abc ipsec-attributes
 pre-shared-key
tunnel-group abc_LOCAL type remote-access
tunnel-group abc_LOCAL general-attributes
 address-pool abc_VPN
 default-group-policy abc_LOCAL
tunnel-group abc_LOCAL ipsec-attributes
 pre-shared-key
tunnel-group abc_IPsec type remote-access
tunnel-group abc_IPsec general-attributes
 address-pool abc_VPN
 authentication-server-group LDAP
 default-group-policy abc_IPsec
tunnel-group abc_IPsec ipsec-attributes
 pre-shared-key
tunnel-group 172.24.100.252 type ipsec-l2l
tunnel-group 172.24.100.252 general-attributes
 default-group-policy abc-site-to-site
tunnel-group 172.24.100.252 ipsec-attributes
 pre-shared-key !
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp strict
  inspect ip-options
  inspect sip
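The two configs above have to agree on a handful of settings before any IKE exchange can start: each side's peer address must be the other side's crypto-map interface address, the router's pre-shared-key address and the ASA's ipsec-l2l tunnel-group must name those same addresses, the transform sets must match, and the crypto ACLs must be mirror images. Whether a packet is "interesting" is simply whether it hits a permit entry of the router's crypto ACL. The script below is an added example, not code from the question, its answers or Cisco: it parses crypto-relevant lines excerpted from the two posted configs (constructed sample input, keys blank as in the post), reports every setting on which the two ends differ, and tests a source/destination pair against the crypto ACL. The names parse_ios, parse_asa, proxy_pair, check_pair and is_interesting are the example's own.

```python
"""Added example (not from the question, its answers or Cisco): consistency check
for an IKEv1 site-to-site crypto map between an IOS router and an ASA. check_pair()
reports each setting the two ends disagree on; is_interesting() tests a packet
against the router's crypto ACL, i.e. whether it would trigger IKE for the tunnel."""
import ipaddress
import re

# Constructed sample input: crypto-relevant lines excerpted from the posted configs.
IOS_CFG = """\
crypto isakmp key  address 70.64.100.105
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map ipsec-tunnel 1 ipsec-isakmp
 set peer 70.64.100.252
 set transform-set esp-3des-sha
 match address ipsec-rule
interface FastEthernet0
 ip address 70.64.100.252 255.255.255.0
 crypto map ipsec-tunnel
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
"""
ASA_CFG = """\
interface Ethernet0/0
 nameif outside
 ip address 70.24.100.105 255.255.255.0
access-list outside_5_cryptomap extended permit ip any 172.24.105.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.64.100.252
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group 172.24.100.252 type ipsec-l2l
"""

def first(pattern, text):
    """First capture group of a multi-line regex match (raises if absent)."""
    return re.search(pattern, text, re.M).group(1)

def transform_sets(text):
    """transform-set name -> frozenset of its ESP algorithms (same syntax on both)."""
    return {m.group(1): frozenset(m.group(2).split()) for m in
            re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M)}

def proxy_pair(toks, i):
    """SRC DST of a 'permit ip' entry starting at toks[i] -> (src_net, dst_net).
    ipaddress reads an ASA netmask (/255.255.255.0) and an IOS wildcard (/0.0.0.255,
    a host mask) alike, so both ACL dialects need no special casing."""
    nets = []
    for _ in range(2):
        if toks[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False))
            i += 2
    return tuple(nets)

def parse_ios(text):
    """Router side: peer, PSK peer address, transform set, crypto-map interface IP, crypto ACL permits."""
    map_name = re.escape(first(r"^crypto map (\S+) \d+ ipsec-isakmp", text))
    acl_name = re.escape(first(r"^ match address (\S+)", text))
    acl = first(rf"^ip access-list extended {acl_name}\n((?: .*\n)*)", text)
    return {
        "peer": first(r"^ set peer (\S+)", text),
        "psk_addr": first(r"^crypto isakmp key .*?address (\S+)", text),
        "transform": transform_sets(text)[first(r"^ set transform-set (\S+)", text)],
        "local_ip": first(rf"^interface \S+\n(?: .*\n)*? ip address (\S+) \S+\n(?: .*\n)*? crypto map {map_name}$", text),
        "acl": [proxy_pair(t, 2) for t in map(str.split, acl.splitlines()) if t[:2] == ["permit", "ip"]],
    }

def parse_asa(text):
    """ASA side: same keys, plus the names of its ipsec-l2l tunnel-groups."""
    acl_name = re.escape(first(r"^crypto map \S+ \d+ match address (\S+)", text))
    nameif = re.escape(first(r"^crypto map \S+ interface (\S+)", text))
    return {
        "peer": first(r"^crypto map \S+ \d+ set peer (\S+)", text),
        "transform": transform_sets(text)[first(r"^crypto map \S+ \d+ set transform-set (\S+)", text)],
        "local_ip": first(rf"^ nameif {nameif}\n(?: .*\n)*? ip address (\S+)", text),
        "l2l_groups": re.findall(r"^tunnel-group (\S+) type ipsec-l2l", text, re.M),
        "acl": [proxy_pair(m.split(), 0) for m in
                re.findall(rf"^access-list {acl_name} extended permit ip (.+)$", text, re.M)],
    }

def check_pair(ios, asa):
    """One message per setting the two ends disagree on; [] means consistent."""
    checks = [
        (ios["peer"] == asa["local_ip"], f"router 'set peer {ios['peer']}' is not the ASA outside address {asa['local_ip']}"),
        (ios["psk_addr"] == asa["local_ip"], f"router 'crypto isakmp key ... address {ios['psk_addr']}' is not the ASA outside address"),
        (asa["peer"] == ios["local_ip"], f"ASA 'set peer {asa['peer']}' is not the router's crypto-map interface {ios['local_ip']}"),
        (ios["local_ip"] in asa["l2l_groups"], f"ASA has no 'tunnel-group {ios['local_ip']} type ipsec-l2l' (found {asa['l2l_groups']})"),
        (ios["transform"] == asa["transform"], "transform sets differ"),
        ({(d, s) for s, d in ios["acl"]} == set(asa["acl"]), "crypto ACLs are not mirror images of each other"),
    ]
    return [msg for ok, msg in checks if not ok]

def is_interesting(acl, src, dst):
    """True if a src->dst packet hits a permit entry of the crypto ACL (denies/order not modelled)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)

if __name__ == "__main__":
    print(*check_pair(parse_ios(IOS_CFG), parse_asa(ASA_CFG)), sep="\n")
```

Run as a script it prints one line per disagreement found between the two excerpts (addresses are compared exactly as they appear in the posted text). The ACL check uses the packet's real source address: a plain ping from the router is sourced from its egress interface, so whether it matches depends on whether that interface address falls inside a source network of the crypto ACL, which is why is_interesting() takes the source explicitly.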