jac1991

asked on

Cisco VPN Tunnel

Experts,

I need some help please. I am trying to create a VPN tunnel between a Cisco ASA 5510 and a Cisco 1811 router.

Below are the configs.

When I do a sh crypto isakmp sa from the ASA, no tunnel/peer is present, and the same for the router: no peer. Should the tunnel be listed, as waiting for a response?

No tunnel either when I issue this command: sh crypto ipsec sa
Any suggestions?

If I am telnetted into the router and I ping 70.24.100.105 (the ASA), is this enough for interesting traffic?

Thanks for any help

Router config

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 16384 informational
no logging console

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST-5 0
!
!
dot11 syslog
ip source-route
!
!
!
ip dhcp pool test
   network 172.24.105.0 255.255.255.0
   option 150 ip 172.24.225.224 172.24.225.223
   
!
!
ip cef

no ipv6 cef
!
multilink bundle-name authenticated
!
!
!

!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key  address 70.64.100.105
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map ipsec-tunnel 1 ipsec-isakmp
 set peer 70.64.100.252
 set transform-set esp-3des-sha
 match address ipsec-rule



archive
 log config
  hidekeys
!
!
ip ssh version 1
!
!
!
interface FastEthernet0
 ip address 70.64.100.252 255.255.255.0
 ip access-group temp-in in
 ip access-group temp-out out
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 crypto map ipsec-tunnel
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.64.100.1
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat-out interface FastEthernet0 overload
!
ip access-list extended temp-in
 deny   ip any any
 permit udp host 70.64.100.105 eq isakmp host 70.64.100.252 eq isakmp
 permit esp host 70.64.100.105 host 12.164.100.252
ip access-list extended temp-out
 permit udp host 70.64.100.252 eq isakmp host 70.64.100.105 eq isakmp
 permit esp host 70.64.100.252 host 70.64.100.105
 deny   ip any any
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
 deny   ip any any
ip access-list extended nat-out
 deny   ip 172.24.105.0 0.0.0.255 any
 permit ip any any
ASA config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 70.24.100.105 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 99
 ip address 9.3.23.1 255.255.255.248 standby 9.3.23.2
!
interface Ethernet0/2
 
interface Ethernet0/3
 
!
interface Management0/0
 !
boot system disk0:/asa823-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup dmz
dns server-group DefaultDNS
 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list any172 extended permit ip 172.24.105.0 255.255.255.0 any
access-list outside_5_cryptomap extended permit ip any 172.24.105.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dev 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit attack action alarm drop
failover
failover lan unit primary
failover lan interface state Management0/0
failover replication http
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat-control
global (outside) 10 70.24.100.200-70.24.100.230
global (outside) 10 70.24.100.117
nat (inside) 0 access-list any172
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
nat (dev) 0 access-list any172
nat (dev) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group wan_access_in in interface dev
!
router eigrp 100
 no auto-summary
 eigrp router-id 9.3.23.1
 network 10.3.3.0 255.255.255.248
 redistribute static metric 1000000 10 255 1 1500
!
route outside 0.0.0.0 0.0.0.0 12.164.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 12.64.100.252
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy abc-site-to-site internal
group-policy abc-site-to-site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy abc internal
group-policy abc attributes
 split-tunnel-policy tunnelall
group-policy abc_LOCAL internal
group-policy abc_LOCAL attributes
group-policy DfltGrpPolicy attributes
 
tunnel-group abc type remote-access
tunnel-group abc general-attributes
 address-pool abc_VPN
 default-group-policy abc
tunnel-group abc ipsec-attributes
 pre-shared-key
tunnel-group abc_LOCAL type remote-access
tunnel-group abc_LOCAL general-attributes
 address-pool abc_VPN
 default-group-policy abc_LOCAL
tunnel-group abc_LOCAL ipsec-attributes
 pre-shared-key
tunnel-group abc_IPsec type remote-access
tunnel-group abc_IPsec general-attributes
 address-pool abc_VPN
 authentication-server-group LDAP
 default-group-policy abc_IPsec
tunnel-group abc_IPsec ipsec-attributes
 pre-shared-key
tunnel-group 172.24.100.252 type ipsec-l2l
tunnel-group 172.24.100.252 general-attributes
 default-group-policy abc-site-to-site
tunnel-group 172.24.100.252 ipsec-attributes
 pre-shared-key !
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp strict
  inspect ip-options
  inspect sip
Robert Sutton Jr

To this section on the ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

You might want to add:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Also, on the router I see no ACL to specify what traffic to encrypt.

HTH,

|T|W|
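A point worth checking before adding policies: IKEv1 peers never compare policy priority numbers, which are local to each box; they compare the parameters (authentication, encryption, hash, DH group), and lifetime only has to be compatible (the shorter one wins). The script below is an added example, my code rather than anything from this thread or from Cisco. It parses the crypto isakmp policy blocks out of an IOS config and an ASA config, fills in platform defaults for attributes a block leaves out (the IOS 12.4 and ASA 8.2 defaults as I know them; confirm on your release with show crypto isakmp policy), and reports which pair of policies a negotiation would settle on. The sample input is constructed from the router policy 5 and ASA policy 10 posted above, with a placeholder pre-shared key, plus an AES-only ASA policy to show what a failed match looks like.

```python
"""Phase-1 (IKEv1/ISAKMP) proposal matcher for an IOS router and an ASA.
Added example for this thread; not code from either device or from Cisco."""
import re

# Platform defaults applied when a policy block omits an attribute.
# ASSUMPTION: these are the IOS 12.4 and ASA 8.2 defaults as I know them;
# confirm on your release with 'show crypto isakmp policy'.
IOS_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                "hash": "sha", "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                "hash": "sha", "group": "2", "lifetime": "86400"}

ALIASES = {"encr": "encryption"}                  # IOS abbreviates the keyword
MATCH_KEYS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config, defaults):
    """Return {priority: {attr: value}} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = int(m.group(1))
            policies[current] = dict(defaults)
            continue
        if current is not None and raw[:1].isspace():
            parts = raw.split()
            if len(parts) == 2:
                key = ALIASES.get(parts[0], parts[0])
                if key in policies[current]:
                    policies[current][key] = parts[1].lower()
            continue
        current = None                 # any non-indented line closes the block
    return policies


def negotiate(initiator, responder):
    """Model IKEv1 policy selection: the initiator offers every policy it has;
    the responder walks its own policies in priority order and accepts the
    first whose authentication/encryption/hash/group all agree. Priority
    numbers are local to each box and are never compared. Lifetime need not
    match: the shorter of the two is used. Returns
    (initiator_priority, responder_priority, agreed_parameters) or None."""
    for rpri in sorted(responder):
        for ipri in sorted(initiator):
            mine, theirs = initiator[ipri], responder[rpri]
            if all(mine[k] == theirs[k] for k in MATCH_KEYS):
                agreed = {k: mine[k] for k in MATCH_KEYS}
                agreed["lifetime"] = str(min(int(mine["lifetime"]),
                                             int(theirs["lifetime"])))
                return ipri, rpri, agreed
    return None


# Constructed input modelled on the two policies posted in the thread.
# The pre-shared key is a placeholder; the thread does not show it.
ROUTER_CFG = """\
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER address 70.64.100.105
"""
ASA_CFG = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
"""
# Constructed counter-example: an ASA that only offers AES-256 / group 5.
ASA_AES_ONLY = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
"""

if __name__ == "__main__":
    router = parse_isakmp_policies(ROUTER_CFG, IOS_DEFAULTS)
    asa = parse_isakmp_policies(ASA_CFG, ASA_DEFAULTS)
    print("router policies:", router)
    print("asa policies:   ", asa)
    print("router -> asa:  ", negotiate(router, asa))
    print("router -> aes-only asa:",
          negotiate(router, parse_isakmp_policies(ASA_AES_ONLY, ASA_DEFAULTS)))
```

Run as a script it reports that router policy 5 and ASA policy 10 already agree on every parameter, and that the AES-only variant produces no match at all. When the real boxes disagree, debug crypto isakmp on the responder shows the same thing as "no acceptable proposal" style messages; the script is just a way to see it from the configs before touching the devices.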
ASKER CERTIFIED SOLUTION
rschnitzer

This solution is only available to members.
jac1991

ASKER

Thanks, I fixed the tunnel; however, no traffic is passing.

Could you suggest any troubleshooting steps?

Thanks a lot!
jac1991

ASKER

sh crypto isakmp sa and sh crypto ipsec sa indicate that the tunnel is up on each end.

Along with any troubleshooting steps, could anyone suggest a good NAT study guide? I unfortunately admit I am a bit confused.

Thanks a lot.
jac1991

ASKER

Is there a command that will verify NAT? sh nat interface name?

I thought there used to be a command sh nat interface detail; this command is not on my version.

Should I do a clear xlate?

If you haven't already, I think you'll want to reverse the access-list you're using for NAT:


access-list any172 extended permit ip 172.24.105.0 255.255.255.0 any

should probably be:

access-list any172 extended permit ip any 172.24.105.0 255.255.255.0

This would bring your no-NAT access-list in line with your crypto-map access-list.

Regards,

Ryan
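The reversal Ryan describes is easy to get wrong by hand, so here is an added example (my code, not from this thread or from Cisco) that checks it from the configs. It parses the crypto ACLs out of both devices, normalises IOS wildcard masks and ASA netmasks into networks, and verifies two things: that the router's ipsec-rule ACL is the exact mirror of the ASA's outside_5_cryptomap ACL, and that every permit in the ASA crypto ACL is covered, in the same direction, by the nat 0 exemption ACL. The sample input is constructed from the ACLs posted in the thread; any172_fixed is the reversed version Ryan suggests, and that name is mine, chosen for illustration.

```python
"""Crypto-ACL mirror check and ASA NAT-exemption check for a site-to-site
IPsec tunnel between an IOS router and an ASA.
Added example for this thread; not code from either device or from Cisco."""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # tokens after the operator

def _net(addr, mask, wildcard):
    """Build an IPv4Network from 'addr mask'. IOS ACLs use inverse (wildcard)
    masks, ASA ACLs use ordinary netmasks, so invert first when wildcard=True."""
    if wildcard:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _take_addr(tok, i, wildcard):
    """Consume one address spec (any | host A | A MASK) and any port qualifier
    that follows it; return (network, index_of_next_token)."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:
        net, i = _net(tok[i], tok[i + 1], wildcard), i + 2
    if i < len(tok) and tok[i] in PORT_OPS:     # ports do not matter for mirroring
        i += 1 + PORT_OPS[tok[i]]
    return net, i

def _ace(tok, wildcard):
    """tok starts at the action: permit|deny PROTO SRC [port] DST [port]."""
    src, i = _take_addr(tok, 2, wildcard)
    dst, _ = _take_addr(tok, i, wildcard)
    return Ace(tok[0], tok[1], src, dst)

def parse_ios_acls(config):
    """'ip access-list extended NAME' blocks with indented permit/deny lines."""
    acls, name = {}, None
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
            acls[name] = []
        elif name and raw[:1].isspace() and tok and tok[0] in ("permit", "deny"):
            acls[name].append(_ace(tok, wildcard=True))
        elif not raw[:1].isspace():
            name = None                      # blank line or '!' ends the block
    return acls

def parse_asa_acls(config):
    """'access-list NAME extended permit|deny ...', one ACE per line."""
    acls = {}
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and len(tok) > 3 and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(_ace(tok[3:], wildcard=False))
    return acls

def unmirrored(local, remote):
    """Permit ACEs in `local` with no permit ACE in `remote` that has the same
    protocol and source/destination swapped. An empty list means the two
    crypto ACLs mirror each other, which phase 2 requires."""
    remote_pairs = {(a.proto, a.src, a.dst) for a in remote if a.action == "permit"}
    return [a for a in local
            if a.action == "permit" and (a.proto, a.dst, a.src) not in remote_pairs]

def nat0_gaps(crypto, nat0):
    """Permit ACEs in the ASA crypto ACL that no 'nat 0 access-list' ACE covers
    in the same direction. The ASA applies outbound NAT before the crypto-map
    check, so anything not exempted is translated first and never matches."""
    def covered(c):
        return any(n.action == "permit" and n.proto in ("ip", c.proto)
                   and c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst)
                   for n in nat0)
    return [c for c in crypto if c.action == "permit" and not covered(c)]

# Constructed input: the crypto ACLs from the thread, plus the nat-exemption
# ACL both as originally posted (any172) and reversed (any172_fixed, my name).
ROUTER_CFG = """\
ip access-list extended ipsec-rule
 permit ip 172.24.105.0 0.0.0.255 any
 deny   ip any any
"""
ASA_CFG = """\
access-list any172 extended permit ip 172.24.105.0 255.255.255.0 any
access-list any172_fixed extended permit ip any 172.24.105.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip any 172.24.105.0 255.255.255.0
"""

def run():
    ios, asa = parse_ios_acls(ROUTER_CFG), parse_asa_acls(ASA_CFG)
    crypto = asa["outside_5_cryptomap"]
    return {"unmirrored": unmirrored(ios["ipsec-rule"], crypto),
            "nat0_gaps_original": nat0_gaps(crypto, asa["any172"]),
            "nat0_gaps_fixed": nat0_gaps(crypto, asa["any172_fixed"])}

if __name__ == "__main__":
    for check, aces in run().items():
        print(f"{check}: {'OK' if not aces else aces}")
```

Run as a script it prints OK for the mirror check and for the reversed exemption ACL, and lists the one crypto ACE that the original any172 leaves uncovered. The router side already has its exemption: the nat-out ACL denies 172.24.105.0/24 to any, and in an IOS NAT ACL a deny means "do not translate", which is exactly what traffic bound for the tunnel needs.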
The following article from Cisco outlines (and gives an overview table) of the order of operations of NAT.  I've found it very helpful in the past:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

And then Cisco also has this article on how NAT works that can be helpful:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml

Regards,

Ryan
jac1991
ASKER

Thanks a lot.

Two more questions. I need to add another network to the ASA that is reachable from the router.

I need to add 15.15.200.0; I need this reachable for all networks attached to the ASA. Could you give me an example of how to do this?

Are there any ports that need to be opened up to allow voice traffic?

Thanks a lot!
Because you're currently sending all traffic from 172.24.105.0 255.255.255.0 across the VPN from the router to the ASA, you probably won't need to change anything on the router.

On the ASA, if you really want all the networks attached to the ASA to reach the 15.15.200.0 subnet, you'll want to configure another interface on the ASA with an address in that subnet, and make its security level something between 0 and 50.  The DMZ interface will have a security level of 50, the inside interface has a security level of 100, and the outside interface will have a security level of 0.  Any interface with a higher security level number can pass traffic to an interface with a lower security level without having to add any access-list to permit the traffic.

Once you have the ASA interface configured as you like it, you should be able to pass traffic from that subnet to the router across the VPN, since your access-list is quite broad.  You may want to consider using a different subnet, since 15.x.x.x is not a private subnet.  Consider using 10.x.x.x, 172.16.x.x, or 192.168.x.x.

As for whether anything needs to be opened to allow voice traffic across the VPN in its current configuration, I don't believe so.  If you want to allow voice traffic in from the internet, I would suggest opening a second question, specifying your phone system information and the protocols being used.

Best regards,

Ryan
jac1991
ASKER

Thanks,

Just to clarify, the 15 network is for voice. I can ping this from the switch and router but not the ASA. The phones are not getting an IP.

I cannot ping the 15 network from the ASA.

I assume I have to add the network to the ASA, or is there a trunk issue on the router?

Thanks, I will open another question for you too if you'd like; I just need clarification on whether you think this issue is an access-list or trunk issue.

Thanks a lot.
Are you getting the 15.15.200.x IP addresses from your ISP?  If not, you should consider using one of the subnets I mentioned in my last post, as 15.15.200.x is a publicly routable network and could possibly cause you headaches in the future.

I would suggest creating a dhcp pool for 172.16.16.0 255.255.255.0 on your ASA and use that to address your phones.  Whichever subnet you use for your phones, you'll want to have an interface on the ASA configured with an IP in that subnet.  If your phones are located on the same LAN segment as your computers that are using 10.0.0.x, it'll be a little more involved.

I noticed that in your earlier config your nat statements are natting traffic sourced from the same subnet 10.0.0.0 on three interfaces.  You can only have the 10.0.0.0 network on one of the interfaces of the ASA, so this nat configuration may not be what you want.  Just thought I'd point that out, you may have already corrected it.

Regards,

Ryan
jac1991
ASKER

Thanks