Techrunner
Site to Site VPN Cisco ASA and Cisco Router

Hello Experts,
I have configured a site-to-site IPsec VPN between our Cisco ASA and a Cisco router. The VPN is up, but I cannot ping the devices at either site from the other. I don't know what's wrong with the configuration. I have Remote Access VPN configured on our ASA for Cisco AnyConnect and the Cisco VPN Client.


Router Configuration

hostname Router
!

!
!
ip cef
!
!
!
username admin privilege 15 password 0 come$takeit
!
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
crypto isakmp key cisco123 address 1.1.1.1
!
!
crypto ipsec transform-set test esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set transform-set test
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.16.8 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip access-group 101 out
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname **************
 ppp chap password 7 ************************
 ppp pap sent-username ********************************
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.16.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 101 remark SDM_ACL Category=19
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.16.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.3.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login local
!
scheduler max-task-time 5000
end


ASA Configuration

access-list Outside_1_cryptomap line 1 extended permit ip 10.1.2.0 255.255.255.0 192.168.16.0 255.255.252.0
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
  pre-shared-key **********
  isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 2.2.2.2
crypto map Outside_map 1 set transform-set ESP-AES-128-SHA


Any help please?

Thanks
lisarao

Security Appliance license must be enabled for Data Encryption Standard (DES) encryption

Check if you have ASDM Configured on ASA interface

else download and install Cisco ASDM.

Once it's installed you have plenty of ways to configure.

Check this and reply back.
Techrunner

ASKER

I have no idea what you are talking about

I have a problem pinging the sites.
Pete Long

>>I have no idea what you are talking about

<grin>

Don't forget that ping is disabled on the ASA unless you have enabled ICMP in the inspection map

I'm quite weak on the router IOS (sorry)

Try to bring up the tunnel, then on the ASA issue a show cry isa command to see if phase 1 has established.
Akinsd

Check if the "interesting traffic" (the 2 networks communicating) is exempted from NAT.

Run a capture on the ASA and see if you see traffic on the inside and outside interface. If you see both, then the traffic is not passing through the tunnel. You should only see traffic on the inside.

The tunnel formation is one thing (between 2 end points), while the traffic passing through the tunnel is another.
anoopkmr

A few things we have to check:

a) Do you have NAT enabled on the ASA? If so, exempt the VPN traffic from the NAT and try the connectivity.
b) Check that the routing on the LAN devices on both sides is proper; the devices on both sides should have a proper gateway to reach each other's LAN.
c) If only ping is not working: inspect ICMP in the ASA and try.
d) Enable NAT traversal on the ASA and try: crypto isakmp nat-trav 60
e) Remove access-list 101 from the router's Dialer interface and try.

If you are still facing issues even after doing all the workarounds, kindly show the output of
show crypto isakmp sa and show crypto ipsec sa from the router and the ASA.
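The last checklist item above (removing access-list 101 from the router's Dialer interface) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses the relevant lines of the posted router config and flags an interface whose outbound access-group denies the same flow its crypto map selects for encryption. The config excerpt is a constructed copy of the question's lines, and the function names and the containment-based match test are my own choices.

```python
import ipaddress
# Constructed sample: the relevant lines of the router config posted in the question.
ROUTER_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
interface Dialer1
 ip access-group 101 out
 crypto map SDM_CMAP_1
access-list 100 permit ip 192.168.16.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 101 deny   ip 192.168.16.0 0.0.3.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 192.168.16.0 0.0.3.255 any
"""

def take_addr(toks):  # one IOS ACL address spec ('any' or 'A.B.C.D wildcard') -> (network, remaining tokens)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks[1])))  # wildcard -> netmask
    return ipaddress.ip_network(f"{toks[0]}/{mask}", strict=False), toks[2:]
def parse_config(cfg):
    """Return ({acl: [(action, src, dst)]}, {iface: {acl_out, crypto_map}}, {crypto map: [match acls]})."""
    acls, ifaces, maps, block = {}, {}, {}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2] in ("permit", "deny") and t[3] == "ip":
            src, rest = take_addr(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, take_addr(rest)[0]))
        elif t[:1] == ["interface"]:
            block, ifaces[t[1]] = t[1], {}
        elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
            block = t[2]
        elif not line.startswith(" ") or not block:
            block = None  # any other top-level line ends the current indented block
        elif t[:2] == ["ip", "access-group"] and t[-1] == "out":
            ifaces[block]["acl_out"] = t[2]
        elif t[:2] == ["crypto", "map"]:
            ifaces[block]["crypto_map"] = t[2]
        elif t[:2] == ["match", "address"]:
            maps.setdefault(block, []).append(t[2])
    return acls, ifaces, maps
def interface_acls_blocking_vpn(cfg):
    """(interface, acl, flow) where the outbound interface ACL denies a flow the crypto map would encrypt. IOS checks
    the output ACL on the clear-text packet before IPsec encapsulation, so such a flow never enters the tunnel."""
    acls, ifaces, maps = parse_config(cfg)
    findings = []
    for ifname, p in ifaces.items():
        flows = [e[1:] for n in maps.get(p.get("crypto_map"), []) for e in acls.get(n, []) if e[0] == "permit"]
        for src, dst in flows:  # first-match: the first ACL entry whose networks contain the flow decides
            first = next((a for a, s, d in acls.get(p.get("acl_out"), []) if src.subnet_of(s) and dst.subnet_of(d)), None)
            if first == "deny":
                findings.append((ifname, p["acl_out"], f"{src} -> {dst}"))
    return findings
```

Running it against the excerpt reports Dialer1 with ACL 101 for the 192.168.16.0/22 to 10.1.2.0/24 flow, and reports nothing once the access-group line is removed.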
ASKER CERTIFIED SOLUTION
mannyfernandez
