ASA to Cisco Router IPSEC VPN

Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Anybody do a lot of these? I am having a problem. Tunnel won't turn up (won't get past phase one). This is in my test environment between a Cisco ASA 5520 and a 2801. Take a look here:

ASA:
crypto ipsec transform-set Router2ASA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CryptoMap2Router 1 match address CryptoMap2Router
crypto map CryptoMap2Router 1 set peer X.X.X.9
crypto map CryptoMap2Router 1 set transform-set Router2ASA
crypto map CryptoMap2Router interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group XX.XX.XX.X9 type ipsec-l2l
tunnel-group XX.XX.XX.x9 ipsec-attributes
 pre-shared-key *****

access-list CryptoMap2Router extended permit ip 192.168.9.0 255.255.255.0 10.0.100.0 255.255.255.0



Router:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key X.X.X.X address X.X.X.X8 no-xauth
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ASAROUTER esp-aes 256 esp-sha-hmac
!
crypto map Router2ASA 1 ipsec-isakmp
 set peer X.X.X.X8
 set transform-set ASAROUTER
 match address VPN
!


ip access-list extended VPN
 permit ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255



I keep getting these messages on the Cisco router:

*Sep 20 21:51:36.354: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from X.X.X.58 was not encrypted and it should've been.



I think it has something to do with killing the NATs between the two boxes like I have done here on the Cisco router:

ip access-list extended Nat
 deny   ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 10.0.100.0 0.0.0.255 any

I can't figure out how to do the same thing on the ASA (using 8.3). Anybody see anything I totally messed up?
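Since the tunnel never gets past phase one, the first thing to rule out is an ISAKMP proposal mismatch. The following is an added example (not from the post or from Cisco) that parses the "crypto isakmp policy" blocks from both configs above, fills in the IOS defaults the router config relies on (hash sha, lifetime 86400) so the two syntaxes can be compared, and reports which priority pairs actually agree on encryption, hash, DH group and authentication. Config samples are copied from the post; the function and variable names are my own.

```python
# IOS shows only non-default attributes, so start from its defaults; an ASA
# prints every attribute, so for ASA configs these are simply overwritten.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                "authentication": "rsa-sig", "lifetime": "86400"}
ALIASES = {"encr": "encryption"}  # IOS abbreviates 'encryption'

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["crypto", "isakmp", "policy"] and len(tokens) == 4:
            current = policies.setdefault(int(tokens[3]), dict(IOS_DEFAULTS))
        elif current is not None and raw.startswith(" ") and tokens:
            # 'encr aes 256' (IOS) and 'encryption aes-256' (ASA) both become aes-256
            current[ALIASES.get(tokens[0], tokens[0])] = "-".join(tokens[1:])
        else:
            current = None  # any unindented line ends the policy block
    return policies

def matching_policies(side_a, side_b):
    """Priority pairs whose proposals agree; lifetime is negotiated, not matched."""
    keys = ("encryption", "hash", "group", "authentication")
    return [(pa, pb) for pa, a in side_a.items() for pb, b in side_b.items()
            if all(a[k] == b[k] for k in keys)]

# Constructed samples, copied from the ASA and router configs in the post above.
ASA_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
ROUTER_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
"""
if __name__ == "__main__":
    asa, router = parse_isakmp_policies(ASA_CONFIG), parse_isakmp_policies(ROUTER_CONFIG)
    print("router policy 1 with IOS defaults filled in:", router[1])
    print("phase-1 proposals that agree (asa_prio, router_prio):", matching_policies(asa, router))
```

For the configs in this post the proposals do agree (ASA policy 1 with router policy 1), which points away from phase-1 parameters and toward the NAT and pre-shared-key/peer-address checks discussed below.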

Comments

  • unclericounclerico Member Posts: 237 ■■■■□□□□□□
    What does your policy NAT statement look like on the ASA? I recently set up a policy-based VPN between a 5505 and a 2911 and had a hell of a time. I checked configs on both sides about 20 times, I debugged traffic on both sides and it would never get past Phase 1. The thing that fixed it was going from AES to 3DES.
    Preparing for CCIE Written
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I guess I am having a problem doing the policy NAT because I can't figure it out. How did you do it?

    (inside,outside)???? Profit
  • unclericounclerico Member Posts: 237 ■■■■□□□□□□
    Something like this:
    object network obj-local
        subnet 192.168.9.0 255.255.255.0
    
    object network obj-remote
        subnet 10.0.100.0 255.255.255.0
    
    nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
    
    Preparing for CCIE Written
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    OK, so here is what I tried:

    1 (inside) to (outside) source static localnet localnet destination static remotenet remotenet
    translate_hits = 0, untranslate_hits = 0



    Still not working from the Router Side. Can't try it from the ASA side until morning....sigh....


    EDIT: FIXED. Thanks for your help! +Rep for the policy NAT. For the life of me I couldn't figure out how to do what I knew I needed to do. Looking at the syntax, it does make sense.
  • unclericounclerico Member Posts: 237 ■■■■□□□□□□
    No problem. The 8.3+ NAT syntax is so much different than 8.2 and earlier so it definitely takes some getting used to. Thanks for the Rep.
    Preparing for CCIE Written