ASA to Cisco Router IPSEC VPN
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
in Off-Topic
Anybody do a lot of these? I am having a problem. Tunnel won't turn up (won't get past phase one). This is in my test environment between a Cisco ASA 5520 and a 2801. Take a look here:
ASA:
crypto ipsec transform-set Router2ASA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CryptoMap2Router 1 match address CryptoMap2Router
crypto map CryptoMap2Router 1 set peer X.X.X.9
crypto map CryptoMap2Router 1 set transform-set Router2ASA
crypto map CryptoMap2Router interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XX.XX.XX.X9 type ipsec-l2l
tunnel-group XX.XX.XX.x9 ipsec-attributes
 pre-shared-key *****
access-list CryptoMap2Router extended permit ip 192.168.9.0 255.255.255.0 10.0.100.0 255.255.255.0
Router:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key X.X.X.X address X.X.X.X8 no-xauth
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ASAROUTER esp-aes 256 esp-sha-hmac
!
crypto map Router2ASA 1 ipsec-isakmp
 set peer X.X.X.X8
 set transform-set ASAROUTER
 match address VPN
!
ip access-list extended VPN
 permit ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255
I keep getting these messages on the cisco router
*Sep 20 21:51:36.354: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from X.X.X.58 was not encrypted and it should've been.
I think it has something to do with killing the NATs between the two boxes like I have done here on the cisco router:
ip access-list extended Nat
 deny ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 10.0.100.0 0.0.0.255 any
I can't figure out how to do the same thing on the ASA (using 8.3). Anybody see anything I totally messed up?
Comments
-
unclerico Member Posts: 237 ■■■■□□□□□□
What does your policy NAT statement look like on the ASA? I recently set up a policy-based VPN between a 5505 and a 2911 and had a hell of a time. I checked configs on both sides about 20 times, I debugged traffic on both sides and it would never get past Phase 1. The thing that fixed it was going from AES to 3DES.
Preparing for CCIE Written
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I guess I am having a problem doing the policy nat because I can't figure it out. How did you do it?
(inside,outside)???? Profit
-
unclerico Member Posts: 237 ■■■■□□□□□□
Something like this:
object network obj-local
 subnet 192.168.9.0 255.255.255.0
object network obj-remote
 subnet 10.0.100.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
Preparing for CCIE Written
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
Ok so here is what I tried
1 (inside) to (outside) source static localnet localnet destination static remotenet remotenet
translate_hits = 0, untranslate_hits = 0
Still not working from the Router Side. Can't try it from the ASA side until morning....sigh....
EDIT: FIXED. Thanks for your help! +Rep for the policy NAT. For the life of me I couldn't figure out how to do what I knew I needed to do. Looking at the syntax, it does make sense.
-
unclerico Member Posts: 237 ■■■■□□□□□□
No problem. The 8.3+ NAT syntax is so much different than 8.2 and earlier so it definitely takes some getting used to. Thanks for the Rep.
Preparing for CCIE Written
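As an added example (not code from the thread or from either poster), here is a small Python checker that parses constructed ASA and IOS fragments modelled on the configs above and reports the three classes of mismatch this thread turns on: an ISAKMP policy that does not agree on all four attributes (the AES vs 3DES point), crypto ACLs that are not mirror images, and, on the ASA, a missing 8.3 identity NAT for the crypto ACL pair. The object and ACL names come from the posts; the platform defaults it fills in for omitted policy lines (the router post never sets "hash") are assumptions taken from memory of the CLI guides. Python's ipaddress module accepts an ASA netmask and an IOS wildcard mask alike, which is what lets one parser handle both ACL styles.

```python
import ipaddress
import re
# Constructed config fragments modelled on the two posts, trimmed to the crypto and NAT lines.
ASA_BASE = """
crypto ipsec transform-set Router2ASA esp-aes-256 esp-sha-hmac
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
access-list CryptoMap2Router extended permit ip 192.168.9.0 255.255.255.0 10.0.100.0 255.255.255.0
object network obj-local
 subnet 192.168.9.0 255.255.255.0
object network obj-remote
 subnet 10.0.100.0 255.255.255.0
"""
# The 8.3 identity NAT from the thread, kept separate so the ASA config can be checked with and without it.
ASA_NAT_LINE = "nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote\n"
ASA_CONFIG = ASA_BASE + ASA_NAT_LINE
IOS_CONFIG = """
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set ASAROUTER esp-aes 256 esp-sha-hmac
ip access-list extended VPN
 permit ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255
"""
# Assumed platform defaults for an omitted policy line (the router post never sets "hash").
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"}

def _blocks(text):
    """Cisco-style config -> {top-level line: [indented child lines]}."""
    blocks, current = {}, None
    for raw in (ln for ln in text.splitlines() if ln.strip() and not ln.startswith("!")):
        if not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks

def _network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # netmask or wildcard mask

def parse_isakmp_policies(text, defaults):
    """{priority: attrs}; IOS 'encr aes 256' and ASA 'encryption aes-256' both normalize to 'aes-256'."""
    policies = {}
    for header, children in _blocks(text).items():
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if m:
            pol = dict(defaults)
            for key, *val in (line.split() for line in children):
                key = "encryption" if key == "encr" else key
                if key in pol:
                    pol[key] = "-".join(val)
            policies[int(m[1])] = pol
    return policies

def parse_transform_sets(text):
    """{name: frozenset of transforms}; a bare key size ('esp-aes 256') is joined onto its transform."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M):
        sets[m[1]] = frozenset(re.sub(r" (\d+)\b", r"-\1", m[2]).split())
    return sets

def parse_crypto_acl(text, name):
    # (src, dst) pairs from an IOS named ACL or an ASA extended ACL of that name
    blocks = _blocks(text)
    lines = blocks.get(f"ip access-list extended {name}", []) + [
        h.split(" extended ", 1)[1] for h in blocks if h.startswith(f"access-list {name} extended ")]
    matches = (re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line) for line in lines)
    return [(_network(m[1], m[2]), _network(m[3], m[4])) for m in matches if m]

def parse_asa_identity_nat(text):
    # (src, dst) pairs left untranslated by 'source static X X destination static Y Y'
    blocks, objects = _blocks(text), {}
    for header, children in blocks.items():
        o = re.match(r"object network (\S+)$", header)
        subnets = [re.match(r"subnet (\S+) (\S+)$", c) for c in children] if o else []
        objects.update({o[1]: _network(s[1], s[2]) for s in subnets if s})
    nat_re = r"nat \(\S+,\S+\)(?: \d+)? source static (\S+) (\S+) destination static (\S+) (\S+)"
    matches = (re.match(nat_re, h) for h in blocks)
    return [(objects[m[1]], objects[m[3]]) for m in matches
            if m and m[1] == m[2] and m[3] == m[4] and m[1] in objects and m[3] in objects]

def compare(asa_text, ios_text, asa_acl, ios_acl):
    # mismatches that would keep this ASA/IOS tunnel from negotiating or from carrying traffic
    findings = []
    asa_pols = parse_isakmp_policies(asa_text, ASA_DEFAULTS).values()
    ios_pols = parse_isakmp_policies(ios_text, IOS_DEFAULTS).values()
    if not any(a == i for a in asa_pols for i in ios_pols):
        findings.append("phase 1: no ISAKMP policy agrees on encryption/hash/authentication/group")
    if not set(parse_transform_sets(asa_text).values()) & set(parse_transform_sets(ios_text).values()):
        findings.append("phase 2: no common IPsec transform set")
    asa_pairs = parse_crypto_acl(asa_text, asa_acl)
    if set(asa_pairs) != {(dst, src) for src, dst in parse_crypto_acl(ios_text, ios_acl)}:
        findings.append("phase 2: crypto ACLs are not mirror images of each other")
    exempt = set(parse_asa_identity_nat(asa_text))
    findings += [f"nat: no ASA identity NAT for {s} -> {d}, so it is translated before encryption"
                 for s, d in asa_pairs if (s, d) not in exempt]
    return findings
```

compare(ASA_CONFIG, IOS_CONFIG, "CryptoMap2Router", "VPN") returns an empty list for the two fragments; checking ASA_BASE instead (the config without the nat line) yields a single "nat:" finding, and replacing the router's "encr aes 256" with "encr 3des" yields the phase 1 finding. The checker never sees the pre-shared keys or peer addresses, so a tunnel that still fails after it reports nothing needs the isakmp/ipsec debug output rather than another config read.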