ASA 5505 VPN Lab Problem

longhorn79longhorn79 Posts: 48Member ■■□□□□□□□□
Cisco Adaptive Security Appliance Software Version 8.2(5)
Hello I am having a problem with with this lab every thing works fine until i get to the 2nd to last entry.

in the lab we are setting up two firewalls here is the lab

Configurations[h=3]ASA01[/h] object network net-local
subnet 192.168.101.0 255.255.255.0
object network net-remote
subnet 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote ***I get an invlaid error*****
route outside 0 0 192.168.0.1
[h=3]ASA02[/h] object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote *I get an invalid error******
route outside 0 0 192.168.0.1





If anyone has any input it would be helpful.
2012/2013 Certification Goals:
ICND1: Work in progress
ICND2: depends on ICND1
70-640 AD: if I have time

Comments

  • doverdover Posts: 184Member ■■■■□□□□□□
    Longhorn,

    IOS 8.2 and older uses different NAT syntax; the NAT statements you are using are using the new 8.3 and later nat syntax.

    Check out this article to see how (and when) to configure identity nat and/or nat exemption.
    The difference between Identity NAT and NAT Exemption | Cisco Talk

    You should have them up and talking in no time.
  • TheNewITGuyTheNewITGuy Posts: 169Member ■■■■□□□□□□
    yeah look at the static keyword - static (inside,outside) etc etc
  • longhorn79longhorn79 Posts: 48Member ■■□□□□□□□□
    Well here is my config file I am going to try anyone like to proof read my commands???

    ASA01
    hostname ASA01
    interface Ethernet 0/0
    switchport access vlan 2
    no shutdown
    exit
    interface Ethernet 0/1
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/2
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/3
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/4
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/5
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/6
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/7
    switchport access vlan 1
    no shutdown
    exit
    interface vlan2
    nameif outside
    no shutdown
    ip address 192.168.0.11
    exit
    interface vlan1
    nameif inside
    ip address 192.168.101.1 255.255.255.0
    security-level 100
    no shutdown
    exit
    http server enable
    http 192.168.101.0 255.255.255.0 inside
    dhcpd address 192.168.101.2-192.168.101.33 inside
    dhcpd auto_config outside
    dhcpd enable inside
    logging asdm informational




    *****PHASE 1*******
    sysopt connection permit-vpn
    crypto isakmp enable outside
    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encrypt 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400
    tunnel-group 192.168.0.12 type ipsec-l2l
    tunnel-group 192.168.0.12 ipsec-attributes
    pre-shared-key pass1234
    isakmp keepalive threshold 10 retry 2


    ******PHASE 2********


    access-list NONAT permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
    nat (inside) 0 access-list NONAT
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 set peer 192.168.0.12
    crypto map outside_map 1 match address NONAT
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    route outside 0 0 192.168.0.1












    ###### Configuring ASA02


    ASA02
    hostname ASA01
    interface Ethernet 0/0
    switchport access vlan 2
    no shutdown
    exit
    interface Ethernet 0/1
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/2
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/3
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/4
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/5
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/6
    switchport access vlan 1
    no shutdown
    exit
    interface Ethernet 0/7
    switchport access vlan 1
    no shutdown
    exit
    interface vlan2
    nameif outside
    no shutdown
    ip address 192.168.0.12
    exit
    interface vlan1
    nameif inside
    ip address 192.168.102.1 255.255.255.0
    security-level 100
    no shutdown
    exit
    http server enable
    http 192.168.102.0 255.255.255.0 inside
    dhcpd address 192.168.102.2-192.168.102.33 inside
    dhcpd auto_config outside
    dhcpd enable inside
    logging asdm informational


    Configuring Site to Site VPN
    *****PHASE 1******


    sysopt connection permit-vpn
    crypto isakmp enable outside
    crypto isakmp policy 10 authentication pre-share
    crypto isakmp policy 10 encrypt 3des
    crypto isakmp policy 10 hash sha
    crypto isakmp policy 10 group 2
    crypto isakmp policy 10 lifetime 86400
    tunnel-group 192.168.0.11 type ipsec-l2l
    tunnel-group 192.168.0.11 ipsec-attributes
    isakmp keepalive threshold 10 retry 2
    pre-shared-key pass1234


    ****PHASE 2****


    access-list NONAT permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
    nat (inside) 0 access-list NONAT
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 set peer 192.168.0.11
    crypto map outside_map 1 match address NONAT
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    route outside 0 0 192.168.0.1
    2012/2013 Certification Goals:
    ICND1: Work in progress
    ICND2: depends on ICND1
    70-640 AD: if I have time
Sign In or Register to comment.