ASA 5505 VPN Lab Problem

Cisco Adaptive Security Appliance Software Version 8.2(5)
Hello I am having a problem with with this lab every thing works fine until i get to the 2nd to last entry.

in the lab we are setting up two firewalls here is the lab

Configurations[h=3]ASA01[/h] object network net-local
subnet 192.168.101.0 255.255.255.0
object network net-remote
subnet 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote ***I get an invlaid error*****
route outside 0 0 192.168.0.1
[h=3]ASA02[/h] object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote *I get an invalid error******
route outside 0 0 192.168.0.1

If anyone has any input it would be helpful.

l2l_vpn_lab.jpg

Find more posts tagged with

Comments

dover

Longhorn,

IOS 8.2 and older uses different NAT syntax; the NAT statements you are using are using the new 8.3 and later nat syntax.

Check out this article to see how (and when) to configure identity nat and/or nat exemption.
The difference between Identity NAT and NAT Exemption | Cisco Talk

You should have them up and talking in no time.

TheNewITGuy

yeah look at the static keyword - static (inside,outside) etc etc

longhorn79

Well here is my config file I am going to try anyone like to proof read my commands???

ASA01
hostname ASA01
interface Ethernet 0/0
switchport access vlan 2
no shutdown
exit
interface Ethernet 0/1
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/2
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/3
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/4
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/5
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/6
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/7
switchport access vlan 1
no shutdown
exit
interface vlan2
nameif outside
no shutdown
ip address 192.168.0.11
exit
interface vlan1
nameif inside
ip address 192.168.101.1 255.255.255.0
security-level 100
no shutdown
exit
http server enable
http 192.168.101.0 255.255.255.0 inside
dhcpd address 192.168.101.2-192.168.101.33 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

*****PHASE 1*******
sysopt connection permit-vpn
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2

******PHASE 2********

access-list NONAT permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 match address NONAT
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
route outside 0 0 192.168.0.1

###### Configuring ASA02

ASA02
hostname ASA01
interface Ethernet 0/0
switchport access vlan 2
no shutdown
exit
interface Ethernet 0/1
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/2
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/3
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/4
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/5
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/6
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/7
switchport access vlan 1
no shutdown
exit
interface vlan2
nameif outside
no shutdown
ip address 192.168.0.12
exit
interface vlan1
nameif inside
ip address 192.168.102.1 255.255.255.0
security-level 100
no shutdown
exit
http server enable
http 192.168.102.0 255.255.255.0 inside
dhcpd address 192.168.102.2-192.168.102.33 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational

Configuring Site to Site VPN
*****PHASE 1******

sysopt connection permit-vpn
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
isakmp keepalive threshold 10 retry 2
pre-shared-key pass1234

****PHASE 2****

access-list NONAT permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 match address NONAT
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
route outside 0 0 192.168.0.1