ASA 5505 VPN Lab Problem
longhorn79
Member Posts: 48
Cisco Adaptive Security Appliance Software Version 8.2(5)
Hello, I am having a problem with this lab. Everything works fine until I get to the 2nd to last entry.
In the lab we are setting up two firewalls; here is the lab.
Configurations
ASA01
object network net-local
subnet 192.168.101.0 255.255.255.0
object network net-remote
subnet 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote *** I get an invalid error ***
route outside 0 0 192.168.0.1
ASA02
object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote *** I get an invalid error ***
route outside 0 0 192.168.0.1
If anyone has any input it would be helpful.
2012/2013 Certification Goals:
ICND1: Work in progress
ICND2: depends on ICND1
70-640 AD: if I have time
Comments
dover (Member Posts: 184)
Longhorn,
IOS 8.2 and older use a different NAT syntax; the NAT statements you are using follow the new 8.3 and later NAT syntax.
Check out this article to see how (and when) to configure identity nat and/or nat exemption.
The difference between Identity NAT and NAT Exemption | Cisco Talk
You should have them up and talking in no time.
TheNewITGuy (Member Posts: 169)
Yeah, look at the static keyword: static (inside,outside) etc.
longhorn79 (Member Posts: 48)
Well, here is the config file I am going to try. Would anyone like to proofread my commands?
ASA01
hostname ASA01
interface Ethernet 0/0
switchport access vlan 2
no shutdown
exit
interface Ethernet 0/1
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/2
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/3
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/4
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/5
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/6
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/7
switchport access vlan 1
no shutdown
exit
interface vlan2
nameif outside
no shutdown
ip address 192.168.0.11
exit
interface vlan1
nameif inside
ip address 192.168.101.1 255.255.255.0
security-level 100
no shutdown
exit
http server enable
http 192.168.101.0 255.255.255.0 inside
dhcpd address 192.168.101.2-192.168.101.33 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
***** PHASE 1 *****
sysopt connection permit-vpn
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
***** PHASE 2 *****
access-list NONAT permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 match address NONAT
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
route outside 0 0 192.168.0.1
###### Configuring ASA02
ASA02
hostname ASA02
interface Ethernet 0/0
switchport access vlan 2
no shutdown
exit
interface Ethernet 0/1
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/2
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/3
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/4
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/5
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/6
switchport access vlan 1
no shutdown
exit
interface Ethernet 0/7
switchport access vlan 1
no shutdown
exit
interface vlan2
nameif outside
no shutdown
ip address 192.168.0.12
exit
interface vlan1
nameif inside
ip address 192.168.102.1 255.255.255.0
security-level 100
no shutdown
exit
http server enable
http 192.168.102.0 255.255.255.0 inside
dhcpd address 192.168.102.2-192.168.102.33 inside
dhcpd auto_config outside
dhcpd enable inside
logging asdm informational
Configuring Site to Site VPN
***** PHASE 1 *****
sysopt connection permit-vpn
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
isakmp keepalive threshold 10 retry 2
pre-shared-key pass1234
***** PHASE 2 *****
access-list NONAT permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 match address NONAT
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
route outside 0 0 192.168.0.1
2012/2013 Certification Goals:
ICND1: Work in progress
ICND2: depends on ICND1
70-640 AD: if I have time
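As an added example for this thread (not code from any of the posts or from Cisco), the Python script below does the two pre-flight checks the thread is really about: dover's point that a `nat (inside,outside) ... source static` line is 8.3-and-later syntax that an 8.2(5) image rejects (and, the other way round, that `nat (inside) 0 access-list` is not accepted on 8.3+), and a peer-to-peer consistency check of the kind longhorn79 asked for when posting the second config for proofreading (mirrored crypto ACL, each peer address matching the other side's outside IP, matching pre-shared keys, ISAKMP policy and transform set, and distinct hostnames, which catches the `hostname ASA01` left in the ASA02 config). The sample configs are constructed from the thread; the 255.255.255.0 mask on the outside interface is an assumption, since the posted config gives none.

```python
# Added example, not code from the thread or from Cisco: pre-flight checks on
# text copies of two ASA L2L VPN configs. Sample configs are constructed from
# the thread; the /24 mask on the outside interface is an assumption.
import re

def nat_syntax_issues(config, version):
    """Flag NAT lines written for the other syntax family (dover's point)."""
    major, minor = re.match(r"(\d+)\.(\d+)", version).groups()   # "8.2(5)" -> 8, 2
    pre_83, issues = (int(major), int(minor)) < (8, 3), []
    for line in (l.strip() for l in config.splitlines()):
        # 8.3+ twice NAT: nat (in,out) [seq] source static A A destination static B B
        if pre_83 and re.match(r"nat \(\S+,\S+\) (\d+ )?source ", line):
            issues.append(f"8.3+ twice-NAT syntax is invalid on {version}: {line}")
        # pre-8.3 NAT exemption: nat (inside) 0 access-list NONAT
        elif not pre_83 and re.match(r"nat \(\S+\) 0 access-list ", line):
            issues.append(f"pre-8.3 nat 0 syntax is invalid on {version}: {line}")
    return issues

def parse_asa(config):
    """Extract the parts of an L2L VPN config that must agree with the peer's."""
    cfg = {"hostname": None, "ip": {}, "acl": {}, "psk": {}, "policy": {},
           "transform": {}, "map": {}}
    nameif = tunnel_group = None
    for w in (line.split() for line in config.splitlines()):
        if not w:
            continue
        if w[0] == "hostname":
            cfg["hostname"] = w[1]
        elif w[0] == "interface":
            nameif = None                               # new interface block
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            cfg["ip"][nameif] = w[2]
        elif w[0] == "access-list":                     # NAME permit ip SRC SM DST DM
            cfg["acl"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif w[0] == "tunnel-group":
            tunnel_group = w[1]
        elif w[0] == "pre-shared-key" and tunnel_group:
            cfg["psk"][tunnel_group] = w[1]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            cfg["policy"][(w[3], w[4])] = w[5]          # (seq, attribute) -> value
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            cfg["map"][" ".join(w[4:-1])] = w[-1]       # e.g. "set peer" -> address
    return cfg

def peer_symmetry_issues(a, b):
    """Compare two parsed peers; an empty list means the pair is consistent."""
    issues = []
    if a["hostname"] == b["hostname"]:
        issues.append(f"both peers are named {a['hostname']}")
    for me, other in ((a, b), (b, a)):                  # each peer must point at the other
        if me["map"].get("set peer") != other["ip"].get("outside"):
            issues.append(f"{me['hostname']} peer address is not {other['hostname']}'s outside IP")
    if a["psk"].get(a["map"].get("set peer")) != b["psk"].get(b["map"].get("set peer")):
        issues.append("pre-shared keys differ")
    if a["policy"] != b["policy"]:
        issues.append("ISAKMP policies differ")
    if (a["transform"].get(a["map"].get("set transform-set"))
            != b["transform"].get(b["map"].get("set transform-set"))):
        issues.append("IPsec transform sets differ")
    acl_a = a["acl"].get(a["map"].get("match address"), [])
    acl_b = b["acl"].get(b["map"].get("match address"), [])
    if sorted((d, dm, s, sm) for s, sm, d, dm in acl_a) != sorted(acl_b):
        issues.append("crypto ACLs are not mirror images of each other")
    return issues

def swap(text, x, y):
    """Exchange two substrings; used to derive ASA02's sample from ASA01's."""
    return text.replace(x, "\0").replace(y, x).replace("\0", y)

# constructed from the thread's second post (mask on vlan2 is an assumption)
ASA01 = """
hostname ASA01
interface vlan2
nameif outside
ip address 192.168.0.11 255.255.255.0
crypto isakmp policy 10 authentication pre-share
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
access-list NONAT permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 match address NONAT
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""
# ASA02 as posted in the thread: addresses mirrored, hostname line left unchanged
ASA02_AS_POSTED = swap(swap(ASA01, "192.168.0.11", "192.168.0.12"), "192.168.101.", "192.168.102.")
ASA02 = ASA02_AS_POSTED.replace("hostname ASA01", "hostname ASA02")
# the line from the first post that 8.2(5) rejected
NAT_83_STYLE = "nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote"
```

Run `nat_syntax_issues(NAT_83_STYLE, "8.2(5)")` to reproduce the first post's error as a finding, and `peer_symmetry_issues(parse_asa(ASA01), parse_asa(ASA02_AS_POSTED))` to see the duplicate-hostname finding; with `ASA02` in place of `ASA02_AS_POSTED` the list is empty. Parsing keys the pre-shared key by tunnel-group address and the crypto map entries by their keyword, so the same checks apply to a crypto map with more than one entry as long as each side references its own ACL name.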