View Full Version : site to site vpn


altezza123
05-18-2011, 09:42 AM
Hi all,

Can anyone help me with how to configure a site-to-site VPN between a Cisco ASA on 8.3 and an ASA on 8.2 or an older version? I have got some resources from the book itself, but it doesn't seem to work. It would be appreciated if anyone can help. Thanks

Big Evil
05-18-2011, 10:02 AM
Here is an example; just do the reverse on the other side.


! Crypto ACL: the traffic that goes into the tunnel (mirror source/destination on the far side)
access-list outside_1_cryptomap extended permit ip [Inside LAN IP/Subnet Mask] [Outside LAN IP/Subnet Mask]
! NAT exemption (pre-8.3): the same traffic must not be translated
access-list inside_nat0_outbound extended permit ip [Inside LAN IP/Subnet Mask] [Outside LAN IP/Subnet Mask]

nat (inside) 0 access-list inside_nat0_outbound
! Phase 2 proposal and SA lifetimes
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic map: for peers with unknown addresses; not attached to outside_map here and not needed for a static L2L peer
crypto dynamic-map outside_dyn_map 10 set pfs
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
! Static crypto map for the L2L peer (pfs group1 is 768-bit DH; use group 2 or higher if both ends support it)
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer [IP address]
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! Phase 1 (ISAKMP) policy: every attribute must match the peer
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Tunnel-group named after the peer IP holds the pre-shared key
tunnel-group [IP address] type ipsec-l2l
tunnel-group [IP address] ipsec-attributes
 pre-shared-key [Key]

Fuzz
05-18-2011, 10:26 AM
Asdm ftw!!!

altezza123
05-19-2011, 09:34 AM
Hi Both,


The methods you showed me are what I was trying on my own in the first place, but I didn't get it to work. I don't know if it is because the firmware I'm using on the sites is different: one is 8.3 (latest version), the others are 8.2 and 7.0, so I don't know if there is any difference in terms of the commands. Further help would be appreciated. Thanks so much

Fuzz
05-19-2011, 10:00 AM
Version differences won't matter; you can still bring up an L2L tunnel. Unfortunately troubleshooting it is quite tricky, as any mismatch in configuration will stop the tunnel from coming up. We need to know the configs on both ends to see what's going on.

Using the ASDM wizard on both ends is the quickest way to get a tunnel up. Just remember to preview the commands before sending them to the devices.

Can you give any further info? Does Phase 1 (ISAKMP) work?

altezza123
05-20-2011, 11:45 AM
HI Fuzz,

I really need help from you. Below is my configuration on both sides...

! Crypto ACL (interesting traffic) and the pre-8.3 NAT exemption for the same traffic
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

! Phase 2: the transform-set name must be the one the crypto map references
! (as posted it was defined as ESP-DES-MD5 but referenced as ESP-3DES-MD5)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface Outside
! Phase 1: must match the peer exactly
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key 123456


The above is the configuration on the ASA 8.2 at one of the sites. But for the 8.3 I was not able to do so, as 8.3 requires creating objects instead, so the NAT is as below (using ASDM). Do I have to do NAT on the first ASA at the top? But after all, it is still having a problem, where it indicates "IKEv1: Information Exchange Failed", and the ISAKMP SA shows: there is no ISAKMP SA.

! 8.3+ twice NAT (identity NAT) replaces the nat 0 exemption; the bracketed names are network objects
nat (inside,outside) source static [LAN_SUBNET/MASK] [LAN_SUBNET/MASK] destination static [REMOTE_SUBNET MASK] [REMOTE_SUBNET MASK]


! Crypto ACL: mirror image of the 8.2 side's
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0

! Phase 2: the transform-set name must be the one the crypto map references
! (as posted it was defined as ESP-DES-MD5 but referenced as ESP-3DES-MD5)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface Outside
! Phase 1: must match the peer exactly
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 123456


Please help me check the configuration on both. nat 0 is no longer on the Cisco ASA 8.3. Can you please help with this? Thanks so much

Big Evil
05-20-2011, 01:10 PM
I would remove the "crypto isakmp identity address" command, as you have no "crypto isakmp key sharedkeystring address [IP Address]" command in there.

altezza123
05-20-2011, 07:44 PM
Hi,

I've configured it accordingly, but it always shows the error: IKEv1: Group x.x.x.x IP x.x.x.x, remove peer from correlator table failed: no match!

and

IKEv1: Group x.x.x.x IP x.x.x.x, session is being torn down: user requested


I wonder if it is because of the group policies? Thanks

altezza123
05-21-2011, 12:34 AM
Hi,

I've managed to get the tunnel up, and it shows as active now, but I can't seem to be able to ping either side. Is it something to do with the ACL? Assuming the configuration is as stated above, I already created the permit ip ACL on both sides, 8.3 and 8.2. Can anyone advise? Thanks
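As an added example (not code from the thread, from the posters, or from Cisco), a small Python checker that applies Fuzz's point above that any mismatch between the two ends stops the tunnel, and the last post's question about a tunnel that is up but passes no traffic. It parses the L2L-relevant lines of two ASA 8.x configs and reports mismatches in the ISAKMP policy, the transform-set the crypto map names, crypto ACL mirroring, peer/tunnel-group/pre-shared key, and the pre-8.3 nat 0 exemption. The two embedded configs are constructed from the ones posted in the thread: site A keeps the posted transform-set naming slip (defined as ESP-DES-MD5, referenced as ESP-3DES-MD5), and site B is given a deliberate hash mismatch for the demonstration. The 8.3 twice-NAT statement is not parsed; that check is an assumption limited to nat 0.

```python
import re

# Added example for this thread, not code from the posts or from Cisco. The sample
# configs below are constructed from the two posted; site A keeps the posted 8.2 side's
# dangling reference (ESP-DES-MD5 is defined, the crypto map names ESP-3DES-MD5).
SITE_A = """\
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key 123456
"""
# Site B: the 8.3 side with the name corrected but a deliberate Phase 1 mismatch (hash sha).
SITE_B = """\
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 2.2.2.2
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 123456
"""
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")
MAP_RE = re.compile(r"crypto map \S+ \d+ (match address|set peer|set transform-set|set pfs)\s*(.*)")


def parse_asa(cfg):
    """Extract what both ends of an IKEv1 L2L tunnel must agree on from an ASA 8.x config."""
    d = {"policy": {}, "tsets": {}, "acls": {}, "map": {}, "l2l": set(), "psk": {}, "nat0": None}
    ctx = None  # sub-mode the following lines belong to: the isakmp policy or a tunnel-group
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"] and len(tok) >= 9:
            d["acls"].setdefault(tok[1], []).append(((tok[5], tok[6]), (tok[7], tok[8])))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][tok[3]] = " ".join(sorted(tok[4:]))  # order-independent proposal
        elif m := MAP_RE.match(raw.strip()):
            d["map"][m.group(1)] = m.group(2)
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            ctx = "policy"
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            d["nat0"] = tok[4]  # 8.2-style NAT exemption; 8.3 twice NAT is not parsed here
        elif tok[0] == "tunnel-group" and tok[2:] == ["type", "ipsec-l2l"]:
            d["l2l"].add(tok[1])
        elif tok[0] == "tunnel-group" and tok[2:] == ["ipsec-attributes"]:
            ctx = ("tg", tok[1])
        elif ctx == "policy" and tok[0] in POLICY_KEYS:
            d["policy"][tok[0]] = tok[1]
        elif isinstance(ctx, tuple) and tok[0] == "pre-shared-key":
            d["psk"][ctx[1]] = tok[1]
    return d


def find_mismatches(cfg_a, cfg_b):
    """Return human-readable mismatches between the two ends; an empty list means consistent."""
    sides = {"A": parse_asa(cfg_a), "B": parse_asa(cfg_b)}
    out, prop, acl, psk = [], {}, {}, {}
    for name, s in sides.items():  # per-side sanity: what the crypto map references must exist
        ts, peer = s["map"].get("set transform-set"), s["map"].get("set peer")
        if ts not in s["tsets"]:
            out.append(f"{name}: crypto map references transform-set {ts!r}, which is not defined")
        if peer not in s["l2l"] or peer not in s["psk"]:
            out.append(f"{name}: peer {peer} lacks an ipsec-l2l tunnel-group with a pre-shared-key")
        prop[name], psk[name] = s["tsets"].get(ts), s["psk"].get(peer)
        acl[name] = s["acls"].get(s["map"].get("match address"), [])
        if s["nat0"] and sorted(s["acls"].get(s["nat0"], [])) != sorted(acl[name]):
            out.append(f"{name}: nat 0 ACL {s['nat0']} does not match the crypto ACL, so VPN traffic gets NATed")
    a, b = sides["A"], sides["B"]
    for k in POLICY_KEYS:  # Phase 1: every ISAKMP policy attribute must be identical
        if a["policy"].get(k) != b["policy"].get(k):
            out.append(f"isakmp {k}: A={a['policy'].get(k)} B={b['policy'].get(k)}")
    if None not in prop.values() and prop["A"] != prop["B"]:  # Phase 2 proposal
        out.append(f"transform-set proposals differ: A={prop['A']} B={prop['B']}")
    if ("set pfs" in a["map"]) != ("set pfs" in b["map"]):
        out.append("pfs is set on one side only")
    if sorted(acl["A"]) != sorted((dst, src) for src, dst in acl["B"]):  # proxy IDs mirrored
        out.append(f"crypto ACLs are not mirrored: A={acl['A']} B={acl['B']}")
    if psk["A"] != psk["B"]:
        out.append("pre-shared keys differ")
    return out
```

Running `find_mismatches(SITE_A, SITE_B)` on the constructed pair reports the dangling transform-set on site A and the hash mismatch; with both corrected it returns an empty list. Because the crypto ACL and nat 0 ACL entries are compared as exact (network, mask) pairs, a tunnel that comes up but carries no traffic because the exemption covers a different subnet is reported too, which is the first thing to check for the "up but can't ping" symptom in the last post.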