IPVPN Connection Between 2 ASAs
Hi,
I have the setup below, where IPVPN_A is an existing network and IPVPN_B will be a new network. Looking at the existing configuration for IPVPN_A, there's no NAT configured on the ABC and XYZ firewalls, just routing. For example, from ABC I route to XYZ via 172.21.0.254.
When IPVPN_B is added in, routes between ABC and XYZ have been set to go via IPVPN_B as primary and via IPVPN_A as backup. Still the same, no NAT was configured on either side, but I can't reach XYZ from ABC. When I configured Static NAT at ABC, I can reach the XYZ WAN IP (10.20.84.2) only, not the LAN IP. When I performed a traceroute from ABC to 10.20.84.2 (WAN) and 172.22.2.2 (LAN), I can see the first 3 hops are the same, but at hop 4 it goes to different hops. Hence, can I conclude that for IPVPN_B, the ABC and XYZ LAN IPs are not within their routing table?
Not sure what/how the IPVPN_A and IPVPN_B configuration is, but normal Service Providers won't be advertising the client's LAN, right? But when I traceroute from ABC to XYZ using IPVPN_A, I can see a Public IP within their internal network.
So, I'd like to know what are the options I have to have a valid connectivity between ABC and XYZ via IPVPN_B.
1) Any method of doing NAT on both ABC and XYZ?
2) Or would creating a site-to-site VPN between ABC and XYZ be easier?
Hi,
your question:
When creating a replacementpath variable you don't have the option to make it depends on other variable entry (i didn't find the option) I'm using BEx 7
Answer:
In BI7.0 Query designer, replacement path with other variable entry is possible.
your requirement:
When a user make a selection in the first var. (Prod Hier. 1) in the var screen, i need that the F4 help in the second variable will show only the Prod Hier. 2 that is under Prod Hier. 1.
my answer:
Replacement path with variable will not suit your requirement as far as I know. Anyway, let us wait for other experts' replies... someone might know.
If it is useful, assign points.
Regards,
Senthil
Similar Messages
Site to Site Tunnel between 2 ASAs
Hello,
I have a strange problem. I have been able to establish an L2L tunnel between 2 ASAs at sites A and B. But I can't ping or access the network on the remote end. I have checked all my access lists on both ends and they permit the traffic. At site A, I have multiple tunnels from the ASA to other sites and they work fine. The problem is with this tunnel to site B, which is another ASA. At site B, the ASA connects to the internet via a Cisco 837 ADSL router. Is this a problem with ASAs? How can I resolve this?
Try this:
Remove the crypto map from the interfaces and reapply the crypto map again.
Ensure that there is no overlapping network.
Refer this link:
http://www.cisco.com/en/US/products/ps6120/products_getting_started_guide_chapter09186a00805e2929.html
Causing some network problem after connecting the new ASA to my network
Hi everyone,
Hope you can help on this issue.... It is strange to me...but may not be to you
Currently, I have a subnet that connects to my primary network. All the internet traffic travels thru a router there, in turn thru a pair of ASA failover firewalls (ie Subnet -> router -> Subnet ASA -> Primary network ASA -> Primary network router -> Internet).
Now we try to set up an internet pipe so the subnet can go to the internet on its own. So... for security purposes, we put another new ASA in between the subnet and the new internet. This will be the first, and the old path to the Internet would be the backup route.
NOW
I have not even made any route changes on the router yet. What I did was to connect the new ASA to the subnet. Again, I did not change any routes, or any gateway settings on any of the computers in the subnet yet!! I just connected the ASA. That is it... please remember this.
However, a problem happens. I have an application server in the same subnet... that keeps kicking out users. I also have a continuous ping to it... I saw that the server had request timed out... it did not come back up until about 10 to 20 seconds later. The server, in fact, is a cluster server. Although I can ping the physical server, I cannot ping the virtual server.
In order to fix the problem, I really need to unplug the new ASA from the network, and reload the cluster server. Then it starts to work.
Another symptom is that... people complain the log on is obviously slower than usual.
May I ask why the new ASA would cause this trouble?? Again, no routes on the router have been changed. And all PCs in the subnet are still using the old gateway, and do not know about the new ASA.
Any ideas would be great!! Very strange to me. Thank you very much for your help.
Riderfaiz
First guess would be proxy ARP.
Proxy ARP is enabled by default on the ASA. The new ASA might be proxy ARPing for whatever reason.
OR the new ASA might have been configured with an ip address that belongs to another device by mistake.
Connections between servers using CSS VIP?
In our new pre-production environment we have several servers connected to a 3750 switch, which is then connected to a CSS 11503. Upstream the CSS is then connected to an ASA firewall pair. The CSS VIPs are 10.22.1.0/24 on the "outside" and the servers have 10.21.1.0/24 addresses on the inside. The CSS inside & server 3750 switchports are all on the same VLAN. There is no PAT/NAT configured (except for the VIP being translated to a chosen server IP I suppose).
Whilst the clients will connect to the servers via the VIPs what we want is for each server to also be able to talk to other servers via a VIP. This is because some of the servers provide a service (LDAP actually) that we would like to be load balanced.
Now, what is curious, is that *this works* in our production environment where the servers are *directly* attached to the 8 port switch module in the CSS. However in this new environment, where the 3750 is between the servers and the CSS, it doesn't (actually you can ping the VIP successfully but nothing else works).
I have seen other postings on NetPro where people are trying similar things, like: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Networking%20Solutions&topic=Application%20Networking&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd81312 and http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Emerging%20Technologies&topic=Content%20Networking&CommCmd=MB?cmd=display_location&location=.1dd72fd0
The relevant CSS config I think (there are lots more services etc but they are all similar) is:
circuit VLAN1
ip address 10.21.1.100 255.255.255.0
circuit VLAN2
ip address 10.22.1.1 255.255.255.0
keep alive ssokeepalive
type http
keepalive port 7777
uri "/sso/status"
keepalive frequency 10
keepalive maxfailure 2
tcp-close fin
active
service pulpldp001sso
ip address 10.21.1.6
keepalive type named ssokeepalive
active
content SSO
vip address 10.22.1.12
protocol tcp
port 7777
application http
url "/*"
advanced-balance cookie
add service pulldp001
active
i.e. VIP 10.22.1.12 will be directed to the server 10.21.1.6 (only the one shown above).
Q1) My first question is: is server to server communication via an outside VIP possible?!
Q2) Given that this seems to work in our production environment without the 3750s, any idea what areas of config could be wrong on the 3750 or the servers? (we've tried default routes of both the 3750 and the ISS inside address but that hasn't worked). Note the ping from a server works but when we try, say, "telnet 10.22.1.12 7777" that doesn't connect.
Q3) Let's assume that the servers run more than one service, e.g. an HTTP and an LDAP service. If a server can communicate with another server using its VIP, will it work from one server up to the CSS/VIP and back to itself? (of course it may or may not actually return to itself depending on the load etc)
I can provide full configs on Monday if required.
Hope these aren't dumb questions! Many thanks!
Simon
PS. the CSS is running 7.50 at the moment but could upgrade to 8.2 if required
Thank you Adedayo - that appears to have done the trick! I can't believe it: one little keyword!
I have to say, even once you told me the answer I still didn't find the Cisco content config manual very helpful on this point (perhaps I'm looking in the wrong place?).
Note: we're not currently doing any PAT on the CSS so don't have any source groups set up - perhaps most people do and so don't have the same problem.
I'll get chance to report back on some proper testing next week and promise to update this conversation.
Adedayo: sorry, I wanted to flag your post as solving my problem once I was sure next week but now the tick box has gone - if you reply again I'll flag that! I appreciate you taking the trouble to post.
One final question: do you have a situation where you use a VIP from a server to potentially connect back to itself? If so, does it work OK? (e.g. if you have a webserver can you connect to the content VIP that it belongs to?)
Simon
VPN connection between ASA5520 and RV215w
Hello everyone,
I am trying to setup a vpn connection between ASA5520 with 9.1.(3) and rv215w 1.1.0.6
Here is my setup ...
But the vpn connection fails with an error message on ASA.
RV215w shows ipsec established but i cannot ping the network behind.
You can find asa-config and show-tech as attachment. I have added also some screenshots from RV215w.
Any hint or help is appreciated.
Cengiz
Hi Cengiz,
Dynamic crypto maps are mostly used in a Remote Access or Client-to-site VPN because end users working from home can have a new IP address every time, or a different one when connecting from home or from an Internet cafe, hence the ASA can't use a fixed IP as Peer.
But for site to site a Dynamic Crypto Map can also be used, but only at one side, else if you use a Dynamic crypto map at both ends, both peers will wait for each other to initiate a tunnel request, as the device (in this case ASA) configured with a Dynamic Crypto map can only REPLY to a tunnel initiation; it can never send a tunnel initialization request as it never knows the IP address of the peer. Hence never make both devices dynamic crypto map peers, or else they will both wait for each other and the tunnel will never come up.
The main steps to be configured on the ASA end in order to establish dynamic tunnel:
Phase 1 ISAKMP related configuration
Nat exemption configuration
Dynamic crypto map configuration
The Cisco IOS router has a static crypto map configured because the ASA is assumed to have a static public IP address. Now this is the list of main steps to be configured on the Cisco IOS Router end to establish dynamic IPSEC tunnel.
Phase 1 ISAKMP related configuration
Static crypto map related configuration
!---1. Configure the IPsec transform-set
crypto ipsec transform-set myset esp-des esp-md5-hmac
!--- 2. Configure the dynamic crypto map. Always remember to bind a dynamic crypto map to a blank static crypto map and then apply that static crypto map to the ASA OUTSIDE interface, as dynamic crypto maps cannot be bound directly to the ASA OUTSIDE interface (or any interface).
crypto dynamic-map MY_DYNAMIC_MAP 1 set transform-set myset
crypto dynamic-map MY_DYNAMIC_MAP 1 set reverse-route
!--- Enable Reverse Route Injection (RRI), which allows the ASA
!--- to learn routing information for connected clients, hence the static route will come above the default route and
!--- will make the routing decision fast. Otherwise, for the other side's dynamic IP the default route has to get a hit every time, but only after checking the entire routing table and finding no match; so to save this entire route matching process it is always good to use reverse route injection so that the other side's non-dynamic crypto peer can insert a static route entry in the ASA.
!--- 2A. Always bind the dynamic crypto map named MY_DYNAMIC_MAP to a static crypto map named STATIC_MAP_CALLING_DYMANIC_MAP using the keyword dynamic at the end
crypto map STATIC_MAP_CALLING_DYMANIC_MAP 10 IPSec-isakmp dynamic MY_DYNAMIC_MAP
!--- 2B. Now apply the static map on the ASA OUTSIDE interface
crypto map STATIC_MAP_CALLING_DYMANIC_MAP interface outside
!--- 3. Configure the phase I ISAKMP policy
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
!--- 4. Configure the default L2L tunnel group parameters
tunnel-group DefaultL2LGroup IPSec-attributes
pre-shared-key *
Please rate if you like my post.
Best Regards
Sachin Garg
Lan connection timeout after ASA reload
hi guys
I have 2 ASA 5520 in HA.
I have a problem...
Whenever I reload this ASA my LAN users' TCP, UDP and ICMP connections time out, and I force restart the users' PCs, and after the restart it's OK...
but without a restart my connections time out.
Please help.
Hi,
It seems to suggest some kind of problem between the ASA firewalls as the "comm failure" is listed.
What does the "show failover" command show?
Have you checked both the GigabitEthernet0/2 and GigabitEthernet0/3 links on both units and the network between the ASA units through those interfaces? I think you should go through those interfaces and the network segment between the ASAs and confirm that there is a working Failover/Stateful link between the ASAs.
Did you log into the Standby ASA and check the output of "show conn"? If you have connections active through the Active ASA and the Standby ASA does not have anything in its connection table, then you have a problem with the Failover setup.
- Jouni
Setting up a https connection between SAP CRM and genesys gplus adapter
Hello All-
We are integrating SAP CRM with the genesys mysap gplus adapter. We are stuck in setting up a https connection between SAP and the gplus adapter.
Can anyone here help me out in this like how to get the SSL Protocol, keystore, keystore password,truststore and truststore password.
Information about the Adapter's server certificate. Do we need to configure the adapter for the proxy also?
Any additional comment will help. Thanks in advance!
Hello Vinod,
Please refer to the following OSS note 564085.
Please reward if helpful.
regards,
Muralidhar Prasad.C
Connection between SDM client and server is broken
Dear All,
First of all this is what I have
-NW04 SPS 17
-NWDS Version: 7.0.09 Build id: 200608262203
-using VPN connection
-telnet on port 57018 is successful
I can log in to the SDM server (from NWDS and from the SDM GUI), I can see the state of SDM (green light), restart it, and navigate through tabs in the GUI, but every time I try to deploy an ear I have this error:
Deployment exception : Filetransfer failed: Error received from server: Connection between SDM client and server is broken
Inner exception was :
Filetransfer failed: Error received from server: Connection between SDM client and server is broken
I have already read a lot of topics,blogs,notes but didn't find the solution.
Can anybody help me?
Best Regards
Having the same issue. Nothing helped so far... Using NWDS 7.0 SP18.
I have turned SDM tracing on and this is what I see on client side after sending first data package:
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: debug "20120224140253 0280/17 Client: finished sending string part"
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: debug "20120224140253 0280/0 Client: receive String part from Server"
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl.receiveFromServer(NetComm ..): Entering method
com.sap.bc.cts.tp.net.NetComm.receive(): Entering method
com.sap.bc.cts.tp.net.NetComm: debug "Method "receive(char[])" could not read all requested bytes. There are still 12 bytes to read"
com.sap.bc.cts.tp.net.NetComm: debug "Caught IOException during read of header bytes (-1, 43):Connection reset"
com.sap.bc.cts.tp.net.NetComm: debug " throwing IOException(net.id_000001)"
com.sap.bc.cts.tp.net.NetComm.receive(): Exiting method
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: Exiting method
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: debug "20120224140253 0281/1 Client: connection was broken"
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: Exiting method
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: debug "20120224140253 0281/0 Client: finshed sendAndReceive"
com.sap.sdm.is.cs.cmd.client.impl.CmdClientImpl: Exiting method
My connection on server is still active so I have to restart SDM server to reset and try it again.
Anyone have an idea what's happening?
Connection between O and BP is missing
Hi,
When I check inconsistency for a user, I am getting "Connection between "O" and "BP" is missing". When I check the Org.unit in PPOSA_BBP, I can see no BP exists for that Org.unit where the user is assigned. I have replicated the org.unit from the HR system but still the BP hasn't been generated. Can you please share your ideas on this.
Regards,
Prasath J
Hi Prasath,
This might be because you need to assign the user to a Purchasing Organisation or a Purchasing Group. If the user does not have a BP created then you can do this by using tcode USERS_GEN.
Go to USERS_GEN and follow below steps :
1. Select Create User From Existing SU01 user
2. Enter the org id of the POrg or Pgroup under which you want to assign the user
3. Select country and execute
4. In next window one popup will occur, select Area Of User
5. In next popup enter the user id
6. Next select the user and click Ok.
7. This will create a BP and CP for the user and assigns the BP to the Org id of the POrg or Pgroup.
8. Now check the consistency of the user it will show all green.
It might give you error like eMail id for BP XXXXX is missing if the SU01 profile of the user does not contain any user id but it is not critical.
You can open the BP in BP tcode and enter the email id of the user.
Let us know if it solves your issue.
Regards,
Mayur
(Trouble printing) Trouble with connection between Macbook Pro and Hp Deskjet 1510.
Trouble with connection between Macbook Pro and Hp Deskjet 1510. (Nothing Prints).
I have a Macbook Pro and am having difficulty printing documents from ‘Pages' from my Hp Deskjet 1510. I have installed the necessary software for the printer and it is connected via USB. Every time I try to print the printer icon comes up as it should, 'printing' and then 'job completed' and then the icon disappears. (Nothing is printed.) I thought it might be something to do with Pages compatibility with the printer but exporting the document to Word or making it a PDF doesn’t change anything. I don’t have Microsoft Word on my computer. The scanner does work and when I printed a ‘Test Page’ that worked too.
Let me know if you know why this is happening.
With these settings the network now works flawlessly, however, when I have my ethernet cable plugged in, my internet access via my Airport card (on the MacBook Pro) is no longer available. Hoping you can tell me why this would be with the info I've provided.
Educated guess. The networking devices have priorities as to which are used. The standard order is that Ethernet has a higher priority than Airport.
While your Ethernet is unplugged it is inactive and the Mac ignores it. Once you plug it in, the Mac sees that it is active and switches traffic to that interface.
I actually take advantage of this feature at home, by configuring my Airport and Ethernet with identical fixed IP addresses. Normally I'll use Airport, but if I'm copying a huge file and I want faster performance, I'll just walk my MacBook (previously iBook, previously Powerbook) over to my Ethernet switch and plug in my MacBook. Magically, the Mac detects that the Ethernet is active and continues the file transfer uninterrupted over the faster 100baseT Ethernet connection. When the transfer is finished, or if I really need to move back to the Comfy Chair, I unplug the Ethernet cable, and all activity reverts back to the Airport, all without disrupting any existing networking connections.
You on the other hand have totally different settings for your Ethernet and your Airport, so when you switch to Ethernet, you basically lose your Airport connections.
Something you can try:
System Preferences -> Network
Gear icon on the bottom left, next to the [+] [-] icons.
Select *Set Service Order...*
Now drag the network interfaces into the preferred priority order you want. In this case put Airport above Ethernet.
NOTE: You may want to create a new Network Location for this, instead of messing with your normal home Location (which is most likely the default Automatic). That way you have your original you can always fall back to.
Connection between CRM back end and ASP front end website for Ecommerce
Hi All,
I want to establish the connection between an ASP website and a CRM back end server (we are replacing the existing ERP back end system with SAP CRM).
I want to know whether I have to go with XI or any other connectors provided by SAP to establish the communication between the existing ASP website and the CRM back end server.
Can anyone please help me out.
Thank you,
Okay here is the general concept for your scenario:
-You will call standard/custom RFC's(could be BAPI's) in the CRM system from the existing application.
-You will need to write a new model layer in your ASP application that calls the RFC layer in CRM
-You decide what data you want to use from CRM in your application
Let's assume at minimum you will want to use the product master, business partner master, and business transactions. You will need RFC's/BAPI's for every interaction point where you will consume/publish data to CRM.
So when a user creates an order from your e-commerce site, you will need to support saving an order in CRM. This is an example of how you need to map out each function in your existing site to a part of the CRM system. Since we don't know what your site currently does, this is something you would have to do.
Once you have mapped out the business level data to the CRM system, then you can evaluate where you will need a BAPI and/or RFC call. Once that is done, then you can look at the CRM system and see what standard pieces can be called. Then everything else is custom development. Your ASP application will call CRM via RFC.
It is possible to do what you want to do, but it is going to require a lot of mapping work and a fair amount of development effort to integrate the two pieces. I don't know if you might be better off looking at the SAP Internet Sales Solution instead so you could focus only on customizing that application, instead of worrying about an integration problem. It just depends on how much special functionality your existing e-commerce site has today.
My general recommendation would be for you to hire a consultant that has done an SAP e-commerce project using SAP CRM in the past and let them guide you on the implementation issues. An on-site resource could better answer your "high-level" questions.
However if you have more questions please ask and I will try to answer to the best of my knowledge.
Good luck,
Stephen
Regarding connection between front end HTML and back end SQL 7.0
Hi!!
I am working on the project 'ERM'. I have designed 12 forms using HTML. Can you please give me a brief idea of how to establish the connection between a back end and front end, i.e. between HTML and SQL 7.0. If possible can you provide me the source code for the same.
I will be very thankful to you.
Thanks,
Jigar.
Read up about multi-tier applications.
You need servlets and JSPs for the server-side presentation layer, some classes for the business logic, and some more for the persistence layer, either using JDBC or some framework like Hibernate.
How can I get connection between VC and back end ABAP system
Hi, I'm developing the kits in the VC platform, and I need to access the back end system designed by ABAP. For example, the system provides some public functions(not web services), and I hope when I click the "search" button, the VC front can call the remote functions and get the data from the back end system. In addition to that, the most important is I must keep the connection real-time. How can I do it?
Thanks for your help. At present, my VC version is 7.1.4 which isn't installed in the portal server but on a local machine, and I'm new to VC. What I want is when I click the "search" button (in the properties panel), I can get the data from the remote server. I know VC 6 provides similar functions, but the current version doesn't. Could you explain the details of how to get and keep the connection between them? Thanks so much.
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
I am setting up a site to site VPN between two ASA 5505's. The tunnel is up but I cannot get it to pass traffic and I have run out of ideas at this point. I am on site as I am posting this question and only have about 4 hours left to figure this out, so any help ASAP is greatly appreciated. I'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way; the other end is not able to encrypt the traffic.
I would suggest doing a 'clear xlate'. Sometimes if you set up the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
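The one-way diagnosis in the reply above comes straight from the "#pkts encaps" / "#pkts decaps" counters in the two "sh ipsec sa" outputs (1 versus 239 at Site A, 286 versus 1 at Site B). The following is an added example, not code from the thread or from Cisco: a small parser that pulls those counters out of "show crypto ipsec sa" text and classifies each SA as bidirectional, send-only, receive-only or idle, so the same judgement can be made across many crypto map entries at once. The two output snippets embedded in it are constructed to match the numbers posted here; the thresholds (idle below 5 packets, a 10:1 ratio) are assumptions chosen for illustration.

```python
"""Spot one-way IPsec traffic from 'show crypto ipsec sa' counters (added example)."""
import re
from dataclasses import dataclass

# Constructed sample output, trimmed to the lines this parser needs; the
# numbers mirror the Site A and Site B outputs posted in the thread.
SITE_A_OUTPUT = """\
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#send errors: 0, #recv errors: 0
"""

SITE_B_OUTPUT = """\
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#send errors: 0, #recv errors: 0
"""

# One "Crypto map tag:" header starts each SA block in the ASA output.
ENTRY_RE = re.compile(
    r"^Crypto map tag: (?P<tag>[^,]+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)", re.M)
PEER_RE = re.compile(r"current_peer: (?P<peer>\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")


@dataclass
class SaCounters:
    tag: str
    seq: int
    local_addr: str
    peer: str
    local_net: str
    remote_net: str
    encaps: int   # packets this box encrypted and sent into the tunnel
    decaps: int   # packets this box received from the tunnel and decrypted


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one SaCounters per crypto map entry."""
    entries = []
    headers = list(ENTRY_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        chunk = text[m.start():end]
        peer = PEER_RE.search(chunk)
        enc = ENCAPS_RE.search(chunk)
        dec = DECAPS_RE.search(chunk)
        idents = {side: f"{addr}/{mask}" for side, addr, mask in IDENT_RE.findall(chunk)}
        entries.append(SaCounters(
            tag=m["tag"], seq=int(m["seq"]), local_addr=m["local"],
            peer=peer.group("peer") if peer else "?",
            local_net=idents.get("local", "?"), remote_net=idents.get("remote", "?"),
            encaps=int(enc.group(1)) if enc else 0,
            decaps=int(dec.group(1)) if dec else 0))
    return entries


def classify(sa, idle=5, ratio=10):
    """Verdict for one SA. 'idle' packets or fewer count as no traffic; the busy
    direction must carry at least 'ratio' times the quiet one to be one-way."""
    if sa.encaps <= idle and sa.decaps <= idle:
        return "idle"
    if sa.encaps <= idle and sa.decaps >= ratio * max(sa.encaps, 1):
        return "receive-only"   # peer's traffic arrives, but we never encrypt a reply
    if sa.decaps <= idle and sa.encaps >= ratio * max(sa.decaps, 1):
        return "send-only"      # we encrypt, nothing comes back
    return "bidirectional"


ADVICE = {
    "receive-only": ("peer traffic is decrypted but no reply is encrypted back: check the "
                     "NAT exemption and routing for the local subnet, then 'clear xlate'"),
    "send-only": "local traffic is encrypted but nothing returns: run the same checks on the peer",
    "idle": "no traffic has used this SA yet",
    "bidirectional": "counters grow in both directions",
}


def report(text):
    """Return one dict per SA with its verdict and the matching advice."""
    return [{"tag": sa.tag, "seq": sa.seq, "peer": sa.peer, "local": sa.local_net,
             "remote": sa.remote_net, "verdict": classify(sa), "advice": ADVICE[classify(sa)]}
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for name, out in (("Site A", SITE_A_OUTPUT), ("Site B", SITE_B_OUTPUT)):
        for row in report(out):
            print(f"{name} {row['tag']}#{row['seq']} -> {row['peer']}: {row['verdict']} ({row['advice']})")
```

Run against the real output of "show crypto ipsec sa" from both peers: when one side reports receive-only and the other send-only for the same pair of proxy identities, the tunnel itself is fine and the fault is on the receive-only box, in the path its replies take before reaching the crypto map (NAT or routing), which is exactly where the 'clear xlate' advice applies.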
Hi, I'm trying to create a Site-to-Site VPN between a Cisco ASA 5505 and a Cisco 3945 Router.
I've tried creating the configuration with and without the ASA wizard, but either way it doesn't work.
Please help me find where the issue is.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end
Thanks for helping me again. I really appreciate it.
I don't have any NAT exemptions in the Cisco IOS Router. The transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT exemptions are the issue. Can you advise me which exemptions should be in the Cisco IOS Router?
Because on the Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help.
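With the router reporting "Session status: DOWN" and an empty ISAKMP SA table, one check worth doing before touching keys or transform sets is that the two crypto ACLs describe mirror-image flows: the IOS side uses wildcard masks and the ASA side uses subnet masks or object references, so a mismatch is easy to miss by eye. The following is an added example, not code from this thread or from Cisco: it normalises both ACL styles with Python's ipaddress module and reports any flow that has no reversed counterpart on the other side. The configuration fragments embedded in it are constructed from the posted configs; the second ASA fragment with a /25 object is a deliberately mismatched variant added to show what a failure looks like. Only the "permit ip <net> <mask>", "object", "host" and "any" forms are handled (an assumption of this example).

```python
"""Check that IOS and ASA crypto ACLs are mirror images (added example)."""
import ipaddress
import re

# Constructed from the IOS config posted in the thread.
IOS_CONFIG = """\
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
"""

# Constructed from the ASA config posted in the thread (object reference form).
ASA_CONFIG = """\
object network datacenter-network
 subnet 192.168.17.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
"""

# Constructed mismatch: the object covers only half of the router's subnet.
ASA_CONFIG_MISMATCHED = """\
object network datacenter-network
 subnet 192.168.17.0 255.255.255.128
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
"""


def _wildcard_to_net(addr, wildcard):
    """IOS wildcard mask (0.0.0.255) -> IPv4Network (192.168.17.0/24)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ios_crypto_acl(config, acl_number):
    """Return the set of (src, dst) networks permitted by a numbered IOS ACL."""
    pat = re.compile(rf"^access-list {acl_number} permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return {(_wildcard_to_net(s, sw), _wildcard_to_net(d, dw))
            for s, sw, d, dw in pat.findall(config)}


def _asa_objects(config):
    """Map each 'object network NAME' to the network from its subnet/host line."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = re.match(r"^\s*host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def _asa_endpoint(tokens, objects):
    """Consume one ASA address spec (object X | host X | any | net mask) from tokens."""
    t = tokens.pop(0)
    if t == "object":
        return objects[tokens.pop(0)]
    if t == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_asa_crypto_acl(config, acl_name):
    """Return the set of (src, dst) networks permitted by a named ASA extended ACL."""
    objects = _asa_objects(config)
    flows = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] == ["access-list", acl_name, "extended", "permit", "ip"]:
            rest = tokens[5:]
            src = _asa_endpoint(rest, objects)
            dst = _asa_endpoint(rest, objects)
            flows.add((src, dst))
    return flows


def mirror_mismatches(side_a, side_b):
    """Flows on each side that the other side does not permit in reverse."""
    reversed_b = {(d, s) for s, d in side_b}
    reversed_a = {(d, s) for s, d in side_a}
    return {"only_on_a": side_a - reversed_b, "only_on_b": side_b - reversed_a}


if __name__ == "__main__":
    ios = parse_ios_crypto_acl(IOS_CONFIG, 100)
    for label, cfg in (("posted", ASA_CONFIG), ("mismatched", ASA_CONFIG_MISMATCHED)):
        asa = parse_asa_crypto_acl(cfg, "outside_cryptomap")
        mm = mirror_mismatches(ios, asa)
        print(label, "OK" if not mm["only_on_a"] and not mm["only_on_b"] else mm)
```

The check only covers the phase 2 proxy identities. The other items raised in this thread, the transform-set mode, the pre-shared key and the NAT exemption for the 192.168.83.0/24 to 192.168.17.0/24 traffic, are outside it and still need to be confirmed separately; with no ISAKMP SA at all, phase 1 settings are worth checking first.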