Cisco ASA 5505 to Cisco 7200 Site-to-Site VPN not coming up.

Status
Not open for further replies.

briancox86

IS-IT--Management
Jun 21, 2008
I am trying to bring up a VPN between 2 sites. One has a Cisco 7200 the other has an ASA 5505. The VPN will not come up.

It does not show up in 'sho crypto isakmp sa' output.
No stats but there is an entry for it in 'sho crypto ipsec sa' output.

Any help greatly appreciated!!!

Can someone please help.

Thanks!
===Config on 7200===
crypto isakmp key * address [REMOTE SITE WAN IP]

crypto ipsec transform-set defaultset esp-3des esp-md5-hmac

crypto map office-vpn 1420 ipsec-isakmp
 set peer [REMOTE SITE WAN IP]
 set transform-set defaultset
 match address office-to-remote

ip route 10.149.37.96 255.255.255.224 [REMOTE SITE WAN IP]

ip access-list extended office-to-remote
 permit ip any host [REMOTE SITE WAN IP]
 permit ip any 10.149.37.96 0.0.0.31

===Config on 5505===
ASA Version 7.2(4)

access-list to-home extended permit ip 10.149.37.96 255.255.255.224 any

global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 [GATEWAY] 1

crypto ipsec transform-set SET esp-3des esp-md5-hmac
crypto map ABC 10 match address to-home
crypto map ABC 10 set peer [VPN PEER]
crypto map ABC 10 set transform-set SET
crypto map ABC interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

management-access inside

tunnel-group [VPN PEER] type ipsec-l2l
tunnel-group [VPN PEER] ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic

service-policy global_policy global

Include complete scrubbed configs from both devices.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
ASA Version 7.2(4)
!
hostname
enable password XX encrypted
passwd XX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.XX.XX.97 255.255.255.224
!
interface Vlan2
nameif outside
security-level 0
ip address 64.XX.XX.83 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list to-XXX extended permit ip 10.XX.XX.96 255.255.255.224 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 64.XX.XX.82 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
snmp-server location
snmp-server contact UNKNOWN
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
crypto map XXX 10 match address to-XXX
crypto map XXX 10 set peer 165.XX.XX.246
crypto map XXX 10 set transform-set XXX
crypto map XXX interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5

ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 165.XX.XX.10 165.XX.XX.21
dhcpd wins 165.XX.XX.12 165.XX.XX.232
dhcpd ping_timeout 750

!
dhcpd address 10.XX.XX.107-10.XX.XX.126 inside
dhcpd enable inside
!
tunnel-group 165.XX.XX.246 type ipsec-l2l
tunnel-group 165.XX.XX.246 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
 
Working on the 7200 config. It is big. Can you for now tell me, is the ASA config sound for a site-to-site VPN?
 
7200 Config
This is all I can get you. This is all of what is related to this site... I have hundreds of PIX VPN sites connected; the config is WAY too long to post. If you could work with this that would be great. Sorry.

Current configuration : 75826 bytes
version 12.4
no service pad
!
boot-start-marker
boot system flash disk0:c7200-ik9o3s-mz.124-18.bin
boot-end-marker
no ip source-route

controller ISA 2/1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

crypto isakmp key * address 64.XX.XX.83
crypto ipsec transform-set defaultset esp-3des esp-md5-hmac

crypto map vpn 1420 ipsec-isakmp
 set peer 64.XX.XX.83
 set transform-set defaultset
 match address ACL
!

no crypto ipsec nat-transparency udp-encaps

ip route 10.XX.XX.96 255.255.255.224 64.XX.XX.83

ip access-list extended ACL
 permit ip any host 64.XX.XX.83
 permit ip any 10.XX.XX.96 0.0.0.31

end
 
By the way:

sho crypto isakmp sa output
10.XX.XX.6 64.XX.XX.83 MM_SA_SETUP 1912 0 ACTIVE
10.XX.XX.6 64.XX.XX.83 MM_NO_STATE 1903 0 ACTIVE(deleted)
 
The only thing that I can see would be with the 7200, the ISAKMP policy doesn't specify a DH group and the ASA is using group 2. Try adding the DH group to the 7200; if that doesn't work then run a debug on the isakmp process and post the results.

- ColdFlame (vbscript forum)
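As an added check (example code written for this page, not posted by anyone in the thread), the script below compares the two ISAKMP policies quoted above after filling in the IOS defaults for the parameters the 7200 policy leaves unstated. IOS defaults an unspecified `crypto isakmp policy` to `encr des`, `hash sha`, `authentication rsa-sig`, `group 1` and `lifetime 86400`, so the comparison surfaces the DH group mismatch (1 on the 7200 vs 2 on the ASA) that the reply points at; the config text is a constructed copy of the posted lines.

```python
# Added example: compare IKE phase 1 (ISAKMP) policies from two Cisco configs,
# applying IOS defaults to the side that omits parameters. A phase 1 that sits
# in MM_SA_SETUP, as in the posted 'sho crypto isakmp sa' output, is consistent
# with a policy mismatch such as the DH group found here.
import re

# IOS defaults for an unspecified 'crypto isakmp policy' parameter.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

# Constructed copies of the relevant lines from the two posted configs.
CFG_7200 = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
"""
CFG_ASA = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: {param: value}}; ASA 'encryption' is normalised to IOS 'encr'."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current["encr" if key == "encryption" else key] = value
        else:
            current = None  # left the indented policy block
    return policies

def policy_mismatches(ios_cfg: str, peer_cfg: str) -> dict:
    """Compare the first policy of each side; IOS defaults fill the IOS side only."""
    ios = {**IOS_DEFAULTS, **next(iter(parse_isakmp_policies(ios_cfg).values()))}
    peer = next(iter(parse_isakmp_policies(peer_cfg).values()))
    return {k: (ios[k], peer.get(k)) for k in ios if ios[k] != peer.get(k)}

if __name__ == "__main__":
    print(policy_mismatches(CFG_7200, CFG_ASA))  # {'group': ('1', '2')}
```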
 