Config remote tunnel with Dynamic IP to Datacenter static IP (ASA 5520)


(Adrian W) #1

After adding "crypto map Outside_map 1 set ikev1 phase1-mode aggressive", my tunnel dropped and stopped working.

Version:

HomeASA(config)# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)16
Device Manager Version 7.7(1)150
Compiled on Thu 30-Mar-17 17:39 by builders
System image file is "disk0:/asa917-16-k8.bin"
Config file at boot was "startup-config"
HomeASA up 2 hours 10 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1

Object-group:

HomeASA(config)# show run object-group network
object-group network FLL_DC_Networks
 network-object 10.158.0.0 255.255.252.0
 network-object 172.16.20.0 255.255.252.0
 network-object 192.168.16.0 255.255.255.0
object-group network HomeNetworks
 description Home LAN and WLAN
 network-object 10.10.250.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0

Access-list:

HomeASA(config)# show run access-list
access-list Outside_cryptomap extended permit ip object-group HomeNetworks object-group FLL_DC_Networks
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_3
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_3

Crypto map:


HomeASA(config)# show run crypto map
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 199.227.242.218
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside

(Rene Molenaar) split this topic #2

2 posts were merged into an existing topic: Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer


(Rene Molenaar) closed #3