VPN SITE TO SITE CONFIGURATION

50 pts.
Tags:
Cisco 2811
CLI
VPN configuration
This is my first time to configure site to site vpn from ASA5510:116.93.65.34 -Host-to REmote Cisco 2811-41.204.36.150 (LAN-IP Start at 172.16.16.0-172.16.19.254 subnet mask-255.255.252.0)

Note: Already done configruation on ASA5510 but need to start configure on cisco2811 but i dont know the cli and where to start

Just configure site to site VPN under ASA5510 and having configuration as listed-

 IKE Authentication-preshared Key,

IKE Proposal-pre-shared-3des-sha,IPsec

proposal-ESP-3DES-SHA,

CryptoMap Entry-enable,

 NAT-T-Enable,

 IKENegotiation Mode-Main,

Group Policy-Enable,

Please help me on how i can configure via CLI to Cisco 2811 since not

familiar on CLI and i will be glad if you someone can guide me on how to do it in 2811 so my

site can do site to site VPN. Please help me needed badly...thanks and appreciate your help

Lope



Software/Hardware used:
ASA5510 AND CISCO2811

Answer Wiki

Thanks. We'll let you know when a new response is added.

BY THE WAY SEE THE CONFIG OF MY ROUTER AT THE REMOTE JUST WANT TO ASK WHAT ADDITONAL CONFIG WILL ADD ON THIS ROUTER 2811 SO I CAN PING THE HOST OF SERVER LIKE -72.28.150.15,14,11,16,13 .

HOST:
ASA5510: 116.93.65.34 (Already configured the VPN site to site)

Remote Site:
Cisco 2811 -configuration

corrouter#show config
Using 3652 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname corrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 <REMOVED>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
!
dot11 syslog
no ip subnet-zero
ip source-route
!
!
ip cef
!
!
no ip bootp server
ip name-server 63.216.0.5
ip name-server 63.216.0.6
ip name-server 217.20.240.30
ip name-server 217.20.240.5
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
vpdn enable
!
vpdn-group GEV-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
username admin privilege 15 password 7 <REMOVED>
username gevuser password 7 0<REMOVED>
username corroot privilege 15 secret 5 <REMOVED>
username coradmin privilege 15 secret 5 <REMOVED>
username ian password 7 <REMOVED>
username mike password 7 <REMOVED>
username vpnuser1 password 7 <REMOVED>
username cor01 password 7 <REMOVED>
username cor2 password 7 <REMOVED>
username ianhyens password 7 <REMOVED>
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 10
ip ssh version 1
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol ftp
match protocol smtp
match protocol pop3
!
!
!
!
!
interface FastEthernet0/0
description WAN Coonection to the Internet
bandwidth 512
ip address <REMOVED> 255.255.255.128
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description LAN Interface$ES_LAN$
ip address 172.16.16.1 255.255.252.0
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool defaultpool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 10.10.100.1 10.10.100.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <REMOVED>
ip http server
ip http access-class 23
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export version 5
ip flow-export destination <REMOVED> 2055
!
ip nat inside source list internet-access interface FastEthernet0/0 overload
!
ip access-list standard ctslpmb46
!
ip access-list extended internet-access
permit ip 172.16.16.0 0.0.3.255 any
ip access-list extended internet_access
permit ip 172.16.16.0 0.0.1.255 any
!
logging trap debugging
snmp-server community RO RO <REMOVED>
snmp-server community RW RO <REMOVED>
snmp-server community <REMOVED> RW
snmp-server community public RO
no cdp run

!
!
!
!
!
!
!
control-plane
!
!
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
banner motd ^C WARNING!! THIS IS A PRIVATE NETWORK. PROCEED NO FURTHER ^C
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 <REMOVED>
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
password 7 <REMOVED>
transport input telnet
line vty 16 156
!
scheduler allocate 20000 1000
end

——–error recieve on 2811 router—————————
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level critical, 0 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 248 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

Trap logging: level debugging, 253 message lines logged

Log Buffer (51200 bytes):
stun test inited

*Aug 23 11:04:29.211: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
*Aug 23 11:04:29.215: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
*Aug 23 11:04:31.327: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Aug 23 11:04:31.327: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Aug 23 11:04:31.327: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Aug 23 11:04:31.331: %LINEPROTO-5-UPDOWN: Line protocol on Interface SSLVPN-VIF0, changed state to up
*Aug 23 11:04:32.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Aug 23 11:04:32.727: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Aug 23 11:04:32.855: RSA key size needs to be atleast 768 bits for ssh version 2
000010: *Aug 23 11:04:46.231 UTC: %SYS-5-CONFIG_I: Configured from memory by console
000011: *Aug 23 11:04:46.583 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
000012: *Aug 23 11:04:47.111 UTC: %SYS-5-RESTART: System restarted –
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 10-Oct-08 00:05 by prod_rel_team
000013: *Aug 23 11:04:47.119 UTC: %SNMP-5-COLDSTART: SNMP agent on host corrouter is undergoing a cold start
000014: *Aug 23 11:04:47.195 UTC: %SSH-5-ENABLED: SSH 1.5 has been enabled
000015: *Aug 23 11:04:47.563 UTC: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
000016: *Aug 23 11:04:47.563 UTC: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
000017: *Aug 23 11:04:47.563 UTC: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
000018: *Aug 23 11:04:47.563 UTC: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
000019: *Aug 23 11:04:50.803 UTC: %SYS-6-BOOTTIME: Time taken to reboot after reload = 205 seconds
000020: *Aug 23 11:05:02.907 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
000021: *Aug 23 11:05:14.175 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
000022: *Aug 23 11:11:49.975 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
000023: *Aug 23 11:24:50.195 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
000024: *Aug 23 11:25:28.255 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
000025: *Aug 23 11:32:18.371 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
000026: *Aug 23 11:32:54.731 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
000027: *Aug 23 11:33:25.835 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
000028: *Aug 23 11:36:31.483 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty16 (172.16.16.153)
000029: *Aug 23 12:41:36.483 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000030: *Aug 23 12:44:30.323 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000031: *Aug 23 12:45:07.279 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000032: *Aug 23 12:57:33.323 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000033: *Aug 23 13:09:44.215 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000034: *Aug 23 13:09:47.563 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000035: *Aug 23 13:14:39.291 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000036: *Aug 23 13:19:57.271 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000037: *Aug 23 13:23:35.843 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000038: *Aug 23 13:29:34.455 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000039: *Aug 23 13:34:56.255 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000040: *Aug 23 13:38:54.715 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000041: *Aug 23 13:43:05.615 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000042: *Aug 23 13:43:13.323 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000043: *Aug 23 13:43:19.963 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000044: *Aug 23 13:43:35.567 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000045: *Aug 23 13:43:40.695 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000046: *Aug 23 13:45:17.843 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000047: *Aug 23 13:45:21.623 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000048: *Aug 23 14:04:45.951 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000049: *Aug 23 14:08:12.463 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000050: *Aug 23 14:19:24.887 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000051: *Aug 23 14:36:54.667 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000052: *Aug 23 14:40:08.559 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000053: *Aug 23 14:41:26.691 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000054: *Aug 23 14:42:36.599 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000055: *Aug 23 14:42:40.403 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000056: *Aug 23 14:42:55.707 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000057: *Aug 23 14:48:26.527 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000058: *Aug 23 14:59:13.219 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000059: *Aug 23 15:00:37.723 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000060: *Aug 23 15:14:20.586 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000061: *Aug 23 15:33:13.242 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000062: *Aug 23 15:33:18.738 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000063: *Aug 23 15:34:01.254 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000064: *Aug 23 15:38:31.782 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000065: *Aug 23 15:43:17.594 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000066: *Aug 23 15:48:21.074 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000067: *Aug 23 15:52:16.594 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000068: *Aug 23 15:52:25.322 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000069: *Aug 23 16:05:01.390 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000070: *Aug 23 16:06:54.130 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000071: *Aug 23 16:07:09.266 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000072: *Aug 23 16:07:11.202 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000073: *Aug 23 16:07:29.350 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000074: *Aug 23 16:08:49.298 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000075: *Aug 23 16:09:24.450 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000076: *Aug 23 16:12:51.418 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000077: *Aug 23 16:14:10.322 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000078: *Aug 23 16:15:13.934 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000079: *Aug 23 16:46:00.366 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000080: *Aug 23 16:47:13.062 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000081: *Aug 23 16:53:04.754 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000082: *Aug 23 16:53:45.798 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000083: *Aug 23 16:54:29.678 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000084: *Aug 23 17:02:19.042 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000085: *Aug 23 17:10:59.466 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000086: *Aug 23 17:17:43.818 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000087: *Aug 23 17:18:00.230 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000088: *Aug 23 17:18:23.478 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000089: *Aug 23 17:40:42.882 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000090: *Aug 23 20:53:25.637 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000091: *Aug 23 21:10:10.733 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000092: *Aug 23 21:16:49.521 UTC: %MV64340_ETHERNET-5-LATECOLLISION: FastEthernet0/0, late collision error
000093: *Aug 23 21:18:40.417 UTC: %MV643

Discuss This Question: 6  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • BlankReg
    To save this router being hacked, I have removed all the passwords and useful IP addresses that you had included. I would STRONGLY recommend that you change ALL the passwords immediately, as you do not know who has copied htis information.
    12,325 pointsBadges:
    report
  • BlankReg
    I am not convinced that you have configured the ASA - the information required is virtually the same for the router as for the ASA. On the ASA do the following access-list To-Remote permit ip {local subnet} {local mask} {remote subnet} {remote mask} access-list No-NAT permit ip {local subnet} {local mask} {remote subnet} {remote mask} nat (inside) 0 access-list No-NAT crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac crypto map Remote-Peer match address To-Remote crypto map Remote-Peer set peer {External IP address of remote router} crypto map Remote-Peer set transform-set VPN-TS crypto map Remote-Peer set pfs crypto map Remote-Peer interface outside crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3-des hash sha group 2 tunnel-group {External IP address of remote router} type l2l tunnel-group {External IP address of remote router} ipsec attributes pre-shared-key {the pre-shared-key} On the router crypto isakmp policy 10 encr 3des hash sha authentication pre-share group 2 ! crypto isakmp key {the pre-shared-key} address {outside addres of the ASA} ! crypto ipsec transform-set VPN-TS esp-3des esp-sha-hmac crypto ipsec nat-transparency spi-matching ! crypto map VPN-MAP 10 ipsec-isakmp set peer {outside addres of the ASA} set transform-set VPN-TS set pfs group2 match address VPN-ACL ! ip access-list extended VPN-ACL permit ip {local subnet to router} {local mask} {remote subnet at ASA} {remote mask} ! ! On the outside Interface interface FastEthernet0/0 crypto map VPN-MAP That shoudl then establish a 3-des VPN between these networks. On each side you need to set the route to the remote subnet to be either the VPN router or the ASA as appropriate.
    12,325 pointsBadges:
    report
  • RENCE01
    Hi BlankReg good day, thanks for your help to remove the hits password and really appreciated by the way under ASA we are using 2 separate network one for private and the othe one is outside with i almost configure site to site vpn same scenario for this site. It is connected to outside under firewall ASA and end is cisco 2811 this is the 1st time that end one is cisco 2811 the rest that we are using in other end site to site is sonic firewall. It is possible to work since when doing config under ASA i'm login into ASA and then go to configuration then SITE TO SITE VPN then put the same configuration doing on others vpn config (via webbase). So the main problem is the configuration of cisco2811 since i need to stablished vpn site to site on cisco 2811. Hope you can add and tackle more about how i can do the config cli under 2811. Again thanks you for your help about the the removing list of hits password and i change already...please update and advise me if any additional info to be add....
    50 pointsBadges:
    report
  • BlankReg
    If you are using the web based configuration for the ASA, then I need to know what parameters you are using for this. Have you tried the router config that I posted above ? I think it should match the basic parameters you have for the ASA. If it doesn't work, then modify the values to match what you have set on the ASA. If that doesn't work, then post the crypto commands from the ASA CLI, (removing any IP addresses and passwords !) which should help me to understand what you have configured there.
    12,325 pointsBadges:
    report
  • RENCE01
    Hi BlankReg, parameters as listed below Just configure site to site VPN under ASA5510 and having configuration as listed- IKE Authentication-preshared Key, IKE Proposal-pre-shared-3des-sha,IPsec proposal-ESP-3DES-SHA, CryptoMap Entry-enable, NAT-T-Enable, IKENegotiation Mode-Main, Group Policy-Enable, Group 2 I'm trying now the config posted you given me at the parameters listed above is the one configure on ASA. I can provide some info if this is not complete. thanks bro for urgent reply and hope can up the vpn...thanks...Lope
    50 pointsBadges:
    report
  • BlankReg
    Looks about the same, just leave out the 'set pfs group2' command on the crypto map.
    12,325 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following