
CCIE - Internetwork Expert's Online Community

Latest post 11-22-2008 5:11 AM by gochinagi. 5 replies.
Page 1 of 1 (6 items)
  • 10-25-2008 8:35 AM

    ASA 8.0.x LAN to LAN IPSEC rsa-sig not working

    Folks,

     

    (Workbook Vol. 1 lab: IPSEC LAN to LAN between Router and ASA)

    Anyone have a working configuration for LAN to LAN IPSEC with rsa-sig between ASA (8.0.x) and Router?

    I spent almost 5 hours debugging but I haven't found any solution.

    The same configuration works perfectly with 7.2.x.

    I've checked the bug list and I see only one related to 8.0.3 where IPSEC rsa-sig stops working (for remote access VPN).

     

    • Post Points: 35
  • 10-31-2008 6:43 AM In reply to

    • LEB
    • Top 500 Contributor
    • Joined on 10-15-2008
    • Bergen, Norway
    • Posts 6
    • Points 75

    Re: ASA 8.0.x LAN to LAN IPSEC rsa-sig not working

    Which specific version of 8.0 are you using?

     

    -Erik

     

    • Post Points: 20
  • 11-02-2008 8:30 AM In reply to

    Re: ASA 8.0.x LAN to LAN IPSEC rsa-sig not working

    I've tried 8.0.3; after downgrading to 7.2 the same config works.

    I also found that certificate authentication is sometimes really buggy.

    I think it is something related to how ASA 8.0.3 parses the subject-name.

    • Post Points: 5
  • 11-04-2008 4:35 AM In reply to

    Re: ASA 8.0.x LAN to LAN IPSEC rsa-sig not working

    Mate - can you post your config - I'll lab it up here and take a peek ;-)

    • Post Points: 20
  • 11-20-2008 4:55 AM In reply to

    • gochinagi
    • Top 200 Contributor
    • Joined on 10-21-2008
    • Posts 7
    • Points 50

    Re: ASA 8.0.x LAN to LAN IPSEC rsa-sig not working

    Hi,

    I have the same problem with LAN-to-LAN.

    This is the configuration on R3 and the ASA:

    R3#show running-config
    Building configuration...

    Current configuration : 1369 bytes
    !
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R3
    !
    logging queue-limit 100
    !
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    !
    ! Phase 1 (ISAKMP) policy: 3DES / MD5 / DH group 2, pre-shared key for the ASA outside address
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key CISCO address 136.1.123.12
    !
    ! Phase 2 transform set; the ASA must offer the same esp-3des / esp-md5-hmac combination
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    !
    ! Crypto map: peer is the ASA outside interface, interesting traffic is VLAN23 -> VLAN121 (mirror of the ASA ACL)
    crypto map VPN 10 ipsec-isakmp
     set peer 136.1.123.12
     set transform-set 3DES_MD5
     match address VLAN23_TO_VLAN121
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no voice hpi capture buffer
    no voice hpi capture destination
    !
    !
    mta receive maximum-recipients 0
    !
    !
    !
    !
    interface Ethernet0/0
     ip address 136.1.123.3 255.255.255.0
     half-duplex
     crypto map VPN
    !
    interface Ethernet0/1
     ip address 136.1.23.3 255.255.255.0
     half-duplex
    !
    interface Serial1/0
     no ip address
     shutdown
    !
    interface Serial1/1
     no ip address
     shutdown
    !
    interface Serial1/2
     no ip address
     shutdown
    !
    interface Serial1/3
     no ip address
     shutdown
    !
    router rip
     version 2
     network 136.1.0.0
     no auto-summary
    !
    ip http server
    no ip http secure-server
    ip classless
    !
    !
    !
    ip access-list extended VLAN23_TO_VLAN121
     permit ip 136.1.23.0 0.0.0.255 136.1.121.0 0.0.0.255
    !        
    !
    call rsvp-sync
    !
    !
    mgcp profile default
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
    !
    !
    end

     

     

    ======================

     


    ASA1# show running-config
    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname ASA1
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 136.1.123.12 255.255.255.0
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 136.1.121.12 255.255.255.0
    !
    interface Ethernet0/2
     nameif dmz
     security-level 50
     ip address 10.0.0.12 255.255.255.0
    !
    interface Ethernet0/3
     shutdown
     no nameif   
     no security-level
     no ip address
    !
    interface Management0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
    access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
    access-list OUTSIDE_IN extended permit icmp any any
    access-list VLAN121_TO_VLAN23 extended permit ip 136.1.121.0 255.255.255.0 136.1.23.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    access-group OUTSIDE_IN in interface outside
    !
    router rip
     network 10.0.0.0
     network 136.1.0.0
     version 2
     no auto-summary
    !
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    ! The peer must be R3's crypto-map interface, 136.1.123.3. The posted config had 136.2.123.3 here and in
    ! the tunnel-group, an address that exists on neither side, so IKE from R3 would match neither the map nor
    ! an L2L tunnel-group.
    crypto map VPN 10 match address VLAN121_TO_VLAN23
    crypto map VPN 10 set peer 136.1.123.3
    crypto map VPN 10 set transform-set 3DES_MD5
    crypto map VPN interface outside
    crypto isakmp enable outside
    ! Phase 1 policy mirrors R3: 3DES / MD5 / pre-share / DH group 2
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    ! L2L tunnel-group is keyed by the peer address and holds the pre-shared key
    tunnel-group 136.1.123.3 type ipsec-l2l
    tunnel-group 136.1.123.3 ipsec-attributes
     pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context

     

     

     

     

    Thank you for your help,

    • Post Points: 5
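An added example that is not part of the thread: a small Python cross-check that reads the crypto-relevant lines of an IOS crypto-map configuration and an ASA ipsec-l2l configuration like the two posted above and reports the mismatches that most often keep a LAN-to-LAN tunnel down: a peer address that is not the far side's crypto-map interface, no ipsec-l2l tunnel-group for the router's address, crypto ACLs that are not mirror images (IOS wildcard masks and ASA netmasks are both normalised through ipaddress), and differing ISAKMP policies. The trimmed config strings are constructed from the posted excerpts, and the ASA one is given a deliberately wrong peer, 136.2.123.3, a subnet that exists on neither side, so the check has something to report; the function names (`parse`, `check_pair`) are this example's own. It only understands network/mask ACL entries, not `host` or `any`.

```python
"""Cross-check an IOS crypto-map site against an ASA ipsec-l2l site: peer and
tunnel-group, crypto-ACL mirroring and ISAKMP policy (added example, not from the thread)."""
import ipaddress

# Constructed input: trimmed copy of R3's posted config.
IOS_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto map VPN 10 ipsec-isakmp
 set peer 136.1.123.12
 match address VLAN23_TO_VLAN121
interface Ethernet0/0
 ip address 136.1.123.3 255.255.255.0
 crypto map VPN
ip access-list extended VLAN23_TO_VLAN121
 permit ip 136.1.23.0 0.0.0.255 136.1.121.0 0.0.0.255
"""
# Constructed input: trimmed ASA config with a deliberately wrong peer (136.2.123.3).
ASA_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 136.1.123.12 255.255.255.0
access-list VLAN121_TO_VLAN23 extended permit ip 136.1.121.0 255.255.255.0 136.1.23.0 255.255.255.0
crypto map VPN 10 match address VLAN121_TO_VLAN23
crypto map VPN 10 set peer 136.2.123.3
crypto map VPN interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 136.2.123.3 type ipsec-l2l
"""
PHASE1 = ("encr", "encryption", "hash", "authentication", "group")  # lifetime is deliberately ignored

def _walk(text):
    """Yield (parent, line) pairs; parent is the last unindented config line."""
    parent = ""
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):
            parent = parent if raw[0] == " " else raw.strip()
            yield parent, raw.strip()

def _net(addr, mask):  # ipaddress accepts ASA netmasks and IOS wildcard (host) masks alike
    return str(ipaddress.ip_network(f"{addr}/{mask}"))

def parse(text):
    """Parse the crypto-relevant lines of either an IOS or an ASA running-config."""
    s = {"ifaces": {}, "acls": {}, "policy": {}, "tunnel_groups": set(), "peer": None, "acl": None, "crypto_iface": None}
    nameif = None
    for parent, line in _walk(text):
        w, p = line.split(), parent.split()
        # crypto-map arguments: indented under the map on IOS, one flat line per entry on the ASA
        cm = w[4:] if w[:2] == ["crypto", "map"] else (w if p[:2] == ["crypto", "map"] else [])
        if w[:1] == ["interface"]:
            nameif = None                        # new interface block
        elif p[:1] == ["interface"] and w[0] == "nameif":
            nameif = w[1]                        # ASA addresses are keyed by nameif
        elif p[:1] == ["interface"] and w[:2] == ["ip", "address"]:
            s["ifaces"][nameif or p[1]] = w[2]   # IOS addresses are keyed by interface name
        elif p[:1] == ["interface"] and w[:2] == ["crypto", "map"]:
            s["crypto_iface"] = p[1]             # IOS: map applied inside the interface
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            s["crypto_iface"] = w[4]             # ASA: crypto map NAME interface NAMEIF
        elif cm[:2] == ["set", "peer"]:
            s["peer"] = cm[2]
        elif cm[:2] == ["match", "address"]:
            s["acl"] = cm[2]
        elif p[:3] == ["crypto", "isakmp", "policy"] and w[0] in PHASE1:
            s["policy"]["encryption" if w[0] == "encr" else w[0]] = w[1]
        elif p[:2] == ["ip", "access-list"] and w[:2] == ["permit", "ip"]:
            s["acls"].setdefault(p[-1], set()).add((_net(w[2], w[3]), _net(w[4], w[5])))
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            s["acls"].setdefault(w[1], set()).add((_net(w[5], w[6]), _net(w[7], w[8])))
        elif w[0] == "tunnel-group" and w[2:4] == ["type", "ipsec-l2l"]:
            s["tunnel_groups"].add(w[1])
    s["outside_ip"] = s["ifaces"].get(s["crypto_iface"])
    s["flows"] = s["acls"].get(s["acl"], set())
    return s

def check_pair(ios, asa):
    """Return human-readable mismatches; an empty list means both sides agree."""
    checks = [
        (ios["peer"] == asa["outside_ip"], f"IOS peer {ios['peer']} is not the ASA {asa['crypto_iface']} address {asa['outside_ip']}"),
        (asa["peer"] == ios["outside_ip"], f"ASA peer {asa['peer']} is not the IOS {ios['crypto_iface']} address {ios['outside_ip']}"),
        (ios["outside_ip"] in asa["tunnel_groups"], f"no ipsec-l2l tunnel-group for {ios['outside_ip']}: IKE from the router finds no pre-shared key"),
        (ios["flows"] == {(d, s) for s, d in asa["flows"]}, f"crypto ACLs are not mirror images: {sorted(ios['flows'])} vs {sorted(asa['flows'])}"),
        (ios["policy"] == asa["policy"], f"ISAKMP policies differ: {ios['policy']} vs {asa['policy']}"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling `check_pair(parse(IOS_CONFIG), parse(ASA_CONFIG))` on the strings above returns two findings, both caused by the bad peer address; replacing 136.2.123.3 with 136.1.123.3 in the ASA text returns an empty list. An empty list only means the two sides agree on paper: the SA is still negotiated only when traffic matching the crypto ACL reaches the crypto-map interface, which is what a ping sourced from the inside interface provides.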
  • 11-22-2008 5:11 AM In reply to

    • gochinagi
    • Top 200 Contributor
    • Joined on 10-21-2008
    • Posts 7
    • Points 50

    Re: ASA 8.0.x LAN to LAN IPSEC rsa-sig not working

    Hi Me,

    All configurations are good; you just need to activate some traffic to this peer, like this:

    R3#ping 136.1.121.1 source ethernet 0/1

    and it will work.

    Regards

    BOB

    • Post Points: 5