Re: IOS to IOS VPN across ASA

From: Ajay mehra (ajaymehra01@gmail.com)
Date: Wed Aug 06 2008 - 05:47:31 ART


I got an answer for my 1st query. In the ASA I did not clear the xlate table before
initiating the connection from outside. Since there was a previous entry for UDP
port 500 in the xlate table I was able to initiate the tunnel from outside.

But surely I am still looking for the answer to the second query until I find it by
myself :).

Thanks,
Ajay

On 06/08/2008, Ajay mehra <ajaymehra01@gmail.com> wrote:

> Hi,
>
>
> I started with IE labs today and was trying to do IOS to IOS IPsec across the
> ASA.
> Can you please help me in finding the correct answer for these questions?
>
>
>
> I have R1---------------ASA-----------------------R2 with R1 on inside and
> R2 on outside network.
>
> R1 is 136.1.121.1 and R2 is 136.1.122.2
>
> 1: To establish an IPsec tunnel using ESP we should permit ESP on the outside
> interface. Also we need to permit UDP port 500 for ISAKMP on the outside (only
> if we are initiating the tunnel from R2). But in my case the tunnel comes up even
> though I do not have any access-list entry to permit UDP port 500 on the outside
> interface, and I am initiating the connection from R2.
>
>
> access-list OUTSIDE_IN extended permit icmp any any
> access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
> access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
> access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host 136.1.121.1
> access-group OUTSIDE_IN in interface outside
>
> Why is ISAKMP phase 1 negotiation successful when I initiate the connection from
> R2 even though I do not permit UDP port 500 on the outside interface?
>
>
>
> 2: Will the IPsec tunnel remain up even if I clear the ISAKMP SA? I was under the
> impression that clearing the phase 1 SA would clear the phase 2 SA also.
>
> After I do "clea crypto isakm sa" I still have counters incrementing for
> packets encrypted and decrypted.
>
>
>
> R2(config-if)#do sh cryp isa sa
> dst src state conn-id slot status
>
> R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
> #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
> R2(config-if)#
>
> R2(config-if)#do pi 150.1.1.1 so 150.1.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
> Packet sent with a source address of 150.1.2.2
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
>
> R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
> #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
> #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
> R2(config-if)#
>
>
>
>
>
> Thanks,
>
> Ajay
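
Added illustration of the first point (not code from the post or from Cisco): a
minimal model of a stateful firewall's decision for traffic arriving on the
outside interface. An inbound packet that matches a state entry created by
earlier inside-to-outside traffic is accepted without consulting the interface
access-list; only when no such entry exists is OUTSIDE_IN evaluated. The ACL
entries and the R1/R2 addresses are those from the post; the names `Firewall`,
`clear_xlate` and `demo`, identity NAT, and the assumption that clearing the
xlate drops the UDP/500 entry are this example's own simplifications.

```python
"""Simplified stateful-firewall model (added example, not ASA code).

State lookup happens before the access-list, so a UDP/500 entry left behind
by an earlier inside-initiated ISAKMP exchange lets R2 start a new
negotiation even though OUTSIDE_IN never permits UDP/500.  Clearing that
state (modelled here as clear_xlate, an assumption of this toy) makes the
same packet fall through to the ACL and be denied, while ESP still passes
on its explicit ACL entry.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", "icmp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class AclEntry:
    proto: str
    src: str                    # "any" or a host address
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport


# OUTSIDE_IN exactly as listed in the post (www = 80, ntp = 123).
OUTSIDE_IN = [
    AclEntry("icmp", "any", "any"),
    AclEntry("tcp", "any", "10.0.0.100", 80),
    AclEntry("udp", "any", "10.0.0.100", 123),
    AclEntry("esp", "136.1.122.2", "136.1.121.1"),
]


class Firewall:
    def __init__(self, acl):
        self.acl = acl
        # 5-tuples learned from inside-initiated traffic (identity NAT assumed).
        self.state = set()

    def outbound(self, p: Packet) -> None:
        """Inside-to-outside traffic is allowed and creates a state entry."""
        self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def clear_xlate(self) -> None:
        """Assumption of this model: clearing the xlate drops the state."""
        self.state.clear()

    def inbound(self, p: Packet) -> str:
        """Outside-to-inside: existing state first, then the access-list."""
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.state:
            return "permit (existing entry)"
        if any(e.matches(p) for e in self.acl):
            return "permit (access-list)"
        return "deny"


def isakmp_from_r2() -> Packet:
    """R2 (outside) starting IKE phase 1 towards R1 (inside)."""
    return Packet("udp", "136.1.122.2", "136.1.121.1", 500, 500)


def demo() -> dict:
    fw = Firewall(OUTSIDE_IN)
    # R1 negotiated from the inside earlier, leaving a UDP/500 entry behind.
    fw.outbound(Packet("udp", "136.1.121.1", "136.1.122.2", 500, 500))
    results = {"before_clear": fw.inbound(isakmp_from_r2())}
    fw.clear_xlate()
    results["after_clear"] = fw.inbound(isakmp_from_r2())
    results["esp_after_clear"] = fw.inbound(
        Packet("esp", "136.1.122.2", "136.1.121.1"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it prints "permit (existing entry)" for the first R2-initiated ISAKMP
packet, "deny" for the same packet once the state is cleared, and
"permit (access-list)" for ESP, which is the sequence the reply above describes:
clear the stale entry before testing, or the test does not exercise the ACL.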

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART