cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1676
Views
0
Helpful
8
Replies

How to setup Cisco ASA 5506 PPPoE Site to Site VPN

ShadowoftheD
Level 1
Level 1

Hi,

 

We have an existing Remote Site using an ASA 5506. We're connected to this site via a site to site vpn. We've decided to switch to another provider for budgeting purposes and we've obtained a broadband to that site. The problem is they gave us a PPPoE /32 ip address and thus we'll have to make a few configuration changes. The primary thing I noticed is when we switched over to PPPoE is I can't ping the public ip, thus killing the site to site vpn. I even added an allow any any rule in the firewall but i still can't ping the public interface. 

 

Is there anything that i should know to allow the public ip to be pingable when changing the ip from a static to a PPPoE in a Cisco ASA 5506?

 

THanks

1 Accepted Solution

Accepted Solutions

Session is being torn down. Reason: crypto map policy not found   - see some logs failed one

 

Look at the below thread and change setting on Meraki and try

 

https://community.meraki.com/t5/Security-SD-WAN/VPN-stops-passing-traffic-between-Meraki-Security-Appliances-and/td-p/1505/page/2

 

ASA diag tipds for reference :

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

Not sure if the provider allowed PING yes or no, check with provider that.

 

1. The site to Site VPN do not require Ping, as long they able to have communication.

2. check other required ports open for you to establish a tunnel ?

3. from the new provider you able to use the internet and other sites normally as expected as ISP provider?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

1. The site to Site VPN do not require Ping, as long they able to have communication.

2. check other required ports open for you to establish a tunnel ?

3. from the new provider you able to use the internet and other sites normally as expected as ISP provider?

Yeah ping isn't required but I like to use it for troubleshooting. 

I already did an any any rule in the i still can't ping google 8.8.8.8 from the PPPoE interface

the provider s

I already did an any any rule in the i still can't ping google 8.8.8.8 from the PPPoE interface

 

BB - This case different, first you need to have basic connectivity over the internet, before you establish the S2S VPN connection.

 

you need to fix this, post the configuration, the one not having ping to 8.8.8.8 ? is this 8.8.8.8 not pining after S2S config or before?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ok I got internet access for the PPPoE in ASA 5506

asa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/30 ms
asa#

However, I'm trying to follow the wizard vpn and i can't seem to establish the vpn. i'm faced again with the issue of unable to ping the peer ip however from the other side i can ping the pppoe ip. Is a PPPoE interface allowed to do a site to site vpn peering?

Thanks

Some ASA not allowed to ping, so you wont be able to ping back the WAN Public IP address.

 

Can you post VPN config Both the side, and also look at the logs related to VPN, where do you see the issue Phase 1 or Phase2 ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

Sure, here is the config on my ASA



!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group PLDT
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

object-group network Group_Inside_Subnets
network-object 192.168.1.0 255.255.255.0

object-group network Group_HQ_Inside_Subnets
network-object 10.11.15.224 255.255.255.224

access-list 100 extended permit icmp any any
access-list outside_cryptomap extended permit ip object-group Group_Inside_Subnets object-group Group_HQ_Inside_Subnets

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 100.100.100.100
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside

crypto ikev2 enable outside
crypto ikev1 enable outside

group-policy GroupPolicy_100.100.100.100 internal
group-policy GroupPolicy_100.100.100.100 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 100.100.100.100 type ipsec-l2l
tunnel-group 100.100.100.100 general-attributes
default-group-policy GroupPolicy_100.100.100.100
tunnel-group 100.100.100.100 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****



I'm peering with Meraki so no cli output but here's the config on their end

set at Default
Phase 1
Encryption: 3DES
Auth: SHA1
lifetime: 28800

Phase 2
Encryption: AES256, AES192, AES128 3DES
Auth: SHA1, MD5
PFS Group: off
Lifetime: 28800

ASA is giving out these logs as well

5 Mar 03 2020 3:00:48 713259 Group = 100.100.100.100, IP = 100.100.100.100, Session is being torn down. Reason: crypto map policy not found
3 Mar 03 2020 3:00:48 713902 Group = 100.100.100.100, IP = 100.100.100.100, Removing peer from correlator table failed, no match!
3 Mar 03 2020 3:00:48 713061 Group = 100.100.100.100, IP = 100.100.100.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.11.15.128/255.255.255.224/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside

 

Phase 1 is fine though

 

5 Mar 03 2020 2:55:16 713119 Group = 100.100.100.100, IP = 100.100.100.100, PHASE 1 COMPLETED

Thanks!

Session is being torn down. Reason: crypto map policy not found   - see some logs failed one

 

Look at the below thread and change setting on Meraki and try

 

https://community.meraki.com/t5/Security-SD-WAN/VPN-stops-passing-traffic-between-Meraki-Security-Appliances-and/td-p/1505/page/2

 

ASA diag tipds for reference :

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks Balaji, finally got the vpn to work although I can't ping end devices lol. its okay i'll just post another forum questio for it.

Thanks again!
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: