ASA 8.4 troubleshooting steps..

raajesh8228 (Level 1)

Hi guys,

 

Can you please help me out with troubleshooting steps for ASA FW.

Accepted Solution

Hi Rajesh,

 

If you have overlapping subnets on both ends then you have to do NAT on the subnet.

Say in site A you have 192.168.10.0/24 (real); then NAT it to 192.168.20.0/24.

In site B you have 192.168.10.0/24 (real); then NAT it to 192.168.30.0/24.

 

Your crypto ACL at site A should use the NATed subnets.

Site A should look like

! local (NATed) 192.168.20.0/24 to remote (NATed) 192.168.30.0/24
access-list crypto_acl extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! mirror image: the line the crypto ACL at the other end must match
access-list crypto_acl extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

 

Then it should work

 

Regards

Karthik


9 Replies

nkarthikeyan (Level 7)

Hi Rajesh,

You have to go through the document:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/admin_trouble.html

 

Else specify which part of the config you want to troubleshoot, so that we can suggest.

 

Regards

Karthik

 

 

Need to know what issue you are troubleshooting to be able to give you the steps and possible solution.  Please be as detailed as possible when describing the issue, and include the ASA version and model.

--

Please remember to select a correct answer and rate helpful posts


raajesh8228 (Level 1)

Hi,

 

I am facing problems with site-to-site and remote VPN issues.

As noted by Karthik and Marius, useful answers to specific questions require you to give us some details.

For example:

"I am running a site-site VPN with my end being an ASA 5515-X running ASA software 9.1(3). A sanitized copy of the current running-configuration is in the attached file. The VPN is new and has not yet worked properly. I am trying to connect from local network 192.168.1.0/24 to remote network 172.16.1.0/24. The ASA's inside interface address is the default gateway for my client which is at 192.168.1.10. I am trying unsuccessfully to reach a web server via http at 172.16.1.100."

With that kind of question, we can give well-informed suggestions and answers. Otherwise we can only give general answers like "check the configuration" or "run a couple of show commands" that may or may not be useful.

There is a general troubleshooting guide for VPN on ASA here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

Well, without knowing much more about your network, the troubleshooting steps for site-to-site would be as follows:

1. make sure that both sites have the same crypto policy map parameters configured

2. make sure that both sites have the same transform set parameters configured

3. if using preshared key, make sure the tunnel group is configured with the correct key at both sites

4. make sure that the crypto ACLs at both sites are mirror images of each other.

5. make sure you have applied the crypto map to the outside interface

6. depending on your ASA version, make sure you have enabled ikev1 or ikev2 (depending on which version you are using) on the outside interface.

For the remote access VPN it depends on if you are using AnyConnect VPN or IPsec VPN.

To troubleshoot further you can use debug commands to get more info and find out if there are issues in either IKE Phase 1 or Phase 2 of the VPN establishment.

debug crypto isakmp sa
debug crypto ipsec sa

Newer versions:

debug crypto ikev1
debug crypto ipsec

--

Please remember to select a correct answer and rate helpful posts


Hi Guys,

 

Thanks to all for providing the troubleshooting steps.

Hi guys,

 

Please find the issue details.

 

We have configured a site-to-site VPN from site A to B.

ASA : 8.4

Both ends' VPN parameters are the same.

 

Phase I is coming up but not Phase II.

 

Site A:

 

Source subnet : 192.168.X.0/24

Site B :

Subnet : 192.168.X.0/24

Both subnets are overlapping and communication is not happening. Please suggest on this.

 

 

 

 

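Karthik's accepted answer gives the idea (NAT each real 192.168.10.0/24 to a distinct mapped subnet and build the crypto ACL from the mapped subnets) and the six-step checklist earlier in the thread lists what must match at both ends. The following is an added example, not configuration from this thread or from Cisco documentation, that puts the two together in ASA 8.4 syntax: twice NAT for the overlapping subnet at both sites, mirror-image crypto ACLs on the mapped subnets, and the show commands that verify each checklist step. The object names, the peer addresses 203.0.113.1 and 203.0.113.2, the names outside_map and TS_AES256_SHA, the IKEv1 policy values and the pre-shared-key placeholder are all assumptions; the mapped subnets 192.168.20.0/24 and 192.168.30.0/24 are Karthik's.

```cisco
! ===== Site A: real inside subnet 192.168.10.0/24, mapped 192.168.20.0/24 =====
object network SITEA_REAL
 subnet 192.168.10.0 255.255.255.0
object network SITEA_MAPPED
 subnet 192.168.20.0 255.255.255.0
object network SITEB_MAPPED
 subnet 192.168.30.0 255.255.255.0
! Twice NAT: when a site A host sends to a site B mapped address, rewrite the
! source to site A's mapped subnet and leave the destination as it is. The rule
! is bidirectional, so replies from 192.168.30.x to 192.168.20.x are untranslated
! back to the real 192.168.10.x host.
nat (inside,outside) source static SITEA_REAL SITEA_MAPPED destination static SITEB_MAPPED SITEB_MAPPED
! Crypto ACL (checklist step 4) refers only to mapped subnets and is the mirror
! image of the site B ACL below.
access-list crypto_acl extended permit ip object SITEA_MAPPED object SITEB_MAPPED
! Phase 1 parameters (step 1): must be identical at site B.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set (step 2): must be identical at site B.
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
! Crypto map bound to the outside interface (step 5) and IKEv1 enabled on it (step 6).
crypto map outside_map 10 match address crypto_acl
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set TS_AES256_SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
! Tunnel group named after the peer, with the pre-shared key (step 3).
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! ===== Site B: real inside subnet also 192.168.10.0/24, mapped 192.168.30.0/24 =====
object network SITEB_REAL
 subnet 192.168.10.0 255.255.255.0
object network SITEB_MAPPED
 subnet 192.168.30.0 255.255.255.0
object network SITEA_MAPPED
 subnet 192.168.20.0 255.255.255.0
nat (inside,outside) source static SITEB_REAL SITEB_MAPPED destination static SITEA_MAPPED SITEA_MAPPED
! Mirror image of the site A crypto ACL.
access-list crypto_acl extended permit ip object SITEB_MAPPED object SITEA_MAPPED
! ikev1 policy, transform set and crypto map are identical to site A except that
! the peer and the tunnel-group name are 203.0.113.1.

! ===== Verification, run on each ASA and compared side by side =====
! Steps 1 and 6: policies match and "crypto ikev1 enable outside" is present.
show running-config crypto ikev1
! Step 2: transform sets match.
show running-config crypto ipsec
! Step 3: tunnel-group exists for the peer address and has a pre-shared key.
show running-config tunnel-group
! Step 4: each side's ACL is the mirror image of the other.
show running-config access-list crypto_acl
! Step 5: crypto map applied to outside, correct peer and transform set.
show running-config crypto map
! Twice NAT rule present; the translate_hits counter should increase with traffic.
show nat
! Phase 1 state: an entry in MM_ACTIVE for the peer means Phase 1 is fine.
show crypto ikev1 sa
! Phase 2: local/remote ident must show the mapped subnets; if Phase 1 is up but
! no SA appears here, steps 2 and 4 (transform set, crypto ACL) are the usual cause.
show crypto ipsec sa
! Simulate one inside host reaching a site B mapped address and confirm the
! NAT and VPN encrypt phases both show ALLOW (constructed sample hosts).
packet-tracer input inside tcp 192.168.10.10 12345 192.168.30.10 80
```

Hosts at site A address site B hosts by their 192.168.30.x mapped addresses and vice versa; a request to a real 192.168.10.x address stays local, which is exactly why the overlap has to be hidden behind the mapped subnets before it enters the tunnel.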

When you say the subnets are overlapping do you mean that both sites...for example...use the subnet 192.168.30.0/24?

If that is the case and it is not an option to change the IP address scheme at one of the sites, you will need to use NAT to help solve this issue. On top of that, you would need to change the crypto ACL to have the NATed IPs configured as interesting traffic, and you would need to use the NATed IP to reach the remote site. This will need to be done at both sites.

But before we get too far into the details, please confirm that this is the issue you are facing when you say you have overlapping IP subnets.

--

Please remember to select a correct answer and rate helpful posts
