Cannot establish site-site vpn tunnel through ASA 9.1(2)

plwalsh (Level 1)

Hi,

We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also has a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address. We do not use NAT.

The site-site VPN tunnel fails to establish.

The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?

Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?

Regards

Accepted Solution

>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?

Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):

  • UDP/500
  • UDP/4500 (even if you don't use NAT, the remote gateway could be located behind a NAT gateway)
  • IP/50
  • for testing ICMP/Echo

If you allowed full IP-access between these two endpoints, it is more than enough.

  1. When they start testing, do you see a connection on your ASA? There should be at least UDP/500 traffic.
  2. Can the two gateways ping each other?

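As an added example (not from the thread or its author), this is what the minimal rule set for the list above looks like on an ASA, followed by the commands that answer the two checks at the end of the answer. All addresses, interface names and ACL names are constructed placeholders; the thread's "full access" rules already cover everything here, so the point is to see which traffic the tunnel actually needs and how to confirm it is arriving.

```cisco
! Constructed placeholders (not from the thread):
!   198.51.100.20 = dept firewall public address, behind interface "inside"
!   203.0.113.10  = remote VPN gateway, reached via interface "outside"
!
! Inbound from the remote gateway: IKE (UDP/500), NAT-T (UDP/4500),
! ESP (IP protocol 50) and ICMP echo for testing.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.20 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 198.51.100.20 eq 4500
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 198.51.100.20
access-list OUTSIDE_IN extended permit icmp host 203.0.113.10 host 198.51.100.20 echo
access-list OUTSIDE_IN extended permit icmp host 203.0.113.10 host 198.51.100.20 echo-reply
!
! Outbound from the dept firewall: the same four items in the other direction.
access-list INSIDE_IN extended permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list INSIDE_IN extended permit udp host 198.51.100.20 host 203.0.113.10 eq 4500
access-list INSIDE_IN extended permit esp host 198.51.100.20 host 203.0.113.10
access-list INSIDE_IN extended permit icmp host 198.51.100.20 host 203.0.113.10 echo
access-list INSIDE_IN extended permit icmp host 198.51.100.20 host 203.0.113.10 echo-reply
!
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
!
! Check 1: does the ASA permit IKE from the remote gateway at all?
! packet-tracer simulates one UDP/500 packet through the ACL and routing
! and reports ALLOW or DROP with the phase that dropped it.
packet-tracer input outside udp 203.0.113.10 500 198.51.100.20 500
!
! Check 1, continued: does UDP/500 actually arrive while they test?
! The capture only matches IKE between the two gateways.
capture VPNCHK interface outside match udp host 203.0.113.10 host 198.51.100.20 eq 500
show capture VPNCHK
no capture VPNCHK
!
! Current connections involving the remote gateway (expect UDP/500, then UDP/4500
! if NAT-T is negotiated; ESP shows up only once phase 2 completes).
show conn address 203.0.113.10
```

If packet-tracer reports ALLOW but the capture stays empty, the packets are not reaching the ASA and the problem is upstream of it, not in the firewall policy.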

