new 5505 and 5510

ashleyisa
Level 1

I have just bought a brand new 5505 and a 5510 which I want to install for a company to replace their old firewalls.

I created a basic setup on both firewalls with a router in between in a test lab to create a site-to-site VPN tunnel.

But the tunnel doesn't come up.

It just shows:

RS-NWY-ASA# sh crypto is sa

There are no isakmp sas

RS-NWY-ASA# sh crypto is sa

There are no isakmp sas

I can ping from one firewall to the other, but I cannot ping from LAN to LAN as the tunnel does not come up.

I have attached both configs, hope some



brquinn
Level 1

Ashley,

This discussion would probably do better in the VPN forum. But to get you started, try enabling your isakmp and ipsec debugs. If there's a problem with the VPN, then this should get you on the right track.

Ex:

debug crypto ipsec

debug crypto isakmp

If you don't get any crypto debugs, there may be another problem. You may also want to upgrade to the latest 8.3.2.x interim build to make sure you're not hitting any bugs.

Thanks,

Brendan

Hey Brendan,

Both debugs show nothing and I'm running the latest software; these ASAs are brand new.

Actually, I think the problem may be your NAT rules. You have configured 2 Manual NAT rules. These are processed in order, as opposed to the Auto NAT rules, which are not. This means that your traffic will always hit your PAT config and never reach the static below. There are 2 solutions.

1) Reorder your rules. Just remove and re-add the PAT statement and it will be moved to the bottom.

no nat (LAN,WAN) source dynamic any interface
nat (LAN,WAN) source dynamic any interface

2) Configure your PAT with auto NAT. (preferred)

no nat (LAN,WAN) source dynamic any interface

! interface names follow the (LAN,WAN) pair used in the other rules above
object network NETWORK_OBJ_192.168.144.0_24
 nat (LAN,WAN) dynamic interface

Thanks,

Brendan
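The ordering problem Brendan describes is easy to reason about with a small model of how the ASA picks a NAT rule. The script below is an added illustration, not code from the thread or from Cisco: it walks manual NAT (section 1) in configuration order, then auto NAT (section 2), applies the first match, and then checks whether the post-NAT packet still matches a LAN-to-remote-LAN crypto ACL. The remote LAN, WAN address and host addresses are constructed; the identity rule is assumed to be the usual NAT exemption for the VPN traffic, and the local prefix is taken from the object name in the thread. The model only keeps the cross-section order, not the ASA's internal sorting inside section 2.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the illustration. Only the local LAN prefix comes from
# the thread (the object name NETWORK_OBJ_192.168.144.0_24); the rest is assumed.
LOCAL_LAN = ipaddress.ip_network("192.168.144.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.200.0/24")   # assumed remote site LAN
WAN_IP = ipaddress.ip_address("203.0.113.10")           # assumed WAN interface address


@dataclass(frozen=True)
class NatRule:
    cli: str          # the ASA command the rule stands for (readability only)
    section: int      # 1 = manual NAT (before auto), 2 = auto/object NAT, 3 = manual "after-auto"
    position: int     # order inside the section; section 1 is strictly configuration order
    src: object       # ipaddress network to match the real source, or None for "any"
    dst: object       # ipaddress network to match the destination, or None for "any"
    action: str       # "pat" = translate source to the WAN interface, "identity" = leave unchanged


def _matches(net, ip):
    return net is None or ip in net


def first_matching_rule(rules, src_ip, dst_ip):
    """Walk section 1 in configured order, then section 2, then section 3, and
    use the first rule that matches (the ASA's own ordering inside section 2 is
    not modelled here)."""
    for rule in sorted(rules, key=lambda r: (r.section, r.position)):
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip):
            return rule
    return None


def translated_source(rules, src_ip, dst_ip):
    """Source address the packet carries after NAT."""
    rule = first_matching_rule(rules, src_ip, dst_ip)
    if rule is None or rule.action == "identity":
        return src_ip
    return WAN_IP


def tunnel_initiates(rules, src_ip, dst_ip):
    """The crypto map ACL sees the post-NAT packet: only LAN -> remote LAN traffic
    that kept its real source is 'interesting' and triggers IKE."""
    return translated_source(rules, src_ip, dst_ip) in LOCAL_LAN and dst_ip in REMOTE_LAN


PAT_CLI = "nat (LAN,WAN) source dynamic any interface"
IDENTITY_CLI = "nat (LAN,WAN) source static LOCAL LOCAL destination static REMOTE REMOTE"  # assumed
AUTO_PAT_CLI = "object network NETWORK_OBJ_192.168.144.0_24 / nat (LAN,WAN) dynamic interface"

# As configured by the original poster: PAT entered first, identity rule second.
MISORDERED = [
    NatRule(PAT_CLI, 1, 1, None, None, "pat"),
    NatRule(IDENTITY_CLI, 1, 2, LOCAL_LAN, REMOTE_LAN, "identity"),
]

# Solution 1: PAT removed and re-added, so it now sits below the identity rule.
REORDERED = [
    NatRule(IDENTITY_CLI, 1, 1, LOCAL_LAN, REMOTE_LAN, "identity"),
    NatRule(PAT_CLI, 1, 2, None, None, "pat"),
]

# Solution 2: PAT moved to auto NAT (section 2), which always runs after section 1.
AUTO_NAT = [
    NatRule(AUTO_PAT_CLI, 2, 1, LOCAL_LAN, None, "pat"),
    NatRule(IDENTITY_CLI, 1, 1, LOCAL_LAN, REMOTE_LAN, "identity"),
]


def evaluate(rules):
    """Check one LAN host talking to the remote site and to the Internet.
    Returns {flow: (post-NAT source, tunnel triggered)}."""
    host = ipaddress.ip_address("192.168.144.20")          # constructed LAN host
    flows = {
        "vpn": ipaddress.ip_address("192.168.200.5"),      # host at the remote site
        "internet": ipaddress.ip_address("198.51.100.7"),  # arbitrary public host
    }
    return {name: (str(translated_source(rules, host, dst)), tunnel_initiates(rules, host, dst))
            for name, dst in flows.items()}


if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("reordered", REORDERED), ("auto NAT", AUTO_NAT)):
        print(label, evaluate(rules))
```

With the misordered set the LAN host's packets to the remote site leave with the WAN address as source, so nothing ever matches the crypto ACL; that is consistent with empty isakmp/ipsec debugs and "There are no isakmp sas", because IKE is never asked to start. Both fixes keep the real source for the VPN flow while still PATing Internet-bound traffic. When troubleshooting a tunnel that never negotiates, checking the NAT order (`show nat` on 8.3+) before the crypto configuration saves time.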

Brendan,

That's awesome, you just made my day!

I made my PAT first, to get users out to the internet, then started on the VPN.

I had no idea that my traffic would try to be PAT'd.

Thanks for your time man
