04-18-2011 03:23 AM - edited 03-11-2019 01:22 PM
I have just bought a brand new 5505 and a 5510 which I want to install for a company to replace their old firewalls.
I created a basic setup on both firewalls with a router in between in a test lab to create a site-to-site VPN tunnel,
but the tunnel doesn't come up.
It just shows:
RS-NWY-ASA# sh crypto is sa
There are no isakmp sas
RS-NWY-ASA# sh crypto is sa
There are no isakmp sas
I can ping from one firewall to the other, but cannot ping from LAN to LAN as the tunnel does not come up.
I have attached both configs, hope some
04-18-2011 07:10 AM
Ashley,
This discussion would probably do better in the VPN forum. But to get you started, try enabling your isakmp and ipsec debugs. If there's a problem with the VPN, then this should get you on the right track.
Ex:
debug crypto ipsec
debug crypto isakmp
If you don't get any crypto debugs, there may be another problem. You may also want to upgrade to the latest 8.3.2.x interim build to make sure you're not hitting any bugs.
Thanks,
Brendan
04-18-2011 07:16 AM
Hey Brendan,
Both debugs show nothing and I'm running the latest software; these ASAs are brand new.
04-18-2011 07:19 AM
Actually, I think the problem may be your NAT rules. You have configured 2 Manual NAT rules. These are processed in order, as opposed to the Auto NAT rules, which are not. This means that your traffic will always hit your PAT config and never reach the static below. There are 2 solutions.
1) Re-order your rules. Just remove and re-add the PAT statement and it will be moved to the bottom.
no nat (LAN,WAN) source dynamic any interface
nat (LAN,WAN) source dynamic any interface
2) Configure your PAT with Auto NAT. (preferred)
no nat (LAN,WAN) source dynamic any interface
object network NETWORK_OBJ_192.168.144.0_24
 subnet 192.168.144.0 255.255.255.0
 nat (LAN,WAN) dynamic interface
Thanks,
Brendan
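The answer above turns on how an ASA running 8.3+ walks its NAT table: Section 1 (manual / twice NAT) is searched top-down and the first match wins, and Section 2 (object / Auto NAT) is only consulted when nothing in Section 1 matched, static rules before dynamic and longer prefixes first. The following is an added example, not code from the thread or from Cisco, that models that lookup in Python for the three configurations discussed (PAT above the VPN identity rule, PAT re-added below it, and PAT moved to Auto NAT). The LAN 192.168.144.0/24 is taken from the object name in the answer; the remote VPN LAN 10.20.30.0/24, the object names LAN_NET and REMOTE_LAN, and the identity-NAT line itself are assumptions for the demonstration, since the poster's configs are not on the page.

```python
"""Simplified model of ASA 8.3+ NAT rule selection (added example, not the
ASA's own logic).  Section 1 = manual NAT in config order, first match wins;
Section 2 = object (auto) NAT, static before dynamic, longest prefix first.
All addresses and object names below are constructed for the demonstration."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    section: int                     # 1 = manual NAT, 2 = object/auto NAT
    kind: str                        # "static" or "dynamic"
    src: ipaddress.IPv4Network       # real source the rule matches
    dst: ipaddress.IPv4Network       # destination the rule matches (ANY for auto NAT)
    action: str                      # "identity" (VPN exempt) or "pat-interface"
    line: str                        # the config line this rule came from


def parse_nat_config(text: str) -> List[Rule]:
    """Parse the small subset of ASA NAT syntax used in the thread."""
    objects: Dict[str, ipaddress.IPv4Network] = {"any": ANY}
    rules: List[Rule] = []
    current: Optional[str] = None          # object network block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            continue
        # 'nat (a,b) dynamic interface' inside an object block: Section 2 auto NAT
        m = re.match(r"nat \((\S+),(\S+)\) (static|dynamic) \S+$", line)
        if m and current:
            rules.append(Rule(2, m.group(3), objects[current], ANY, "pat-interface", line))
            continue
        # manual (twice) NAT, PAT everything to the outside interface
        m = re.match(r"nat \((\S+),(\S+)\) source dynamic (\S+) interface$", line)
        if m:
            current = None
            rules.append(Rule(1, "dynamic", objects[m.group(3)], ANY, "pat-interface", line))
            continue
        # manual identity NAT for the VPN (the 'static below' in the answer)
        m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4$", line)
        if m:
            current = None
            rules.append(Rule(1, "static", objects[m.group(3)], objects[m.group(4)], "identity", line))
            continue
        raise ValueError(f"unsupported line: {line!r}")
    return rules


def lookup(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[Rule]:
    """Return the rule the ASA would apply to a packet src_ip -> dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    section1 = [r for r in rules if r.section == 1]                     # config order
    section2 = sorted((r for r in rules if r.section == 2),
                      key=lambda r: (r.kind != "static", -r.src.prefixlen))
    for rule in section1 + section2:
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def vpn_traffic_action(config: str) -> str:
    """What a LAN host talking to the remote VPN LAN gets under this config."""
    rule = lookup(parse_nat_config(config), "192.168.144.10", "10.20.30.10")
    return rule.action if rule else "no-nat"


OBJECTS = """
object network LAN_NET
 subnet 192.168.144.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.20.30.0 255.255.255.0
"""
# The poster's situation: PAT configured first, VPN identity rule added after it.
BROKEN = OBJECTS + """
nat (LAN,WAN) source dynamic any interface
nat (LAN,WAN) source static LAN_NET LAN_NET destination static REMOTE_LAN REMOTE_LAN
"""
# Fix 1: remove and re-add the PAT line so it sits below the identity rule.
REORDERED = OBJECTS + """
nat (LAN,WAN) source static LAN_NET LAN_NET destination static REMOTE_LAN REMOTE_LAN
nat (LAN,WAN) source dynamic any interface
"""
# Fix 2 (preferred in the answer): PAT as object NAT, so it lives in Section 2.
AUTO_NAT = """
object network LAN_NET
 subnet 192.168.144.0 255.255.255.0
 nat (LAN,WAN) dynamic interface
object network REMOTE_LAN
 subnet 10.20.30.0 255.255.255.0
nat (LAN,WAN) source static LAN_NET LAN_NET destination static REMOTE_LAN REMOTE_LAN
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("reordered", REORDERED), ("auto-nat", AUTO_NAT)):
        print(f"{name:10s} LAN->VPN: {vpn_traffic_action(cfg)}")
```

Only the "broken" layout PATs the LAN-to-remote-LAN packet, which is why it never matches the crypto map's interesting traffic and no ISAKMP SA is ever attempted; Internet-bound traffic is still PATed in all three layouts. On a real ASA the equivalent check is `show nat` (which prints the sections and per-rule hit counts) and `packet-tracer input LAN icmp 192.168.144.10 8 0 10.20.30.10`, whose NAT phase shows which rule a VPN-bound packet hits; the remote address here is the assumed one and should be replaced with the real peer LAN.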
04-18-2011 07:50 AM
Brendan,
That's awesome, you just made my day!
I made my PAT first, to get users out to the internet, then started on the VPN.
I had no idea that my traffic would try to be PAT'd
Thanks for your time man