ASA5505 - SA520W traffic won't pass through IPSec VPN

JGranade
Beginner

We've been struggling to get 3 SA520Ws to make an IPSec Site-to-Site tunnel. After searching the web, we finally found a post about the Racoon firewall and this issue suggesting turning off Perfect Forward Secrecy. After turning off PFS on the SA and the ASA setups, we've got all the tunnels to come up. However, we can't get any traffic to pass between the two networks.

We're still learning the SA units. How can we see the traffic coming through the tunnel? When we go to View Logs, nothing shows up on the SA, but I'm not sure how to enable logging for that traffic. Ultimately, we'd like to be able to control the traffic through the VPN tunnel in the firewall settings so we can restrict certain protocols and source/destinations. If I could do that, then I'd know where to enable logging to see that traffic, but the firewall doesn't seem to identify the VPN networks as a source or destination.

What are the best steps to track down why the traffic isn't passing through the IPSec tunnels we have established?

Thanks,


John


sveinskogen
Beginner

You can see traffic counters in the status->vpn-status->IPSec Status page.

As for passing the traffic via the tunnels, have you set the IP ranges correctly in the VPN Policy page (i.e. remote: 192.168.2.0/24 and local 192.168.4.0/24, not "any any"), and similarly via the ACLs on the ASA (the ASA runs an IOS derivative, does it not)?

//Svein
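An added example, not from either poster: a small checker that parses an ASA crypto ACL line and confirms the two peers' traffic selectors mirror each other (SA local = ASA remote and vice versa) and are not "any any", which is the misconfiguration the reply above points at. The ACL name `VPN` and the subnets are constructed sample values.

```python
import re
from ipaddress import ip_network, IPv4Network

ANY = ip_network("0.0.0.0/0")

# Matches an ASA crypto-map ACL line, e.g.
#   access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.*)$")


def _take_network(tokens: list[str]) -> IPv4Network:
    """Consume 'any' or an 'address netmask' pair from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    return ip_network((tok, tokens.pop(0)), strict=False)


def asa_acl_selectors(line: str) -> dict[str, str]:
    """Turn one ASA crypto ACL line into local/remote selectors.
    The source is the ASA-side (local) subnet, the destination the far side."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'permit ip' ACL line: {line!r}")
    tokens = m.group(2).split()
    local = _take_network(tokens)
    remote = _take_network(tokens)
    return {"local": str(local), "remote": str(remote)}


def check_tunnel(side_a: dict[str, str], side_b: dict[str, str]) -> list[str]:
    """Return findings about the two peers' selectors; empty means they mirror."""
    a_local, a_remote = ip_network(side_a["local"]), ip_network(side_a["remote"])
    b_local, b_remote = ip_network(side_b["local"]), ip_network(side_b["remote"])
    findings = []
    for name, net in (("A local", a_local), ("A remote", a_remote),
                      ("B local", b_local), ("B remote", b_remote)):
        if net == ANY:
            findings.append(f"{name} is 'any'; use the real subnet")
    if a_local != b_remote:
        findings.append(f"A local {a_local} does not match B remote {b_remote}")
    if a_remote != b_local:
        findings.append(f"A remote {a_remote} does not match B local {b_local}")
    if a_local.overlaps(a_remote):
        findings.append(f"A local {a_local} overlaps A remote {a_remote}")
    return findings


# Constructed sample: the SA520W policy and the ASA ACL that should mirror it.
SA_POLICY = {"local": "192.168.4.0/24", "remote": "192.168.2.0/24"}
GOOD_ACL = "access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0"
BAD_ACL = "access-list VPN extended permit ip any any"

if __name__ == "__main__":
    print(check_tunnel(SA_POLICY, asa_acl_selectors(GOOD_ACL)))  # []
    for finding in check_tunnel(SA_POLICY, asa_acl_selectors(BAD_ACL)):
        print("finding:", finding)
```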
