cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1279
Views
0
Helpful
5
Replies

VPN IPsec site-to-site ASA X Check-Point

stlourenco
Level 1
Level 1

Hello guys

I'm having trouble closing a VPN ipsec site-to-site between a Cisco ASA 5512 firewall for check-point. This is a VPN my company with one of the suppliers. The problem is that the VPN closes, but does not encrypt or encapsulates it only decrypts as logs below:

Fw-ASA# show crypto ipsec sa peer 187.32.5.130
peer address: 187.32.5.130
    Crypto map tag: outside2_map, seq num: 2, local addr: 200.199.228.146

      access-list VPN-CELG extended permit ip 172.30.70.0 255.255.255.0 172.17.230.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.230.0/255.255.255.0/0/0)
      current_peer: 187.32.5.130


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 192, #pkts decrypt: 192, #pkts verify: 192
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.199.228.146/0, remote crypto endpt.: 187.32.5.130/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 26D75ADF
      current inbound spi : 3C990446
              
    inbound esp sas:
      spi: 0x3C990446 (1016661062)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 48914432, crypto-map: outside2_map
         sa timing: remaining key lifetime (kB/sec): (4373988/2643)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x26D75ADF (651647711)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 48914432, crypto-map: outside2_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2643)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
2   IKE Peer: 187.32.5.130
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 187.32.5.130
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA       
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85358
Attached is the configuration that exists in my Firewall ASA 5512 and the status of the VPN side of my supplier to the check-point.
Who can help me with this I thank you.
5 Replies 5

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi,

It seems the config is in place.

Could you also check routing for this remote subnet 172.17.230.0 255.255.255.0 ?

And can you check your crypto ACL on the remote peer ?

Is it matching the ACL on ASA ?

What does the packet tracer output show for this traffic ?

Regards,

Aditya

Please rate helpful posts.

Hi, Aditya,

This is the routing configuration that is configured on the ASA:

Fw-ASA # show route 172.17.230.0

Routing entry is 172.17.230.0 255.255.255.0
   Known via "static", distance 1, metric 0
   Routing Descriptor Blocks:
   * 200 199 228 145 via outside
       Route metric is 0, traffic share count is 1

Fw-ASA # show running-config route | i 172.17.230.0
route outside 172.17.230.0 255.255.255.0 200,199,228,145 1
outside2 route 172.17.230.0 255.255.255.0 177.53.41.129 2

Does anyone have an idea of what has to be done? Because the ASA configuration is correct.

Hi,

Please use captures on the ASA to check if the traffic is even reaching the ASA.

Try making the CELG interface as the management-access interface.

management-access celg

Try pinging the remote IP using the source as CELG:

ping celg <remote ip>

And if you can also try pinging the celg IP from the remote end and check if we are able to ping it.

Regards,

Aditya

Please rate helpful posts.

Hi, Aditya.

I am unable to capture the traffic from the remote site VPN:

Fw-ASA#show capture                                                    
capture VPN type isakmp ikev1 packet-length 32810 interface outside circular-buffer [Capturing - 0 bytes]
  match ip host 172.17.230.53 any

This was the setting of catch what I did:

Fw-ASA(config)#capture VPN TYpe isakmp ikev1 interface outside circular-buffer match ip host 172.17.230.53 any

Where am I going wrong?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: