ASA 5508 VPN tunnel not attempting to initialise

Gallain
Level 1

Hi,

I'm trying to build an IPsec tunnel from my Cisco ASA 5508 to another router. I've tried sending pings through to the other subnet for the 'interesting traffic'. This is from the other end of the IPsec tunnel, as well as our end. Nothing appears on the ASA.

The output of the logs, the debug crypto ikev1 and any show crypto isakmp sa all show absolutely nothing. It's almost like the traffic isn't even hitting the firewall.

interface GigabitEthernet1/1
description WAN Interface
nameif outside
security-level 0
ip address 43.255.x.x 255.255.255.252

crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 119.225.62.x type ipsec-l2l
tunnel-group 119.225.62.x ipsec-attributes
ikev1 pre-shared-key xxxxxxx

object network xxxxx-10.88.0.0
subnet 10.88.0.0 255.255.255.0
object network xxxx-10.0.0.0
subnet 10.0.0.0 255.255.0.0

access-list 101 extended permit ip object-group xxxx-LAN-Subnets object xxxxx-10.88.0.0

crypto ipsec ikev1 transform-set xxx esp-3des esp-md5-hmac

crypto map IPSec 10 match address 101
crypto map IPSec 10 set pfs
crypto map IPSec 10 set peer 119.225.62.x
crypto map IPSec 10 set ikev1 transform-set xxx

crypto map IPSec interface outside

nat (inside,outside) source static xxxx-10.0.0.0 xxxx-10.0.0.0 destination static xxxxx-10.88.0.0 xxxxx-10.88.0.0 no-proxy-arp route-lookup

route outside 10.88.0.0 255.255.255.0 119.225.62.x 1

access-list Outside-In line 41 extended permit ip host 119.225.62.x any
access-list Outside-In line 42 extended permit udp host 119.225.62.x eq isakmp any
access-list Outside-In line 43 extended permit udp host 119.225.62.x eq 4500 any

Any help or ideas would be appreciated.

2 Replies

Hi @Gallain

Where are you pinging from? It should be a device in the object-group xxxx-LAN-Subnets as per your interesting traffic ACL, not from the ASA itself.

You can remove that static route (route outside 10.88.0.0 255.255.255.0 119.225.62.x 1) as you should have a default route to send that via the outside interface anyway, right?

Run packet-tracer from the CLI twice and provide the output from the second trace.
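The two points in this reply, that only traffic sourced from inside the crypto ACL's object-group counts as interesting and that the structural pieces of the L2L have to line up before the ASA sends its first IKE packet, can be checked offline against a saved config. The script below is an added example written for this page, not code from the poster or from Cisco. It parses a constructed config modelled on the one in the question, using the placeholder peer 203.0.113.2 and placeholder object names in place of the masked values and an assumed membership for the object-group (the question does not show it), then reports the usual reasons a crypto map stays idle (ikev1 not enabled on the interface carrying the map, no ipsec-l2l tunnel-group for the peer, no identity NAT for the protected subnets) and whether a given source/destination pair would match the crypto ACL at all.

```python
import ipaddress

# Constructed sample modelled on the config in the post above: peer 203.0.113.2 and the
# object names are placeholders for the masked values; the object-group members are assumed.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
object network SITE-B-10.88.0.0
 subnet 10.88.0.0 255.255.255.0
object network SITE-A-10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object-group network SITE-A-LAN-Subnets
 network-object object SITE-A-10.0.0.0
access-list 101 extended permit ip object-group SITE-A-LAN-Subnets object SITE-B-10.88.0.0
tunnel-group 203.0.113.2 type ipsec-l2l
crypto map IPSec 10 match address 101
crypto map IPSec 10 set peer 203.0.113.2
crypto map IPSec interface outside
nat (inside,outside) source static SITE-A-10.0.0.0 SITE-A-10.0.0.0 destination static SITE-B-10.88.0.0 SITE-B-10.88.0.0 no-proxy-arp route-lookup
"""

def _take_spec(toks):  # 'object X' or 'object-group X' -> ((kind, name), remaining tokens)
    return ("group" if toks[0] == "object-group" else "object", toks[1]), toks[2:]

def parse_config(text):
    """Collect the ASA statements an IKEv1 L2L tunnel depends on (object refs only)."""
    cfg = {"objects": {}, "groups": {}, "acls": {}, "maps": {}, "map_ifaces": {},
           "ikev1_ifaces": set(), "tunnel_groups": set(), "nat_exempt": []}
    current = None  # (kind, name) of the object or object-group being filled
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if raw[0] == " " and current:  # indented member line of an object/group
            kind, name = current
            if kind == "object" and w[0] == "subnet":
                cfg["objects"][name] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
            elif kind == "group" and w[0] == "network-object":
                cfg["groups"][name].append(_take_spec(w[1:])[0])
            continue
        current = None
        if w[:2] == ["object", "network"]:
            current = ("object", w[2])
        elif w[:2] == ["object-group", "network"]:
            current, cfg["groups"][w[2]] = ("group", w[2]), []
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            src, rest = _take_spec(w[5:])  # w[4] is the protocol
            cfg["acls"].setdefault(w[1], []).append((src, _take_spec(rest)[0]))
        elif w[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_ifaces"].add(w[3])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_ifaces"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:
            key = {"match address": "acl", "set peer": "peer"}.get(" ".join(w[4:6]))
            if key:
                cfg["maps"].setdefault(w[2], {}).setdefault(int(w[3]), {})[key] = w[6]
        elif w[0] == "tunnel-group" and w[2:4] == ["type", "ipsec-l2l"]:
            cfg["tunnel_groups"].add(w[1])
        elif w[0] == "nat" and w[2:4] == ["source", "static"] and w[4] == w[5] \
                and w[6:8] == ["destination", "static"] and w[8] == w[9]:
            cfg["nat_exempt"].append((("object", w[4]), ("object", w[8])))  # identity NAT
    return cfg

def resolve(cfg, spec):
    """Expand an object or object-group reference into ip_network objects."""
    kind, name = spec
    if kind == "object":
        return [cfg["objects"][name]]
    return [n for m in cfg["groups"].get(name, []) for n in resolve(cfg, m)]

def is_interesting(cfg, acl_name, src_ip, dst_ip):
    """True if src->dst matches the crypto ACL, i.e. the ASA would start IKE for it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(src in n for n in resolve(cfg, s)) and any(dst in n for n in resolve(cfg, d))
               for s, d in cfg["acls"].get(acl_name, []))

def _nat_exempted(cfg, src_net, dst_nets):
    """True if an identity twice-NAT rule covers src_net toward every dst_net."""
    return any(any(src_net.subnet_of(n) for n in resolve(cfg, ns)) and
               all(any(d.subnet_of(n) for n in resolve(cfg, nd)) for d in dst_nets)
               for ns, nd in cfg["nat_exempt"])

def check_l2l(cfg, map_name):
    """List the reasons a crypto map would never bring up the tunnel."""
    findings = []
    iface = cfg["map_ifaces"].get(map_name)
    if iface not in cfg["ikev1_ifaces"]:
        findings.append(f"ikev1 is not enabled on the interface carrying crypto map {map_name} ({iface})")
    for seq, entry in sorted(cfg["maps"].get(map_name, {}).items()):
        if entry.get("peer") not in cfg["tunnel_groups"]:
            findings.append(f"seq {seq}: no ipsec-l2l tunnel-group for peer {entry.get('peer')}")
        for s, d in cfg["acls"].get(entry.get("acl"), []):
            for net in resolve(cfg, s):
                if not _nat_exempted(cfg, net, resolve(cfg, d)):
                    findings.append(f"seq {seq}: {net} has no identity NAT toward the remote side")
    return findings

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_l2l(cfg, "IPSec") or "no structural findings")
    print(is_interesting(cfg, "101", "10.0.1.25", "10.88.0.10"))    # LAN host -> remote LAN
    print(is_interesting(cfg, "101", "203.0.113.1", "10.88.0.10"))  # sourced from the ASA's outside IP
```

For the sample it reports no structural findings, True for a host in SITE-A-LAN-Subnets pinging 10.88.0.10, and False for the same ping sourced from the ASA's own outside address (203.0.113.1 here, a placeholder), which is the situation the reply describes: a ping that does not match the crypto ACL never triggers IKE, so the debugs stay empty. The parser handles only object and object-group references, the form used in the question, and it does not compare IKE or IPsec proposals, since a proposal mismatch would at least show up in debug crypto ikev1.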

kapydan88
Level 4

Hello.

Is there any traffic inside this l2l?

Please share the settings from the router's side.