Is the router in the middle

CorwynJohnson · ‎10-30-2015

I'm really stuck...

We have a VPN tunnel between two ASA FWs but we're moving one FW off of it's dedicated circuit. We'd like to connect the tunnels with a router in the middle but the tunnels are not coming up. (one FW is MM_WAIT_MSG2 the other MM_WAIT_MSG3).

any thoughts?

Jon Marshall · ‎10-30-2015

Is the router in the middle doing any NAT ?

If it isn't then check your routing tables on both firewalls and the router as you now have a L3 hop in between the firewalls.

Jon

CorwynJohnson · ‎10-30-2015

Yes the router in the middle is doing NAT

Jon Marshall · ‎10-30-2015

Have you enabled NAT-T (NAT Traversal) on the ASAs ?

Jon

Richard Burts · ‎10-31-2015

If the router is doing NAT does it have a static translation for the traffic between ASAs? A dynamic translation is likely to be a problem since a dynamic translation typically allows traffic initiated from inside to outside and responses but does not allow traffic initiated from outside.

HTH

Rick

HTH

Rick

CorwynJohnson · ‎11-02-2015

I've configured a static NAT on the router and enabled NAT-T on one of the FWs (I have access to this one) but I have to depend on the user to ensure he configured NAT-T on his end.

CorwynJohnson · ‎12-29-2015

Sorry for the late post, but I figured out the issue was on the customer side he did not have the same pre-shared key for the FWs, when he changed it the tunnel came up.

Thanks everyone.

Richard Burts · ‎12-29-2015

Thanks for posting back to the forum to let us know that you have solved this issue and that the problem was a mis-matched shared key.

HTH

Rick

HTH

Rick

ASA VPN Tunnels