10-30-2015 05:39 AM
I'm really stuck...
We have a VPN tunnel between two ASA FWs, but we're moving one FW off of its dedicated circuit. We'd like to connect the tunnels with a router in the middle, but the tunnels are not coming up (one FW is MM_WAIT_MSG2, the other MM_WAIT_MSG3).
Any thoughts?
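The two states quoted above (MM_WAIT_MSG2 on one ASA, MM_WAIT_MSG3 on the other) say which IKEv1 main-mode message each firewall is still waiting for, and that alone narrows down where the exchange is being lost. The following Python is an added example, not code from this thread or from Cisco: it parses the `show crypto isakmp sa` output format, derives which message was last sent and which is missing, and lists what to check for that phase. The sample output and the peer addresses are constructed (documentation ranges), and the check lists are my own summary of the usual causes for each phase.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed `show crypto isakmp sa` output from two ASAs (not from the thread;
# the peer addresses are documentation ranges).
SAMPLE_ASA_A = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

SAMPLE_ASA_B = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""


@dataclass
class IkeSa:
    peer: str
    sa_type: str
    role: str
    state: str


PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
TYPE_ROLE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
REKEY_STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")

# IKEv1 main mode: MSG1/2 negotiate the SA proposal, MSG3/4 carry the DH key
# exchange, nonces and NAT-D payloads, MSG5/6 carry the (encrypted) identities
# and the PSK-based authentication hash.
PHASE_BY_MSG = {1: "proposal", 2: "proposal",
                3: "key-exchange", 4: "key-exchange",
                5: "authentication", 6: "authentication"}

CHECKS_BY_PHASE: Dict[str, List[str]] = {
    "proposal": [
        "UDP/500 reachable in both directions through the intermediate router",
        "static (not dynamic) NAT entry so the peer's reply is forwarded back",
        "IKE phase-1 policies (encryption, hash, DH group, lifetime) match",
    ],
    "key-exchange": [
        "NAT-T enabled on both ASAs so NAT-D payloads are sent and UDP/4500 is used",
        "UDP/4500 translated and permitted on the router",
    ],
    "authentication": [
        "identical pre-shared key on both peers",
        "peer identity matches the configured peer address as seen after NAT",
    ],
}


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """Parse the per-peer blocks of `show crypto isakmp sa` into IkeSa records."""
    sas: List[IkeSa] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1)}
            continue
        m = TYPE_ROLE_RE.search(line)
        if m and "peer" in current:
            current["sa_type"], current["role"] = m.group(1), m.group(2)
            continue
        m = REKEY_STATE_RE.search(line)
        if m and "peer" in current and "role" in current:
            current["state"] = m.group(2)
            sas.append(IkeSa(**current))
            current = {}
    return sas


def diagnose(sa: IkeSa) -> dict:
    """For a stuck MM_WAIT_MSGn state, report the message this ASA is waiting
    for, the one it last sent, the phase, and what to verify for that phase."""
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", sa.state)
    if not m:
        return {"stuck": False, "state": sa.state, "checks": []}
    n = int(m.group(1))
    # Even-numbered messages come from the responder, odd ones from the
    # initiator, so the state implies a role that must match the reported one.
    expected_role = "initiator" if n % 2 == 0 else "responder"
    phase = PHASE_BY_MSG[n]
    return {"stuck": True, "waiting_for": n, "last_sent": n - 1, "phase": phase,
            "role_consistent": sa.role == expected_role,
            "checks": CHECKS_BY_PHASE[phase]}


if __name__ == "__main__":
    for label, sample in (("ASA-A", SAMPLE_ASA_A), ("ASA-B", SAMPLE_ASA_B)):
        for sa in parse_isakmp_sa(sample):
            d = diagnose(sa)
            print(f"{label} peer {sa.peer} ({sa.role}): {sa.state} -> phase {d['phase']}, "
                  f"sent MSG{d['last_sent']}, missing MSG{d['waiting_for']}")
            for c in d["checks"]:
                print("   check:", c)
```

Read together, the two samples say that ASA-B received MSG1 and answered with MSG2, while ASA-A never saw that MSG2, which points at the return path through the router (the NAT and NAT-T questions raised in the replies below) rather than at the proposal itself; a mismatched pre-shared key would instead leave the peers waiting at MSG5/MSG6.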
10-30-2015 09:46 AM
Is the router in the middle doing any NAT?
If it isn't then check your routing tables on both firewalls and the router as you now have a L3 hop in between the firewalls.
Jon
10-30-2015 09:48 AM
Yes the router in the middle is doing NAT
10-30-2015 09:57 AM
Have you enabled NAT-T (NAT Traversal) on the ASAs?
Jon
10-31-2015 06:56 AM
If the router is doing NAT, does it have a static translation for the traffic between the ASAs? A dynamic translation is likely to be a problem, since a dynamic translation typically allows traffic initiated from inside to outside and the responses, but does not allow traffic initiated from outside.
HTH
Rick
11-02-2015 06:51 AM
I've configured a static NAT on the router and enabled NAT-T on one of the FWs (I have access to this one) but I have to depend on the user to ensure he configured NAT-T on his end.
12-29-2015 08:17 AM
Sorry for the late post, but I figured out the issue was on the customer side: he did not have the same pre-shared key for the FWs. When he changed it, the tunnel came up.
Thanks everyone.
12-29-2015 08:27 AM
Thanks for posting back to the forum to let us know that you have solved this issue and that the problem was a mismatched shared key.
HTH
Rick