ASA5505 to Netgear SRX bi-direction VPN tunnel

Hey Guys, I have a VPN tunnel between CISCO ASA and Netgear SRX 5308. I don't have much access to Netgear at the moment. (Waiting for a vendor call back).

As of now, the tunnel is up and passing traffic only one way. I reviewed my config on the CISCO side and for the life of me can't see an issue on the ASA side.

I guess I just need another pair of eyes at this point, while I'm waiting on the Netgear to call me back.

The help is greatly appreciated.

interface GigabitEthernet0/0
nameif TWC_Fiber
security-level 0
ip address 7x.xx.xx.x06 255.255.255.248
!
interface GigabitEthernet0/1
nameif DFA_Lan
security-level 100
ip address 192.168.x.1 255.255.255.0
!
object network Lan_Network
subnet 192.168.0.0 255.255.255.0
!
object network FMS_CA_Network
subnet 192.168.7.0 255.255.255.0
!
access-list TWC_Fiber_cryptomap extended permit ip object Lan_Network object FMS_CA_Network
!
nat (DFA_Lan,TWC_Fiber) source static Lan_Network Lan_Network destination static FMS_CA_Network FMS_CA_Network no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-des esp-sha-hmac
!
crypto map TWC_Fiber_map 1 match address TWC_Fiber_cryptomap
crypto map TWC_Fiber_map 1 set peer 1xx.xxx.xxx.35
crypto map TWC_Fiber_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map TWC_Fiber_map 1 set pfs
crypto map TWC_Fiber_map interface TWC_Fiber
!
group-policy GroupPolicy4_1xx.xxx.xxx.35 internal
group-policy GroupPolicy4_1xx.xxx.xxx.35 attributes
vpn-tunnel-protocol ikev1
!
tunnel-group 1xx.xxx.xxx.35 type ipsec-l2l
tunnel-group 1xx.xxx.xxx.35 general-attributes
default-group-policy GroupPolicy4_1xx.xxx.xxx.35
tunnel-group 1xx.xxx.xxx.35 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!

10 Replies

Hi @vlad.makarevitch

Your tunnel looks ok. One-way traffic is generally a parameter mismatch between the two sides. So, it is necessary to have access to both devices.

-If I helped you somehow, please, rate it as useful.-

Thanks Flavio Miranda, I'm actually getting a call back from the other side and will post the other config shortly if I can't see the obvious. 


What are some of the parameters that you think you might find most common? 

I'd recommend double checking everything. But look at the subnets that are being encapsulated on both sides. They must match in terms of mask and IP range.


-If I helped you somehow, please, rate it as useful.-

If that was the issue, would the traffic be disabled both ways? 
I can pass traffic one way only... this is so strange.

When you say one way, you mean you see packets encrypted but not decrypted, right?

Or are you referring to ping?

Can you explain?

Sure thing; I can ping and send traffic only one way.

Then the VPN must be ok. I thought you could see traffic being encapsulated but not decapsulated, which happens and is usually a subnet mismatch.

For your situation I'd say that either you are missing some ACL or routing.

Get access to the other device, validate both permissions and routing.

Gotcha. Thanks for the quick follow-ups. I should have the other config soon.

We found the issue. One of the NAT policies was placed in the wrong order, considering Cisco's top-down policy reading, so this policy had to be moved above the overall NATing for it to work.


nat (DFA_Lan,TWC_Fiber) source static Lan_Network Lan_Network destination static FMS_CA_Network FMS_CA_Network no-proxy-arp route-lookup

nat (DFA_Lan,TWC_Fiber) source static Lan_Network
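
To show why the order mattered, here is an added example (not from the thread or from Cisco) that simulates the ASA's top-down, first-match evaluation of manual NAT rules for one flow. It assumes the object-to-subnet mapping from the config posted above and assumes the "overall NATing" rule was a dynamic PAT of Lan_Network to the outside interface (the thread shows that line truncated), so that rule text is a constructed placeholder.

```python
import ipaddress
import re

# Object names mapped to the subnets given in the thread's config (constructed table).
OBJECTS = {
    "Lan_Network": ipaddress.ip_network("192.168.0.0/24"),
    "FMS_CA_Network": ipaddress.ip_network("192.168.7.0/24"),
}

STATIC_RE = re.compile(
    r"nat \(([^,]+),([^)]+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
DYNAMIC_RE = re.compile(r"nat \(([^,]+),([^)]+)\) source dynamic (\S+) interface")

def parse_rule(line):
    """Parse one ASA manual NAT line into src/dst subnets and an identity flag."""
    m = STATIC_RE.match(line)
    if m:
        src, src_map, dst, dst_map = m.group(3), m.group(4), m.group(5), m.group(6)
        # Identity NAT: real and mapped objects are the same on both sides.
        return {"src": OBJECTS[src], "dst": OBJECTS[dst],
                "identity": src == src_map and dst == dst_map}
    m = DYNAMIC_RE.match(line)
    if m:
        # Dynamic PAT to the interface: matches any destination, always translates.
        return {"src": OBJECTS[m.group(3)], "dst": None, "identity": False}
    raise ValueError("unsupported NAT syntax: " + line)

def first_match(rules, src_ip, dst_ip):
    """Manual NAT is evaluated top-down; the first matching rule wins.
    Returns 'identity', 'translated' or 'none' for the given flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in map(parse_rule, rules):
        if src in rule["src"] and (rule["dst"] is None or dst in rule["dst"]):
            return "identity" if rule["identity"] else "translated"
    return "none"

IDENTITY = ("nat (DFA_Lan,TWC_Fiber) source static Lan_Network Lan_Network "
            "destination static FMS_CA_Network FMS_CA_Network no-proxy-arp route-lookup")
# Assumed form of the broad PAT rule the thread refers to as "overall NATing".
OVERALL_PAT = "nat (DFA_Lan,TWC_Fiber) source dynamic Lan_Network interface"

MISORDERED = [OVERALL_PAT, IDENTITY]   # PAT hits first: VPN traffic gets translated
CORRECTED = [IDENTITY, OVERALL_PAT]    # identity first: VPN traffic keeps its address

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, first_match(rules, "192.168.0.10", "192.168.7.20"))
```

When the PAT rule comes first, the LAN-to-remote flow is translated to the outside address and no longer matches the crypto ACL, which is exactly the one-way symptom the thread describes.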

@vlad.makarevitch  thanks for sharing mate. This makes this forum better.