10-07-2013 12:43 PM
10-07-2013 01:42 PM
Hi,
It would seem to me that the configurations are mostly fine. But naturally they can be different from the ones that the remote site has. We don't know what the configurations on the other side of this L2L VPN connection are.
The NAT0 configuration has a line that is not needed (line below)
access-list inside_nat0_outbound extended permit ip lan-imp 255.255.255.0 1.1.1.0 255.255.255.0
You could use the "packet-tracer" on the CLI side to check what happens to the traffic first
packet-tracer input inside tcp 1.1.1.100 12345 192.168.1.100 80
I assume that the LAN IP address is changed for some reason so replace the above IP addresses with some random IP addresses from the LAN and REMOTE LAN if needed.
Issue the above command twice. If the second output still stops at the VPN Phase with DROP then there are some problems on either side of the L2L VPN connection in the configurations.
You can also check the output of the following command after issuing the "packet-tracer" command above, to check what happens to Phase 1 of the L2L VPN negotiation
show crypto isakmp sa
If that goes through then I would start looking for a problem with the configurations related to the "crypto map" configurations.
- Jouni
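The troubleshooting order above (run packet-tracer, see which phase drops, then confirm Phase 1 with show crypto isakmp sa) as an added worked example; this is not code from the thread or from Cisco, and both command outputs below are constructed, abridged samples in the ASA's output layout rather than captures from the poster's firewall:

```python
import re
# Constructed, abridged "packet-tracer" output; not captured from the poster's ASA.
SAMPLE_TRACE = """\
Phase: 1
Type: NAT
Subtype:
Result: ALLOW

Phase: 2
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# Constructed "show crypto isakmp sa" output (RFC 5737 documentation peer address).
SAMPLE_ISAKMP = """\
1   IKE Peer: 203.0.113.1
    Rekey   : no              State   : MM_ACTIVE
"""
def first_drop(trace):
    """First 'Phase:' block whose Result is DROP, with the Drop-reason; None if allowed end to end."""
    for block in re.split(r"\n\s*\n", trace.strip()):
        if not block.startswith("Phase:"):
            continue  # skips the trailing 'Result:' summary block
        f = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in block.splitlines()[:4])}
        if f.get("result") == "DROP":
            m = re.search(r"^Drop-reason:\s*(.+)$", trace, re.M)
            return {"phase": int(f["phase"]), "type": f["type"], "reason": m.group(1).strip() if m else ""}
    return None

def isakmp_states(text):
    """[(peer, state), ...]; MM_ACTIVE (main mode) or AM_ACTIVE (aggressive) means Phase 1 completed."""
    return re.findall(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", text, re.S)

def triage(trace, isakmp):
    """The thread's procedure as a decision: where the trace drops, then whether IKE Phase 1 is up."""
    drop = first_drop(trace)
    if drop is None:
        return "ALLOW: flow passes and is encrypted"
    if drop["type"] != "VPN":
        return f"DROP before VPN in phase {drop['phase']} ({drop['type']}): review ACL and NAT0 rules"
    peers = isakmp_states(isakmp)
    if not peers:
        return "VPN DROP, no IKE SA: Phase 1 never started (peer address, crypto map match)"
    if any(s not in ("MM_ACTIVE", "AM_ACTIVE") for _, s in peers):
        return "VPN DROP, IKE SA not active: Phase 1 failing (IKE policy, pre-shared key)"
    return "VPN DROP, Phase 1 up: check crypto map / crypto ACL on both sides"
```

Paste the real outputs of the two commands into the two strings to get the same verdict for your own tunnel.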
10-07-2013 01:46 PM
Also,
I am wondering what the actual configuration line of this line is
static (inside,outside) MY-IP netmask 255.255.255.255
I hope you are not doing Static NAT for some internal IP address to the actual "interface" IP address of the "outside".
This might cause problems. If you are using the IP address of "outside" for some type of NAT it should usually only be for Dynamic PAT (as you also have configured).
- Jouni
10-07-2013 01:12 PM
I'm still new at the ASA but maybe I can offer some advice. What is the logging from ASDM showing you? Are you at least passing Phase 1? Your configs look normal.
Jonathan,