ASA5505 VPN ISSUE

pl.mailloux
Level 1

2 Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

It would seem to me that the configurations are mostly fine. But naturally they can be different from the ones that the remote site has. We don't know what the configurations on the other side of this L2L VPN connection are.

The NAT0 configuration has a line that is not needed (line below):

access-list inside_nat0_outbound extended permit ip lan-imp 255.255.255.0 1.1.1.0 255.255.255.0

You could use the "packet-tracer" on the CLI side to check what happens to the traffic first:

packet-tracer input inside tcp 1.1.1.100 12345 192.168.1.100 80

I assume that the LAN IP address is changed for some reason so replace the above IP addresses with some random IP addresses from the LAN and REMOTE LAN if needed.

Issue the above command twice. If the second output still stops at VPN Phase DROP then there are some problems on either side of the L2L VPN connection in the configurations.

You can also check the output of the following command after issuing the "packet-tracer" command above, to check what happens to the Phase 1 of the L2L VPN negotiation:

show crypto isakmp sa

If that goes through then I would start looking for a problem with the configurations related to the "crypto map" configurations.

- Jouni

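The "run packet-tracer twice and see whether the second run still drops in the VPN phase" check above, turned into a small parser. This is an added example, not code from the answer or from Cisco: the packet-tracer output it parses is a constructed sample in the shape the ASA prints (Phase / Type / Subtype / Result blocks, then the final Result section with Action and Drop-reason), and the classification labels are my own.

```python
import re

# Constructed sample of ASA packet-tracer output (not captured from the
# poster's device): the flow passes routing, ACL and NAT, then drops in VPN.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 3
Type: NAT
Subtype:
Result: ALLOW

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(
    r"Phase: (?P<num>\d+)\nType:(?P<type>[^\n]*)\nSubtype:(?P<subtype>[^\n]*)\nResult: (?P<result>\w+)"
)

def parse_phases(output):
    """Return (phase number, type, subtype, result) for every phase block."""
    return [(int(m["num"]), m["type"].strip(), m["subtype"].strip(), m["result"])
            for m in PHASE_RE.finditer(output)]

def first_drop(output):
    """Type of the first phase whose Result is DROP, or None if the flow is allowed."""
    for _, ptype, _, result in parse_phases(output):
        if result == "DROP":
            return ptype
    return None

def drop_reason(output):
    m = re.search(r"^Drop-reason: (.*)$", output, re.M)
    return m.group(1).strip() if m else None

def classify_second_run(second_run):
    """Apply the answer's rule to the SECOND packet-tracer run (the first run
    may drop in VPN simply because the tunnel had not been brought up yet)."""
    stage = first_drop(second_run)
    if stage is None:
        return "allowed"                      # tunnel came up for this flow
    if stage == "VPN":
        return "vpn-config"                   # Phase 1/2 or crypto map mismatch on a side
    return "blocked-before-vpn:" + stage      # e.g. ACCESS-LIST or NAT: fix locally
```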

Also,

I am wondering what the actual configuration line of this line is:

static (inside,outside) MY-IP netmask 255.255.255.255

I hope you are not doing Static NAT for some internal IP address to the actual "interface" IP address of the "outside".

This might cause problems. If you are using the IP address of "outside" for some type of NAT it should usually only be for Dynamic PAT (as you also have configured).

- Jouni


3 Replies

Jonathancert_2
Level 1

I'm still new at the ASA but maybe I can offer some advice. What are the logs from ASDM showing you? Are you at least passing phase 1? Your configs look normal.

Jonathan,
