Changed IP for ASA VPN endpoint, now remote access VPN not working

slee
Level 1

Hello all,

In my organization we have 2 sites.  These 2 sites have ASA 5520s, with an L2L tunnel between the two ASAs.  The interface that is forming the VPN tunnel is on the ASA, NATed on the router.  These ASAs sit behind the router, which is then connected to the ISPs.  Recently, we had to change the ISP that we were creating the tunnel on, from Comcast to Sprint, at our remote site.  I re-NATed the interface, and the L2L tunnel came back up after editing the tunnel-group and crypto maps and reapplying the crypto map to the interface.  However, our remote access VPN no longer works on the ASA that we changed the IP on. The other side was never changed, and still works fine.  When I tried using debug cry isa and debug cry ipsec on the firewall, nothing shows when we attempt to connect.  We are using IPsec over TCP.  In the ASDM log, it says:

Deny TCP (no connection) from xx.xx.xx.xx/49907 to xx.xx.xx.xx/10000 flags RST  on interface WAN.

The VPN worked fine before, could it be an ACL thing?  All we changed was the IP so that's what I'm inclined to believe, but on the router none of the interfaces have an ACL that's applied to them.  It can't be on the ASA, because I believe we have the option to ignore the ACL enabled, but I might be incorrect about this.  I'm new at ASA/VPNs in general. 

I would upload the configs, but is there a pertinent output that would help, or just a general sh run? 

3 Replies

Jennifer Halim
Cisco Employee

A general "show run" would help to start with.

And also to confirm, on the router, you are doing one to one static NAT, not static PAT, right?

Actually, I figured it out.  The issue is that the gateway of last resort was set to our Comcast line, whereas the IP address that the VPN endpoint was NATed to is a Sprint IP.  When I changed it, it worked.  Now the issue is, what effect will that have on our network?  I think I might be better served to ask this in the router forum, but does anyone know, if we use PAT for our users, whether changing the gateway of last resort will have an effect on them?  I'm mostly worried about the bandwidth on the Sprint T1s, as they are 3 Mb, whereas the Comcast that we had it on previously is 50 Mb.

OK, thanks for the update.

In regards to bandwidth, it really depends on how busy your network is. But it is probably better if you post that question on the router forum as you might get more replies from people who might have done it before.
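The fix slee describes above (gateway of last resort on Comcast while the VPN endpoint is NATed to a Sprint IP) is a return-path asymmetry: the client's TCP/10000 connection arrives on the Sprint uplink, but the router's reply follows the default route out Comcast, so the client never sees a valid reply. The following is an added illustration of that check, not anyone's real configuration; all addresses, uplink names and the static-NAT entry are constructed.

```python
import ipaddress

# Constructed sample topology (hypothetical, not from the thread): a remote-site
# router with two ISP uplinks, and the ASA's VPN interface statically NATed to a
# public address that belongs to the Sprint uplink.
UPLINKS = {
    "Comcast": ipaddress.ip_network("203.0.113.0/29"),
    "Sprint": ipaddress.ip_network("198.51.100.0/29"),
}
STATIC_NAT = {"10.0.0.2": "198.51.100.2"}  # ASA VPN interface -> public IP
REMOTE_CLIENT = "192.0.2.77"               # constructed remote-access VPN user


def build_routes(default_via):
    """Connected routes for both uplinks plus one gateway of last resort."""
    routes = [(net, name) for name, net in UPLINKS.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), default_via))
    return routes


def egress_for(dst, routes):
    """Longest-prefix match; the /0 default only wins when nothing else matches."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def uplink_owning(public_ip):
    """Which uplink the NATed public address belongs to (where inbound arrives)."""
    ip = ipaddress.ip_address(public_ip)
    return next(name for name, net in UPLINKS.items() if ip in net)


def reply_path_symmetric(inside_ip, client_ip, default_via):
    """Return (symmetric?, uplink inbound arrives on, uplink the reply leaves on).

    A False result is the failure mode in the thread: the reply to the VPN
    client leaves on a different uplink than the one owning the NATed IP.
    """
    arrives_on = uplink_owning(STATIC_NAT[inside_ip])
    leaves_on = egress_for(client_ip, build_routes(default_via))
    return arrives_on == leaves_on, arrives_on, leaves_on


if __name__ == "__main__":
    for gw in ("Comcast", "Sprint"):
        ok, inb, outb = reply_path_symmetric("10.0.0.2", REMOTE_CLIENT, gw)
        print(f"default via {gw}: in={inb} out={outb} symmetric={ok}")
```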