Cisco asa vpn ipsec connected to cisco 887vaw

Hamid Amir
Level 1

Hi

I have a Cisco ASA connected to a Cisco 887VAW router with a DSL internet connection.

I have internet connection working on both. I have configured VPN IPsec on the Cisco ASA. I can connect from inside but I cannot connect from remote.

Can you help please?

34 Replies

Hamid

 

The port forwarding looks to be correct. I am surprised that there is no debug output when you attempt to establish a VPN session from a source in the Internet. Is it possible that there is some connectivity issue, or perhaps some DNS issue that prevents the VPN traffic? From the source in the Internet can you ping the ISP address?

 

HTH

Rick

Hi Richard

I did ping for WAN IP and DNS server in PuTTY; success rate is 100 percent.

 

Kind Regards

Hamid

I looked at the router config that you posted in the earlier post and I wonder if the static nat in it impacts the port forwarding that you are doing for ISAKMP and ESP

ip nat inside source static 10.10.10.1 interface Dialer0

 

I am not clear why this static nat is in the config and I suggest (at least as a test) that you remove it and see if ISAKMP works then.

 

HTH

Rick

Hi Richard

Thank you very much for your reply.

I did remove the static NAT, but it still doesn't work and I cannot get any information when I use debug crypto isakmp.

Any other suggestion please?

 

Kind Regards

 

Hamid 

Hamid

 

Would you post the output of show xlate on the router? Perhaps it would help if you also post a fresh copy of the current config of the router.

 

HTH

Rick

Hi Richard

Thank you for your reply.

As requested.

 

Kind regards

Hi Richard
Thank you for your reply.
As requested (the updated version)

 

Kind Regards 

Hamid

Hamid

 

Thanks for the additional information. What I wanted to see was the translation table on the router. What is in your post is the translation table from the ASA.

 

HTH

Rick

Hi Richard

 

Sorry about that, I thought Xlate is for cisco asa.

Please see the attachments.

 

Kind Regards

 

Hamid

 

 

Hamid

 

Thanks for the output showing the translation table from the router. I am sorry that I complicated things by suggesting syntax that was not right. The table does confirm static translations for ISAKMP and for ESP. I am puzzled that it seems that the ISAKMP request is not getting to the ASA. Perhaps you could post a fresh copy of the router config?

 

HTH

Rick

Hi Richard,

Thank you very much for not leaving me alone struggling.

Please see the attachments as requested.

Kind Regards

Hamid


 

Hamid

 

Thanks for posting the router config. I do not see anything obvious that prevents forwarding ISAKMP but I do see a couple things that I would suggest changing.

In this first line I am not clear what this is doing and I do not find any pool named LAN. So I suspect it is not doing much and suggest that you remove it

ip nat source list LAN pool LAN

 

These next two lines seem to duplicate themselves. I think the first one is better because its ACL is more specific. I suggest that you remove the second one which uses the any ACL

ip nat inside source list LAN interface Dialer0 overload
ip nat inside source list any interface Dialer0 overload

 

HTH

Rick

Hi Richard

Thank you for your reply.

I did the changes, but it did not work.

Please see the attachments.

 

Kind Regards

Hamid

 

Hamid

 

Thanks for the update. I notice this line in the config

 

no crypto ipsec nat-transparency udp-encapsulation

 

I do not remember it in previous versions of the config. But I suggest that you change it

crypto ipsec nat-transparency udp-encapsulation

 

HTH

Rick
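
As an added example (not part of the thread and not any poster's code), the four router-side items Rick flags in his replies above can be checked mechanically with a small Python audit of the IOS config text. The sample config is constructed from the lines quoted in the thread plus one hypothetical UDP/500 forward; the function name and finding labels are assumptions.

```python
import re

# Constructed sample: the lines Rick quotes in this thread plus one
# hypothetical UDP/500 forward (the poster's attached config is not on the page).
SAMPLE_CONFIG = """\
ip nat source list LAN pool LAN
ip nat inside source list LAN interface Dialer0 overload
ip nat inside source list any interface Dialer0 overload
ip nat inside source static 10.10.10.1 interface Dialer0
ip nat inside source static udp 10.10.10.1 500 interface Dialer0 500
no crypto ipsec nat-transparency udp-encapsulation
"""

def audit_nat_for_vpn(config: str) -> list[str]:
    """Return findings for the NAT/NAT-T issues raised in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. NAT rule that references a pool with no 'ip nat pool' definition.
    pools = {m.group(1) for ln in lines
             if (m := re.match(r"ip nat pool (\S+)", ln))}
    for ln in lines:
        m = re.match(r"ip nat (?:inside |outside )?source list \S+ pool (\S+)", ln)
        if m and m.group(1) not in pools:
            findings.append(f"undefined-pool: {ln}")

    # 2. More than one PAT (overload) rule on the same interface.
    overload = {}
    for ln in lines:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", ln)
        if m:
            overload.setdefault(m.group(2), []).append(m.group(1))
    for iface, acls in overload.items():
        if len(acls) > 1:
            findings.append(f"duplicate-overload: {iface} uses ACLs {', '.join(acls)}")

    # 3. Whole-host static NAT to the interface (no protocol/port), which
    #    Rick suspected of interfering with the ISAKMP/ESP forwards.
    for ln in lines:
        if re.fullmatch(r"ip nat inside source static \d+(?:\.\d+){3} interface \S+", ln):
            findings.append(f"whole-host-static: {ln}")

    # 4. NAT traversal (UDP encapsulation of ESP) explicitly disabled.
    if "no crypto ipsec nat-transparency udp-encapsulation" in lines:
        findings.append("nat-t-disabled: no crypto ipsec nat-transparency udp-encapsulation")
    return findings

if __name__ == "__main__":
    for finding in audit_nat_for_vpn(SAMPLE_CONFIG):
        print(finding)
```

Each finding is a prompt for review rather than proof of the fault: in the thread, correcting these items did not by itself restore remote VPN access.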

Hi Richard,

 

Sorry about that, I don't know how it happened.

I did correct it, but still same problem.

Kind Regards

Hamid