11-10-2017 01:55 PM - edited 03-12-2019 04:43 AM
Hi
I have a Cisco ASA connected to a Cisco 887VAW router with a DSL internet connection.
I have an internet connection working on both. I have configured VPN IPsec on the Cisco ASA. I can connect from inside but I cannot connect from remote.
Can you help please?
11-17-2017 07:13 AM
Hamid
The port forwarding looks to be correct. I am surprised that there is no debug output when you attempt to establish a VPN session from a source in the Internet. Is it possible that there is some connectivity issue, or perhaps some DNS issue that prevents the VPN traffic? From the source in the Internet can you ping the ISP address?
HTH
Rick
11-17-2017 02:00 PM
Hi Richard
I did a ping for the WAN IP and DNS server in PuTTY; the success rate is 100 percent.
Kind Regards
Hamid
11-19-2017 07:01 AM
I looked at the router config that you posted in the earlier post and I wonder if the static NAT in it impacts the port forwarding that you are doing for ISAKMP and ESP:
ip nat inside source static 10.10.10.1 interface Dialer0
I am not clear why this static NAT is in the config and I suggest (at least as a test) that you remove it and see if ISAKMP works then.
HTH
Rick
11-19-2017 09:52 AM
Hi Richard
Thank you very much for your reply.
I did remove the static NAT, but it still doesn't work and I cannot get any information when I use debug crypto isakmp.
Any other suggestions please?
Kind Regards
Hamid
11-19-2017 10:40 AM
Hamid
Would you post the output of show xlate on the router? Perhaps it would help if you also post a fresh copy of the current config of the router.
HTH
Rick
11-19-2017 11:03 AM
11-19-2017 12:11 PM
11-19-2017 02:25 PM
Hamid
Thanks for the additional information. What I wanted to see was the translation table on the router. What is in your post is the translation table from the ASA.
HTH
Rick
11-20-2017 08:51 AM
11-27-2017 07:52 AM
Hamid
Thanks for the output showing the translation table from the router. I am sorry that I complicated things by suggesting syntax that was not right. The table does confirm static translations for ISAKMP and for ESP. I am puzzled that it seems that the ISAKMP request is not getting to the ASA. Perhaps you could post a fresh copy of the router config?
HTH
Rick
11-27-2017 12:01 PM
11-28-2017 07:01 AM
Hamid
Thanks for posting the router config. I do not see anything obvious that prevents forwarding ISAKMP but I do see a couple things that I would suggest changing.
In this first line I am not clear what this is doing and I do not find any pool named LAN. So I suspect it is not doing much and suggest that you remove it:
ip nat source list LAN pool LAN
These next two lines seem to duplicate themselves. I think the first one is better because its ACL is more specific. I suggest that you remove the second one, which uses the any ACL:
ip nat inside source list LAN interface Dialer0 overload
ip nat inside source list any interface Dialer0 overload
HTH
Rick
11-28-2017 01:45 PM
11-28-2017 02:03 PM
Hamid
Thanks for the update. I notice this line in the config:
no crypto ipsec nat-transparency udp-encapsulation
I do not remember it in previous versions of the config. But I suggest that you change it:
crypto ipsec nat-transparency udp-encapsulation
HTH
Rick
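An added example, not part of the thread or any poster's configuration: a small Python check that scans IOS config text for the three items raised in the two replies above (a NAT rule referencing an undefined pool, more than one overload rule on the same interface, and NAT transparency disabled). The sample config is constructed from only the lines quoted in the thread, and the function name and finding codes are hypothetical.

```python
import re

# Constructed sample: only the lines quoted in the thread, not the full router config.
SAMPLE_CONFIG = """\
ip nat source list LAN pool LAN
ip nat inside source list LAN interface Dialer0 overload
ip nat inside source list any interface Dialer0 overload
no crypto ipsec nat-transparency udp-encapsulation
"""

POOL_DEF = re.compile(r"^ip nat pool (\S+)\s")
POOL_REF = re.compile(r"^ip nat (?:inside |outside )?source list \S+ pool (\S+)")
OVERLOAD = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload")
NAT_T_OFF = "no crypto ipsec nat-transparency udp-encapsulation"


def review_nat_config(text):
    """Return (code, detail) findings for the three items raised in the thread."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Pools that are actually defined with "ip nat pool NAME ..."
    pools = {m.group(1) for ln in lines if (m := POOL_DEF.match(ln))}
    findings = []
    overloads = {}  # interface -> ACL names used for overload (PAT) rules
    for ln in lines:
        if (m := POOL_REF.match(ln)) and m.group(1) not in pools:
            findings.append(("undefined-pool", m.group(1)))
        if m := OVERLOAD.match(ln):
            overloads.setdefault(m.group(2), []).append(m.group(1))
        if ln == NAT_T_OFF:
            findings.append(("nat-t-disabled", ln))
    # More than one overload rule on the same interface is reported for review.
    for iface, acls in overloads.items():
        if len(acls) > 1:
            findings.append(("duplicate-overload", f"{iface}: {', '.join(acls)}"))
    return findings


if __name__ == "__main__":
    for code, detail in review_nat_config(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```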
11-28-2017 02:56 PM