04-22-2013 05:07 AM - edited 02-21-2020 06:50 PM
Hi All,
I am trying to create an IPsec tunnel between two ASA5515-X systems with the same software levels, but I have found that even if I create the IPsec IKEv1 pre-shared-key VPN tunnel using the VPN wizard in ASDM at both ends, the tunnel never gets established. If I use the wizard to make an IPsec connection to an IPCop firewall I can get the ASA to say that the connection is up and running, but I am unable to ping across networks. My network diagram is as follows:
Datacenter 1 LAN: 10.3.3.0/24
Datacenter 1 ASA Outside: x.x.x.4/28
Datacenter 2 ASA Outside: x.x.x.4/28
Datacenter 2 LAN: 10.2.3.0/24
One of the issues I have is that I have turned on debugging and used the debug commands but am not seeing either ASA trying to establish a connection, as nothing is showing in the ASDM logging window for the ISAKMP or IPsec connection apart from when I fire the connection at the IPCop box.
Regards
Grant Fribbens
04-22-2013 08:17 PM
You'd need to share more of your ASA configurations to get more detailed feedback, but at a high level it sounds as if you don't have an access-list applied to your interface that defines the interesting traffic for your crypto map to make it fire up the VPN tunnel (this is what kicks off the Phase 1 and 2 negotiations).
04-23-2013 05:39 AM
Also, if you don't mind, post the debug outputs from debug crypto isakmp and debug crypto ipsec (sanitize the external IPs before pasting) for the IPCop case. You can also provide logs from IPCop regarding the tunnel. Then I might be able to give you some response about it.
(enable session recording in your SSH/Telnet client)
debug crypto ipsec
debug crypto isakmp
terminal monitor
In order to see the traffic you need to start the interesting traffic (for example, pinging the remote end from an internal IP address).
Message was edited by: Predrag Petrovic
04-23-2013 06:36 AM
Hi,
Thank you for your responses. I have tried using the debug commands as suggested and I get nothing at all, even while I am running a ping request to the other network. I am posting my configs for the ASAs and a network diagram. I am trying to achieve that all management devices are in VLAN 16, and there are individual VLANs on the 3750-X switch which will also be able to have internet access via VLAN 3 on either side. Also the VLANs on the switch must be able to communicate with the other side via the IPsec VPN connection.
Regards
Grant Fribbens
04-27-2013 10:51 PM
That's strange, usually you would get debug output when you initialize interesting traffic. I will look at the config files as soon as I get free time.
04-29-2013 08:20 PM
Hi Grant,
Please make the following changes and let me know if it helps
Datum ASA
crypto map outside_map4 1 match address outside_cryptomap_1
crypto map outside_map4 1 set pfs <<<<<<<<<<<<<
crypto map outside_map4 1 set peer xx.xx.26.4
crypto map outside_map4 1 set ikev1 transform-set myset
change the nat priority to 1
no nat (inside,outside) source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN
nat (inside,outside) 1 source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN
============================================================================================
Peer ASA
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
crypto map outside_map1 1 set peer xx.xx.89.4
crypto map outside_map1 1 set ikev1 transform-set myset
change the nat priority to 1
no nat (inside,outside) source static PEER1_LAN PEER1_LAN destination static DATUM_LAN DATUM_LAN
nat (inside,outside) 1 source static PEER1_LAN PEER1_LAN destination static DATUM_LAN DATUM_LAN
Thanks and regards
Rohan
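Added example, not code from any of the posts above and not a Cisco tool: a small Python checker that parses the crypto map and NAT exemption lines of both ASAs and reports the mismatches discussed in this thread (no interesting-traffic ACL on the crypto map, `set pfs` on one end only, NAT exemption missing, not an identity rule, not at priority 1, or not mirroring the other side). The config strings are constructed from Rohan's suggested lines; the "before" Datum fragment deliberately omits `set pfs` and the NAT priority so the checker has something to flag. Peer addresses are left masked exactly as on the page.

```python
"""
Consistency check for a pair of ASA IKEv1 site-to-site crypto-map entries.

Added example for this thread; not code from the original posts or from Cisco.
It parses crypto map and twice-NAT exemption lines from both ASAs and reports
the issues raised in the thread. Config fragments below are constructed from
Rohan's suggested lines (peer IPs masked as on the page).
"""
import re

# "Before" state of the Datum ASA: no 'set pfs', NAT exemption without priority 1.
DATUM_BEFORE = """
crypto map outside_map4 1 match address outside_cryptomap_1
crypto map outside_map4 1 set peer xx.xx.26.4
crypto map outside_map4 1 set ikev1 transform-set myset
nat (inside,outside) source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN
"""

# "After" state: Rohan's corrected Datum lines.
DATUM_AFTER = """
crypto map outside_map4 1 match address outside_cryptomap_1
crypto map outside_map4 1 set pfs
crypto map outside_map4 1 set peer xx.xx.26.4
crypto map outside_map4 1 set ikev1 transform-set myset
nat (inside,outside) 1 source static DATUM_LAN DATUM_LAN destination static PEER1_LAN PEER1_LAN
"""

# Peer ASA as suggested in the thread.
PEER = """
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs
crypto map outside_map1 1 set peer xx.xx.89.4
crypto map outside_map1 1 set ikev1 transform-set myset
nat (inside,outside) 1 source static PEER1_LAN PEER1_LAN destination static DATUM_LAN DATUM_LAN
"""

CRYPTO_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set ikev1 transform-set)\s*(\S*)")
# Twice-NAT line: optional priority, then real/mapped objects for source and destination.
NAT_RE = re.compile(
    r"^nat \((\w+),(\w+)\)(?: (\d+))? source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_asa(cfg):
    """Extract the fields the check needs from one ASA's crypto map / NAT lines."""
    entry = {"pfs": False}
    for line in cfg.splitlines():
        line = line.strip()
        m = CRYPTO_RE.match(line)
        if m:
            name, seq, keyword, arg = m.groups()
            entry.setdefault("map", f"{name} {seq}")
            if keyword == "match address":
                entry["acl"] = arg
            elif keyword == "set pfs":
                entry["pfs"] = True
            elif keyword == "set peer":
                entry["peer"] = arg
            else:
                entry["transform_set"] = arg
            continue
        m = NAT_RE.match(line)
        if m:
            _in, _out, prio, s_real, s_mapped, d_real, d_mapped = m.groups()
            entry["nat"] = {
                "priority": int(prio) if prio else None,
                "local": s_real,
                "remote": d_real,
                # A NAT exemption must translate each object to itself.
                "identity": s_real == s_mapped and d_real == d_mapped,
            }
    return entry


def check_pair(a, b, a_name="A", b_name="B"):
    """Return a list of findings; an empty list means the two ends look consistent."""
    findings = []
    for name, e in ((a_name, a), (b_name, b)):
        if "acl" not in e:
            findings.append(f"{name}: crypto map has no 'match address' ACL, so nothing is "
                            "interesting traffic and Phase 1 is never initiated")
        if "peer" not in e:
            findings.append(f"{name}: crypto map has no 'set peer'")
        if "nat" not in e:
            findings.append(f"{name}: no NAT exemption for the VPN subnets")
        else:
            if not e["nat"]["identity"]:
                findings.append(f"{name}: NAT exemption is not an identity (real != mapped) rule")
            if e["nat"]["priority"] != 1:
                findings.append(f"{name}: NAT exemption is not at priority 1 "
                                f"(found {e['nat']['priority']}); an earlier rule may translate VPN traffic")
    if a["pfs"] != b["pfs"]:
        findings.append("PFS is configured on one end only; the thread's fix sets it on both")
    if "nat" in a and "nat" in b:
        if (a["nat"]["local"], a["nat"]["remote"]) != (b["nat"]["remote"], b["nat"]["local"]):
            findings.append("NAT exemptions are not mirror images (local/remote subnets do not swap)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("Datum before", DATUM_BEFORE), ("Datum after", DATUM_AFTER)):
        print(f"== {label} vs Peer ==")
        for f in check_pair(parse_asa(cfg), parse_asa(PEER), "Datum", "Peer") or ["OK"]:
            print(" -", f)
```

Running it reports two findings for the "before" pair (Datum NAT exemption not at priority 1, PFS on one end only) and none once Rohan's corrected lines are applied. The transform-set name is parsed but deliberately not compared, since names are local to each ASA; only the proposals they contain have to agree, which this text-level check cannot see.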