08-10-2012 09:53 PM - edited 02-21-2020 06:15 PM
I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel. I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA. Not sure if it's relevant or not, but this remote ASA has never been used for another VPN tunnel before. When I attempt to ping a host on the other side of my tunnel, I just see the following:
8108# sho crypto isa sa
There are no isakmp sas
Please see attached config and help. My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24. I've been working on this for the better part of the day and would love to get it resolved. Thank you!
08-10-2012 11:36 PM
Joshua,
I noticed you don't have a NAT statement to exempt the traffic to the remote network. You mentioned that the remote end hasn't been configured, but you are looking to see if the debugs show the packet attempting to bring the tunnel up but not exactly come up?
You can try to debug crypto isakmp, and enter the following NAT statement so that the source network doesn't get translated:
object network remote
 subnet 66.37.227.0 255.255.255.0
nat (inside,outside) source static obj-Sirius obj-Sirius destination static remote remote
Then try to ping the remote end.
Here is the section on configuring twice nat:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.html#wp1231100
Thanks,
Tarik Admani
*Please rate helpful posts*
08-11-2012 12:55 PM
I added your suggested NAT line and it still doesn't work. When I run the packet tracer program and ping from 10.1.1.10 or another random inside address other than 10.1.1.1, the simulation works, but it doesn't work when I put 10.1.1.1 as the source.
Sorry for the confusion, but the other side of the tunnel is configured and I have verified all settings such as crypto map, encryption domain, pre-shared key, and ISAKMP as well as IPSEC configurations. But when I ping from my side to the remote end, it's as though it doesn't even attempt to bring up the tunnel. At least when I ping from the remote side (I have access to both), that side brings up a tunnel with a WAIT_MSG_2.
Thank you for your assistance.
08-11-2012 10:21 PM
Can you issue the command "management-access inside" and then try to ping the destination address?
Please make sure the nat statements on the other end are correct.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-11-2012 10:34 PM
Done. Please see attached config.
As for the NAT on the other side, this is my office's head ASA and we NAT for many customers on this ASA currently. All I usually add for a remote customer (which would be represented as my remote ASA "8108," in this case) is the following ACL:
access-list Josh extended permit ip 66.37.227.0 255.255.255.0 10.1.204.0 255.255.255.0
The ping still failed after I added the management command. Not sure what that did.
08-11-2012 10:52 PM
Try clearing the xlate for the 10.1.1.1 and the connections for this host and see if the pings then succeed. Also are you allowing pings through in your policy map?
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
Thanks,
Tarik Admani
*Please rate helpful posts*
08-12-2012 08:07 AM
Thank you for the continued support, but it's still not working after those changes. I cleared xlates and added the policy map but still the pings fail. I think it's some configuration that is simply not allowing the traffic over the tunnel or not recognizing that it needs to at least attempt to open the tunnel, because when I ping from the other side of the tunnel, it sends traffic over the tunnel and I get "WAIT_MSG_2", but on this side, when I'm pinging, I just keep typing:
"show crypto isa sa" and I just get:
8108(config)# sho crypto isa sa
There are no isakmp sas
Like it's not even trying. As I'm sure you've seen, I have "crypto isakmp enable outside" which was what I first thought it was, but now I'm stumped.
Suggestions? Updated config attached.
08-13-2012 12:22 AM
Josh,
How about this command:
crypto map outside_map interface outside
Thanks,
Tarik Admani
*Please rate helpful posts*
08-28-2012 07:54 PM
So, I've started trying to get this to work again and now I get the tunnel to at least try and come up, but I'm getting the following log results when I try to ping a 66.37.227.28 address:
%ASA-3-713042: IKE Initiator unable to find policy: Intf inside, Src: 10.1.204.164, Dst: 66.37.227.28
To add some clarity to my attached configuration, I'm trying to NAT my real addresses in the 10.1.1.0/24 range to a 10.1.204.0/24 if they are to travel over the VPN tunnel to the destination 66.37.227.0/24. If they are not using the tunnel, then just normal interface NAT would apply.
Please see my attached config and try to help me find out why.
Thank you!
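The two configuration points raised in this thread, the twice-NAT rule Tarik suggested and the 10.1.1.0/24 to 10.1.204.0/24 policy NAT described in the last post, fit together as shown below. This is an added example written for this thread, not the poster's attached config or Cisco documentation. It reuses the names that appear in the thread (obj-Sirius, remote, outside_map, the 10.1.1.0/24, 10.1.204.0/24 and 66.37.227.0/24 networks); obj-Sirius-vpn, outside_cryptomap and ESP-AES-SHA are assumed names, and the peer address and pre-shared key are placeholders. The ordering point it illustrates is one that 8.3+ changes from 8.2: NAT is applied before the packet is matched against the crypto map ACL, so when the source is translated to 10.1.204.0/24 the crypto ACL has to reference the translated network, not 10.1.1.0/24. A crypto ACL written for the pre-NAT source is one common way to end up with %ASA-3-713042 "IKE Initiator unable to find policy" for a 10.1.204.x source, which is worth checking against the attached config.

```cisco
! --- Network objects (obj-Sirius and remote are the thread's names,
!     obj-Sirius-vpn is an assumed name for the mapped range) ---
object network obj-Sirius
 subnet 10.1.1.0 255.255.255.0
object network obj-Sirius-vpn
 subnet 10.1.204.0 255.255.255.0
object network remote
 subnet 66.37.227.0 255.255.255.0

! --- Manual (twice) NAT, evaluated before object NAT ---
! Variant 1 (from Tarik's post): identity NAT, source is not translated.
!   nat (inside,outside) source static obj-Sirius obj-Sirius destination static remote remote
! Variant 2 (what the last post asks for): traffic from 10.1.1.0/24 to
! 66.37.227.0/24 is statically mapped one-to-one onto 10.1.204.0/24 and
! the destination is left untouched. Only one of the two variants is
! needed; this example uses variant 2.
nat (inside,outside) source static obj-Sirius obj-Sirius-vpn destination static remote remote

! --- Object (auto) NAT for everything that is not tunnel traffic ---
! Interface PAT lives in the object and is only reached when no manual
! NAT rule above matched, so Internet-bound traffic still gets PAT.
object network obj-Sirius
 nat (inside,outside) dynamic interface

! --- Crypto ACL: must match the POST-NAT source on 8.3 and later ---
! With variant 1 the source here would be 10.1.1.0/24 instead.
access-list outside_cryptomap extended permit ip 10.1.204.0 255.255.255.0 66.37.227.0 255.255.255.0

! --- Phase 1 / Phase 2 (ASA 8.3 syntax; 8.4 prefixes these with ikev1) ---
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

tunnel-group <REMOTE_PEER_IP> type ipsec-l2l
tunnel-group <REMOTE_PEER_IP> ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY>

crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <REMOTE_PEER_IP>
crypto map outside_map 10 set transform-set ESP-AES-SHA
! Without this binding (Tarik's 08-13 suggestion) no crypto map is
! consulted on the interface and "show crypto isakmp sa" stays empty.
crypto map outside_map interface outside

! --- Verification from the CLI ---
! packet-tracer shows the NAT phase (which rule matched and the
! translated source) followed by the VPN phase; if the VPN phase is
! missing or shows DROP, compare the translated source against the
! crypto ACL before looking anywhere else.
!   packet-tracer input inside icmp 10.1.1.10 8 0 66.37.227.28
!   show nat detail
!   show crypto isakmp sa
!   show crypto ipsec sa peer <REMOTE_PEER_IP>
```

The head-end side has to mirror the translated range: its crypto ACL for this peer should permit 66.37.227.0/24 to 10.1.204.0/24, which is what the "Josh" ACL posted above already does, so the two ends agree only if this ASA presents 10.1.204.0/24 as its local network. Keep the manual NAT rule above the object NAT rule in the output of show nat; if a more general manual rule for obj-Sirius sits above it, that rule wins and the tunnel traffic is translated to the interface address instead.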