07-05-2017 07:25 PM
I have set up a new tunnel between two firewalls, 5510s both of them. I used the GUI, set the peers, created the crypto maps in reverse order, set the preshared key; ISAKMP and IPsec are set. I enabled the tunnel on the outside interface, but I am not getting any type of love between the two when I try pinging the interfaces. They both respond, but there is zero attempt to bring up the tunnel in the debug logs or the show crypto isakmp.
It has been a long while since I have tried to build a firewall from the ground up and establish a new VPN tunnel on them. What are some things I should be looking for, maybe a no-NAT rule here? The networks are both internal, so I know it's not going to be a split tunneling issue. Any guidance here would be wonderful!!
Cheers
07-05-2017 09:21 PM
Please share the output of debug crypto isa 127. Also, do you have routes to send the VPN traffic out of the outside interface (or a default route)?
Have you configured crypto ACLs on both sides (mirrored)?
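What the two checks in this reply look like in practice, as an added example from the editor rather than from either poster: a mirrored crypto ACL on each side, the NAT exemption written as identity twice NAT so it is evaluated before any dynamic PAT, and a route that sends the peer and the remote LAN out of outside. It uses ASA 8.3+ NAT syntax (the same style as the nat lines quoted later in this thread); every address, object name, ACL name and map name is assumed.

```cisco
! Side A (assumed addressing: inside 10.1.0.0/24, outside 203.0.113.1, peer 203.0.113.2)
object network LAN-A
 subnet 10.1.0.0 255.255.255.0
object network LAN-B
 subnet 10.2.0.0 255.255.255.0
!
! Crypto ACL. Side B must carry the exact mirror: permit ip object LAN-B object LAN-A
access-list VPN-A-TO-B extended permit ip object LAN-A object LAN-B
!
! NAT exemption as identity twice NAT. A low sequence number keeps it ahead of any
! dynamic PAT rule in section 1; a PATed packet never matches the crypto ACL.
nat (inside,outside) 1 source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup
!
! The peer and the remote LAN must be reachable via outside; a default route is enough.
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
crypto map OUTSIDE-MAP 10 match address VPN-A-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <identical-key-on-both-sides>
!
! Side B: identical structure with the roles swapped (assumed outside 203.0.113.2):
!   access-list VPN-B-TO-A extended permit ip object LAN-B object LAN-A
!   nat (inside,outside) 1 source static LAN-B LAN-B destination static LAN-A LAN-A no-proxy-arp route-lookup
!   crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
!   tunnel-group 203.0.113.1 type ipsec-l2l
!
! Checks. Only traffic that matches the crypto ACL brings the tunnel up; pinging one
! outside interface from the other does not. Simulate a LAN-to-LAN packet instead:
packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10 detailed
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.2
show nat
```

In the packet-tracer output the NAT phase should report the identity rule and a VPN/encrypt phase should follow; if the NAT phase shows the dynamic PAT rule instead, the exemption is ordered after the PAT and the packet is leaving untunneled. Run the same tracer from side B towards LAN-A, and compare the two crypto ACLs line by line: any asymmetry (a /24 on one side, a host on the other) makes phase 2 fail even when phase 1 completes.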
07-06-2017 12:14 AM
Here are a few documents that I suggest you check; they can give you the approach to troubleshoot site-to-site VPN:
Basic L2L configuration - Platform Independent Approach
https://supportforums.cisco.com/document/105381/basic-l2l-configuration-platform-independent-approach
Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html
Regards
Dinesh Moudgil
P.S. Please rate helpful posts.
07-06-2017 08:40 PM
From the firewall I was working on last night, it is trying to pull up phase 1 at least:
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
So right now I think the issue is the second firewall, and I have noticed the NATing is at least part of the issue. It still seems some funny stuff is going on on the second firewall, but I hope cleaning up the NATing might resolve the other issues. Trying to clean up the existing NAT statements, I have this first off that needs to be removed, but the ASA is not liking it when I try:
nat (inside,outside) dynamic x.x.x.x
and
nat (Hostnet,outside) dynamic interface
Every time I try to remove it I get this:
no nat (inside,outside) dynamic x.x.x.x
ERROR: % Invalid input detected at '^' marker.
no nat (Hostnet,outside) dynamic interface
ERROR: % Invalid input detected at '^' marker.
Any clue how to remove these NATs?
Once I remove these, hopefully the no-NATing will work; then I can look deeper with a cleaner picture.
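An added example from the editor, not from the poster, covering the two points in this post. First, the "Invalid input" error: on ASA 8.3+ a line that the running config prints as nat (...) dynamic ... indented under an object network entry is object NAT, owned by that object, and is removed inside the object's sub-mode rather than at the global prompt. Second, the NAT exemption does not actually depend on deleting the PAT: an identity rule written as manual (twice) NAT sits in section 1 of the NAT table and is evaluated before any object NAT in section 2. Separately, MM_WAIT_MSG2 on the initiator means MM1 was sent and no MM2 came back, which points at the peer (ISAKMP not enabled on its outside interface, UDP/500 not reaching it, or no matching IKEv1 policy) rather than at NAT on this box. The object names, addresses and the sample output below are assumed; the interface names are the ones quoted in the post.

```cisco
! Find which object owns each nat line (assumed object names and addresses).
show running-config object
show running-config nat
!
! assumed output, showing both lines from the post as object NAT:
!   object network obj-inside
!    subnet 10.1.0.0 255.255.255.0
!    nat (inside,outside) dynamic x.x.x.x
!   object network obj-hostnet
!    subnet 10.3.0.0 255.255.255.0
!    nat (Hostnet,outside) dynamic interface
!
! Remove each one from inside its object; the global "no nat" form only applies
! to manual (twice) NAT statements that appear at the top level of the config.
object network obj-inside
 no nat (inside,outside) dynamic x.x.x.x
object network obj-hostnet
 no nat (Hostnet,outside) dynamic interface
!
! Had these been manual NAT, the whole original statement must be repeated, e.g.
!   no nat (Hostnet,outside) source dynamic any interface
!
! Exemption for the VPN subnets (objects assumed). As manual NAT it lands in
! section 1, ahead of any object NAT, so it wins even if the PAT above is kept.
object network LAN-LOCAL
 subnet 10.1.0.0 255.255.255.0
object network LAN-REMOTE
 subnet 10.2.0.0 255.255.255.0
nat (inside,outside) 1 source static LAN-LOCAL LAN-LOCAL destination static LAN-REMOTE LAN-REMOTE no-proxy-arp route-lookup
!
! Verify the table order and that a VPN-bound packet is left untranslated
show nat
packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10 detailed
!
! After any NAT or crypto change, clear stale SAs on both peers and retest
clear crypto ikev1 sa
clear crypto ipsec sa
show crypto ikev1 sa
```

If show nat lists the identity rule under "Manual NAT Policies (Section 1)" with a non-zero translate_hits after the packet-tracer, NAT is no longer the problem and the remaining work is on the responder side: confirm crypto ikev1 enable outside is present there, that a capture on its outside interface (capture CAP interface outside match udp host <peer> any eq 500) actually sees the MM1 packets, and that its IKEv1 policy matches the initiator's encryption, hash, group and authentication.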