Site to Site VPN Issue - CISCO ASA5506X

H3ct0r
Level 1

My apologies, but I am not well versed in Cisco configuration. I only know the basic stuff like checking config settings and other things.

I need help regarding our office firewall. Unfortunately, as per Cisco TAC, our device no longer has a support warranty.

Our issue is regarding the Easy VPN client. It used to work; however, our ISP changed their router since we have a new business package with them. The Internet is working, but our VPN connection is not. The tunnel is up but there is no traffic, and I couldn't figure out how to solve the issue. I tried reading posts related to the issue, but nothing helps. I did not do any configuration on the ASA, and the only thing the ISP did was enable the DMZ from their side. Attached are the show tech and NAT details (if that helps) for anyone who can help me check and advise what I need to do. Again, I have little to no knowledge of Cisco, nor am I trained as a CCNA. I just learned the basics through reading the manuals.

Thank you in advance.


13 Replies

Can you draw the topology?

>>> ISP Router ------> CISCO ASA

Marvin Rhoads
Hall of Fame

Check with your ISP - by default their router needs to allow certain incoming traffic to your ASA. For Easy VPN, those ports are as follows:

ISAKMP - UDP 500

ESP - Protocol 50

NAT-T - UDP 4500

IPSEC Over UDP - UDP 10000 (Default)

IPSEC Over TCP - TCP 10000 (Default)
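As an added illustration (written here for this thread, not code from any participant or from Cisco), a small Python checker that takes a constructed list of inbound allow rules on the ISP router and reports which of the flows listed above no rule covers, and which rules are broader than those flows need, which is what a "DMZ host" / forward-everything setting produces. The rule format (protocol, port) is an assumption for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    name: str
    proto: str            # "udp", "tcp" or "esp" (IP protocol 50 carries no port)
    port: Optional[int]   # None for port-less protocols such as ESP

# Inbound flows Easy VPN needs at the ISP router, as listed in the reply above.
# 10000 is the ASA default for IPsec over UDP/TCP and only matters if that is enabled.
EASY_VPN_FLOWS = (
    Flow("ISAKMP", "udp", 500),
    Flow("ESP", "esp", None),
    Flow("NAT-T", "udp", 4500),
    Flow("IPsec over UDP", "udp", 10000),
    Flow("IPsec over TCP", "tcp", 10000),
)

def rule_allows(rule: tuple, flow: Flow) -> bool:
    """A rule is (proto, port); proto 'any' or port None means unrestricted."""
    proto, port = rule
    return proto in ("any", flow.proto) and port in (None, flow.port)

def check_rules(rules, required=EASY_VPN_FLOWS):
    """Return (names of required flows no rule permits, rules broader than needed)."""
    missing = [f.name for f in required
               if not any(rule_allows(r, f) for r in rules)]
    # "DMZ host" style rules forward everything; flag them so they do not stay in place
    # once the specific flows have been allowed.
    broad = [r for r in rules if r[0] == "any" or (r[1] is None and r[0] != "esp")]
    return missing, broad

if __name__ == "__main__":
    # Constructed sample: ISP forwards only IKE and NAT-T, no ESP, no port 10000.
    sample_rules = [("udp", 500), ("udp", 4500)]
    print(check_rules(sample_rules))
    # Constructed sample: the "enable DMZ" setting expressed as one catch-all rule.
    print(check_rules([("any", None)]))
```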

Hi,

I did that part already, and even now the ISP has already enabled DMZ on their router.

The ISP router's OUT interface gets its IP dynamically via DHCP.
The EasyVPN client router needs a static peer IP to work; here the IP always changes.
How to check this point:
in the EasyVPN config, set the peer IP to the IP shown as the ISP's OUT DHCP IP and check.
NOTE: on the ISP you need
NAT from the OUT DHCP IP to the OUT of the ASA FW
for 50, 500, 4500 UDP ports.

Hi,

Currently, the Outside Interface is set to Static IP. Should I set it to Dynamic IP?

No, static is OK.
Now, on the ISP, can I see the NAT and ACL for IPsec?

Hi, not sure how to do that. Can I get it through a CLI command?

On the ISP, did you configure NAT for 50, 500, 4500, and did you configure an ACL to accept the IPsec initiation traffic?

Yes. We did that too. Also, as of the moment, we have the DMZ enabled from the ISP to make everything open. Still we have the issue. There is a tunnel but no traffic.

OK, can you help me here:
share the Router EasyVPN config
share the ISP router config
share the ASA config
separately, one file for each device.
Note: hide the public IP in the config.

Hi,

I couldn't get the config of the ISP router as they don't allow access to their router. However, I attached the Cisco ASA 5506 config file and VPN config. I hope these are the correct ones you are looking for. By the way, I omitted the IP addresses.

[attached image]

The ISP router must be checked: one router behind a NAT device (the ISP).
The NAT device will NAT all IPsec & ISAKMP to its interface.
EasyVPN must be configured with set peer to the IP address of the ISP, not the IP address of the ASA.
The ISP must NAT both 4500 & 500.
The ISP must allow traffic for 4500 & 500, since the traffic ALWAYS initiates from EasyVPN, not from the ASA.

In your network there are three parts:
1 - EasyVPN (is this a router or an ASA??) SHARE CONFIG
2 - ISP router: CHECK NOTE ABOVE
3 - ASA (HQ FW): SHARE CONFIG

Am I right?