Site to Site VPN ISSUE

Hi, I'm trying to configure a site-to-site VPN with an ASA 5510 on one side and another vendor's firewall (Checkpoint) on the other side. However, the VPN never comes up.

On my side I'm behind a router that does static PAT for UDP ports 500 and 4500 (i.e. the ASA has a private address on its outside interface), and on the remote side a public IP is assigned directly to the firewall.

I tried enabling and disabling NAT-T on my side, but the only difference I get is a log message that says "Automatic NAT Detection Status: Remote end is NOT behind a NAT device. This end IS behind a NAT device". I'm not sure if this message is just informational or is the cause of the VPN tunnel not working.

The output of debug crypto isakmp is:

* I replaced the real public IP of the remote firewall with 190.190.190.190.

%ASA-7-713906: NAT-T disabled in crypto map outside_map 1.

2012-09-12 11:54:45    Local4.Notice    192.168.202.2    %ASA-5-713041: IP = 190.190.190.190, IKE Initiator: New Phase 1, Intf outside, IKE Peer 190.190.190.190  local Proxy Address 192.168.202.2, remote Proxy Address 190.190.190.190,  Crypto map (outside_map)

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing ISAKMP SA payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing Fragmentation VID + extended capabilities payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-609001: Built local-host outside:190.190.190.190

2012-09-12 11:54:45    Local4.Info    192.168.202.2    %ASA-6-302015: Built outbound UDP connection 83198007 for outside:190.190.190.190/500 (190.190.190.190/500) to identity:192.168.202.2/500 (192.168.202.2/500)

2012-09-12 11:54:45    Local4.Info    192.168.202.2    %ASA-6-725007: SSL session with client Inside:192.168.51.15/3006 terminated.

2012-09-12 11:54:45    Local4.Info    192.168.202.2    %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.23.253/0 gaddr 192.168.32.80/0 laddr 192.168.32.80/0

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715047: IP = 190.190.190.190, processing SA payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713906: IP = 190.190.190.190, Oakley proposal is acceptable

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing ke payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing nonce payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing Cisco Unity VID payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing xauth V6 VID payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715048: IP = 190.190.190.190, Send IOS VID

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715038: IP = 190.190.190.190, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: IP = 190.190.190.190, constructing VID payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715048: IP = 190.190.190.190, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

2012-09-12 11:54:45    Local4.Info    192.168.202.2    %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.23.253/0 gaddr 192.168.32.80/0 laddr 192.168.32.80/0

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715047: IP = 190.190.190.190, processing ke payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715047: IP = 190.190.190.190, processing ISA_KE payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715047: IP = 190.190.190.190, processing nonce payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713906: IP = 190.190.190.190, Connection landed on tunnel_group 190.190.190.190

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713906: Group = 190.190.190.190, IP = 190.190.190.190, Generating keys for Initiator...

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: Group = 190.190.190.190, IP = 190.190.190.190, constructing ID payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: Group = 190.190.190.190, IP = 190.190.190.190, constructing hash payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715076: Group = 190.190.190.190, IP = 190.190.190.190, Computing hash for ISAKMP

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-715046: Group = 190.190.190.190, IP = 190.190.190.190, constructing dpd vid payload

2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

If someone can help, many thanks in advance.
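As an added illustration (not part of the poster's output or of any Cisco tool), here is a small parser that walks the IKE_DECODE lines above and reports where main mode stops. Only the ASA-7-713236 message format is relied on; the sample lines are copied from the post (190.190.190.190 is the poster's placeholder for the peer). On this log it shows three messages sent and two received: MM5 (ID + HASH, the authentication message) goes out and no MM6 comes back. Because MM2 and MM4 did arrive, the proposal and key exchange were accepted by the peer, so the stall points at phase 1 authentication (pre-shared key or peer ID handling on the responder) or at the reply being dropped on the path, not at a policy mismatch.

```python
"""Walk an IKEv1 main-mode exchange out of ASA 'debug crypto isakmp' output.

Added example; not from the original thread. The log lines below are copied
from the post above; the parser depends only on the %ASA-7-713236 IKE_DECODE
line format.
"""
import re

# Constructed sample: the IKE_DECODE lines from the post plus one unrelated
# connection line, to show that non-IKE messages are ignored.
SAMPLE_LOG = """\
2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
2012-09-12 11:54:45    Local4.Info    192.168.202.2    %ASA-6-302015: Built outbound UDP connection 83198007 for outside:190.190.190.190/500 (190.190.190.190/500) to identity:192.168.202.2/500 (192.168.202.2/500)
2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
2012-09-12 11:54:45    Local4.Debug    192.168.202.2    %ASA-7-713236: IP = 190.190.190.190, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
""".splitlines()

DECODE_RE = re.compile(
    r"%ASA-7-713236: IP = (?P<peer>[\d.]+), IKE_DECODE (?P<direction>SENDING|RECEIVED) "
    r"Message \(msgid=(?P<msgid>[0-9a-fA-F]+)\) with payloads : (?P<payloads>.+?) "
    r"total length : (?P<length>\d+)"
)


def parse_payloads(text):
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['SA', 'VENDOR']."""
    names = []
    for item in text.split(" + "):
        name = item.split(" (")[0].strip()
        if name not in ("HDR", "NONE"):
            names.append(name)
    return names


def main_mode_step(direction, payloads):
    """Map an initiator-side main-mode message to its MM number from its content:
    SA -> MM1/MM2, KE+NONCE -> MM3/MM4, ID+HASH -> MM5/MM6."""
    if "SA" in payloads:
        base = 1
    elif "KE" in payloads:
        base = 3
    elif "ID" in payloads or "HASH" in payloads:
        base = 5
    else:
        return None
    return base if direction == "SENDING" else base + 1


def parse_exchange(lines):
    """Return one event per phase 1 IKE_DECODE line (msgid=0 means main mode)."""
    events = []
    for line in lines:
        m = DECODE_RE.search(line)
        if not m or int(m.group("msgid"), 16) != 0:
            continue
        payloads = parse_payloads(m.group("payloads"))
        events.append({
            "peer": m.group("peer"),
            "direction": m.group("direction"),
            "payloads": payloads,
            "step": main_mode_step(m.group("direction"), payloads),
            "length": int(m.group("length")),
        })
    return events


def diagnose(events):
    """Say how far main mode got and which side stopped answering."""
    steps = [e["step"] for e in events if e["step"]]
    if not steps:
        return "no phase 1 traffic decoded"
    last = max(steps)
    if last == 6:
        return "phase 1 completed (MM6 received); look at phase 2 (quick mode) next"
    if last == 5:
        return ("stalled after MM5: ID + HASH sent but no MM6 from the peer; "
                "check the pre-shared key, the peer ID type, and that the reply reaches this side")
    if last % 2 == 1:
        return f"stalled after MM{last}: no reply from the peer; check reachability and the UDP/500 translation"
    return f"stalled after MM{last}: peer answered but this side sent nothing further"


if __name__ == "__main__":
    events = parse_exchange(SAMPLE_LOG)
    for e in events:
        print(f"MM{e['step']} {e['direction']:8} {' + '.join(e['payloads'])} ({e['length']} bytes)")
    print(diagnose(events))
```

Run it on a fuller capture and the last printed line tells you whether the exchange dies before any reply (reachability or PAT), after MM4 (authentication), or after phase 1 (quick mode, which is where crypto-map ACLs and NAT exemptions come into play).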

19 Replies

No wonder Cisco TAC support is not getting any better.

#1:  the checkpoint link that you provided the user is about ten years old.  Nobody uses Checkpoint VPN in traditional mode anymore.  It is all about Simplified mode now (aka VPN community). 

#2:  Checkpoint will not work with UDP/4500 over Site-to-Site VPN, at least the last time I checked.  It will work with udp/4500 or udp/2646 for remote access VPN (i.e. NAT Traversal).  Disable NAT-T on the ASA for the VPN tunnel with the Checkpoint firewalls.

#3: You do NOT need to static NAT 1-1 on the router.  You only need to static PAT for udp/500 and ESP (proto 50) on the router.  That will work as well.
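To show what the "Automatic NAT Detection Status" line the poster asked about actually reports, here is an added model of RFC 3947 NAT-D detection in the poster's topology. It is example code, not from the thread, Cisco or Checkpoint. The ASA outside address 192.168.202.2 and the peer placeholder 190.190.190.190 come from the log; the router's public address 203.0.113.10, the ISAKMP cookies and the choice of SHA-1 (the real hash is whichever one phase 1 negotiated) are constructed assumptions.

```python
"""How the 'Automatic NAT Detection Status' line is decided (RFC 3947 NAT-D).

Added example; not from the thread, Cisco or Checkpoint. Each side sends two
hashes in MM3/MM4: one over the address it is sending to and one over its own
address. The receiver recomputes both from the packet it actually got; any
mismatch means a NAT rewrote that address on the way.
"""
import hashlib
import ipaddress
import struct

ASA_LOCAL = ("192.168.202.2", 500)        # from the log: ASA outside interface
ROUTER_PUBLIC = ("203.0.113.10", 500)     # constructed: what the router PATs 192.168.202.2:500 to
PEER = ("190.190.190.190", 500)           # poster's placeholder for the Checkpoint
CKY_I = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")  # constructed responder cookie


def nat_d_hash(cky_i, cky_r, addr, algo="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order.
    SHA-1 is assumed here; in reality it is the hash negotiated in phase 1."""
    ip, port = addr
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d(cky_i, cky_r, local, remote):
    """Payloads a sender puts in MM3/MM4: first the peer (destination) as it
    sees it, then its own (source) address. Both are computed before any NAT."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def detect_nat(cky_i, cky_r, my_addr, packet_src, received):
    """Receiver side: compare what the sender hashed with what actually arrived."""
    dst_hash, src_hash = received[0], received[1]
    return {
        # The sender hashed its own address; if that differs from the packet
        # source we observe, a NAT rewrote the sender's address on the way.
        "remote_behind_nat": src_hash != nat_d_hash(cky_i, cky_r, packet_src),
        # The sender hashed the address it sent to; if that is not our own
        # address, our address is being translated before it reaches the peer.
        "local_behind_nat": dst_hash != nat_d_hash(cky_i, cky_r, my_addr),
    }


def asa_status_line(result):
    """Render the result in the wording the ASA logs."""
    remote = "IS" if result["remote_behind_nat"] else "is NOT"
    local = "IS" if result["local_behind_nat"] else "is NOT"
    return (f"Automatic NAT Detection Status: Remote end {remote} behind a NAT device. "
            f"This end {local} behind a NAT device")


def simulate_exchange():
    """Model MM3 (ASA -> peer) and MM4 (peer -> ASA) through the PAT router."""
    # MM3: the router rewrites source 192.168.202.2:500 -> 203.0.113.10:500,
    # but the hashes inside the packet were computed over 192.168.202.2.
    asa_nat_d = build_nat_d(CKY_I, CKY_R, local=ASA_LOCAL, remote=PEER)
    peer_view = detect_nat(CKY_I, CKY_R, my_addr=PEER, packet_src=ROUTER_PUBLIC, received=asa_nat_d)
    # MM4: the peer addresses the ASA as 203.0.113.10; the router translates the
    # destination back to 192.168.202.2 before the ASA sees the packet.
    peer_nat_d = build_nat_d(CKY_I, CKY_R, local=PEER, remote=ROUTER_PUBLIC)
    asa_view = detect_nat(CKY_I, CKY_R, my_addr=ASA_LOCAL, packet_src=PEER, received=peer_nat_d)
    return peer_view, asa_view


if __name__ == "__main__":
    peer_view, asa_view = simulate_exchange()
    print("Checkpoint side:", peer_view)
    print("ASA side:       ", asa_status_line(asa_view))
```

The ASA side comes out exactly as in the poster's message: remote end not behind NAT, this end behind NAT, which is simply the correct description of a private outside interface behind a PAT router. The line itself is informational; what the result changes, when NAT-T is enabled on both ends, is that ESP is carried inside UDP/4500 after phase 1. With NAT-T disabled as recommended above, the poster's own log shows MM3 carrying four named vendor IDs and no NAT-D payloads, so no detection happens and the router must pass ESP (protocol 50) itself, which is what the static udp/500 plus esp translations in the later reply provide.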

Yes, I just realized that I don't need to make a 1-to-1 NAT (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094ecd.shtml); however, it is already configured...

As I said, the VPN tunnel goes up, but the ASA is not encrypting packets. I checked the crypto map ACL, the interface ACL and the NAT 0 statements and they are fine, so I don't know what else can cause this behavior on the ASA...

Any idea would be appreciated.

Many Thanks.

I have an exact VPN setup in my lab and it is working fine between a PIX 8.0(4) and a Checkpoint R70.50 firewall.

The Checkpoint firewall has a public IP address while the PIX is sitting behind a Cisco 2600 router.  The Cisco router has a public IP address while the PIX "outside" has a private address.

Here is what I have on the cisco 2600 router:

ip access-list extended allow
   permit icmp any any log
   permit ip any any

ip route 0.0.0.0 0.0.0.0 1.1.1.1

interface f0/0
  description public facing
  ip nat outside
  ip address 1.1.1.2 255.255.255.252
  ip access-group allow in

interface f0/1
  description internal facing
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip access-group allow in

ip nat inside source static udp 192.168.1.1 500 interface f0/0 500
ip nat inside source static esp 192.168.1.1 interface f0/0

Assuming that your ASA "outside" interface IP address is 192.168.1.1 and that you configure the VPN correctly between the ASA and the Checkpoint firewall, it will work.  It is not difficult at all.  It is working as we speak.  On the router, do "show ip nat trans" and see if your address is being translated properly by the router.

Thanks for help

Everyone's answers were so helpful and let me understand a lot of things about VPNs that I didn't know.

The problem with the ASA not encrypting packets was that the ACL that defines the crypto map was disabled.

Now the VPN is up and transmitting traffic. The only issue I found is that it is so slow... but the important stuff is done.

Hi Julio,

I am not sure how come we omitted the "inactive" ACL...

On the other hand, are you experiencing slow traffic with TCP applications such as RDP or FTP?

At this point I would suggest opening a new post for the slow performance issue and mark this one as answered.

Please rate any posts that you considered helpful.

Thanks