
VPN between 878 router and ASA-5505

Olaf
Level 1

Hi everyone,

I've been struggling for quite a few days now getting a VPN connection to work.

The situation

Two offices need to be connected to each other with a VPN. Both sides have a WAN cable connection.

The tunnel between the locations comes up fine but communication fails in almost any way.

The hosts cannot ping each other, and pings from inside the router and ASA also fail.

The only ping that will work is from inside Site2 to the inside interface of the router on site 1 (192.168.1.100 to 192.168.0.250).

NAT works fine on both locations from behind the router/asa.

I think I'm doing something wrong with routes or access lists, but after 7 days, numerous reloads, resets, driving from one end of the state to the other to reset stupid moves, breaking and resoldering my console cable, and completely factory-defaulting things and starting over like 10 times, I'm through. I honestly do not know where to look anymore...

Tech. Specs:

Site1: has a cable-modem which gives out a WAN IP address with DHCP

This modem connects to a Cisco 878 Router (Fastethernet0)

The router serves as a DHCP server and NAT gateway for the office and provides VPN connectivity to the other office.

Site2: has a cable-modem/router (Cisco 3925), which does NAT, this modem/router gives out a class-C private IP address (192.168.178.x)

This modem/router connects to a Cisco ASA 5505 (Fastethernet0)

The ASA also serves as a DHCP server and NAT gateway for the office and provides VPN connectivity to the other office.

So in a line it looks like this:

Office 1 --> Cisco878 --> WAN-Cloud <---cablemodemrouter <--- ASA5505 <--- Office 2

IP ranges:

Office 1

Network               192.168.0.0

Subnetmask         255.255.255.0

Gateway              192.168.0.250

WAN IP               XXXX

Office 2

Network               192.168.1.0

Subnetmask         255.255.255.0

Gateway              192.168.1.1

WAN IP               XXXX

At the office 2 location there is a NAT router between the ASA and the WAN. Its range is 192.168.178.x 255.255.255.0.

The modem/router is a Cisco 3925, on which IPSEC passthrough is of course enabled.

The Configs:

Site 1:

CISCO 878 Router

Site 2

ASA-5505

I hope someone has a chance to look through my config and tell me what I have been doing wrong this week.

Even if you can't help me but still read through to here: THANKS!

(As my problem has been solved, I removed the configs from this post. If for any reason you want a working config for these devices, please send me a PM.)

Message was edited by: laaf de lijf - Reason: Problem solved, removed configs and private stuff for obvious reasons ;)

1 Accepted Solution

Accepted Solutions

cadet alain
VIP Alumni
VIP Alumni

Hi,

Ping the site2 client from the site 1 client and do sh crypto isakmp sa and sh crypto ipsec sa on the router.

If sh crypto isakmp sa gives QM_Idle and the ping fails and you've got no packets in the sh crypto ipsec sa, then do a debug crypto ipsec.

If sh crypto isakmp gives MM_NoState, then do a debug crypto isakmp.

One remark though: you should have static IP addresses at least on the side initiating the tunnel, otherwise it won't work when the IP address changes.

Regards.

Alain.

Don't forget to rate helpful posts.


2 Replies 2


Hi cadet alain,

Thanks for your reply, it really helped and I got it functioning now!

I learned a lesson today: sometimes you have to take a few steps away from a problem (i.e. post it here) and do something else.

While being in the process of doing something different after 7 days today, apparently I killed the Windows firewall on one of the two clients.

When I read your reply, I started the ping and suddenly it worked hehe... all this time it was something simple like that.

I was looking for the solution in the really complex stuff, apparently all this time the tunnel already worked, just like the router and ASA told me haha.

Thank you again! Problem solved!
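The check order from the accepted reply, together with the counter reading that fits how the thread ended (tunnel up, a host firewall dropping the pings), as an added example that is not part of either post. The sample outputs are constructed, the function names are hypothetical, and the encaps/decaps branches generalize beyond what the reply states.

```python
import re

# Constructed sample of IOS "show crypto isakmp sa" (addresses are documentation ranges)
ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.20   QM_IDLE           2001 ACTIVE
"""

# Constructed sample of the counter lines from "show crypto ipsec sa"
IPSEC_SAMPLE = """\
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def isakmp_states(text):
    """Return the state column of every SA row in 'show crypto isakmp sa'."""
    row = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+(\S+)", re.M)
    return [state.upper() for state in row.findall(text)]

def ipsec_counters(text):
    """Sum encaps/decaps counters (assumes a single tunnel in the output)."""
    enc = sum(int(n) for n in re.findall(r"#pkts encaps:\s*(\d+)", text))
    dec = sum(int(n) for n in re.findall(r"#pkts decaps:\s*(\d+)", text))
    return enc, dec

def next_step(isakmp_text, ipsec_text):
    """Map the two show outputs, taken right after a test ping, to the next check."""
    if "QM_IDLE" not in isakmp_states(isakmp_text):
        # Phase 1 did not complete (e.g. MM_NO_STATE) or no SA exists
        return "debug crypto isakmp"
    enc, dec = ipsec_counters(ipsec_text)
    if enc == 0 and dec == 0:
        # Phase 1 is up but no packets are hitting the IPsec SAs
        return "debug crypto ipsec"
    if dec == 0:
        # Pings enter the tunnel but no replies return through it
        return "check remote side: routing, NAT exemption, host firewall"
    if enc == 0:
        # Remote traffic arrives but local traffic is not being encrypted
        return "check local side: crypto ACL, NAT exemption, routing"
    return "tunnel carries traffic both ways: check host firewalls"

if __name__ == "__main__":
    print(next_step(ISAKMP_SAMPLE, IPSEC_SAMPLE))
```

Clear the counters or note their values before the test ping, so that only traffic from that ping is being judged.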
