VPN Client times out when connecting

doug_summersett
Level 1

Hi, I'm new to managing our Cisco environment so please bear with me. We have two Cisco 5510 ASAs set up but one of them will be decommissioned soon. The one being shut down handles all VPN traffic and is working just fine. I'm trying to get VPN access set up on the second ASA. I've built the profiles, configured the group policy, authorization and tunneling. I've also got the VPN Client configured with the Group Name, PSK and the new IP address.

I've never had to build a new profile on my own but I was able to create a new one on the working VPN ASA without any problems so I don't think it's an issue with the profiles. I think the problem is the second ASA isn't allowing the VPN traffic to pass through to begin with. From outside I can ping the current VPN ASA but can't hit the second one. I have an Access Rule that allows all ICMP traffic on the outside interface and I have inspect ICMP traffic turned on under Service Policy Rules. 

Anyone have any suggestions of where I might try to look next? Thanks!!!

3 Replies

Owensteam
Level 1

Hi Doug,

Are these internet-facing firewalls performing NAT? If so, then unless you have a NAT rule on the outside ASA, the inside ASA will be invisible to traffic. Also, if you have one ASA inside the other (as is implied by the question?), won't all your traffic stop once you decommission the outside ASA?

Gareth

Gareth,

Thanks for the reply. Both ASAs are outward facing and one is not inside the other. They are both in two offices and one office is closing so all their equipment is coming here. I'm not as familiar with NAT rules but they both have their NAT rules set up the same.

rizwanr74
Level 7

Hi Doug,

Please make sure you have copied the two lines below onto your ASA. "Your-CRYPTO_MAP" is a user-defined value; replace it with your crypto instance name.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

crypto isakmp enable outside

crypto map Your-CRYPTO_MAP interface outside

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Thanks

Rizwan Rafeek
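
One way to check a saved copy of the running configuration for the two lines from the reply above, as an added example that is not part of the thread. The sample config text, the dynamic map name `DYN_MAP` and the function name are constructed for illustration; `crypto ikev1 enable` is accepted as the equivalent form on ASA 8.4 and later.

```python
import re

# Constructed sample resembling the relevant part of `show running-config`
# on the new ASA: a crypto map is defined but never bound, and IKE is off.
SAMPLE_BROKEN = """\
interface Ethernet0/0
 nameif outside
crypto dynamic-map DYN_MAP 10 set transform-set ESP-3DES-SHA
crypto map Your-CRYPTO_MAP 65535 ipsec-isakmp dynamic DYN_MAP
"""

# The same constructed config with the two lines from the reply added.
SAMPLE_FIXED = SAMPLE_BROKEN + """\
crypto map Your-CRYPTO_MAP interface outside
crypto isakmp enable outside
"""

def audit_vpn_termination(config: str, interface: str = "outside") -> list[str]:
    """Return a list of findings; an empty list means both lines are present."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []

    # IKE must be enabled on the interface the clients connect to.
    # `crypto ikev1 enable` is the equivalent form on ASA 8.4 and later.
    ike = re.compile(rf"^crypto (isakmp|ikev1) enable {re.escape(interface)}$")
    if not any(ike.match(ln) for ln in lines):
        findings.append(f"IKE is not enabled on '{interface}'")

    # A crypto map must be bound to that interface...
    bind = re.compile(rf"^crypto map (\S+) interface {re.escape(interface)}$")
    bound = [m.group(1) for ln in lines if (m := bind.match(ln))]
    if not bound:
        findings.append(f"no crypto map is applied to '{interface}'")

    # ...and the bound name must have at least one sequence entry defined,
    # otherwise the binding refers to a map with nothing in it.
    for name in bound:
        entry = re.compile(rf"^crypto map {re.escape(name)} \d+ ")
        if not any(entry.match(ln) for ln in lines):
            findings.append(f"crypto map '{name}' is bound but has no entries")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BROKEN), ("after", SAMPLE_FIXED)):
        print(label, audit_vpn_termination(cfg) or "OK")
```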