VPN Connection Problems

donleycomputers
Level 1

I have recently started working for a client who has 2 ASA 5505 with version 6.0(2) running on them. At some point after firing his last tech his VPN no longer works, I don't know the story except it doesn't work anymore.

At his office the ASA has a public IP address so it isn't behind a NAT device. The office network behind the device is 192.168.0.0. At home he has a residential cable modem with a dynamic IP and the device is behind the device and having NAT applied to it. So its WAN IP is 10.0.0.3 and it has a couple VLANs behind it (192.168.1.0 and 192.168.5.0). Running packet-tracer it makes it through all 9 phases with ICMP and TCP. I can see in the office log that Phase 1 is completed. I do not see anything being logged as to blocking traffic. I can see that it is encapsulating packets at the home side, but it appears nothing is reaching the office side. Most of the tutorials and help I see are using the newer ASA so the commands don't always work. I also see a map titled 'abcmap' but it does not show up in the ASDM anywhere, I only see it while at the command line which is making me wonder if there are some additional things that are causing a problem that I am not able to see.

When I was attempting to do this with a dynamic IP on the home side no connection was forming at all. Was hoping if I got it working with their current IP I would then be able to set it up again with dynamic or alter the configuration.

I have attached both configuration files.

Any help is much appreciated!

Steven

1 Accepted Solution

shine pothen
Level 3

Checked your config and you have not mapped crypto dynamic to any interface.

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

Thanks for looking. Sorry if I wasn't clear, at first I was getting nowhere with the dynamic setting so I redid it using their current IP, 68.61.131.177, as I've seen references to remove the static and convert it into a dynamic setup afterwards. I might be wrong in that thought though.

Now you have a static IP on both ends. Then configuration would be easy.

Otherwise remove the current IP and redo the config with dynamic map and make sure you attach the crypto dynamic map to the external interface outside.

Use this URL for reference:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/63876-pix-dyntostat-ipsec-nat.html
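
Added example, not part of the original thread or of Cisco's documentation: a Python check for the problem named in the accepted solution, a crypto map or dynamic-map that is defined in the configuration but never applied to an interface. The sample configs are constructed (they are not the poster's attached files) and the function name `audit_crypto_maps` is hypothetical; the names cisco, dyn-map, myset and outside are taken from the reply.

```python
import re

# Constructed sample configs (not the poster's attached files). The names
# cisco / dyn-map / myset / outside come from the reply in the thread; the
# transform-set line is an assumed, typical definition.
BROKEN = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
"""
FIXED = BROKEN + "crypto map dyn-map interface outside\n"

DYN_DEF = re.compile(r"^crypto dynamic-map (\S+) \d+ ")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.*)")
DYN_REF = re.compile(r"ipsec-isakmp dynamic (\S+)")


def audit_crypto_maps(config_text):
    """Return a sorted list of findings about crypto map wiring."""
    dynamic_defs, bound, entries, dyn_refs = set(), {}, set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := DYN_DEF.match(line):
            dynamic_defs.add(m.group(1))          # dynamic-map template defined
        elif m := MAP_BIND.match(line):
            bound[m.group(1)] = m.group(2)        # map applied to an interface
        elif m := MAP_ENTRY.match(line):
            entries.add(m.group(1))               # map has at least one entry
            if ref := DYN_REF.match(m.group(3)):
                dyn_refs.setdefault(ref.group(1), set()).add(m.group(1))
    findings = []
    for name in entries - set(bound):
        findings.append(f"crypto map '{name}' is not applied to any interface")
    for name in dynamic_defs - set(dyn_refs):
        findings.append(f"dynamic-map '{name}' is not referenced by any crypto map")
    for name in set(dyn_refs) - dynamic_defs:
        findings.append(f"crypto map references undefined dynamic-map '{name}'")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_crypto_maps(cfg) or "no findings")
```

Run against a saved copy of the running configuration, the same check would also flag a leftover map that exists only at the command line and is not applied anywhere.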