VPN IPsec site-to-site ASA X Check-Point

stlourenco
Level 1

Hello guys

I'm having trouble closing an IPsec site-to-site VPN between a Cisco ASA 5512 firewall and a Check Point. This is a VPN between my company and one of our suppliers. The problem is that the VPN closes, but it does not encrypt or encapsulate; it only decrypts, as the logs below show:

Fw-ASA# show crypto ipsec sa peer 187.32.5.130
peer address: 187.32.5.130
    Crypto map tag: outside2_map, seq num: 2, local addr: 200.199.228.146

      access-list VPN-CELG extended permit ip 172.30.70.0 255.255.255.0 172.17.230.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.230.0/255.255.255.0/0/0)
      current_peer: 187.32.5.130


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 192, #pkts decrypt: 192, #pkts verify: 192
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.199.228.146/0, remote crypto endpt.: 187.32.5.130/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 26D75ADF
      current inbound spi : 3C990446
              
    inbound esp sas:
      spi: 0x3C990446 (1016661062)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 48914432, crypto-map: outside2_map
         sa timing: remaining key lifetime (kB/sec): (4373988/2643)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x26D75ADF (651647711)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 48914432, crypto-map: outside2_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2643)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
2   IKE Peer: 187.32.5.130
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA       
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85358
Attached is the configuration that exists on my ASA 5512 firewall and the status of the VPN on my supplier's Check Point side.
I would be grateful to anyone who can help me with this.
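As an added illustration (not part of the original post, and not a Cisco tool), here is a small Python parser that reads the counters from the `show crypto ipsec sa` output above and names the direction in which traffic is missing. The sample output is a constructed excerpt built only from the values shown in this post (0 encaps, 192 decaps); the hints it prints are the checks the thread itself suggests.

```python
import re

# Constructed excerpt of `show crypto ipsec sa`, using the values from the post.
SAMPLE_SA = """\
peer address: 187.32.5.130
    Crypto map tag: outside2_map, seq num: 2, local addr: 200.199.228.146
      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.230.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 192, #pkts decrypt: 192, #pkts verify: 192
      #send errors: 0, #recv errors: 0
"""

# One regex per field we need; numeric fields are converted to int below.
FIELDS = {
    "peer": r"peer address: (\S+)",
    "local_ident": r"local ident \(addr/mask/prot/port\): \((\S+?)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \((\S+?)\)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
}

def parse_ipsec_sa(text):
    """Extract peer, traffic selectors and per-direction packet counters."""
    sa = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"field not found in output: {key}")
        val = m.group(1)
        sa[key] = int(val) if val.isdigit() else val
    return sa

def diagnose(sa):
    """Classify the SA from its counters; returns (verdict, hint)."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return "no-traffic", ("nothing matches the crypto ACL on either side; "
                              "compare the crypto ACLs of both peers")
    if enc == 0 and dec > 0:
        return "one-way-inbound", (
            f"{sa['remote_ident']} reaches us, but nothing from "
            f"{sa['local_ident']} enters the tunnel: check this ASA's route "
            "to the remote subnet and its crypto ACL (packet-tracer shows which)")
    if enc > 0 and dec == 0:
        return "one-way-outbound", ("we encrypt but nothing returns: check the "
                                    "remote peer's crypto ACL and return route")
    return "healthy", "traffic flows in both directions"

if __name__ == "__main__":
    verdict, hint = diagnose(parse_ipsec_sa(SAMPLE_SA))
    print(verdict, "-", hint)
```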
5 Replies

Aditya Ganjoo
Cisco Employee

Hi,

It seems the config is in place.

Could you also check routing for this remote subnet, 172.17.230.0 255.255.255.0?

And can you check your crypto ACL on the remote peer?

Is it matching the ACL on the ASA?

What does the packet-tracer output show for this traffic?

Regards,

Aditya

Please rate helpful posts.

Hi, Aditya,

This is the routing configuration that is configured on the ASA:

Fw-ASA # show route 172.17.230.0

Routing entry is 172.17.230.0 255.255.255.0
   Known via "static", distance 1, metric 0
   Routing Descriptor Blocks:
   * 200.199.228.145 via outside
       Route metric is 0, traffic share count is 1

Fw-ASA # show running-config route | i 172.17.230.0
route outside 172.17.230.0 255.255.255.0 200.199.228.145 1
route outside2 172.17.230.0 255.255.255.0 177.53.41.129 2

Does anyone have an idea of what has to be done? Because the ASA configuration is correct.

Hi,

Please use captures on the ASA to check if the traffic is even reaching the ASA.

Try making the CELG interface the management-access interface:

management-access celg

Try pinging the remote IP using the source as CELG:

ping celg <remote ip>

And if you can, also try pinging the CELG IP from the remote end and check whether it is reachable.

Regards,

Aditya

Please rate helpful posts.

Hi, Aditya.

I am unable to capture the traffic from the remote site VPN:

Fw-ASA#show capture                                                    
capture VPN type isakmp ikev1 packet-length 32810 interface outside circular-buffer [Capturing - 0 bytes]
  match ip host 172.17.230.53 any

This is the capture configuration I used:

Fw-ASA(config)#capture VPN TYpe isakmp ikev1 interface outside circular-buffer match ip host 172.17.230.53 any

Where am I going wrong?