Only 1 way traffic on a 2 way VPN

Unanswered Question
Jun 7th, 2007
Hello, I am having trouble getting a LAN-to-LAN VPN to allow two-way traffic. I am able to bring up the VPN and send/receive from my end. The remote end can sometimes bring up the VPN, but can't seem to reach my inside network no matter what.

Any ideas where I may have misconfigured this?


I am using an ASA 5510.

Remote site = Sidewinder

acomiskey Thu, 06/07/2007 - 10:13

Check the ASA config for:

version 7.0, 7.1
isakmp nat-traversal

version 7.2
crypto isakmp nat-traversal

rschling22 Thu, 06/07/2007 - 10:34

I am running version 7.2. Here is the output of the sh run crypto isakmp command; the line you asked about is there.


ciscoasa# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20


Anything else? How do I tell if the problem is on my end or theirs?

acomiskey Thu, 06/07/2007 - 10:41

Oh, LAN-to-LAN tunnel, sorry.


Can you post the ASA config, minus passwords etc.? Also, is the topology just like this, with no other firewalls, etc.?

your inside -- ASA -- Internet -- Sidewinder -- their inside

rschling22 Thu, 06/07/2007 - 11:09

Yes, that is the basic topology:

My Inside -- ASA -- Internet -- Sidewinder -- Their Inside


Here is a slimmed-down output of my sh run. I tried to delete IPs and most of the stuff that doesn't pertain to this. If I removed too much, please let me know and I'll try to get it right.


Thanks

Rob


 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value A.A.A.199
 vpn-tunnel-protocol l2tp-ipsec
!
Deleted
!
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_8
crypto map outside_map 1 set peer REMOTE VPN PROBLEM IP C.C.C.193
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
!
Deleted
!
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
Deleted
!
 isakmp keepalive disable
tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 type ipsec-l2l
tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
Deleted
!


acomiskey Thu, 06/07/2007 - 11:29

Can you log on the ASA as they try to bring up the tunnel?

debug crypto isakmp
debug crypto ipsec

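Alongside the debugs, the per-SA counters in `show crypto ipsec sa` are the quickest way to tell which direction of a tunnel is dead: `#pkts encaps` counts packets this ASA encrypted toward the peer, `#pkts decaps` counts packets received from the peer and decrypted. The script below is an added example, not from the thread: it parses that output and classifies each SA. The sample text is constructed in the layout of the ASA command; the addresses, peers and counter values are made up.

```python
"""Which direction of an IPsec SA is carrying traffic (added example)."""
import re

# Constructed sample output of `show crypto ipsec sa`; values are made up.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap_8 extended permit ip 10.10.0.0 255.255.0.0 172.16.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.9

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 871, #pkts decrypt: 871, #pkts verify: 871
"""

# One match per SA: proxy identities, peer, then the two direction counters.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)\s*"
    r"current_peer: (?P<peer>\S+)\s*"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+)",
    re.S,
)


def parse_ipsec_sas(text):
    """Return [{peer, local, remote, encaps, decaps}] for each SA in the output."""
    return [
        {
            "peer": m.group("peer"),
            "local": m.group("local"),
            "remote": m.group("remote"),
            "encaps": int(m.group("encaps")),
            "decaps": int(m.group("decaps")),
        }
        for m in SA_RE.finditer(text)
    ]


def classify(sa):
    """Name the traffic pattern of one SA; the verdict is a first pointer only."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "two-way"
    if enc and not dec:
        # We encrypt toward the peer but nothing comes back: start on the peer
        # side (its crypto policy, its route to our subnet, or its firewall rules).
        return "outbound-only"
    if dec and not enc:
        # Peer traffic arrives and decrypts but we send nothing back: start here
        # (return routing, NAT exemption, crypto ACL or inside ACL on this ASA).
        return "inbound-only"
    return "idle"


def diagnose(text):
    """Map peer address -> verdict for every SA in the output."""
    return {sa["peer"]: classify(sa) for sa in parse_ipsec_sas(text)}


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE):
        print(f"{sa['peer']:>15} {sa['local']} <-> {sa['remote']}: "
              f"encaps={sa['encaps']} decaps={sa['decaps']} -> {classify(sa)}")
```

Clear the counters first (`clear crypto ipsec sa counters`), generate traffic from each side in turn, and re-read them; a growing decaps count with a flat encaps count means the peer's packets are arriving and the fault is on the local side, and the reverse means the peer is not sending.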
rschling22 Thu, 06/07/2007 - 11:41

Hey, good idea. Why do I always forget that command?


OK, tried it. It shows nothing; I had it tear down and reset the tunnel twice. No debug entries.

Bummer.


acomiskey Thu, 06/07/2007 - 11:45

debug crypto isakmp 7
debug crypto ipsec 7

rschling22 Thu, 06/07/2007 - 11:24

Here's another tidbit. I have been getting this error message whenever the remote side tries to set up a connection:


3 Jun 07 2007 13:21:39 713042 IKE Initiator unable to find policy: Intf outside, Src: MY-INSIDE-IP, Dst: THEIR-INSIDE-IP


Hope this helps someone


acomiskey Thu, 06/07/2007 - 11:30

Can you post your access-list outside_cryptomap_8?

rschling22 Thu, 06/07/2007 - 12:23

Argh, er... good news!

The remote site finally got it fixed. Seems it WAS on their end.


thanks for all your help


Rob
