06-07-2007 09:35 AM
Hello, I am having trouble getting a Lan 2 Lan VPN to allow 2-way traffic. I am able to bring up the VPN and send/receive from my end; the remote end can sometimes bring up the VPN, but can't seem to reach my inside network no matter what.
Any ideas where I may have misconfigured this?
I am using ASA5510
Remote site = sidewinder
06-07-2007 10:13 AM
Check ASA config for
version 7.0,7.1
isakmp nat-traversal
version 7.2
crypto isakmp nat-traversal
06-07-2007 10:34 AM
I am running version 7.2 here is the output of the sh crypto command, the line you asked about is there.
ciscoasa# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
Anything else? How do I tell if the problem is my end or theirs?
06-07-2007 10:41 AM
Oh, lan 2 lan tunnel, sorry.
Can you post the ASA config minus passwords etc. Also is the topology just like this, no other firewalls etc.?
your inside -- ASA -- Internet -- Sidewinder -- their inside
06-07-2007 11:09 AM
Yes, that is the basic topology
My Inside--ASA--Internet--Sidewinder--Their Inside
Here is a slimmed-down output of my sh run. I tried to delete IPs and most of the stuff that doesn't pertain to this; if I removed too much please let me know, and I'll try to get it right.
Thanks
Rob
vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value A.A.A.199
vpn-tunnel-protocol l2tp-ipsec
!
Deleted
!
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_8
crypto map outside_map 1 set peer REMOTE VPN PROBLEM IP C.C.C.193
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
!
Deleted
!
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
Deleted
!
isakmp keepalive disable
tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 type ipsec-l2l
tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
Deleted
!
06-07-2007 11:29 AM
Can you log on the ASA as they try to bring up the tunnel?
debug crypto isakmp
debug crypto ipsec
06-07-2007 11:41 AM
Hey, good idea; why do I always forget that command?
OK, tried it, shows nothing; had it tear down and reset the tunnel twice. No debug entries.
Bummer.
06-07-2007 11:45 AM
debug crypto isakmp 7
debug crypto ipsec 7
06-07-2007 11:24 AM
Here's another tidbit. I have been getting this error message whenever the remote side tries to set up a connection:
3 Jun 07 2007 13:21:39 713042 IKE Initiator unable to find policy: Intf outside, Src: MY-INSIDE-IP, Dst: THEIR-INSIDE-IP
Hope this helps someone
06-07-2007 11:30 AM
Can you post your access-list outside_cryptomap_8?
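The 713042 message earlier in the thread names the source and destination that triggered IKE, and the crypto ACL referenced by the crypto map (outside_cryptomap_8 here) is what decides whether such a flow belongs to the tunnel; for traffic to pass in both directions, the peer's crypto ACL has to select the same address pairs in reverse. As an added illustration, not part of this thread and not a Cisco tool, the Python below parses ASA-style "permit ip" ACL lines, checks whether a given flow is selected, and lists entries that lack a mirror-image counterpart on the other side. The ACL contents, the peer ACL name to_asa and all addresses are constructed placeholders, since the real outside_cryptomap_8 was never posted.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)

# Constructed sample ACLs; the thread never posted outside_cryptomap_8,
# so these names and addresses are placeholders, not the original config.
ASA_CONFIG = """
access-list outside_cryptomap_8 extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_8 extended permit ip 10.10.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
"""
PEER_CONFIG = """
access-list to_asa extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.255.0
"""


def _endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read one ASA address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a subnet mask (255.255.255.0), not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config: str, name: str) -> List[Entry]:
    """Collect the 'permit ip' entries of the named ACL as (src, dst) network pairs."""
    entries: List[Entry] = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", name]:
            continue
        if tokens[2] == "extended":
            del tokens[2]
        if tokens[2:4] != ["permit", "ip"]:
            continue  # only plain IP permits define interesting traffic here
        src, i = _endpoint(tokens, 4)
        dst, _ = _endpoint(tokens, i)
        entries.append((src, dst))
    return entries


def flow_is_interesting(entries: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """True if the src->dst flow would be selected for the tunnel by this ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def mirror_gaps(local: List[Entry], remote: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries on each side whose exact reverse (dst, src) is absent on the other side."""
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if (e[1], e[0]) not in remote_set]
    missing_on_local = [e for e in remote if (e[1], e[0]) not in local_set]
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    asa = parse_crypto_acl(ASA_CONFIG, "outside_cryptomap_8")
    peer = parse_crypto_acl(PEER_CONFIG, "to_asa")
    print("flow selected:", flow_is_interesting(asa, "10.10.0.5", "192.168.50.9"))
    need_remote, need_local = mirror_gaps(asa, peer)
    for src, dst in need_remote:
        print(f"peer lacks the reverse of {src} -> {dst}")
    for src, dst in need_local:
        print(f"local side lacks the reverse of {src} -> {dst}")
```

Run against the constructed data, the checker reports that the second ASA entry (10.10.1.0/24 to 192.168.50.0/24) has no reverse entry on the peer, which is exactly the kind of asymmetry that lets one side bring the tunnel up while traffic from the other side is never selected for it.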
06-07-2007 12:23 PM
Arg, er... good news!
The remote site finally got it fixed. Seems it WAS on their end.
Thanks for all your help
Rob