L2L VPN to ASA 5510 via a router

Unanswered Question
Jul 19th, 2007
We have a remote site with only 1 public IP address. This has been assigned to the outside interface on the router and that redirects traffic on a port by port basis to the ASA 5510 firewall.


I have created a L2L VPN from a Symantec security firewall to the ASA firewall; however, I have used the public IP address of the router as one peer address and the Symantec firewall as the other peer address. Then I am port redirecting 50 & 51 for IKE and port 500 IPSEC on the router to the ASA device.


However, we can't see a tunnel. Can someone please offer any advice on what else I need to do to get the tunnel working?


nat (Internal) 0 access-list Internal_nat0_outbound
access-list Internal_nat0_outbound extended permit ip Internal-Network 255.255.255.0 X.X.X.X 255.255.255.0
access-list External_cryptomap_20 extended permit ip Internal-Network 255.255.255.0 X.X.X.x 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map External_map 20 match address External_cryptomap_20
crypto map External_map 20 set peer X.X.X.X of remote firewall
crypto map External_map 20 set transform-set ESP-3DES-SHA
crypto map External_map interface External

isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

tunnel-group X.X.X.X of remote firewall type ipsec-l2l
tunnel-group X.X.X.X of remote firewall ipsec-attributes
pre-shared-key
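As an added example (not from the thread or from Cisco), a small Python lint for the kind of ASA configuration posted above: it checks that ISAKMP is enabled on the interface the crypto map is bound to, that the crypto map peer has a matching ipsec-l2l tunnel-group with a pre-shared key, that the crypto ACL traffic is NAT-exempted, and that NAT traversal is turned on for a peer reached through a NAT router. The sample configuration, its addresses and the check list are constructed for this example.

```python
import re

# Constructed sample modelled on the configuration posted above; addresses are
# documentation-range placeholders, not the poster's real values.
SAMPLE_CONFIG = """
nat (Internal) 0 access-list Internal_nat0_outbound
access-list Internal_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list External_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map External_map 20 match address External_cryptomap_20
crypto map External_map 20 set peer 203.0.113.10
crypto map External_map 20 set transform-set ESP-3DES-SHA
crypto map External_map interface External
isakmp enable External
isakmp policy 10 authentication pre-share
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
"""

def aces(cfg: str, acl: str) -> set[str]:
    """Source/destination pairs of the 'permit ip' entries of one access-list."""
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+ \S+ \S+ \S+)$"
    return set(re.findall(pat, cfg, re.M))

def audit_l2l(config: str) -> list[str]:
    """Static checks for an ASA L2L tunnel whose peer reaches it through a NAT router."""
    cfg = "\n".join(l.strip() for l in config.splitlines() if l.strip())
    lines = set(cfg.splitlines())
    findings = []
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)$", cfg, re.M))
    for cmap, peer in re.findall(r"^crypto map (\S+) \d+ set peer (\S+)$", cfg, re.M):
        iface = bound.get(cmap)
        if iface is None:
            findings.append(f"crypto map {cmap} is not applied to any interface")
        elif f"isakmp enable {iface}" not in lines:
            findings.append(f"isakmp enable {iface} is missing; IKE will never answer on it")
        if f"tunnel-group {peer} type ipsec-l2l" not in lines:
            findings.append(f"no tunnel-group {peer} type ipsec-l2l for the crypto map peer")
        # The key is expected on the line right after the ipsec-attributes header.
        if not re.search(rf"^tunnel-group {re.escape(peer)} ipsec-attributes\npre-shared-key", cfg, re.M):
            findings.append(f"tunnel-group {peer} has no pre-shared-key")
    # Traffic selected by the crypto ACL must also be exempted from NAT (nat 0).
    nat0_acls = re.findall(r"^nat \(\S+\) 0 access-list (\S+)$", cfg, re.M)
    nat0 = set().union(*(aces(cfg, a) for a in nat0_acls))
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M):
        for ace in sorted(aces(cfg, acl) - nat0):
            findings.append(f"'{ace}' is in crypto ACL {acl} but not NAT-exempted (nat 0)")
    # The ASA here sits behind a router that NATs it, so IKE/ESP need NAT-T (UDP 4500).
    if not re.search(r"^(crypto )?isakmp nat-traversal", cfg, re.M):
        findings.append("isakmp nat-traversal is not enabled; needed when a peer is behind NAT")
    return findings

if __name__ == "__main__":
    for f in audit_l2l(SAMPLE_CONFIG):
        print("FINDING:", f)
```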


sbilgi Wed, 07/25/2007 - 13:45

If there is no indication that an IPSec VPN tunnel comes up at all, it possibly is due to the fact that ISAKMP has not been enabled. Be sure that you have enabled ISAKMP on your devices.

michaeltedeschi Wed, 07/25/2007 - 20:11
Run debug crypto ipsec and isakmp. Do you see the tunnel trying to set up?

ggilbert Thu, 07/26/2007 - 09:11

Run the commands,

deb cry isa 200
deb cry ipsec 200

on the ASA and send the output. We can check to see where the problem might be.


Thanks

Gilbert
