09-18-2008 02:48 AM
Dear Experts,
I have set up a site-to-site VPN between two ASA 5510 firewalls.
The IKE and encryption settings are the same on both sides, but I don't know why actions such as ping and telnet just result in request timeouts.
The attached document shows two logs from the ASA when I do the ping, although the ping does not work. But I can see the VPN connection seems to be established.
Here is some information.
Site A: 202.120.70.70
LOCAL IP: 192.168.96.0
Site B: 217.17.146.46
LOCAL IP: 10.1.1.0
VPN SETTINGS ON BOTH SIDES:
IKE: 3DES, SHA, DH group 2
ENCRYPTION: 3DES, SHA, PFS: DH group 2
PROTECTED NETWORKS:
Local          Remote          Site
192.168.96.0   10.1.1.0        A
10.1.1.0       192.168.96.0    B
Experts, any idea what the problem is, or any troubleshooting tips?
09-18-2008 04:11 AM
Do you have NAT 0 configured correctly? I mean NAT exemption.
09-19-2008 01:53 AM
I used the ASDM to set up the VPN; I think it processed that automatically and it should be the default setting.
Do you have an example of the format of the statement?
I mean something like:
Site A, interface outside, allow, Site A IP / Site B IP.
Thanks very much
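As an added example, not the poster's configuration or any of the thread's attachments: the NAT exemption (nat 0) and crypto ACL that the reply above asks about, in the pre-8.3 ASA syntax the 5510s of 2008 ran, written for Site A (outside 202.120.70.70, LAN 192.168.96.0). Only the peer and network addresses and the 3DES/SHA/DH group 2 parameters come from the thread; the /24 masks, the ASDM-style ACL and crypto map names, the transform-set name and the pre-shared key placeholder are assumptions.

```text
! Site A ASA 5510 (202.120.70.70), pre-8.3 syntax. Added example, not the poster's config.
! Masks, object names and the pre-shared key are assumptions; only the addresses and
! the 3DES/SHA/DH group 2 parameters are taken from the thread.
!
! Interesting traffic: Site A LAN to Site B LAN. The same ACL drives both the crypto
! map and the NAT exemption, so the two can never drift apart.
access-list outside_cryptomap extended permit ip 192.168.96.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! NAT exemption (nat 0). Without it, inside hosts are translated on the way to the
! outside interface and no longer match the crypto ACL, so their packets never enter
! the tunnel even though the tunnel itself shows as up.
nat (inside) 0 access-list outside_cryptomap
!
! Phase 1 (IKE): 3DES, SHA, DH group 2, as on both sides in the thread.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec): 3DES/SHA transform set, PFS with DH group 2.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 217.17.146.46
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map interface outside
!
! Peer authentication. Replace the placeholder; the key must match Site B exactly.
tunnel-group 217.17.146.46 type ipsec-l2l
tunnel-group 217.17.146.46 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
!
! Let decrypted VPN traffic bypass the outside interface ACL (this is the default).
sysopt connection permit-vpn
```

Site B is the mirror image: the ACL is 10.1.1.0 to 192.168.96.0, the peer is 202.120.70.70. The check after applying it is `show crypto ipsec sa`: the SA should list the matching local/remote ident pair, and both `#pkts encaps` and `#pkts decaps` should increase while a ping runs. Encaps rising with decaps stuck at zero points at the far side (its crypto ACL, NAT or routing); encaps never moving means the traffic is not being selected for the tunnel at all, which on a pre-8.3 ASA is most often a packet that was translated before it reached the crypto map because the nat 0 line is missing or does not cover that host. A "no translation" message in the log is what the ASA reports when a packet needs a translation and no NAT rule matches it; the nat 0 ACL above is what gives VPN-bound traffic its match.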
09-18-2008 05:50 AM
If you have properly applied NAT exemption for your protected networks' traffic,
can you remove PFS from both sides and then check?
HTH
Saju
Pls rate helpful posts
09-19-2008 01:56 AM
One of my firewalls is a 5510 K9 with a security license; I cannot disable PFS on that firewall, I think it is set to DH group 2 by default.
But I have tested removing the NAT exemption on both sides; still nothing changed.
Sorry, I am a beginner; thanks for your patience.
Thanks, experts!
09-19-2008 03:01 AM
Can you do this on the firewall:
show run
and post the config here?
09-22-2008 06:15 AM
I was going to post the running config here,
but today I found that when I reconfigured a VPN (one end using a Cisco 5510, the other end using a NetScreen firewall), the VPN, I think, has been established. But it is very strange: I can ping some servers/PCs from the NetScreen's network to the Cisco's network, but some I cannot; I can reach some web servers' pages in the Cisco's network, but some I cannot.
But the access rule I have set already permits all communication between the two sites' devices.
What do you think?
Sometimes,
when I do the ping, the ping times out, but in the log of the 5510 I see the ICMP connection built, then torn down.
But no reasons and no errors.
Do you think it is caused by the switch, not the firewall rules?
And sometimes,
when I ping some of the servers in the 5510's network, it displays a message like "no translation" from the source IP to the destination IP.
But the two networks are supposed to be fully permitted.
Please help me.
Thanks!!!
09-21-2008 01:09 AM
Have you allowed ICMP at the outside interface, and telnet too?
Try:
icmp permit any outside
Remember, you can't access the device from the outside interface without IPsec enabled. What this means is that you need to make a secure tunnel first, then give telnet permissions. I would personally suggest you use SSH.
Type
ssh 0.0.0.0 0.0.0.0 outside
09-21-2008 06:25 PM
Thanks,
I have already set (src) any (dst) any IP on the outside interface.
It still seems not to work.
09-22-2008 07:07 AM
Can you post the configs of both so we can see the whole configuration?
09-23-2008 07:44 PM
Finally, I ran the commands "show crypto ipsec sa" and "show crypto isakmp".
Attached are the mentioned config files of the two ASA 5510s.
Current status:
The VPN tunnel, I think, has already been set up. I have some web sites on the 217 subnet (10.1.1.0), and the 202 subnet's (192.168.96.0) clients are supposed to be able to browse them.
However, some of the web sites on 10.1.1.0 display but some do not.
In the firewall log I saw no error messages, but the sessions were automatically torn down.
I am now wondering whether the problems are caused by the security level of the interfaces,
because I think the access lists do not have problems.
(PS: the security level of both the outside and inside interfaces was 100 on both firewalls; all servers are connected to a 2960 switch which is connected to the inside interface of the firewall.)
I also attached the "show running-config" of the 217 network's firewall. 217 contains some web servers on the "Inside" interface.
Please advise, thanks
09-23-2008 08:13 PM
Sorry, the previous post did not attach the "show" config file.
nameif WebServer), because it is not related to my current problems. Thanks