10-24-2008 06:45 PM - edited 03-11-2019 07:02 AM
Hi,
I have a 5505 ASA and a Cisco 837 router and I am trying to establish a site to site VPN, but I am able to bring up the tunnel. I have attached the two configs.
Thanks
Mayamba
10-24-2008 11:57 PM
Hi,
You cannot ping from the ASA itself to bring up the tunnel. You have to ping from a device behind the ASA. Or you can ping from the router using an extended ping like your previous testing.
Please post debug outputs from both the router and ASA when you ping from the router.
Regards,
Arul
*Pls rate if it helps*
10-24-2008 08:02 PM
Hi,
Couple of things,
1. You need to bypass NAT for IPSEC Traffic.
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 host 1.1.1.1
nat (inside) 0 access-list 100
2. I don't see a default route configured on ASA. Looks like you are lab testing this set up, so you may want to point your default gateway to next hop which is the router.
3. Similarly, configure a default route on the router and point it to the ASA.
Try bringing up the tunnel after you make the above changes. If the tunnel still does not work, please post the outputs of both "deb cry is" and "deb cry ipse" from the ASA and router.
Regards,
Arul
*Pls rate if it helps*
10-24-2008 08:32 PM
10-24-2008 09:09 PM
Hi,
Couple of things,
1. Can you change the DH Group to 2 under the isakmp policy on both the ASA and Router?
2. Retype the Pre-Shared Key on the ASA
3. Include no-xauth at the end of this line:
crypto isakmp key 0 cisco address 172.16.10.1 no-xauth
Also, post the debug outputs from the Router and ASA.
debug crypto isakmp 255
debug crypto ipsec 255
Also, try pinging an ip address that is behind the ASA and not the ASA itself.
Regards,
Arul
*Pls rate if it helps*
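The items Arul raises in his two replies above (NAT exemption for the tunnel traffic, a matching DH group in the ISAKMP policy, the pre-shared key and no-xauth) are the usual reasons a LAN-to-LAN tunnel never gets past phase 1 or never triggers. The script below is an added example, not code from this thread or from Cisco: it parses an ASA config and an IOS config and reports those mismatches, plus whether the two crypto ACLs mirror each other. The two configs embedded in it are constructed for the example; the router outside address 172.16.10.2, the ACL numbers and the crypto map names are assumptions, while 192.168.10.0/24, host 1.1.1.1, peer 172.16.10.1 and the key cisco come from the posts.

```python
import re
import ipaddress

# Constructed sample configs for this example (not the thread's attachments).
ASA_CONFIG = """\
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 host 1.1.1.1
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 host 1.1.1.1
nat (inside) 0 access-list 100
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
tunnel-group 172.16.10.2 type ipsec-l2l
tunnel-group 172.16.10.2 ipsec-attributes
 pre-shared-key cisco
crypto map outside_map 10 match address 101
"""

IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 cisco address 172.16.10.1 no-xauth
access-list 101 permit ip host 1.1.1.1 192.168.10.0 0.0.0.255
crypto map vpn 10 ipsec-isakmp
 match address 101
"""

PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def isakmp_policies(config):
    """Return {policy_number: {attr: value}} for each 'crypto isakmp policy' block.
    IOS abbreviates 'encryption' as 'encr'; both spellings are normalised."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            key = "encryption" if key == "encr" else key
            if key in PHASE1_ATTRS:
                current[key] = value
        else:
            current = None  # any unindented line ends the policy block
    return policies


def acl_entries(config, acl_name):
    """Set of (src, dst) networks from the 'permit ip' lines of one ACL.
    ASA 'extended' lines carry netmasks, IOS lines carry wildcard masks;
    ipaddress accepts both forms after the slash."""
    entries = set()
    pattern = re.compile(rf"^access-list {re.escape(acl_name)} (?:extended )?permit ip (.+)$", re.M)
    for m in pattern.finditer(config):
        tokens, nets, i = m.group(1).split(), [], 0
        while i < len(tokens) and len(nets) < 2:
            if tokens[i] == "host":
                nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
                i += 2
            elif tokens[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                i += 1
            else:
                nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"))
                i += 2
        if len(nets) == 2:
            entries.add((nets[0], nets[1]))
    return entries


def crypto_map_acl(config):
    """ACL bound to the crypto map ('match address X' on either platform)."""
    m = re.search(r"match address (\S+)", config)
    return m.group(1) if m else None


def nat_exempt_acl(config):
    """ASA identity NAT of the pre-8.3 style: 'nat (inside) 0 access-list X'."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def pre_shared_keys(asa, ios):
    """(asa_key, ios_key, ios_line_has_no_xauth)."""
    a = re.search(r"^\s*pre-shared-key (\S+)", asa, re.M)
    i = re.search(r"^crypto isakmp key (?:\d\s+)?(\S+) address \S+(.*)$", ios, re.M)
    return (a.group(1) if a else None, i.group(1) if i else None,
            bool(i and "no-xauth" in i.group(2)))


def check_pair(asa, ios):
    """Return a list of findings; an empty list means every check in the thread passes."""
    findings = []
    asa_pol, ios_pol = isakmp_policies(asa), isakmp_policies(ios)
    # Phase 1 needs one policy on each side that agrees on every attribute.
    if not any(a == b for a in asa_pol.values() for b in ios_pol.values()):
        for attr in PHASE1_ATTRS:
            av = {p.get(attr) for p in asa_pol.values()}
            iv = {p.get(attr) for p in ios_pol.values()}
            if not av & iv:
                findings.append(f"isakmp {attr} mismatch: ASA {sorted(map(str, av))} vs IOS {sorted(map(str, iv))}")
    asa_key, ios_key, no_xauth = pre_shared_keys(asa, ios)
    if asa_key != ios_key:
        findings.append("pre-shared key differs between ASA and router")
    if not no_xauth:
        findings.append("router isakmp key lacks no-xauth")
    asa_acl = acl_entries(asa, crypto_map_acl(asa))
    ios_acl = acl_entries(ios, crypto_map_acl(ios))
    if asa_acl != {(dst, src) for src, dst in ios_acl}:
        findings.append("crypto ACLs are not mirror images of each other")
    exempt = nat_exempt_acl(asa)
    if exempt is None or not asa_acl <= acl_entries(asa, exempt):
        findings.append("ASA does not exempt all tunnel traffic from NAT (nat 0 access-list)")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ASA_CONFIG, IOS_CONFIG) or ["no mismatches found"]:
        print(finding)
```

Run as-is it reports only the DH group mismatch (group 1 on the ASA against group 2 on the router); change either side and the list empties. The ACL check expects the router's ACL to be the exact mirror of the ASA's, because the proxy IDs each side proposes in phase 2 come from those entries.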
10-24-2008 10:29 PM
10-26-2008 02:12 PM
Hi,
This solved the problem, I also added ICMP inspection on the global policy map to be able to ping from the ASA.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!