Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
326
Views
10
Helpful
2
Replies

Cisco ASA 5520 with 2 Internet Interfaces: VPN Creation Problem

t4tauseef33
Level 1
Level 1

‎02-10-2009 09:10 AM - edited ‎03-04-2019 03:30 AM

Hi, I have a cisco ASA 5520 firewall that has 2 interfaces connected to internet lets say Internet-1 and Internet-2. The default route is via Internet-1 192.167.67.67

All the VPN's are build up on Internet-1 interface. Now i am trying to migrate one VPN on the Internet-2 interface and its not working.

I have enabled the ISAKMP on Internet-2. interface. static Route to route the VPN remote end IP to the Internet-2 Router. But when i trigger the interesting traffic, i can see the the traffic on my firewall but it is not trigering the VPN buildup on Internet-2 Interface. If i rebuild that vpn on Interface-2, i can see the vpn triggering (attributes exchange etc). Is there any specifiv thing i have to do on my firewall so that the VPN on Internet-2 interface will be triggered? Any trouble shooting steps? Please help me.

Labels:
0 Helpful
2 Replies 2

branfarm1
Level 4
Level 4

‎02-10-2009 01:01 PM

I can think of a few things to double-check:

1. Make sure the crypto map is applied to your Internet-2 interface

2. Double check that the interesting traffic ACL on your end is an exact mirror of the ACL on the remote end.

3. Double check your debug for exactly when the VPN build up is stopping. If it's in phase 1, then check your ISAKMP settings and verifiy you are using matching settings. If it's in phase 2 (IPsec) then double check your crypto map settings.

Good luck!

Mohamed Sobair
Level 7
Level 7

‎02-10-2009 02:28 PM

Hi,

The following is required when you set an IPsec tunnel on a Firwall:

Phase1( ISAKMP - Key session):

1- ISAKMP -- Key

2- Authentication

3- Encryption

4- Hash algorithm

Phase2 (IPsec):

1- Key

2- Encryption

3- Hash Algorithm

You should make sure ur ISAKMP Sa peers are established and your IPsec session as well.

Your Crypto-map Ipsec should have a new sequence number configured or change the peer address to the new one.

Assigne the Crypto-map to the appropriate interface.

Verify with:

sh crypto isakmp peer (verify IKE peer)

sh crypto session (verify IPsec)

sh crypto session detail (Verify IPsec counting packets).

HTH

Mohamed

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card