ASA 5510 and site to site VPN to 7206

Jan 7th, 2010

I am trying to get our new 5510 configured but am having a hell of a time.


I have been able to get it so that I can not get net access etc. going.


Where I am stuck is I am trying to connect to one of our partners (for satellite tracking) via VPN.


We have an ASA 5510, they have a 7206, and we need to have NAT enabled as well. I have tried the wizard as well but I am not able to get this to connect on the VPN.


I don't even know where it is failing. Another device that I have I can get connected on phase 1, but this ASA 5510 is what I need to use.


We also have tunnels to 2 other sites. I have included our config in hopes that someone can help us.



HELP and thank you


Andrew Rae

Yudong Wu Thu, 01/07/2010 - 22:30

You need to find out if it is a phase 1 (show crypto isa sa) or phase 2 (show crypto ipsec sa) issue first.

I think you need to use "nat 0" to let vpn traffic bypass NAT translation as well.


If the above two show commands do not provide anything, you can run "debug crypto isa" and "debug crypto ipsec" and post the output here.

duciscohardware Fri, 01/08/2010 - 05:20

All 4 commands gave me 0 output.


So I assume that I am not even close.


I used the site to site wizard on this ASA 5510 to try to connect.


I followed a guide for setting up the site to site IPsec.


In this setup we are also trying to connect 2 PIX 501s to the ASA 5510, but that is a secondary objective right now.


We actually had a Cisco guy come in and try to set it all up, but obviously he did not do it correctly.

Yudong Wu Fri, 01/08/2010 - 10:22

You need to initiate some traffic which needs to go through the tunnel first to bring up the IPsec tunnel, and then capture those two show commands.

Before you bring up the tunnel, you need to enable those two debug commands and remember to set logging level to debug as well so that you can see the debug output when the tunnel is trying to establish.

duciscohardware Fri, 01/08/2010 - 10:28

Now I feel stupid. What is the best way to initiate traffic? Would a simple ping be enough?

Yudong Wu Fri, 01/08/2010 - 11:35

Ping is good. Source IP and destination IP should match the defined ACL for interested traffic.

duciscohardware Sat, 01/09/2010 - 07:40

Well, I have been able to connect on phase 1 on the VPN but fail on phase 2. I have included the error output for you to have a peek at, as well as the newer config.


let me know.


thanks again


Again, the main VPN I am trying to get up and running is the one with our Shaw tracking. I'll worry about the other offices when I get this one done.

Yudong Wu Sat, 01/09/2010 - 11:45

Make sure all configuration for phase 2, such as the transform-set, matches the config on the remote 7206.

If you could provide the related config on the 7206, it would help.

Otherwise, you have to enable full debug "debug crypto isa 255" "debug cryp ipsec 255" and then capture the debug output when you try to bring the tunnel up.
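As an added example (not from this thread, nor from Cisco's documentation), here is how the two points Yudong Wu makes above fit together in config: the "nat 0" exemption for the interested traffic, and a phase 2 transform-set and ACL that mirror the 7206, followed by the show/debug commands to run after a ping. All addresses, names, the pre-shared key and the interface are placeholder assumptions, as is the pre-8.3 NAT syntax.

```cisco
! --- ASA 5510 side (assumes pre-8.3 NAT syntax, as in this 2010 thread) ---
! Phase 1: this policy must match the isakmp policy on the 7206
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
! Interesting traffic: our LAN (192.168.10.0/24) to the partner LAN (10.20.0.0/24)
access-list VPN-PARTNER extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.255.0
! "nat 0": exempt that same traffic from NAT so it enters the tunnel unchanged
nat (inside) 0 access-list VPN-PARTNER
! Phase 2: transform-set and proxy identities must match the 7206 exactly
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-PARTNER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
! Troubleshooting: debug-level logging, then ping from 192.168.10.x to 10.20.0.x
logging enable
logging buffered debugging
debug crypto isakmp 255
debug crypto ipsec 255
! After the ping: state MM_ACTIVE here means phase 1 is up ...
show crypto isakmp sa
! ... and #pkts encaps/decaps counting up here means phase 2 is up
show crypto ipsec sa

! --- 7206 (IOS) side: the mirror image of the ASA settings ---
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! ACL is the reverse of the ASA's: partner LAN -> our LAN
access-list 110 permit ip 10.20.0.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-3DES-SHA
 match address 110
interface GigabitEthernet0/0
 crypto map VPNMAP
```

If phase 1 comes up but phase 2 does not, compare the two ACLs and the two transform-sets line by line first; a non-mirrored ACL or a different encryption/hash pair is the usual cause.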
