Issues creating a site-to-site VPN

Answered Question
Asim Malik Mon, 08/16/2010 - 10:49

Hi,

ASA 1 is using an incorrect source in ACL 100, and ASA 3 is missing the "crypto map outside_map 20 match address" statement.

Also check the NAT exempt on both. Whatever the correct source is, it needs to be part of access list 100 and the "no nat" ACL.

I fixed those 2 items and have gone back through the config.

When I run show crypto ipsec sa I get "There are no ipsec sas"; this is the same when I do a show crypto isakmp sa. So the tunnel is not being created. I have L2 connectivity between them. Running debug on FW1 (asa1) for crypto ipsec gives me no results. Very very confusing. I have done this in the past using two 5505s with no problems.

Asim Malik Mon, 08/16/2010 - 11:23

I see you defined the 10.1.1.x network in the ACLs on ASA1:

access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

On ASA3:

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24

I assume you want to encrypt traffic from 172.16.1.x to 192.168.2.x and vice versa. If that is the case, make sure the ACLs on ASA1 look like this:

access-list 100 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Also add the NAT exempt on ASA3:

nat (inside) 0 access-list nonat

How are you trying to initiate the tunnel? I assume you are pinging from a host on the 172.16.1.x subnet to the 192.168.2.x subnet or vice versa.

Get these debugs from both devices:

debug crypto isakmp 128

debug crypto ipsec 128
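As an added example (not from this thread or from Cisco), a small Python checker for exactly the mistakes called out above: it parses the crypto and NAT-exempt ACLs from pasted ASA config text and reports crypto ACL entries that are not mirrored on the peer, entries missing from the nonat ACL, and a missing nat (inside) 0 binding or crypto map match address. The sample configs are constructed from the ACLs quoted in the thread; the ACL names 100 and nonat and the interface name inside are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed sample configs, modelled on the ACLs quoted in the thread (not real devices).
ASA1_CONFIG = """
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address 100
"""
ASA3_CONFIG = """
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
"""
# ASA ACLs use real netmasks (not IOS wildcards), so ip_network can parse "net/mask" directly.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acl(config, name):
    """Return the set of (src_net, dst_net) pairs permitted by the named ACL."""
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ip_network(f"{m.group(4)}/{m.group(5)}")
            entries.add((src, dst))
    return entries

def check_peer_pair(local_cfg, remote_cfg, crypto_acl="100", nonat_acl="nonat"):
    """Return a list of problems for a site-to-site pair; an empty list means consistent."""
    problems = []
    local = parse_acl(local_cfg, crypto_acl)
    remote = parse_acl(remote_cfg, crypto_acl)
    # Mirror check: each local (src, dst) must appear on the peer as (dst, src).
    for src, dst in local:
        if (dst, src) not in remote:
            problems.append(f"local crypto ACL {src}->{dst} has no mirror on peer")
    for src, dst in remote:
        if (dst, src) not in local:
            problems.append(f"peer crypto ACL {src}->{dst} has no mirror locally")
    # Per-device checks: interesting traffic must also be NAT-exempt, and both ACLs must be bound.
    for label, cfg, acl in (("local", local_cfg, local), ("peer", remote_cfg, remote)):
        for src, dst in acl - parse_acl(cfg, nonat_acl):
            problems.append(f"{label}: {src}->{dst} is in crypto ACL but not in {nonat_acl}")
        if f"nat (inside) 0 access-list {nonat_acl}" not in cfg:
            problems.append(f"{label}: {nonat_acl} is not bound with nat (inside) 0")
        if f"match address {crypto_acl}" not in cfg:
            problems.append(f"{label}: crypto map has no 'match address {crypto_acl}'")
    return problems
```

Run against the two sample configs it reports four problems: the unmirrored 10.1.1.0 entries on both sides, the missing nat (inside) 0 on ASA3, and the missing match address on ASA3.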

Yes, I am using ping to establish the tunnel. I have the debug set to 128 and I get no debug output to the console or to the log buffer.

When I do a ping from the ASDM I get "Routing failed to locate next hop for udp from NP Identity Ifc:172.16.1.1/448 to inside:192.168.2.1/39554"; however, when I look at the NAT configs for both devices they seem (are) correct.

ASA1

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

ASA2

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

Correct Answer
Asim Malik Mon, 08/16/2010 - 12:52

Try this if you are pinging from the ASA:

management-access inside

jill.johnson Tue, 08/17/2010 - 06:07

Michael,

May I ask you a question? Are you connecting both the outside interfaces of the ASA to the same switch? I want to set up a test to do a site-to-site VPN before I go out to the remote site. If you have any suggestions on how to set up a lab for site-to-site VPN, please let me know. Thanks.

Jill,

Yes, I was connecting the two outside interfaces to each other via a VLAN on a switch to test the IPsec tunnel, but this was just part 1 of a larger project I'm working on. I actually have three ASAs that I'm setting up for remote locations that, once in place, will have redundancy back, so if one of the ASAs or IPsec tunnels fails it would be able to traverse the other tunnel.

Mike
