Creating a VPN using ASDM 6.2(5)

charles.e.davis
Level 1

I configured on 2 ASA 5510s a VPN between them.  I used the IPsec wizard and ensured that each rule was mirrored on the other device.  I did select to have the traffic NATed because this is eventually going to be a point-to-multipoint environment, with the same IP addresses within each enclave.  What will separate them will be the public addresses assigned to them.  Looking at my log files on both devices, I see the same errors. Any help would be greatly appreciated.

4|Sep 25 2010|12:01:18|113019|||||Group = 207.98.185.25, Username = 207.98.185.25, IP = 207.98.185.25, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 25 2010|12:01:18|713259|||||Group = 207.98.185.25, IP = 207.98.185.25, Session is being torn down. Reason: User Requested
3|Sep 25 2010|12:01:18|713902|||||Group = 207.98.185.25, IP = 207.98.185.25, Removing peer from correlator table failed, no match!
5|Sep 25 2010|12:01:18|713050|||||Group = 207.98.185.25, IP = 207.98.185.25, Connection terminated for peer 207.98.185.25.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
5|Sep 25 2010|12:01:18|713068|||||Group = 207.98.185.25, IP = 207.98.185.25, Received non-routine Notify message: Invalid ID info (18)
5|Sep 25 2010|12:01:18|713119|||||Group = 207.98.185.25, IP = 207.98.185.25, PHASE 1 COMPLETED
6|Sep 25 2010|12:01:18|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 207.98.185.25
6|Sep 25 2010|12:01:18|713172|||||Group = 207.98.185.25, IP = 207.98.185.25, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
5|Sep 25 2010|12:01:18|713041|||||IP = 207.98.185.25, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 207.98.185.25  local Proxy Address 207.98.185.20, remote Proxy Address 207.98.185.24,  Crypto map (Outside_map)
5|Sep 25 2010|12:01:18|713904|||||IP = 207.98.185.25, Received encrypted packet with no matching SA, dropping

Accepted Solution

It does not look like it's a mirror-image ACL.

Can you please advise what subnet is in Enterprise_A/29 and Enterprise_B/29?

On the first ASA you have:

Local Network: 207.98.185.28

Remote Network: Enterprise_A/29

On the other ASA, it should be the mirror image as follows:

Local Network: Enterprise_A/29

Remote Network: 207.98.185.28

However, you have the following on the other ASA:

Local network: 207.98.185.20   --> is this the same as Enterprise_A/29 ip address?

Remote Network: Enterprise_B/29 --> is this the same as 207.98.185.28?

Also, how are they being NATed? Static NAT or PAT? Because if you are performing PAT, traffic can only be initiated from the PAT end; hence, you can't configure PAT for both ends of the ASA. Plus the crypto ACL needs to match the NATed address.

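The accepted solution makes two points that are easy to check mechanically: each peer's crypto ACL must be the exact reverse of the other's, and when both enclaves use the same inside addresses the ACL must reference the static-NAT translated addresses, because the ASA applies NAT before the crypto map. A proxy-ID mismatch between the two peers is what shows up in the original post's log as the "Invalid ID info (18)" notify after Phase 1 completes. The script below is an added example, not code from the thread or from Cisco; the 10.0.0.0/29, 198.51.100.0/29 and 203.0.113.0/29 networks are constructed stand-ins for the two enclaves and their public NAT pools, not the poster's real addresses. It models one-to-one static NAT only, since PAT cannot be used on both ends.

```python
"""Check that two ASA site-to-site crypto ACLs are mirror images after static NAT.

Added example for the thread above; the networks are constructed (TEST-NET
ranges), not the original poster's configuration.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source, destination) of one "permit ip" line in a crypto ACL


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=True)


def translate(real: Net, static_nat: Dict[Net, Net]) -> Net:
    """Outside network of an inside network under one-to-one static NAT.

    Networks with no translation entry (already public) pass through unchanged.
    """
    return static_nat.get(real, real)


def build_crypto_acl(local_real: List[Net], remote_public: List[Net],
                     static_nat: Dict[Net, Net]) -> List[Entry]:
    """Crypto ACL as the ASA matches it: NAT runs before the crypto map, so the
    local (source) side must be the translated network, not the inside one."""
    return [(translate(l, static_nat), r) for l in local_real for r in remote_public]


def mirror_mismatches(acl_a: List[Entry], acl_b: List[Entry]) -> List[str]:
    """Every entry on one peer must appear exactly reversed on the other peer.

    Returns human-readable problems; an empty list means the ACLs are mirror images.
    """
    set_a, set_b = set(acl_a), set(acl_b)
    problems = []
    for src, dst in acl_a:
        if (dst, src) not in set_b:
            problems.append(f"peer A entry {src} -> {dst} has no mirror on peer B")
    for src, dst in acl_b:
        if (dst, src) not in set_a:
            problems.append(f"peer B entry {src} -> {dst} has no mirror on peer A")
    return problems


def needs_nat(local_real: Net, remote_real: Net) -> bool:
    """Overlapping enclaves cannot be routed across the tunnel untranslated."""
    return local_real.overlaps(remote_real)


# Constructed topology: both enclaves use the same inside /29, so each site
# statically NATs it to its own public /29 before the traffic hits the crypto map.
ENCLAVE = net("10.0.0.0/29")
SITE_A_NAT = {ENCLAVE: net("198.51.100.0/29")}
SITE_B_NAT = {ENCLAVE: net("203.0.113.0/29")}

# Correct configuration: each side's crypto ACL is the exact reverse of the other's.
ACL_A = build_crypto_acl([ENCLAVE], [net("203.0.113.0/29")], SITE_A_NAT)
ACL_B = build_crypto_acl([ENCLAVE], [net("198.51.100.0/29")], SITE_B_NAT)

# Broken configuration, as in the thread: site B's ACL uses the untranslated
# inside network as its source and a single host instead of the peer's /29.
ACL_B_BROKEN = [(ENCLAVE, net("198.51.100.4/32"))]

if __name__ == "__main__":
    print("overlapping enclaves need NAT:", needs_nat(ENCLAVE, ENCLAVE))
    print("good pair:", mirror_mismatches(ACL_A, ACL_B) or "mirror image OK")
    for problem in mirror_mismatches(ACL_A, ACL_B_BROKEN):
        print("bad pair:", problem)
```

Run it as-is and the good pair reports no mismatches while the broken pair reports one problem per unmirrored entry; to check your own ASAs, replace the constructed networks with the real inside subnets, the static NAT translations, and each peer's crypto ACL lines.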

3 Replies

