Cannot establish site-site vpn tunnel through ASA 9.1(2)

Hi,

We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also has a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address. We do not use NAT.

The site-site VPN tunnel fails to establish.

The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?

Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?

Regards

Accepted Solutions
VIP Purple

>The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?

Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):

  • UDP/500
  • UDP/4500 (even if you don't use NAT, the remote gateway could be located behind a NAT gateway)
  • IP/50
  • for testing ICMP/Echo

If you allowed full IP-access between these two endpoints, it is more than enough.

  1. When they start testing, do you see a connection on your ASA? There should be at least UDP/500 traffic.
  2. Can the two gateways ping each other?

 
