Unable to establish IPsec VPN between an ASA and router

mayambanzumba
Level 1

Hi,

I have a 5505 ASA and a Cisco 837 router and I am trying to establish a site-to-site VPN, but I am not able to bring up the tunnel. I have attached the two configs.

Thanks

Mayamba


6 Replies

ajagadee
Cisco Employee

Hi,

A couple of things:

1. You need to bypass NAT for IPsec traffic.

access-list 100 extended permit ip 192.168.10.0 255.255.255.0 host 1.1.1.1

nat (inside) 0 access-list 100

2. I don't see a default route configured on the ASA. Looks like you are lab testing this set up, so you may want to point your default gateway to the next hop, which is the router.

3. Similarly, configure a default route on the router and point it to the ASA.

Try bringing up the tunnel after you make the above changes. If the tunnel still does not work, please post the outputs of both "deb cry is" and "deb cry ipse" from the ASA and router.

Regards,

Arul

*Pls rate if it helps*

Hi,

Thanks. I have added the nat 0 command and configured a default route on both devices, but the tunnel is still not establishing. I have pasted the output of debug crypto isakmp and ipsec on the router.

Thanks

Mayamba

Hi,

A couple of things:

1. Can you change the DH group to 2 under the isakmp policy on both the ASA and router?

2. Retype the pre-shared key on the ASA.

3. Include no-xauth at the end of this line:

crypto isakmp key 0 cisco address 172.16.10.1 no-xauth

Also, post the debug outputs from the Router and ASA.

debug crypto isakmp 255

debug crypto ipsec 255

Also, try pinging an ip address that is behind the ASA and not the ASA itself.

Regards,

Arul

*Pls rate if it helps*

Hi,

Thanks, but it still does not work. I have included the debugs.

Accepted Solution

Hi,

You cannot ping from the ASA itself to bring up the tunnel. You have to ping from a device behind the ASA. Or you can ping from the router using an extended ping like your previous testing.

Please post debug outputs from both the router and ASA when you ping from the router.

Regards,

Arul

*Pls rate if it helps*
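The points raised in the replies above (NAT exemption covering the crypto ACL, an ISAKMP policy and pre-shared key that agree on both sides, no-xauth on the router's key line, and interesting traffic sourced from behind the ASA rather than from the ASA itself) can all be checked offline against the two configs before any debug is run. What follows is an added example, not code from the thread or from Cisco: a small Python checker that parses the relevant lines of an ASA and an IOS configuration. Both config snippets are constructed for the example; the addresses follow the thread (192.168.10.0/24 behind the ASA, host 1.1.1.1 behind the router, ASA outside 172.16.10.1), while the router's outside address 172.16.10.2 and the ACL and tunnel-group names are assumptions.

```python
# Added example, not from the thread. Both config snippets are constructed;
# addresses follow the thread (192.168.10.0/24 behind the ASA, host 1.1.1.1
# behind the router, ASA outside 172.16.10.1). The router's outside address
# 172.16.10.2 and the ACL and tunnel-group names are assumptions.
import ipaddress
import re

ASA_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 1.1.1.1
access-list 100 extended permit ip 192.168.10.0 255.255.255.0 host 1.1.1.1
nat (inside) 0 access-list 100
tunnel-group 172.16.10.2 ipsec-attributes
 pre-shared-key cisco
"""
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 1
crypto isakmp key 0 cisco address 172.16.10.1
access-list 100 permit ip host 1.1.1.1 192.168.10.0 0.0.0.255
"""
PROPOSAL = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """{policy number: {attribute: value}} for each 'crypto isakmp policy' block."""
    policies, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
        elif cur is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            cur["encryption" if key.startswith("encr") else key] = value  # IOS says 'encr'
        else:
            cur = None  # any other top-level line ends the policy block
    return policies

def asa_psk(config, peer):
    """Key under 'tunnel-group PEER ipsec-attributes' (ASA 7.x+ site-to-site syntax)."""
    pat = rf"^tunnel-group {re.escape(peer)} ipsec-attributes\n(?: .*\n)*? pre-shared-key (\S+)"
    m = re.search(pat, config, re.M)
    return m.group(1) if m else None

def ios_psk(config, peer):
    """(key, has no-xauth) from 'crypto isakmp key 0 KEY address PEER [no-xauth]'."""
    m = re.search(rf"^crypto isakmp key (?:0 )?(\S+) address {re.escape(peer)}(.*)$", config, re.M)
    return (m.group(1), "no-xauth" in m.group(2)) if m else (None, False)

def _take_net(toks, platform):
    # Consume 'host A' or 'A MASK' from the token list -> (network, remaining tokens)
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    addr, mask = toks[:2]
    if platform == "ios":  # IOS ACLs carry wildcard masks; invert to a subnet mask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}"), toks[2:]

def parse_acl(config, name, platform):
    """[(src_net, dst_net)] for the 'permit ip' lines of access-list NAME."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {re.escape(name)} (?:extended )?permit ip (.+)$", line)
        if m:
            src, rest = _take_net(m.group(1).split(), platform)
            entries.append((src, _take_net(rest, platform)[0]))
    return entries

def matches_crypto_acl(entries, src_ip, dst_ip):
    """True if src->dst is 'interesting traffic', i.e. would make the ASA start IKE."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def check(asa_cfg, ios_cfg, asa_ip, router_ip, asa_acl="outside_cryptomap", ios_acl="100"):
    """List of mismatches between the two configs; an empty list means they agree."""
    findings = []
    a, b = parse_policies(asa_cfg).values(), parse_policies(ios_cfg).values()
    if not any(all(x.get(k) == y.get(k) for k in PROPOSAL) for x in a for y in b):
        findings.append("no ISAKMP policy agrees on auth/encryption/hash/DH group")
    key, no_xauth = ios_psk(ios_cfg, asa_ip)
    if key is None or key != asa_psk(asa_cfg, router_ip):
        findings.append("pre-shared keys differ or are missing")
    if not no_xauth:
        findings.append("router key line lacks no-xauth")
    asa_entries = parse_acl(asa_cfg, asa_acl, "asa")
    # The router's crypto ACL must mirror the ASA's, with source and destination swapped
    mirror = {(dst, src) for src, dst in asa_entries}
    for src, dst in sorted(mirror ^ set(parse_acl(ios_cfg, ios_acl, "ios")), key=str):
        findings.append(f"crypto ACLs are not mirror images: {src} -> {dst}")
    # Traffic selected by the crypto ACL must also be exempt from NAT on the ASA
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", asa_cfg, re.M)
    exempt = parse_acl(asa_cfg, m.group(1), "asa") if m else []
    for src, dst in asa_entries:
        if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
            findings.append(f"NAT exemption does not cover {src} -> {dst}")
    return findings
```

Run on the snippets as written, `check(ASA_CONFIG, IOS_CONFIG, "172.16.10.1", "172.16.10.2")` reports the DH group mismatch (group 2 on the ASA, group 1 on the router) and the missing no-xauth; changing the router's policy to group 2 and appending no-xauth to its key line empties the list, and deleting the ASA's `nat (inside) 0` line brings back a NAT-exemption finding. `matches_crypto_acl()` makes the accepted solution's point concrete: a ping sourced from the ASA's own outside address 172.16.10.1 does not fall inside the crypto ACL and so never triggers IKE, while one from 192.168.10.5 behind the inside interface does.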

Hi,

This solved the problem, I also added ICMP inspection on the global policy map to be able to ping from the ASA.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
