urgent help with asa site-site phase 2 is not up !!

Dr.X · ‎03-04-2014

heloo all ,

from where i need start roubleshoot phase 2 in the site-site vpn ???

what commands required from me to show ?

Richard Burts · ‎03-04-2014

Is it correct to assume from your question that phase 1 is working correctly? If so that addresses multiple potential issues such as IP connectivity issues and peer addressing. If phase 2 is not coming up a common cause of the problem is that the access lists that identify traffic for IPSec do not match between the peers. So I would start with checking the configs for both peers to be sure that they match (especially for access list content but also checking to make sure that things like PFS match as well).

If you check the configs and it looks like they do match up then I would suggest running debug crypto ipsec and post the debug output.

HTH

Rick

HTH

Rick

Dr.X · ‎03-04-2014

hi ,

you mean that you need to initiate the traffic so that phase 2 is up ???

does that wt u mean ?

regards

Jon Marshall · ‎03-04-2014

To initiate the traffic choose a host one one side and send traffic (that is meant to be sent via the VPN) to a host on the other side and then see what the debugs are showing.

It is best to do it from a host rather than trying from the ASA itself as this can sometimes give confusing results.

Jon

Dr.X · ‎03-04-2014

hi all ,

thanks alot , i think that there was an issue in my nat rules and i fixed it ,

still not sure that tunnel is 100 % i will put two pcs and see the ping ,

but now :

assume thatg i need to let the asa get the internet traffic from proxy , for http

assume i have proxy 1.2.3.4 with port 6070 and want the user when they request the http go to the proxy ,

does the asa support that ???

also , again ,

the easy vpn , can it be done on my asa with license above ?

regards

Jon Marshall · ‎03-04-2014

The ASA does support WCCP which allows you to redirect traffic to a proxy server.

See this link for configuration details -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_wccp.html

Jon

Dr.X · ‎03-04-2014

ohh imso sorry , my question wasnt clear

agian ,

the proxy is not directly connected

i mean assume my asa has ip of 12.3.4.5 and ther proxy server is far in the internet

i thunk wccp will fail ,

as i understood i can user PRB & router map but i think that ht eproxy serve rmust be direcctly connected so that i set ip next hop in the router map

but again ,

wt if the proxy server is far away with many hops from the asa ???

as i remeber ive did it on mikrotik server , it was an easy task in mikrotik , but not usre in the asa

also i have an idea to di this and not sure from it ,

as the proxy server is far , i think that i need to make destination nat

i mean that i want to say :

if the users requsted any traffic with port 80 , go and change thier destination to x.x.x.x and thier port to yyy

where x.x.x.x is the proxy srver ip and yyy is the port

is my think correct ??

regards

Jon Marshall · ‎03-04-2014

if the users requsted any traffic with port 80 , go and change thier destination to x.x.x.x and thier port to yyy

where x.x.x.x is the proxy srver ip and yyy is the port

I think that is what you need to do but i can't say whether it would work or not because i have never done it. Basically you would need to translate every single internet IP that users went to to for http to the proxy and i don't know how practical that is.

I'm not that familiar with NAT after 8.3 code so it may be possible.

Perhaps you could post into the Firewalling forum.

Jon

Dr.X · ‎03-04-2014

me too ive never tried it ,

i thunk that asa is more powerfull than router especialy in Natting

i found that router cant do destiantion nat , but as i see the asa is better

but still not sure

ive googled but didnt find somebody saying as same wt i said !