03-04-2014 06:22 AM - edited 03-07-2019 06:31 PM
Hello all,
Where do I need to start troubleshooting phase 2 in the site-to-site VPN?
What commands are required from me to show?
03-04-2014 08:32 AM
Is it correct to assume from your question that phase 1 is working correctly? If so that addresses multiple potential issues such as IP connectivity issues and peer addressing. If phase 2 is not coming up a common cause of the problem is that the access lists that identify traffic for IPSec do not match between the peers. So I would start with checking the configs for both peers to be sure that they match (especially for access list content but also checking to make sure that things like PFS match as well).
If you check the configs and it looks like they do match up then I would suggest running debug crypto ipsec and post the debug output.
HTH
Rick
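The mirror-image check Rick describes, as an added example that is not from the original thread or from Cisco: a minimal IKEv1 phase 2 configuration for both peers with the crypto ACLs mirrored, PFS set on both sides, and the identity NAT that keeps the VPN traffic out of the internet NAT (the poster's own problem turned out to be NAT). Object names, subnets and peer addresses are constructed (documentation ranges); phase 1 (ikev1 policy, tunnel-group, pre-shared key) is assumed to already work, as in the question.

```cisco
! ===== Peer A (outside 203.0.113.1, protects 10.1.0.0/24) -- constructed example
object network LAN-A
 subnet 10.1.0.0 255.255.255.0
object network LAN-B
 subnet 10.2.0.0 255.255.255.0
! Identity NAT: traffic for the remote LAN must not be PATed to the outside address,
! otherwise it never matches the crypto ACL and phase 2 is never even attempted
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup
! Crypto ACL: local subnet -> remote subnet
access-list VPN-A-TO-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-A-TO-B
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside

! ===== Peer B (outside 198.51.100.1, protects 10.2.0.0/24) -- exact mirror of A
object network LAN-B
 subnet 10.2.0.0 255.255.255.0
object network LAN-A
 subnet 10.1.0.0 255.255.255.0
nat (inside,outside) source static LAN-B LAN-B destination static LAN-A LAN-A no-proxy-arp route-lookup
! Source and destination are swapped relative to peer A, with the same masks.
! A 255.255.0.0 mask here (a common typo) is not a mirror: the responder then rejects
! the quick mode with a "no matching crypto map entry for remote proxy ..." message.
access-list VPN-B-TO-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-B-TO-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
! PFS must be configured on both peers or on neither; a one-sided setting fails phase 2
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP interface outside

! ===== Verification on either peer, while a host on one LAN pings a host on the other
! phase 1: expect state MM_ACTIVE for the peer address
show crypto isakmp sa
! phase 2: one SA per crypto ACL line; #pkts encaps and #pkts decaps should both increase
show crypto ipsec sa
! capture the negotiation; stop with "undebug all" once you have the output
debug crypto ipsec 127
```

Read `show crypto ipsec sa` in both directions: encaps increasing with decaps stuck at zero means the far side is dropping or misrouting the return traffic (often its own NAT or ACL), not a phase 2 mismatch.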
03-04-2014 10:39 AM
Hi,
You mean that I need to initiate the traffic so that phase 2 is up?
Is that what you mean?
regards
03-04-2014 10:42 AM
To initiate the traffic, choose a host on one side and send traffic (that is meant to be sent via the VPN) to a host on the other side, and then see what the debugs are showing.
It is best to do it from a host rather than trying from the ASA itself as this can sometimes give confusing results.
Jon
03-04-2014 11:42 AM
Hi all,
Thanks a lot. I think that there was an issue in my NAT rules and I fixed it.
I am still not sure that the tunnel is 100%; I will put two PCs and see the ping.
But now:
Assume that I need to let the ASA get the internet traffic from a proxy, for HTTP.
Assume I have a proxy 1.2.3.4 with port 6070 and want the users, when they request HTTP, to go to the proxy.
Does the ASA support that?
Also, again:
Easy VPN, can it be done on my ASA with the license above?
Regards
03-04-2014 11:49 AM
The ASA does support WCCP which allows you to redirect traffic to a proxy server.
See this link for configuration details -
Jon
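What the WCCP redirect Jon mentions looks like on an ASA, as an added example that is not from the original thread or from Cisco; addresses, ACL names and the password are constructed. It also shows the caveat the poster runs into in the next message: the ASA only redirects to a cache engine that sits behind the same interface as the clients, so WCCP cannot reach a proxy out on the internet.

```cisco
! Constructed example. Cache engine / proxy 10.1.0.50 is on the inside interface,
! the same interface as the clients in 10.1.0.0/24 (an ASA WCCP requirement).
! group-list: which hosts may register as a cache engine
access-list WCCP-SERVERS extended permit ip host 10.1.0.50 any
! redirect-list: what gets redirected. Exclude the proxy's own outbound fetches first,
! otherwise its requests are redirected back to itself and loop.
access-list WCCP-REDIRECT extended deny tcp host 10.1.0.50 any eq www
access-list WCCP-REDIRECT extended permit tcp 10.1.0.0 255.255.255.0 any eq www
! The password authenticates the cache engine's registration; without it any host
! behind the interface could announce itself as the cache and receive all client HTTP.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-SERVERS password Wccp-Secret1
! Apply redirection to traffic entering the inside interface
wccp interface inside web-cache redirect in
! Verification: the cache engine should show as a registered router/cache pair
show wccp
show wccp web-cache detail
```

Configure the matching service group and password on the proxy itself (its syntax depends on the product); until it registers, `show wccp` reports no cache engines and client HTTP simply passes straight through the ASA.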
03-04-2014 11:56 AM
Oh, I am so sorry, my question wasn't clear.
Again:
The proxy is not directly connected.
I mean, assume my ASA has an IP of 12.3.4.5 and the proxy server is far away on the internet.
I think WCCP will fail.
As I understood, I can use PBR and a route map, but I think that the proxy server must be directly connected so that I can set the IP next hop in the route map.
But again,
What if the proxy server is far away, with many hops from the ASA?
As I remember, I did it on a MikroTik server; it was an easy task in MikroTik, but I am not sure about the ASA.
Also I have an idea to do this and am not sure about it:
As the proxy server is far away, I think that I need to make a destination NAT.
I mean that I want to say:
If the users requested any traffic with port 80, go and change their destination to x.x.x.x and their port to yyy,
where x.x.x.x is the proxy server IP and yyy is the port.
Is my thinking correct?
Regards
03-04-2014 12:04 PM
If the users requested any traffic with port 80, go and change their destination to x.x.x.x and their port to yyy,
where x.x.x.x is the proxy server IP and yyy is the port.
I think that is what you need to do, but I can't say whether it would work or not because I have never done it. Basically you would need to translate every single internet IP that users went to for HTTP to the proxy, and I don't know how practical that is.
I'm not that familiar with NAT after 8.3 code so it may be possible.
Perhaps you could post into the Firewalling forum.
Jon
03-04-2014 12:12 PM
Me too, I have never tried it.
I think that the ASA is more powerful than a router, especially in NATting.
I found that a router can't do destination NAT, but as I see it the ASA is better.
But I am still not sure.
I have googled but didn't find anybody saying the same as what I said!