Cisco Support Community
New Member

urgent help with asa site-site phase 2 is not up !!

Hello all,

From where do I need to start troubleshooting phase 2 in the site-to-site VPN?

What commands are required from me to show?

8 REPLIES
Hall of Fame Super Silver

Is it correct to assume from your question that phase 1 is working correctly? If so, that addresses multiple potential issues such as IP connectivity issues and peer addressing. If phase 2 is not coming up, a common cause of the problem is that the access lists that identify traffic for IPSec do not match between the peers. So I would start with checking the configs for both peers to be sure that they match (especially the access list content, but also checking to make sure that things like PFS match as well).

If you check the configs and it looks like they do match up, then I would suggest running debug crypto ipsec and posting the debug output.

HTH

Rick
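As an added example (not code from the thread or from Cisco), the following script does the "check that the crypto access lists match" step from the reply above mechanically. It parses the `access-list NAME extended permit PROTO SRC MASK DST MASK` lines from each peer, for instance pasted from `show running-config access-list NAME` on each ASA, and reports any entry whose source/destination mirror is missing on the other side. The ACL names, subnets and the one deliberate mask mismatch in the sample configs are constructed for illustration; object-groups and port qualifiers are assumed absent and are not handled.

```python
"""Mirror-check two ASA crypto (interesting-traffic) ACLs.

Constructed example for this thread, not code from the original post.
Phase 2 requires each proxy ID the initiator proposes to match an ACE on
the responder with source and destination swapped. This parses the
`access-list NAME extended permit PROTO SRC MASK DST MASK` lines from both
peers and reports entries that do not mirror. Object-groups and port
qualifiers are not handled (assumption: plain subnet/host/any endpoints).
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class CryptoAce(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "CryptoAce":
        # What the other peer must carry: same protocol, endpoints swapped.
        return CryptoAce(self.proto, self.dst, self.src)

    def describe(self) -> str:
        return f"{self.proto} {self.src} -> {self.dst}"


_ACE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+(.+)$")


def _endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use real subnet masks (255.255.255.0), not IOS-style wildcards.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> Set[CryptoAce]:
    """Parse every `extended permit` ACE in the text; other lines are ignored."""
    aces: Set[CryptoAce] = set()
    for line in text.splitlines():
        m = _ACE.match(line.strip())
        if not m:
            continue
        proto, rest = m.group(1), m.group(2).split()
        src, i = _endpoint(rest, 0)
        dst, _ = _endpoint(rest, i)  # trailing port/log keywords are ignored
        aces.add(CryptoAce(proto, src, dst))
    return aces


def mirror_mismatches(local_acl: str, remote_acl: str) -> Dict[str, List[str]]:
    """Entries the remote peer lacks, and remote entries the local peer never proposes."""
    expected_remote = {a.mirrored() for a in parse_acl(local_acl)}
    remote = parse_acl(remote_acl)
    return {
        "missing_on_remote": sorted(a.describe() for a in expected_remote - remote),
        "extra_on_remote": sorted(a.describe() for a in remote - expected_remote),
    }


# Constructed sample configs (not from the thread). Peer B's second entry is a
# /24 where peer A has a /16, so the proxy IDs for that pair will never match.
PEER_A_ACL = """
access-list VPN-TO-B extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-TO-B extended permit ip 192.168.10.0 255.255.255.0 10.50.0.0 255.255.0.0
"""
PEER_B_ACL = """
access-list VPN-TO-A extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-TO-A extended permit ip 10.50.0.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
PEER_B_ACL_FIXED = PEER_B_ACL.replace("10.50.0.0 255.255.255.0", "10.50.0.0 255.255.0.0")

if __name__ == "__main__":
    for name, remote in (("broken", PEER_B_ACL), ("fixed", PEER_B_ACL_FIXED)):
        print(name, mirror_mismatches(PEER_A_ACL, remote))
```

An empty report only means the access lists mirror; PFS, transform sets and lifetimes still have to be compared by hand, and the debug crypto ipsec output from the reply above remains the authority on what the peers actually negotiated.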

New Member

Hi,

You mean that you need to initiate the traffic so that phase 2 is up?

Is that what you mean?

regards

Hall of Fame Super Blue

To initiate the traffic, choose a host on one side and send traffic (that is meant to be sent via the VPN) to a host on the other side, and then see what the debugs are showing.

It is best to do it from a host rather than trying from the ASA itself as this can sometimes give confusing results.

Jon

New Member

Hi all,

Thanks a lot. I think that there was an issue in my NAT rules and I fixed it.

Still not sure that the tunnel is 100%; I will put two PCs and see the ping.

But now:

Assume that I need to let the ASA get the internet traffic from a proxy, for HTTP.

Assume I have a proxy 1.2.3.4 with port 6070 and want the users, when they request HTTP, to go to the proxy.

Does the ASA support that?

Also, again:

Easy VPN, can it be done on my ASA with the license above?

regards

Hall of Fame Super Blue

The ASA does support WCCP which allows you to redirect traffic to a proxy server.

See this link for configuration details -

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_wccp.html

Jon

New Member

Oh, I'm so sorry, my question wasn't clear.

Again,

the proxy is not directly connected.

I mean, assume my ASA has an IP of 12.3.4.5 and the proxy server is far away in the internet.

I think WCCP will fail.

As I understood, I can use PBR and a route map, but I think that the proxy server must be directly connected so that I set the IP next hop in the route map.

But again,

what if the proxy server is far away, with many hops from the ASA?

As I remember, I did it on a MikroTik server; it was an easy task in MikroTik, but I'm not sure in the ASA.

Also I have an idea to do this and I'm not sure of it.

As the proxy server is far, I think that I need to make a destination NAT.

I mean that I want to say:

if the users requested any traffic with port 80, go and change their destination to x.x.x.x and their port to yyy,

where x.x.x.x is the proxy server IP and yyy is the port.

Is my thinking correct?

regards

Hall of Fame Super Blue

if the users requested any traffic with port 80, go and change their destination to x.x.x.x and their port to yyy,

where x.x.x.x is the proxy server IP and yyy is the port.

I think that is what you need to do, but I can't say whether it would work or not because I have never done it. Basically you would need to translate every single internet IP that users went to for HTTP to the proxy, and I don't know how practical that is.

I'm not that familiar with NAT after 8.3 code, so it may be possible.

Perhaps you could post into the Firewalling forum.

Jon

New Member

Me too, I've never tried it.

I think that the ASA is more powerful than a router, especially in NATting.

I found that a router can't do destination NAT, but as I see, the ASA is better.

But still not sure.

I've googled but didn't find somebody saying the same as what I said!