ASA 5505 to Watchguard x1000

danbackslide
Level 1

Trying to get a VPN tunnel up from an ASA 5505 to a Watchguard X1000 firewall at our colo. I'm a total newb at Cisco VPN configs, so I've probably got something monkeyed up...

By the debugs, it looks like Phase 1 and Phase 2 both are coming up, but the tunnel gets closed out immediately. 1.2.3.4 is the ASA 5505, 5.6.7.8 is the X1000:

9:43 AM IP = 5.6.7.8, IKE Initiator: New Phase 1, Intf 0, IKE Peer 5.6.7.8 local Proxy Address 10.20.2.0, remote Proxy Address 10.1.0.0, Crypto map (mdc-vpn-map)

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously allocated memory for authorization-dn-attributes

9:43 AM AAA retrieved default group policy (DfltGrpPolicy) for user = 5.6.7.8

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Security negotiation complete for LAN-to-LAN Group (5.6.7.8) Initiator, Inbound SPI = 0x6c81df4e, Outbound SPI = 0x68bee110

9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.

9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 2 COMPLETED (msgid=6b391f01)

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0

9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.

9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.

9:43 AM Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

9:43 AM User 'username' executed the 'ping inside 10.1.0.2' command.

Any clues? Debug text and the config file are attached...

ASA 5505, ASA v7.2(1)

Watchguard Firebox X1000, Fireware v9.1

1 Reply

rmeans
Level 3

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0

This would suggest that your rules for encryption do not match or have a problem (acl mgc). We need to make sure your side matches the inverse of the Watchguard. Of course you need to make sure you are sending the data to the Watchguard as a private 10.20.2.0/24 address. This led me to look at your NAT rules. I noticed that all internal addresses PAT to the outside interface address. I think you should add a nonat rule for the VPN traffic. Something like:

access-list nonat permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0

nat (inside) 0 access-list nonat

This will prevent the inside addresses from being NATed when going across the VPN to the Watchguard. I would not reuse the mgc acl. Defining a separate acl gives you flexibility in the future.

If you still are having trouble check the Watchguard rules for encryption.
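The reply above rests on two checks that are easy to get wrong by eye: the crypto ACL on the ASA must be the exact mirror of the Watchguard's tunnel policy (a wider or narrower subnet on either side produces exactly the "Peer Terminate Remote Proxy ..., Local Proxy ..." line quoted from the debug), and every crypto ACL entry must be covered by the NAT-exemption ACL, or the ASA will PAT the traffic to its outside address before it reaches the tunnel. The script below is an added example written for this thread, not code from either poster or from Cisco. It parses the debug lines quoted in the question and ASA 7.x-style `access-list` lines, then runs both checks. The contents of the `mgc` and `nonat` ACLs and the Watchguard policy pairs are assumptions, since the actual config is in an attachment not shown here.

```python
"""Diagnose an ASA LAN-to-LAN tunnel that completes Phase 2 and is then torn down.

Checks (1) that the peer's proxy IDs in the 'Peer Terminate' line fall inside the
crypto ACL, (2) that the peer policy is an exact mirror of the crypto ACL, and
(3) that every crypto ACL entry is NAT-exempted.
"""
import ipaddress
import re

# Constructed sample: the debug lines are the ones quoted in the question.
ASA_LOG = """\
9:43 AM IP = 5.6.7.8, IKE Initiator: New Phase 1, Intf 0, IKE Peer 5.6.7.8 local Proxy Address 10.20.2.0, remote Proxy Address 10.1.0.0, Crypto map (mdc-vpn-map)
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 2 COMPLETED (msgid=6b391f01)
9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0
"""

# Assumed ASA config: the crypto ACL 'mgc' from the thread plus the suggested nonat ACL.
ASA_CONFIG = """\
access-list mgc extended permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat extended permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0
"""
# Same config before the nonat rule is added (the situation described in the question).
ASA_CONFIG_NO_NONAT = ASA_CONFIG.splitlines()[0] + "\n"

# Assumed Watchguard tunnel policy as (its local network, its remote network) pairs.
WATCHGUARD_OK = [("10.1.0.0/24", "10.20.2.0/24")]   # exact mirror of 'mgc'
WATCHGUARD_BAD = [("10.1.0.0/16", "10.20.2.0/24")]  # wider local side: proxy IDs disagree

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)
TERMINATE_RE = re.compile(r"Peer Terminate Remote Proxy ([\d.]+), Local Proxy ([\d.]+)")


def net(addr, mask):
    """Build a network from ASA's 'address mask' notation (dotted mask accepted)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config, name):
    """Return [(src_net, dst_net)] for 'permit ip' entries of the named ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
    return entries


def parse_terminations(log):
    """Return [(remote_proxy, local_proxy)] from every 'Peer Terminate' line."""
    return [(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            for m in TERMINATE_RE.finditer(log)]


def mirror_mismatches(crypto_acl, peer_policy):
    """Crypto ACL entries for which the peer holds no exact (dst, src) mirror."""
    peer = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_policy}
    return [(s, d) for s, d in crypto_acl if (s, d) not in peer]


def unexempted(crypto_acl, nonat_acl):
    """Crypto ACL entries not covered by any NAT-exemption entry (they would be PATed)."""
    return [(s, d) for s, d in crypto_acl
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in nonat_acl)]


def diagnose(log, config, peer_policy, crypto_name="mgc", nonat_name="nonat"):
    """Tie the log evidence to the two config checks; returns a list of findings."""
    crypto = parse_acl(config, crypto_name)
    nonat = parse_acl(config, nonat_name)
    findings = []
    for remote_proxy, local_proxy in parse_terminations(log):
        inside = any(local_proxy in s and remote_proxy in d for s, d in crypto)
        findings.append(f"peer tore down SA for {local_proxy} -> {remote_proxy}; proxy IDs "
                        f"{'fall inside' if inside else 'are NOT inside'} crypto ACL {crypto_name}")
    for s, d in mirror_mismatches(crypto, peer_policy):
        findings.append(f"peer policy is not an exact mirror of {s} -> {d}")
    for s, d in unexempted(crypto, nonat):
        findings.append(f"{s} -> {d} is not exempted by 'nat (inside) 0 access-list {nonat_name}'")
    return findings


if __name__ == "__main__":
    for label, cfg, peer in (("as posted", ASA_CONFIG_NO_NONAT, WATCHGUARD_OK),
                             ("with nonat", ASA_CONFIG, WATCHGUARD_OK),
                             ("peer mask wrong", ASA_CONFIG, WATCHGUARD_BAD)):
        print(f"[{label}]")
        for f in diagnose(ASA_LOG, cfg, peer):
            print("  ", f)
```

Run as-is, the "as posted" case reports the missing NAT exemption, the "with nonat" case leaves only the termination evidence, and the "peer mask wrong" case shows the mirror check catching a /16 on the Watchguard side that the ASA's /24 entry can never match.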
