Cisco Support Community
ASA 5505 to Watchguard x1000

Trying to get a VPN tunnel up from an ASA 5505 to a Watchguard X1000 firewall at our colo. I'm a total newb at Cisco VPN configs, so I've probably got something monkeyed up...

By the debugs, it looks like Phase 1 and Phase 2 both are coming up, but the tunnel gets closed out immediately. 1.2.3.4 is the ASA 5505, 5.6.7.8 is the X1000:

9:43 AM IP = 5.6.7.8, IKE Initiator: New Phase 1, Intf 0, IKE Peer 5.6.7.8 local Proxy Address 10.20.2.0, remote Proxy Address 10.1.0.0, Crypto map (mdc-vpn-map)

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously allocated memory for authorization-dn-attributes

9:43 AM AAA retrieved default group policy (DfltGrpPolicy) for user = 5.6.7.8

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Security negotiation complete for LAN-to-LAN Group (5.6.7.8) Initiator, Inbound SPI = 0x6c81df4e, Outbound SPI = 0x68bee110

9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.

9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been created.

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, PHASE 2 COMPLETED (msgid=6b391f01)

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0

9:43 AM IPSEC: An inbound LAN-to-LAN SA (SPI= 0x6C81DF4E) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.

9:43 AM IPSEC: An outbound LAN-to-LAN SA (SPI= 0x68BEE110) between 1.2.3.4 and 5.6.7.8 (user= 5.6.7.8) has been deleted.

9:43 AM Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

9:43 AM User 'username' executed the 'ping inside 10.1.0.2' command.

Any clues? Debug text and the config file are attached...

ASA 5505, ASA v7.2(1)

Watchguard Firebox X1000, Fireware v9.1

1 REPLY

Re: ASA 5505 to Watchguard x1000

9:43 AM Group = 5.6.7.8, IP = 5.6.7.8, Connection terminated for peer 5.6.7.8. Reason: Peer Terminate Remote Proxy 10.1.0.0, Local Proxy 10.20.2.0

This would suggest that your rules for encryption do not match or have a problem (acl mgc). We need to make sure your side matches the inverse of the Watchguard's. Of course you need to make sure you are sending the data to the Watchguard as a private 10.20.2.0/24 address. This led me to look at your NAT rules. I noticed that all internal addresses PAT to the outside interface address. I think you should add a nonat rule for the VPN traffic. Something like:

access-list nonat permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0

nat (inside) 0 access-list nonat

This will prevent the inside addresses from being NATed when going across the VPN to the Watchguard. I would not reuse the mgc acl. Defining a separate acl gives you flexibility in the future.

If you still are having trouble check the Watchguard rules for encryption.
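As an added example (not code from the thread, Cisco, or WatchGuard), the following Python script checks the two conditions the reply describes on a pre-8.3 ASA config: that every proxy pair selected by the crypto map's ACL is also covered by a "nat (iface) 0 access-list" exemption, so the traffic is not PATed to the outside address before encryption, and that the peer's policy is the exact mirror image of the ASA's crypto ACL. The config text, the PAT lines and the WatchGuard-side policy are constructed to match the addresses and names in the post; the parser handles only the address/netmask "permit ip" form used in the thread, not host, any, or object-group entries.

```python
# Added example: consistency check for an ASA 7.x LAN-to-LAN config of the
# kind discussed in the thread. Config text and peer policy are constructed.
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
CRYPTO_RE = re.compile(r"^crypto map\s+(\S+)\s+\d+\s+match address\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries
    written as address/netmask pairs (host, any and object-groups are not handled)."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
    return acls


def proxy_pairs(config):
    """(local, remote) proxy identities negotiated by every crypto map entry."""
    acls = parse_acls(config)
    pairs = []
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            pairs.extend(acls.get(m.group(2), []))
    return pairs


def exempt_pairs(config):
    """(src, dst) pairs that a 'nat (iface) 0 access-list' keeps out of PAT."""
    acls = parse_acls(config)
    pairs = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            pairs.extend(acls.get(m.group(1), []))
    return pairs


def covered(pair, exemptions):
    """True if some exemption entry contains both halves of the proxy pair."""
    local, remote = pair
    return any(local.subnet_of(e_local) and remote.subnet_of(e_remote)
               for e_local, e_remote in exemptions)


def missing_nat_exemption(config):
    """Crypto proxy pairs that would still be PATed to the outside address,
    so the packets never match the SA's proxy identities."""
    ex = exempt_pairs(config)
    return [p for p in proxy_pairs(config) if not covered(p, ex)]


def mirror_mismatches(local_pairs, peer_pairs):
    """Local pairs with no exact mirror image (remote, local) in the peer policy."""
    mirrored = {(r, l) for l, r in peer_pairs}
    return [p for p in local_pairs if p not in mirrored]


# Constructed ASA config mirroring the thread: crypto ACL mgc, crypto map
# mdc-vpn-map, and everything on the inside PATed to the outside interface.
ASA_BEFORE = """\
access-list mgc permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
crypto map mdc-vpn-map 10 match address mgc
"""

# Same config plus the nonat exemption suggested in the reply.
ASA_AFTER = ASA_BEFORE + """\
access-list nonat permit ip 10.20.2.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

N = ipaddress.ip_network
# Assumed WatchGuard-side policies: the exact inverse of the ASA crypto ACL,
# and a mismatching one that uses a /16 for the colo network.
PEER_OK = [(N("10.1.0.0/24"), N("10.20.2.0/24"))]
PEER_WRONG = [(N("10.1.0.0/16"), N("10.20.2.0/24"))]

if __name__ == "__main__":
    print("unexempted proxy pairs before fix:", missing_nat_exemption(ASA_BEFORE))
    print("unexempted proxy pairs after fix:", missing_nat_exemption(ASA_AFTER))
    print("mismatches vs. mirrored peer:", mirror_mismatches(proxy_pairs(ASA_AFTER), PEER_OK))
    print("mismatches vs. /16 peer:", mirror_mismatches(proxy_pairs(ASA_AFTER), PEER_WRONG))
```

On ASA releases before 8.3, NAT exemption ("nat 0 access-list") takes precedence over the numbered PAT rule regardless of line order, which is why the separate nonat ACL is enough; the mirror check is strict on purpose, because a /16 on one side against a /24 on the other is exactly the kind of proxy-identity mismatch that lets Phase 2 complete and then tears the SA down.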
