I'm trying to build an Easy VPN connection between two ASA5505's. Initial configuration was simple and the tunnel is up. The problem is that I can't get any packets through. A packet-trace in ASDM on the remote site reports IPSec spoof detected.
Here's the config of the clientside ASA. It is connected to a LAN behind a NAT device.
I am having trouble getting my hands on the latest running config of the serverside. I will post it asap.
I am new to all this so I hope you can read the attached config.
Thanks in advance.
That config looks spot on - if there is an issue it might be with the server end, below is a config example - check yours against it for anything that jumps out:-
I had already read that article. There are some differences between the config in the example and the serverside running config. Unfortunately I cannot find the exact problem. I will post the serverside running config tomorrow and would appreciate it if you would take a peek at it.
Thanks in advance...
Thanks for your reply.
I changed the serverside config, but still can't ping to a machine behind the client ASA.
I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?
if u case like
and the vpn on the ASA
u need first static nat or port forward from the nat device to the ASA
u need the following ports opened and natted statically
and maybe udp 4500
to get the tunnel established
if helpful Rate
Setup is like:
Lan1 --- ASA1 --- internet --- NAT_device --- ASA2 -- LAN2
Tunnel will be initiated from ASA2 to ASA1, shouldn't the nat device handle all natting dynamically?
Can you enable NAT-T globally on both end ASAs and then check.
"isakmp nat-traversal 20 "
When NAT-T is enabled, the ESP packets (which actually carry the data payload), which get blocked by PAT/NAT, get encapsulated in UDP 4500 packets, and since they now have ports they can easily pass through PAT.
Pls rate helpful posts
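
The encapsulation described in the last reply, as an added example that is not part of the original thread: it wraps an ESP packet in a UDP/4500 header, applies the source-port rewrite a PAT device performs, and then demultiplexes the result the way an RFC 3948 receiver does (NAT keepalive, IKE behind the non-ESP marker, or ESP). The function names, the sample SPI and the translated port are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500  # UDP port named in the reply above

def udp_encapsulate(esp: bytes, sport=NAT_T_PORT, dport=NAT_T_PORT) -> bytes:
    """Wrap an ESP packet in a UDP header (checksum 0, as RFC 3948 permits for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp

def pat_rewrite(datagram: bytes, new_sport: int) -> bytes:
    """What a PAT device does: swap the source port. Bare ESP has no such field."""
    return struct.pack("!H", new_sport) + datagram[2:]

def classify_nat_t(datagram: bytes) -> dict:
    """Demultiplex a UDP/4500 datagram the way an RFC 3948 receiver does."""
    if len(datagram) < 8:
        raise ValueError("shorter than a UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if NAT_T_PORT not in (sport, dport):
        raise ValueError("not a NAT-T datagram")
    payload = datagram[8:length]
    info = {"sport": sport, "dport": dport}
    if payload == b"\xff":
        info["kind"] = "nat-keepalive"          # keeps the PAT mapping alive
    elif payload[:4] == b"\x00" * 4:
        info["kind"] = "ike"                    # non-ESP marker precedes IKE
    elif len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="esp", spi=spi, seq=seq)
    else:
        info["kind"] = "malformed"
    return info

# Constructed sample values, not taken from the thread.
SAMPLE_ESP = struct.pack("!II", 0x1A2B3C4D, 1) + bytes(16)  # SPI, sequence, opaque body
SAMPLE_PAT_PORT = 62011                                      # port chosen by the NAT device

def demo() -> dict:
    on_wire = pat_rewrite(udp_encapsulate(SAMPLE_ESP), SAMPLE_PAT_PORT)
    return classify_nat_t(on_wire)

if __name__ == "__main__":
    print(demo())
```

The destination port stays 4500 after translation while the source port is whatever the NAT device picked, which is why a tunnel initiated from behind the NAT needs no static mapping on that device.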