Cisco Support Community

Site to Site VPN between cisco ASA5505 and WatchGuard

Hi

I have created a site-to-site VPN between a Cisco ASA 5505 and a WatchGuard, but the tunnel is not up. Kindly share the configuration details for the same.

Regards

Surendrakumar.T.R

   

 

1 REPLY


Hello Suren,

 

I see. Please attach either the show tech of the ASA, indicating which crypto map is for the WatchGuard, or just copy and paste the crypto map configuration for this site-to-site tunnel.

 

Either way, I have worked on cases like this one, and sometimes the issue is related to phase 2 or because the WatchGuard device works in "aggressive mode", but I'd rather analyze what the problem is here. I am going to attach an example of a site-to-site configuration for the ASA:

 

Phase 1:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto isakmp enable outside

tunnel-group 20.20.20.1 type ipsec-l2l
tunnel-group 20.20.20.1 ipsec-attributes
  pre-shared-key cisco123

 

Phase 2:

access-list 100 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac

! 20.20.20.1 is the WatchGuard outside IP address
crypto map mymap 20 set peer 20.20.20.1
crypto map mymap 20 match address 100
crypto map mymap 20 set transform-set mytrans

crypto map mymap interface outside

Pre NAT 8.3:

access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 
nat (inside) 0 access-list nonat

 

NAT 8.3:

object network obj-172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0

nat (inside,outside) 1 source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

--------------------------------------------------------------------------------------------------------------------------

 

Also attach the output of: show crypto isakmp sa

 

I will wait for an update on this

 

Best Regards,

 

David Castro

Cisco TAC Support Engineer, Team VPN
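
An added example, not part of the original reply and not Cisco tooling: a Python check over the ASA command forms shown in the reply. It confirms that each crypto map entry references a defined ACL, transform-set and L2L tunnel-group and is bound to an ISAKMP-enabled interface, then derives the mirrored phase 2 selectors the WatchGuard side has to match. The names `audit`, `KEYS` and `SAMPLE` and the finding texts are constructed for illustration, and only plain `permit ip <net> <mask> <net> <mask>` ACL entries are parsed.

```python
import re

# Constructed sample: phase 1/phase 2 lines in the form used by the reply's example.
SAMPLE = """\
crypto isakmp enable outside
tunnel-group 20.20.20.1 type ipsec-l2l
access-list 100 permit ip  172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 20 set peer 20.20.20.1
crypto map mymap 20 match address 100
crypto map mymap 20 set transform-set mytrans
crypto map mymap interface outside
"""
KEYS = ("set peer", "match address", "set transform-set")

def audit(config):
    """Return (findings, peer_selectors) for the crypto map entries in an ASA config."""
    text = "\n".join(" ".join(ln.split()) for ln in config.splitlines())  # normalise spacing
    def found(pattern):
        return re.findall(pattern, text, re.M)
    acls = {}
    for name, *nets in found(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$"):
        acls.setdefault(name, []).append(tuple(nets))
    entries = {}
    for name, seq, key, value in found(
            r"^crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)"):
        entries.setdefault((name, int(seq)), {})[key] = value
    tsets = set(found(r"^crypto ipsec transform-set (\S+)"))
    l2l = set(found(r"^tunnel-group (\S+) type ipsec-l2l"))
    bound = dict(found(r"^crypto map (\S+) interface (\S+)"))
    ike_on = set(found(r"^crypto isakmp enable (\S+)"))
    findings, peer_selectors = [], {}
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        peer, acl, ts = (e.get(k) for k in KEYS)
        findings += [f"{tag}: no '{k}' line" for k in KEYS if k not in e]
        if acl and acl not in acls:
            findings.append(f"{tag}: access-list {acl} is missing or has no parsable permit ip entry")
        if ts and ts not in tsets:
            findings.append(f"{tag}: transform-set {ts} is not defined")
        if peer and peer not in l2l:
            findings.append(f"{tag}: no ipsec-l2l tunnel-group for peer {peer}")
        if name not in bound:
            findings.append(f"{tag}: crypto map {name} is not applied to an interface")
        elif bound[name] not in ike_on:
            findings.append(f"{tag}: ISAKMP is not enabled on {bound[name]}")
        # The peer's phase 2 selectors must be the exact mirror of the crypto ACL.
        peer_selectors[tag] = [(rn, rm, ln, lm) for ln, lm, rn, rm in acls.get(acl, [])]
    return findings, peer_selectors
```

An empty findings list only means the ASA side is internally consistent; the phase 1 and phase 2 proposals and the mirrored selectors still have to agree with what is configured on the WatchGuard.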
