Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
422
Views
0
Helpful
2
Replies

ASA 5505 - cannot establish natted VPN - firmware problem ?

mschlee
Level 1
Level 1

‎10-18-2017 06:20 AM - edited ‎03-12-2019 04:38 AM

I am new to Cisco. We are about to establish a natted VPN connection to a truck company who operates a bunch of these VPNs to their customers to download and upload confidential data via ftp (cannot be changed to anything else yet). I installed an ASA 5505, did the basic configuration and granted access to the truck company's IT department in order to let them configure the VPN. The truck company's IT guy says that this is usually a matter of 5 minutes and he has successfully installed a test VPN on his test ASA 5505 which works. Then he tried our ASA and worked on it for 2,5 days w/o success (he says). The problem is that after phase 1 has been completed the error 

"Rejecting IPSec tunnel: no matching crypto map entry for remote proxy <IP>,255.255.255.255/0/0 ..."

shows up. Both ASAs have different firmware versions: ours is ASA Version 9.1(6) ADSM Version: 9.5(2) which does not work, the other one has a newer release: ASA Version 9.2(4)22 ADSM Version: 7.6(2)150.

The truck company says that they don't know why our ASA does not work.

So my questions:

Do you think that a firmware issue in ASA Version 9.1(6) can cause this problem ?

If this is the case, am I entitled to download a newer firmware somewhere ?

 

Thank you very much.

M.

Labels:
0 Helpful
2 Replies 2

GioGonza
Level 4
Level 4

‎10-18-2017 06:25 AM

Hello @mschlee

 

The problem here is that you are not matching the Security Association on your ASA, you are checking the crypto map configured but you are not matching any ACL in there and that´s why it is not working. What you need to do is to check with the other IT the ACL configured and verify if what you are receiving on your is the configured one. 

 

If you can, you can share your config and I can take a look... also before that message it should be one showing you that it is checking the crypto map on the based on the sequence number.

 

HTH

Gio

0 Helpful

mschlee
Level 1
Level 1
In response to GioGonza

‎10-18-2017 06:45 AM

Hello Gio,

if I understand correctly you do not see any firmware problem here. My problem is that I only have access to one side of the VPN. The truck company's IT guy can see everything but claims that the problem is impossible to fix. However, he could manage to run the stuff on their test ASA 5505. I hope that this is true.

I requested all information from the IT guy and will continue this post when I know more.

Thanks for your fast response.

M.

0 Helpful
Customers Also Viewed These Support Documents