
New Member

ASA 5510 VPN Site To Site problems

Dear Experts,

I have set a site to site VPN in two ASA5510 Firewall.

The settings for IKE and ENCRYPTION are the same. But I don't know why, when I do some actions such as ping and telnet, the result is also request timeout.

The attached document shows two logs from the ASA when I do the ping action, although the ping action does not work. But I can see the VPN connection seems to be established.

Here is some information.

Site A: 202.120.70.70

LOCAL IP: 192.168.96.0

Site B: 217.17.146.46

LOCAL IP : 10.1.1.0

VPN SETTINGS ON BOTH SIDES.

IKE: 3DES, SHA, DHG: 2

ENCRYPTION: 3DES, SHA, PFS: DHG2

PROTECTED NETWORK

Local          Remote         Site
192.168.96.0   10.1.1.0       A
10.1.1.0       192.168.96.0   B

Experts, any problems, any troubleshooting skills?

11 REPLIES

Re: ASA 5510 VPN Site To Site problems

Do you have NAT 0 configured correctly? I mean NAT exemption.

New Member

Re: ASA 5510 VPN Site To Site problems

I used ASDM for setting up the VPN; I think it processed it automatically and it should be the default setting.

Do you have any format of the statement?

I mean such as:

Site a, INF outside, allow, Site A IP / Site B IP.

Thanks Very Much

Silver

Re: ASA 5510 VPN Site To Site problems

If you have properly applied NAT exemption for your protected networks' traffic, can you remove PFS from both sides and then check?

HTH

Saju

Please rate helpful posts

New Member

Re: ASA 5510 VPN Site To Site problems

One of my firewalls is a 5510 K9 with security license; I cannot disable PFS on that firewall, I think it is set to DHG 2 by default.

But I have tested removing the NAT exemption on both sides, and still nothing changed.

Sorry, I am a beginner, thanks for your patience.

Thanks! Experts!

Re: ASA 5510 VPN Site To Site problems

Can you do on the firewall

show run

and put the config here?

New Member

Re: ASA 5510 VPN Site To Site problems

Suppose I want to post the running config here.

But today I found that when I re-configured a VPN (one end is using a Cisco 5510, one end is using a Netscreen firewall), the VPN I think has been established, but it is so strange: I can ping some servers/PCs from the Netscreen's network to the Cisco's network, but some I cannot ping; I can reach some web servers' pages in the Cisco's network, but some I cannot.

But the access rule I already set permits all communication between the two sites' devices.

What do you think?

Sometimes,

when I do the ping, the ping gets request timeout, but in the log of the 5510 I saw the build ICMP in the log, then teardown it.

But no reasons and no errors.

Do you think it is caused by the switch, not the rule of the firewall?

And sometimes,

when I ping some of the servers in the 5510's network, it displays a message such as no translation from the src IP to the dst IP.

But supposedly the two networks are fully permitted.

Please, help me.

Thanks !!!

New Member

Re: ASA 5510 VPN Site To Site problems

Have you allowed ICMP at the outside interface, and telnet too?

Try:

icmp permit any outside

Remember, you can't access the device from the outside interface without IPsec enabled. What it means is, you need to make a secure tunnel first, then give telnet permissions. I would personally suggest you use SSH.

Type

ssh 0.0.0.0 0.0.0.0 outside

New Member

Re: ASA 5510 VPN Site To Site problems

Thanks,

I already set (src) Any (dst) Any IP on the outside interface.

It seems it still does not work.

New Member

Re: ASA 5510 VPN Site To Site problems

Can you post the configs of both so we can see the whole configuration?

New Member

Re: ASA 5510 VPN Site To Site problems

Finally, I ran the commands "show crypto ipsec sa" and "show crypto isakmp".

Attached are the mentioned config files of the two ASA 5510s.

Current status:

The VPN tunnel I think has already been set up. I have some web sites on the 217 subnet (10.1.1.0), and supposedly the 202 subnet's (192.168.96.0) clients can browse them.

However, some of the web sites on 10.1.1.0 display but some do not.

In the firewall log, I saw no error messages but automatic teardown of the sessions.

I am now wondering whether the problems were caused by the security level of the interfaces?

Because I think the access lists did not have problems.

(PS: the security levels of the outside and inside interfaces were also 100 on both firewalls; all sub servers are connected to a 2960 switch which is connected to the inside interface of the firewall)

I also attached the "show running-config" of the 217 network's firewall. 217 contains some web servers on the "Inside" interface.

Please advise, Thanks
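A small checker, added here as an example and not code from this thread or from Cisco, that turns the two questions raised above (is NAT exemption mirrored on both ASAs, and do both interfaces sit at the same security level) into something you can run against a saved `show run` from each box: it parses `access-list ... extended permit ip` entries in the pre-8.3 syntax, finds the ACL bound by `nat (inside) 0 access-list`, reports entries whose mirror image is missing on the peer, and flags interfaces that share a security level without `same-security-traffic permit inter-interface`, since the ASA drops traffic between same-security interfaces otherwise. The sample configs are constructed from the thread's addresses with a deliberate mismatch on site B; the ACL name NONAT and the interface names are assumptions.

```python
import re
from ipaddress import ip_network

# Pre-8.3 ASA syntax: access-list NAME extended permit ip SRC MASK DST MASK
ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
                    r"(?P<src>\S+)\s+(?P<sm>\S+)\s+(?P<dst>\S+)\s+(?P<dm>\S+)")

def parse_acls(config):
    """Return {acl_name: {(src_network, dst_network), ...}} from permit-ip ACL entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pair = (ip_network(f"{m['src']}/{m['sm']}", strict=False),
                    ip_network(f"{m['dst']}/{m['dm']}", strict=False))
            acls.setdefault(m["name"], set()).add(pair)
    return acls

def nat_exempt_pairs(config):
    """Network pairs covered by the ACL bound with 'nat (ifc) 0 access-list NAME' (empty if none)."""
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    return parse_acls(config).get(m.group(1), set()) if m else set()

def unmirrored(local, remote):
    """Entries on this side whose (dst, src) mirror is missing on the peer; empty means mirrored."""
    return {(str(s), str(d)) for s, d in local if (d, s) not in remote}

def same_security_drop(config):
    """True if two interfaces share a security level and inter-interface traffic is not permitted."""
    levels = re.findall(r"^\s*security-level (\d+)", config, re.M)
    return (len(levels) != len(set(levels))
            and "same-security-traffic permit inter-interface" not in config)

# Constructed sample configs (assumed names NONAT/outside/inside), not the poster's real show run.
SITE_A = """\
interface Ethernet0/0
 nameif outside
 security-level 100
interface Ethernet0/1
 nameif inside
 security-level 100
access-list NONAT extended permit ip 192.168.96.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""
SITE_B = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
"""
```

Running `unmirrored(nat_exempt_pairs(SITE_A), nat_exempt_pairs(SITE_B))` reports the site A entry that site B's wider /16 does not mirror, and `same_security_drop(SITE_A)` is true because both interfaces are at level 100.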

New Member

Re: ASA 5510 VPN Site To Site problems

Sorry, the past post did not attach the "show" config file.

nameif WebServer), because it is not relate to my current problems. Thanks>

