Cisco Support Community

New Member

ASA 5520 VPN

Hi, I am trying to set up a site-to-site VPN between an ASA 5520 and the Check Point firewall using the site-to-site VPN tunnel wizard from the ASDM. The Check Point firewall is configured by the technicians on the third-party site. We verified that all the configurations, including pre-shared keys, are the same, but it is not working.

How do I troubleshoot what the problem is? Is there a way to force the tunnel to connect?

2 REPLIES
Hall of Fame Super Blue

Re: ASA 5520 VPN

emmanuel.shoroma wrote:

Hi, I am trying to set up a site-to-site VPN between an ASA 5520 and the Check Point firewall using the site-to-site VPN tunnel wizard from the ASDM. The Check Point firewall is configured by the technicians on the third-party site. We verified that all the configurations, including pre-shared keys, are the same, but it is not working.

How do I troubleshoot what the problem is? Is there a way to force the tunnel to connect?

Emmanuel

You need to do some debugging. The 2 most useful debugs are "debug crypto ipsec" and "debug crypto isa" - see the command reference for details -

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/d1_72.html

To force the tunnel to try and connect you need to generate some "interesting" traffic, i.e. when you set up the VPN you defined the local and remote subnets that were allowed to communicate and on what ports/protocols.

Jon

New Member

Re: ASA 5520 VPN

Hi, thanks. I managed to see what the problem is. The issue is with the crypto map access lists. When I specify the other site's host network address, I get an error log saying ("no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy x.x.x.x/x.x.x.x/x/x"). If I allow any on the crypto map access lists to our network x.x.x.x/x.x.x.x, then it works.

Any idea why it can't work when I specify the remote site network, and why it is showing the remote site as 0.0.0.0/0.0.0.0?

Your help will be highly appreciated.

Regards,
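
The mismatch described in the post above can be checked offline by comparing the proxy identities in the rejection message with the crypto map access list entries. This is an added example, not part of the original thread or Cisco's code: the ACL name, the addresses and the sample log line are constructed, and matching is modelled as simple network containment, which is an assumption about how the ASA compares selectors.

```python
import ipaddress
import re

# The ASA writes each proxy identity as address/mask/protocol/port.
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ "
                      r"local proxy ([\d.]+)/([\d.]+)/\d+/\d+")

def parse_rejection(log_line):
    """Return (remote_net, local_net) proposed by the peer, or None."""
    m = PROXY_RE.search(log_line)
    if not m:
        return None
    r_addr, r_mask, l_addr, l_mask = m.groups()
    return (ipaddress.ip_network(f"{r_addr}/{r_mask}"),
            ipaddress.ip_network(f"{l_addr}/{l_mask}"))

def _side(tokens):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_crypto_acl(line):
    """Return (local_net, remote_net) from '... permit ip SRC DST'."""
    tokens = line.split()
    tokens = tokens[tokens.index("ip") + 1:]
    return _side(tokens), _side(tokens)  # source = local, destination = remote

def matching_entries(log_line, acl_lines):
    """ACL lines whose local/remote networks cover the peer's proposal."""
    proposal = parse_rejection(log_line)
    if proposal is None:
        return []
    remote, local = proposal
    hits = []
    for line in acl_lines:
        acl_local, acl_remote = parse_crypto_acl(line)
        # Assumption: an entry matches when it contains both proposed networks.
        if local.subnet_of(acl_local) and remote.subnet_of(acl_remote):
            hits.append(line)
    return hits

# Constructed sample data (addresses and ACL name are illustrative only).
LOG = ("no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 "
       "local proxy 10.1.1.0/255.255.255.0/0/0")
ACL_SPECIFIC = ("access-list outside_cryptomap extended permit ip "
                "10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0")
ACL_ANY = "access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 any"
```

With the constructed data, the entry naming a specific remote network does not cover a 0.0.0.0/0.0.0.0 proposal, while the entry using any does, which mirrors the behaviour reported in the post.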
