Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Creating a VPN using ASDM 6.2(5)

I configured on 2 ASA 5510s a VPN between them.  I used the IPsec wizard and ensured that each rule was mirrored on the other device.  I did select to have the traffic NATed because this is eventually going to be a point to multipoint environment, with the same IP addresses within each enclave.  What will seperate them will be the public addresses assigned to them.  Looking at my my log files on both devices, I see the same errors. Any help would be greatly appreciated.

4|Sep 25 2010|12:01:18|113019|||||Group = 207.98.185.25, Username = 207.98.185.25, IP = 207.98.185.25, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 25 2010|12:01:18|713259|||||Group = 207.98.185.25, IP = 207.98.185.25, Session is being torn down. Reason: User Requested
3|Sep 25 2010|12:01:18|713902|||||Group = 207.98.185.25, IP = 207.98.185.25, Removing peer from correlator table failed, no match!
5|Sep 25 2010|12:01:18|713050|||||Group = 207.98.185.25, IP = 207.98.185.25, Connection terminated for peer 207.98.185.25.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
5|Sep 25 2010|12:01:18|713068|||||Group = 207.98.185.25, IP = 207.98.185.25, Received non-routine Notify message: Invalid ID info (18)
5|Sep 25 2010|12:01:18|713119|||||Group = 207.98.185.25, IP = 207.98.185.25, PHASE 1 COMPLETED
6|Sep 25 2010|12:01:18|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 207.98.185.25
6|Sep 25 2010|12:01:18|713172|||||Group = 207.98.185.25, IP = 207.98.185.25, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
5|Sep 25 2010|12:01:18|713041|||||IP = 207.98.185.25, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 207.98.185.25  local Proxy Address 207.98.185.20, remote Proxy Address 207.98.185.24,  Crypto map (Outside_map)
5|Sep 25 2010|12:01:18|713904|||||IP = 207.98.185.25, Received encrypted packet with no matching SA, dropping

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Creating a VPN using ASDM 6.2(5)

It does not look like it's mirror image ACL.

Can you please advise what subnet is in Enterprise_A/29 and Enterprise_B/29?

On the first ASA you have:

Local Network: 207.98.185.28

Remote Network: Enterprise_A/29

On the other ASA, it should be the mirror image as follows:

Local Network: Enterprise_A/29

Remote Network: 207.98.185.28

However, you have the following on the other ASA:

Local network: 207.98.185.20   --> is this the same as Enterprise_A/29 ip address?

Remote Network: Enterprise_B/29 --> is this the same as 207.98.185.28?

Also, how are they being NATed? static NAT or PAT? as if you are performing PAT, traffic can only be initiated from the PAT end, hence, you can't configure PAT for both end of the ASA. Plus the crypto ACL needs to match the NATed address.

3 REPLIES
New Member

Re: Creating a VPN using ASDM 6.2(5)

New Member

Re: Creating a VPN using ASDM 6.2(5)

Cisco Employee

Re: Creating a VPN using ASDM 6.2(5)

It does not look like it's mirror image ACL.

Can you please advise what subnet is in Enterprise_A/29 and Enterprise_B/29?

On the first ASA you have:

Local Network: 207.98.185.28

Remote Network: Enterprise_A/29

On the other ASA, it should be the mirror image as follows:

Local Network: Enterprise_A/29

Remote Network: 207.98.185.28

However, you have the following on the other ASA:

Local network: 207.98.185.20   --> is this the same as Enterprise_A/29 ip address?

Remote Network: Enterprise_B/29 --> is this the same as 207.98.185.28?

Also, how are they being NATed? static NAT or PAT? as if you are performing PAT, traffic can only be initiated from the PAT end, hence, you can't configure PAT for both end of the ASA. Plus the crypto ACL needs to match the NATed address.

1261
Views
0
Helpful
3
Replies
CreatePlease to create content