Good morning - I have a Cisco ASA5505 that I am trying to establish a VPN connection to a remote site, and I cannot get phase 1 to establish. When I execute the command sh crypto isakmp sa I get the following output: There are no isakmp sas. I am running ver 8.2(5). Is there another command I can run to see why Phase 1 is not even attempting connection? The configuration is posted below. Any suggestions are greatly appreciated!
Good point regarding checking the static route, but I believe it should work.
Please have a look at this ACL -->
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
I'm not really sure that it should be like this, unless you have some other networks behind 192.168.1.0/24. Better to define some particular IP address/network as destination. Because, if you have an ACL like this, your 192.168.1.0/24 subnet will not be able to reach the internet.
Once you finish with this one, please try to generate traffic with packet tracer:
# packet-tra in inside icmp 192.168.1.100 8 0 $remote side ip$ detail
You can post the output here.
Another thing: you can use the following debugs:
# debug crypto isa 140
# debug crypto ips 140
From this you will be able to understand the background process of ISAKMP/IKE negotiation.
If your tunnel still does not come up, please also attach the outputs from these debug commands.
Thank you both for responding! The acl-inside is set to "any" because this is to our access provider's network firewall. Unfortunately, there is no way around directing all traffic, including internet traffic through them. While on support with them, I could not get them to provide their inside IP, so I had to use the "any" option. I really do not want internet traffic governed by our provider, but in this scenario I have no option!
As for Phase 1 not establishing, that was my fault - I was trying to use the GUI because I needed it done quickly, and the authentication was set to "crack" not "pre-share" as it was on the other end. It is correct in the output above because I made the change right before posting this thread. Apparently I wasn't patient enough, because the session established shortly thereafter.
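Added example, not part of the original thread and not Cisco code: a small offline check that compares the Phase 1 policies of two peers and reports which attribute stops them from agreeing, as with the "crack" versus "pre-share" mismatch described above. It assumes 8.2-style `crypto isakmp policy` blocks as printed by show running-config; the function names and both sample configs are constructed for illustration.

```python
import re

ATTRS = ("authentication", "encryption", "hash", "group")

def parse_isakmp_policies(config):
    """Return {priority: {attr: value}} for every 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] in ATTRS:
                current[parts[0]] = parts[1]
        else:
            current = None  # any unindented line ends the policy block
    return policies

def compare_policies(local, remote):
    """Return (match, report): match is the first (local_prio, remote_prio) pair
    whose four attributes agree, or None; report lists the differences per pair."""
    match, report = None, []
    for lp in sorted(local):
        for rp in sorted(remote):
            diff = [a for a in ATTRS if local[lp].get(a) != remote[rp].get(a)]
            report.append((lp, rp, diff))
            if not diff and match is None:
                match = (lp, rp)
    return match, report

# Constructed sample configs; the lifetime line is skipped and not compared here.
REMOTE = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
LOCAL_GUI = REMOTE.replace("pre-share", "crack")  # the GUI setting from the thread
LOCAL_FIXED = REMOTE

if __name__ == "__main__":
    for name, cfg in (("GUI setting", LOCAL_GUI), ("corrected", LOCAL_FIXED)):
        match, report = compare_policies(parse_isakmp_policies(cfg),
                                         parse_isakmp_policies(REMOTE))
        print(name, "-> match:", match, "differences:", report)
```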