VPN site-to-site trouble

Hi. I'm creating a VPN site-to-site tunnel between two locations (one under my control, the other side is controlled by a business partner). On my side I have an ASA 5510, Version 8.2(3).

I have entered the configuration through the CLI, and when I wanted to test the configuration through packet-tracer (because the other side isn't configured yet) it says the following:

Drop-reason: (acl-drop) Flow is denied by configured rule

I think I got everything right, but no matter what, I cannot get a pass through packet-tracer. It seems that an ACL is dropping the traffic, at least that is my interpretation. The trouble is I don't think that is correct, as on my inside interface all traffic is allowed.

My VPN config is as follows (relevant info only):

! traffic selector for the tunnel and the matching NAT exemption
access-list crypto_ACL extended permit ip x.x.x.x 255.254.0.0 y.y.y.y 255.255.255.0
access-list inside_nat0_outbound extended permit ip x.x.x.x 255.254.0.0 y.y.y.y 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! phase 1 (ISAKMP) policy
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! phase 2 (IPsec) transform set and crypto map entry
crypto ipsec transform-set X_transform esp-aes esp-sha-hmac
crypto map VPN 120 match address crypto_ACL
crypto map VPN 120 set pfs group5
crypto map VPN 120 set peer x.x.x.x
crypto map VPN 120 set transform-set X_transform
!
! peer authentication
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *********

Any help on this would be most welcome.

4 REPLIES

VPN site-to-site trouble

Hi Igor,

Two things in relation to the VPN config:

1. Have you enabled isakmp on outside interface?

2. You need to apply crypto map 'VPN' to outside interface.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html

If all are in place and you still see the ACL deny, then it may relate to a different IP source.

hth

MS
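For reference, here is a complete ASA 8.2 site-to-site configuration that includes the two items from the reply above (ISAKMP enabled on the outside interface and the crypto map bound to it), plus the exec-mode checks for the packet-tracer test described in the original post. This is an added example, not the poster's configuration or Cisco's: the networks, the peer address and the key are placeholders (documentation ranges), and the 255.254.0.0 mask is kept from the post. Note that the guide linked in the reply is for ASA 8.4, which uses the `crypto ikev1` syntax and the 8.3+ object-based NAT model; the commands below are the 8.2 forms the poster's ASA accepts.

```cisco
! Added example (not the original poster's config). Placeholder addresses:
!   local LAN    10.10.0.0 255.254.0.0  (mask taken from the post)
!   partner LAN  192.0.2.0 255.255.255.0
!   partner peer 198.51.100.1
!
! --- Selectors: crypto ACL and NAT-exempt ACL must describe the same flows ---
access-list crypto_ACL extended permit ip 10.10.0.0 255.254.0.0 192.0.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.254.0.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! --- Phase 1 (ISAKMP) ---
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! Check 1 from the reply: ISAKMP must be enabled on the interface facing the peer
crypto isakmp enable outside
!
! --- Phase 2 (IPsec) ---
crypto ipsec transform-set X_transform esp-aes esp-sha-hmac
crypto map VPN 120 match address crypto_ACL
crypto map VPN 120 set pfs group5
crypto map VPN 120 set peer 198.51.100.1
crypto map VPN 120 set transform-set X_transform
! Check 2 from the reply: a crypto map does nothing until bound to an interface
crypto map VPN interface outside
!
! --- Peer authentication (use a long random key, never a dictionary word) ---
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <long-random-key>
!
! --- Verification, exec mode (shown as comments so the block pastes cleanly) ---
! Simulate an inside host reaching a partner host. The "VPN" phase of the
! output should show the crypto_ACL match; "encrypt" only succeeds once an
! IPsec SA with the peer exists.
!   packet-tracer input inside tcp 10.10.5.25 40000 192.0.2.10 443 detailed
!
! Phase 1 and phase 2 state once the partner's side is configured:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 198.51.100.1
!
! Confirm the selectors and interface binding are what you think they are:
!   show run crypto map
!   show run access-list crypto_ACL
!   show run access-list inside_nat0_outbound
```

Until the partner has finished their side, packet-tracer can only confirm that the flow hits the crypto ACL and is exempted from NAT; it cannot bring up an SA with an unconfigured peer, so a drop at the VPN phase at that stage does not by itself prove the local configuration is wrong. The `show crypto isakmp sa` and `show crypto ipsec sa` output after the peer is up is the definitive check, which matches how this thread was eventually resolved.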


VPN site-to-site trouble

The crypto map is applied to the outside interface and isakmp is enabled on the outside interface. Other VPN tunnels are working all right.

VPN site-to-site trouble

Then I would configure the other end and see if there is any issue in passing the traffic across the tunnel.

Thx

MS


VPN site-to-site trouble

The network administrator for the other side of the VPN tunnel contacted me and it seems that the problem is on the other side.

Thanks for your help.
