Problem with VPN ASA 5520
15 years 5 months ago #30458
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Problem with VPN ASA 5520 was created by r0nni3
Hey all,
I have a weird problem with a VPN I have to configure.
All the config is correct and the VPN is up and running (so it seems).
I do get inbound traffic but no outbound. When I look in the ASDM I get the following syslog message:
%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src: 172.23.1.12, Dst: 10.100.3.115
I have never seen this problem before and Cisco advises to check the access-lists, but these are correct. Has anyone experienced this problem before? And if so, what did you do to fix it?
I'll post the bits of the config that matter here:
[code:1]
access-list nonat extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list nonat extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list VPNordina extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list VPNordina extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
crypto map remote 10 match address VPNordina
crypto map remote 10 set peer 81.XXX.XXX.XXX
crypto map remote 10 set transform-set standaard
2 IKE Peer: 81.XXX.XXX.XXX
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
local ident (addr/mask/prot/port): (172.23.1.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.100.2.0/255.255.254.0/0/0)
current_peer: 81.XXX.XXX.XXX
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
[/code:1]
Thanks in advance!
15 years 5 months ago #30466
by Blake
Replied by Blake on topic Re: Problem with VPN ASA 5520
Can you post a sanitized config?
15 years 5 months ago #30490
by ramasamy
Replied by ramasamy on topic Re: Problem with VPN ASA 5520
Hi,
The firewall you are checking is a responder. You need to check the access-list on the peer device (Initiator) as the error message is from Initiator.
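As an added example (not code from the thread, from Cisco, or from either poster), the script below cross-checks the three pieces of evidence quoted in the first post: the VPNordina crypto ACL, the proxy identities and packet counters from the IPsec SA output, and the 713042 syslog line. It makes ramasamy's point visible from the responder side: the ASA shows "Role : responder", the negotiated remote ident is 10.100.2.0/255.255.254.0 (a /23) while the local ACL lists two /24 networks, and the counters show decaps with zero encaps. The sample input is copied from the post (peer address masked as posted); the regexes, function names and report keys are my own and are not ASA or ASDM features.

```python
import ipaddress
import re

# Sample input copied from the thread's first post (trimmed for this example;
# the peer address is masked exactly as it was posted).
CRYPTO_ACL = """
access-list VPNordina extended permit ip host 172.23.1.12 10.100.2.0 255.255.255.0
access-list VPNordina extended permit ip host 172.23.1.12 10.100.3.0 255.255.255.0
"""

IPSEC_SA = """
Type : L2L Role : responder
local ident (addr/mask/prot/port): (172.23.1.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.100.2.0/255.255.254.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
"""

SYSLOG = ("%ASA-3-713042: IKE Initiator unable to find policy: "
          "Intf outside, Src: 172.23.1.12, Dst: 10.100.3.115")

# Regexes written for this example; they cover the exact formats quoted above.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SYSLOG_RE = re.compile(r"%ASA-\d-713042: .*Src: ([\d.]+), Dst: ([\d.]+)")
ROLE_RE = re.compile(r"Role : (\w+)")


def _endpoint(tokens):
    """Consume one ACE address spec ('any', 'host A', or 'A MASK')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return [(acl_name, src_net, dst_net)] for each 'permit ip' ACE."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            aces.append((m.group(1), src, dst))
    return aces


def parse_ipsec_sa(text):
    """Pull role, proxy identities and encaps/decaps counters from the SA output."""
    idents = {side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
              for side, addr, mask in IDENT_RE.findall(text)}
    counters = {key: int(val) for key, val in COUNTER_RE.findall(text)}
    role = ROLE_RE.search(text)
    return idents, counters, role.group(1) if role else None


def analyse(acl_text, sa_text, syslog_line):
    """Cross-check the crypto ACL, the negotiated SA and the 713042 message."""
    aces = parse_crypto_acl(acl_text)
    idents, counters, role = parse_ipsec_sa(sa_text)
    report = {"role": role}

    # Does any local ACE select the flow named in the syslog for encryption?
    m = SYSLOG_RE.search(syslog_line)
    if m:
        src, dst = (ipaddress.ip_address(x) for x in m.groups())
        report["syslog_flow_in_crypto_acl"] = any(
            src in s and dst in d for _, s, d in aces)

    # Do the negotiated proxy identities equal one local ACE exactly?
    report["idents_match_an_ace"] = any(
        idents.get("local") == s and idents.get("remote") == d for _, s, d in aces)

    # Is the negotiated remote ident a strict superset of a local ACE destination?
    remote = idents.get("remote")
    report["remote_ident_wider_than_acl"] = remote is not None and any(
        d != remote and d.subnet_of(remote) for _, _, d in aces)

    # Decrypting but never encrypting is the one-way symptom described in the post.
    report["inbound_only"] = (counters.get("decaps", 0) > 0
                              and counters.get("encaps", 0) == 0)
    return report


if __name__ == "__main__":
    for key, value in analyse(CRYPTO_ACL, IPSEC_SA, SYSLOG).items():
        print(f"{key}: {value}")
```

Run against the posted data it reports role `responder`, the syslog flow covered by the local ACL, no ACE equal to the negotiated identities, a remote ident wider than the ACL, and inbound-only counters. The same parsers accept `any` and `host` endpoints, so they can be pointed at a fuller crypto ACL than the two lines quoted here.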
15 years 5 months ago #30501
by r0nni3
Replied by r0nni3 on topic Re: Problem with VPN ASA 5520
Well the problem was at the other side...they messed up their access-list. They reconfigured the access-list and the tunnel worked perfectly.
This is exactly the reason why I don't like making VPN tunnels with a 3rd party. >.<