TakedaT
asked on
L2L VPN Tunnel on ASA 5510
I am trying to establish a business-to-business VPN tunnel from my company to another company. While I can get the tunnel up, something seems to prevent traffic returning to my end. The other company says that they do see hits on their end ACL for interesting traffic and that I should be able to telnet to certain ports on a specific IP. When I try to telnet, I get a timeout, and this is what the logs on the ASA show:
6 Dec 17 2009 04:38:57 302014 xxx.xxx.141.254 35031 192.168.1.49 2915 Teardown TCP connection 62666814 for Outside:xxx.xxx.141.254/35031 to Inside:192.168.1.49/2915 duration 0:00:30 bytes 0 SYN Timeout
6 Dec 17 2009 04:38:27 302013 xxx.xxx.141.254 35031 192.168.1.49 2915 Built outbound TCP connection 62666814 for Outside:xxx.xxx.141.254/35031 (xxx.xxx.141.254/35031) to Inside:192.168.1.49/2915 (xxx.xxx.27.122/33472)
SYN Timeout Force termination after 30 seconds awaiting three-way handshake completion.
I do not have access to see the config on the other end. All my internal private addresses are NAT'd to a publicly routable address before being forwarded through the tunnel. I have attached my relevant config. Anyone have any ideas?
TIA
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
access-list B2B_1_NAT extended permit ip 192.168.0.0 255.255.0.0 xxx.xxx.141.0 255.255.255.0
access-list B2B_1_NETWORKS extended permit ip xxx.xxx.27.122 255.255.255.255 xxx.xxx.141.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 30 match address B2B_1_NETWORKS
crypto map Outside_map 30 set peer xxx.xxx.130.208
crypto map Outside_map 30 set transform-set ESP-3DES-SHA
crypto map Outside_map 30 set security-association lifetime seconds 28800
crypto map Outside_map interface Outside
nat (inside) 2 access-list B2B_1_NAT
global (outside) 2 xxx.xxx.27.122
tunnel-group xxx.xxx.130.208 type ipsec-l2l
tunnel-group xxx.xxx.130.208 ipsec-attributes
pre-shared-key *
route Outside xxx.xxx.130.0 255.255.255.255 xxx.xxx.27.126 1
route Outside xxx.xxx.141.0 255.255.255.0 xxx.xxx.27.126 1
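An added example, not posted by anyone in this thread: it parses ASDM-style 302013/302014 rows like the ones quoted above, pairs Built and Teardown messages by connection id, and flags zero-byte "SYN Timeout" teardowns whose Outside-side address sits in the peer's encryption domain, which is what a tunnel passing traffic only one way looks like in the ASA log. The sample rows are constructed, with RFC 5737 documentation addresses standing in for the masked xxx.xxx.* values.

```python
import re
import ipaddress

# Constructed sample rows (severity, date, time, msgid, src, sport, dst, dport, text)
# mirroring the asker's two lines plus one healthy Inside->Outside flow for contrast.
SAMPLE_LOG = """\
6 Dec 17 2009 04:38:27 302013 198.51.100.254 35031 192.168.1.49 2915 Built outbound TCP connection 62666814 for Outside:198.51.100.254/35031 (198.51.100.254/35031) to Inside:192.168.1.49/2915 (203.0.113.122/33472)
6 Dec 17 2009 04:38:57 302014 198.51.100.254 35031 192.168.1.49 2915 Teardown TCP connection 62666814 for Outside:198.51.100.254/35031 to Inside:192.168.1.49/2915 duration 0:00:30 bytes 0 SYN Timeout
6 Dec 17 2009 04:40:01 302013 192.168.1.77 41000 203.0.113.9 443 Built outbound TCP connection 62666900 for Inside:192.168.1.77/41000 (203.0.113.122/41000) to Outside:203.0.113.9/443 (203.0.113.9/443)
6 Dec 17 2009 04:41:05 302014 192.168.1.77 41000 203.0.113.9 443 Teardown TCP connection 62666900 for Inside:192.168.1.77/41000 to Outside:203.0.113.9/443 duration 0:01:04 bytes 5120 TCP FINs
"""

# One pattern for both message ids; the "(mapped/port)" parts and the
# "duration ... bytes ... reason" tail are optional because only Built rows
# carry the former and only Teardown rows carry the latter.
CONN_RE = re.compile(
    r"\b(?P<msgid>30201[34])\b.*?(?P<action>Built|Teardown) (?:(?:inbound|outbound) )?"
    r"TCP connection (?P<conn>\d+) for (?P<src_if>\w+):(?P<src>[^/\s]+)/(?P<sport>\d+)"
    r"(?: \([^)]*\))? to (?P<dst_if>\w+):(?P<dst>[^/\s]+)/(?P<dport>\d+)(?: \([^)]*\))?"
    r"(?: duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?)?"
)

def correlate(log_text):
    """Merge Built/Teardown rows into one record per ASA connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        rec = conns.setdefault(m["conn"], {})
        if m["action"] == "Built":
            rec.update(src_if=m["src_if"], src=m["src"], sport=int(m["sport"]),
                       dst_if=m["dst_if"], dst=m["dst"], dport=int(m["dport"]))
        else:
            rec.update(bytes=int(m["bytes"]), duration=m["duration"],
                       reason=(m["reason"] or "").strip())
    return conns

def one_way_tunnel_flows(log_text, remote_domain):
    """Connections to/from the peer's encryption domain that died with a
    zero-byte SYN Timeout: the SYN was sent, nothing ever came back."""
    net = ipaddress.ip_network(remote_domain)
    hits = []
    for conn, r in correlate(log_text).items():
        if "src" not in r or r.get("reason") != "SYN Timeout" or r.get("bytes") != 0:
            continue
        outside_ip = r["src"] if r["src_if"] == "Outside" else r["dst"]
        if ipaddress.ip_address(outside_ip) in net:
            hits.append((conn, r["src"], r["sport"], r["dst"], r["dport"]))
    return hits
```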
ASKER
Thanks for the response. I actually have done that already a few times when testing the past few days. Also, I can't test this now as it will interrupt services for about 500 employees. Currently, the 2 route commands:
route Outside xxx.xxx.130.0 255.255.255.255 xxx.xxx.27.126 1
route Outside xxx.xxx.141.0 255.255.255.0 xxx.xxx.27.126 1
actually point to a different internal router that has a frame-relay connection to the same company, rather than point to my public gateway like above. The L2L is supposed to replace that. I need to test between 1am and 4am. When I do test, I remove the above route commands and add the ones above which makes those services unavailable while I am testing, unless of course the tunnel was to actually work.
ASKER CERTIFIED SOLUTION
clear crypto isakmp sa
clear crypto ipsec sa
Then retest
At a glance, I don't see anything in the config, but I can devote more time if the cleared tunnels don't help.