TakedaT asked:

L2L VPN Tunnel on ASA 5510

I am trying to establish a business-to-business VPN tunnel from my company to another company.  While I can get the tunnel up, something seems to prevent traffic returning to my end.  The other company says that they do see hits on their end ACL for interesting traffic and that I should be able to telnet to certain ports on a specific IP.  When I try to telnet, I get a timeout, and this is what the logs on the ASA show:

6      Dec 17 2009      04:38:57      302014      xxx.xxx.141.254      35031      192.168.1.49      2915      Teardown TCP connection 62666814 for Outside:xxx.xxx.141.254/35031 to Inside:192.168.1.49/2915 duration 0:00:30 bytes 0 SYN Timeout
6      Dec 17 2009      04:38:27      302013      xxx.xxx.141.254      35031      192.168.1.49      2915      Built outbound TCP connection 62666814 for Outside:xxx.xxx.141.254/35031 (xxx.xxx.141.254/35031) to Inside:192.168.1.49/2915 (xxx.xxx.27.122/33472)

SYN Timeout      Force termination after 30 seconds awaiting three-way handshake completion.

I do not have access to see the config on the other end.  All my internal private addresses are NAT'd to a publicly routable address before being forwarded through the tunnel.  I have attached my relevant config.  Anyone have any ideas?

TIA


crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400 

! Policy NAT: inside 192.168.0.0/16 to the remote /24 is translated to the single
! address in global (outside) 2 before the crypto map is evaluated (pre-8.3 order).
access-list B2B_1_NAT extended permit ip 192.168.0.0 255.255.0.0 xxx.xxx.141.0 255.255.255.0
! Crypto ACL (interesting traffic): matches the translated source, not 192.168.x.x.
access-list B2B_1_NETWORKS extended permit ip xxx.xxx.27.122 255.255.255.255 xxx.xxx.141.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 30 match address B2B_1_NETWORKS
crypto map Outside_map 30 set peer xxx.xxx.130.208
crypto map Outside_map 30 set transform-set ESP-3DES-SHA
crypto map Outside_map 30 set security-association lifetime seconds 28800
crypto map Outside_map interface Outside

nat (inside) 2 access-list B2B_1_NAT
global (outside) 2 xxx.xxx.27.122

tunnel-group xxx.xxx.130.208 type ipsec-l2l
tunnel-group xxx.xxx.130.208 ipsec-attributes
 pre-shared-key *


! As pasted, the /32 mask below covers only the single host xxx.xxx.130.0,
! not the peer xxx.xxx.130.208.
route Outside xxx.xxx.130.0 255.255.255.255 xxx.xxx.27.126 1
route Outside xxx.xxx.141.0 255.255.255.0 xxx.xxx.27.126 1

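The following is an added example, not code from the post or from Cisco: an offline consistency check that walks the flow from the two syslog lines through the posted fragment in the order a pre-8.3 ASA applies it (policy NAT first, crypto ACL on the translated packet, then static routes for the destination and the IKE peer). It assumes the constructed prefix 203.0 in place of the redacted "xxx.xxx" octets, models only the pieces the post shows, and uses the syslog 302013 convention that for an outbound connection the "for" side is the lower-security destination and the "to" side is the initiator with its PAT address in parentheses.

```python
"""Offline check of the posted ASA L2L fragment against the posted syslog lines.

Added example, not code from the original post. The poster redacted the first
two octets as "xxx.xxx"; the constructed prefix 203.0 stands in for them here.
"""
import ipaddress
import re

P = "203.0"  # constructed stand-in for the redacted "xxx.xxx" prefix

# Transcribed from the post (pre-8.3 ASA syntax), with the prefix substituted.
ASA_CONFIG = f"""
access-list B2B_1_NAT extended permit ip 192.168.0.0 255.255.0.0 {P}.141.0 255.255.255.0
access-list B2B_1_NETWORKS extended permit ip {P}.27.122 255.255.255.255 {P}.141.0 255.255.255.0
crypto map Outside_map 30 match address B2B_1_NETWORKS
crypto map Outside_map 30 set peer {P}.130.208
nat (inside) 2 access-list B2B_1_NAT
global (outside) 2 {P}.27.122
route Outside {P}.130.0 255.255.255.255 {P}.27.126 1
route Outside {P}.141.0 255.255.255.0 {P}.27.126 1
"""

# The two syslog lines from the post, same substitution, whitespace collapsed.
ASA_SYSLOG = f"""
6 Dec 17 2009 04:38:27 302013 {P}.141.254 35031 192.168.1.49 2915 Built outbound TCP connection 62666814 for Outside:{P}.141.254/35031 ({P}.141.254/35031) to Inside:192.168.1.49/2915 ({P}.27.122/33472)
6 Dec 17 2009 04:38:57 302014 {P}.141.254 35031 192.168.1.49 2915 Teardown TCP connection 62666814 for Outside:{P}.141.254/35031 to Inside:192.168.1.49/2915 duration 0:00:30 bytes 0 SYN Timeout
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)")
CRYPTO_ACL_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
NAT_RE = re.compile(r"^nat \(\S+\) (\d+) access-list (\S+)")
GLOBAL_RE = re.compile(r"^global \(\S+\) (\d+) (\S+)")
# For an *outbound* 302013 the "for" side is the lower-security destination and
# the "to" side is the initiator, whose mapped (PAT) address is in parentheses.
BUILT_RE = re.compile(r"Built outbound TCP connection (\d+) for \w+:(\S+)/\d+ \(\S+/\d+\) "
                      r"to \w+:(\S+)/\d+ \((\S+)/\d+\)")
TEARDOWN_RE = re.compile(r"Teardown TCP connection (\d+) .* bytes (\d+) (.+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    cfg = {"acls": {}, "routes": [], "nat": {}, "global": {}}
    for line in text.strip().splitlines():
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m[1], []).append((m[2], net(m[3], m[4]), net(m[5], m[6])))
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m[1], net(m[2], m[3]), ipaddress.ip_address(m[4])))
        elif m := PEER_RE.match(line):
            cfg["peer"] = ipaddress.ip_address(m[1])
        elif m := CRYPTO_ACL_RE.match(line):
            cfg["crypto_acl"] = m[1]
        elif m := NAT_RE.match(line):
            cfg["nat"][m[1]] = m[2]
        elif m := GLOBAL_RE.match(line):
            cfg["global"][m[1]] = ipaddress.ip_address(m[2])
    return cfg


def parse_flows(text):
    flows = {}
    for line in text.strip().splitlines():
        if m := BUILT_RE.search(line):
            flows[m[1]] = {"dst": ipaddress.ip_address(m[2]),
                           "src_real": ipaddress.ip_address(m[3]),
                           "src_mapped": ipaddress.ip_address(m[4])}
        elif m := TEARDOWN_RE.search(line):
            flows.setdefault(m[1], {}).update(bytes=int(m[2]), reason=m[3].strip())
    return flows


def acl_permits(entries, src, dst):
    """First matching ACE wins, as on the ASA; no match is an implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


def best_route(routes, addr):
    """Longest-prefix match over the static routes in the fragment (no default route is posted)."""
    hits = [r for r in routes if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen, default=None)


def check(cfg, flow):
    """Walk one flow in pre-8.3 ASA order: policy NAT first, crypto ACL on the translated packet."""
    src, mapped, dst = flow["src_real"], flow["src_mapped"], flow["dst"]
    nat_id = next((i for i, name in cfg["nat"].items() if acl_permits(cfg["acls"][name], src, dst)), None)
    crypto = cfg["acls"][cfg["crypto_acl"]]
    return {
        "policy_nat_hit": nat_id is not None,
        "mapped_matches_global": nat_id is not None and cfg["global"][nat_id] == mapped,
        "crypto_acl_matches_translated": acl_permits(crypto, mapped, dst),
        "crypto_acl_matches_untranslated": acl_permits(crypto, src, dst),
        "route_to_dst": best_route(cfg["routes"], dst),
        "route_to_peer": best_route(cfg["routes"], cfg["peer"]),
        "teardown": f"{flow.get('reason')} after {flow.get('bytes')} bytes",
    }


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for cid, flow in parse_flows(ASA_SYSLOG).items():
        print(f"connection {cid}: {flow['src_real']} -> {flow['dst']} (PAT {flow['src_mapped']})")
        for key, value in check(cfg, flow).items():
            print(f"  {key}: {value}")
```

Run as-is, the report shows that the inside host's SYN did hit the policy NAT, left as the global PAT address, and matched the crypto ACL only after translation (the untranslated 192.168.1.49 source would not match B2B_1_NETWORKS at all), and that the teardown was a SYN timeout with zero bytes, so no SYN/ACK ever came back. It also shows that the IKE peer matches none of the posted static routes, because the /32 route covers only the host ending in .130.0; with the fragment as pasted, reachability of the peer rests on whatever default route the box has, which the post does not show. What the local side cannot verify is the mirror of this policy on the peer (its crypto ACL and NAT for the 27.122 address), which is where the missing return traffic would have to be chased.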

MikeKane replied:

First, force a clear of all the tunnels:
clear crypto isakmp sa
clear crypto ipsec sa

Then retest.


At a glance, I don't see anything in the config, but I can devote more time if the cleared tunnels don't help.
TakedaT (asker) replied:

Thanks for the response.  I actually have done that already a few times when testing over the past few days.  Also, I can't test this now as it will interrupt services for about 500 employees.  Currently, the two route commands:

route Outside xxx.xxx.130.0 255.255.255.255 xxx.xxx.27.126 1
route Outside xxx.xxx.141.0 255.255.255.0 xxx.xxx.27.126 1

actually point to a different internal router that has a frame-relay connection to the same company, rather than pointing to my public gateway as above.  The L2L is supposed to replace that.  I need to test between 1am and 4am.  When I do test, I remove the above route commands and add the ones above, which makes those services unavailable while I am testing, unless of course the tunnel were to actually work.
ASKER CERTIFIED SOLUTION (TakedaT)