Posted by: manilageek | July 16, 2012

How to check Site to Site VPN on Cisco ASA Firewall

#show run crypto map    ! to check the VPN crypto map entries in the running configuration

crypto map VPNMAP_Outside_1 2 match address XXXXX_IPSEC_ACL
crypto map VPNMAP_Outside_1 2 set peer 170.2.52.28
crypto map VPNMAP_Outside_1 2 set transform-set ESP-AES-256-MD5
crypto map VPNMAP_Outside_1 2 set security-association lifetime seconds 3600
crypto map VPNMAP_Outside_1 2 set nat-t-disable
crypto map VPNMAP_Outside_1 interface Outside-1

#show run access-list XXXXX_IPSEC_ACL

access-list XXXXX_IPSEC_ACL extended permit ip host 192.168.17.17 object-group XXXXX_S2S_Resource
access-list XXXXX_IPSEC_ACL extended permit ip host 192.168.17.17 object-group XXXXX_S2S_Resource-v02

#show run object-group id XXXXX_S2S_Resource-v02

object-group network XXXXX_S2S_Resource-v02
 description XXXXX S2S VPN resources
 network-object host xx.xx.xx.190
 network-object host xx.xx.xx.193
 network-object host xx.xx.xx.196

#show vpn-sessiondb l2l    ! to check whether the VPN tunnel is up. In the output below the tunnel is up, but no packets have been received from the remote end (Bytes Rx = 0).

Session Type: LAN-to-LAN

Connection   : XX.XX.XX.28
Index        : 1                        IP Addr    : XX.XX.XX.28
Protocol     : IPSecLAN2LAN             Encryption : AES256
Hashing      : MD5
Bytes Tx     : 200                      Bytes Rx   : 0
Login Time   : 11:30:16 PHST Fri Jul…
Duration     : 0h:13m:14s
Filter Name  :

#show crypto ipsec sa    ! the encrypt counters are egress traffic and the decrypt counters are ingress traffic. Based on the output below we are transmitting packets but not receiving any, since #pkts decrypt is 0.

Interface: Outside-1
    Crypto map tag: VPNMAP_Outside_1, seq num:2, local addr: YY.YY.YY.8
      Access-list XXXXX_IPSEC_ACL extended permit ip host XX.XX.XX.17 host CC.CC.CC.11
      Local ident…
      #pkts encap: 189, #pkts encrypt: 189, #pkts digest: 189
      #pkts decaps: 22, #pkts decrypt: 0, #pkts verify: 0
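As an added example (not part of the original post and not a Cisco tool), the following Python applies the same reading of the counters to constructed sample output modelled on the two show commands above. The addresses are documentation ranges and the verdict wording is the example's own assumption.

```python
import re

# Constructed sample output modelled on the post's "show crypto ipsec sa" and
# "show vpn-sessiondb l2l" excerpts; addresses are documentation ranges, not real peers.
IPSEC_SA_SAMPLE = """
Interface: Outside-1
    Crypto map tag: VPNMAP_Outside_1, seq num: 2, local addr: 198.51.100.8
      access-list XXXXX_IPSEC_ACL extended permit ip host 192.168.17.17 host 203.0.113.11
      #pkts encaps: 189, #pkts encrypt: 189, #pkts digest: 189
      #pkts decaps: 22, #pkts decrypt: 0, #pkts verify: 0
"""

SESSIONDB_SAMPLE = """
Session Type: LAN-to-LAN
Connection   : 203.0.113.28
Index        : 1                      IP Addr    : 203.0.113.28
Protocol     : IPSecLAN2LAN           Encryption : AES256
Hashing      : MD5
Bytes Tx     : 200                    Bytes Rx   : 0
Duration     : 0h:13m:14s
"""


def parse_counters(text, keys):
    """Extract named integer counters such as '#pkts decrypt: 0' or 'Bytes Rx : 0'."""
    found = {}
    for key in keys:
        m = re.search(re.escape(key) + r"\s*:\s*(\d+)", text)
        if m:
            found[key] = int(m.group(1))
    return found


def diagnose_tunnel(ipsec_sa_text, sessiondb_text):
    """Apply the post's reasoning: encrypt/Tx count egress traffic, decrypt/Rx count
    ingress traffic. Returns (state, detail) with state 'down', 'one-way',
    'bidirectional' or 'unknown'."""
    sa = parse_counters(ipsec_sa_text, ["#pkts encrypt", "#pkts decaps", "#pkts decrypt"])
    sess = parse_counters(sessiondb_text, ["Bytes Tx", "Bytes Rx"])
    if "Session Type: LAN-to-LAN" not in sessiondb_text or "#pkts encrypt" not in sa:
        return ("down", "no LAN-to-LAN session or no IPsec SA for this crypto map entry")
    tx_ok = sa["#pkts encrypt"] > 0 or sess.get("Bytes Tx", 0) > 0
    rx_ok = sa.get("#pkts decrypt", 0) > 0 or sess.get("Bytes Rx", 0) > 0
    if tx_ok and rx_ok:
        return ("bidirectional", "traffic encrypted and decrypted in both directions")
    if tx_ok and not rx_ok:
        if sa.get("#pkts decaps", 0) > 0:
            return ("one-way", "ESP packets arrive (decaps > 0) but none are decrypted")
        return ("one-way", "nothing received from the remote end (decaps = 0, Bytes Rx = 0)")
    return ("unknown", "counters present but no traffic sent")
```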
