Problems with ipsec betwen Cisco ASA 5505 and Juniper ssg5

cisco-asaipsecjuniper

I am trying to set up an ipsec tunnel between our ASA 5505 and a Juniper ssg5.
The tunnel is up and running, but I cannot get any data through it.

The local network I am on is 172.16.1.0 and the remote is 192.168.70.0. But I cannot ping anything on their network. I receive a "Phase 2 OK" when I set up the ipsec.

I think this is the part of the config that is applicable. It seems like the data is not routed through the tunnel, but I am not sure…

object network our-network
 subnet 172.16.1.0 255.255.255.0
object network their-network
 subnet 192.168.70.0 255.255.255.0
access-list outside_cryptomap extended permit ip object our-network object their-network 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer THEIR_IP
crypto map outside_map 1 set ikev1 phase1-mode aggressive 
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside

webvpn
group-policy GroupPolicy_THEIR_IP internal
group-policy GroupPolicy_THEIR_IP attributes
 vpn-filter value outside_cryptomap
 ipv6-vpn-filter none
 vpn-tunnel-protocol ikev1 
tunnel-group THEIR_IP type ipsec-l2l
tunnel-group THEIR_IP general-attributes
 default-group-policy GroupPolicy_THEIR_IP
tunnel-group THEIR_IP ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Tihis is the output of the packet tracer. I user my ip as source, their firewall as destination and IP with protocol 0 on interface OUR

ROUTE-LOOKUP
Type -ROUTE-LOOKUP Action -ALLOW
Info
in 0.0.0.0 0.0.0.0 outsied
IT-OPTIONS
Type -IP-OPtions Action -ALLOW
NAT
Tyope -NAT Action -DROP Show rule in NAT Rules table.
Config
object network obj_any
nat (any,outside) dynamic interface
RESULT - The packet is dropped
Input Interface: OUR
Output  Interface:outside
Info: (acl-drop) Flow is denied by configured rule

Best Answer

You config looks sane at first glance, even though I don't see the need for the reverse-route. You forgot to add the isakmp policy which starts with "crypto isakmp policy ", although entering Phase 2 obviously means Phase 1 completed.

1) Do you let it bypass the normal ACL (by config: sysopt connection permit-vpn)?

2) Can you do a packet-tracer and paste the result?

Related Topic