IPSEC L2L question

rlloveras
Level 1

Hi, I have a network running EIGRP and my default gateway is the ASA 5510. The network runs fine, but I want to set up remote connectivity through the other site in case they lose the link, using IPsec tunneling. I have established IPsec between sites (ASA and remote site) but I cannot get to the LAN behind the ASA. My version of ASA is 7.2... Do I have to upgrade to 8.0 just to get it to work?

LAN---CORE---->ASA--->(CLOUD)<-----Remote

LAN: 192.168.4.1

CORE2ASA: 192.168.200.1 -.2

REMOTE: 192.168.15.2

Please help, and thank you.

10 Replies

dongdongliu
Level 1

Hi,

Sorry, I have some more questions.

1. If CORE receives a packet from LAN that wants to go to REMOTE, how does it handle it?

2. The ACLs on the two sides for interesting traffic must mirror each other, mustn't they?

3. When IPsec is built, please traceroute from LAN to REMOTE and look at what happens.

Regards,

dongdong

Hello

1. When I trigger interesting traffic from remote to LAN I see the tunnel come up active, but the packet seems to go nowhere. To me it seems to die on its way out of the ASA.

2. The ACL does mirror at each site, since the tunnel comes up active, but it seems that the EIGRP neighbor relationship is not established.

3. (I will try this one next.)

Thanks,

dongdong

I have attached a better picture of the network. Currently I am running 7.2 on the ASA. I have been reading a lot on L2L IPsec and I have a few questions just to clear things up.

1. Does EIGRP run over an L2L IPsec tunnel, and based on my diagram, is it possible that I can get an EIGRP relationship between sites? I have heard that it cannot be established since it goes through the tunnel as unicast.

2. Considering the option of upgrading to 8.0(3) to run EIGRP between the static routes (diagram): would this actually even solve my problem?

3. Do I have to configure a GRE tunnel within IPsec to get this to work?

Thanks everyone for your input. I have been working on this thing for weeks now and it's kicking me all day long.

I have enabled reverse route on the ASA 5510 and it is replying to the ICMP packets, and remote and LAN are working. But it also gives me a new problem. Reverse route injection puts a static route in my routing table even when the tunnel is not up. This causes routing issues when the tunnel is not up and the static route for the remote site is still in the ASA routing table. Is there any way to have the static route on the ASA for the remote site disappear when the tunnel is not in use or is inactive?

dongdongliu
Level 1

Hi,

Have you set a policy so that traffic from LAN to REMOTE is not NATed?

Regards,

dongdong

Hi dongdong,

Yes, I have specified that LAN to remote is not to be NATed. It seems that the ASA doesn't know what to do with it, since I am not running a dynamic protocol such as OSPF or EIGRP between the router CORE--->ASA; it's static between these two links.

Have you configured routing on the ASA for the remote network? Either a static route, or using the reverse-route command on the crypto map entry?

This is what I have currently:

(EIGRP) LAN---CORE---->ASA--->(CLOUD)<--Remote(EIGRP)

Between the ASA and the CORE I have not configured any routing protocol; between the CORE and ASA there are only statics. However, I do have EIGRP running between the CORE and the LAN. I have not configured reverse-route yet on my crypto map.

The purpose of this configuration is for the case where the remote site loses connectivity over frame relay: the remote site can then connect back to the CORE LAN via the IPsec tunnel.

I do apologize, and thank everyone for the help and input. This is the first time I have worked with an ASA, so thank you again.

No problem! Your ASA should know how to get to the remote VPN peer, so you will need some sort of routing out of the ASA covering the remote peer device (a static default, for example).

Besides this, you will also need a route for the remote (private) network. This can be installed one of two ways: manually, or using the reverse-route command in your crypto map config.

Can you post your config?
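The pieces this reply lists (a route to reach the peer, a route for the remote private network via a static or reverse-route) together with the NAT exemption dongdong asked about and a mirrored interesting-traffic ACL, pulled together into a minimal ASA 7.2-style L2L configuration. This is an added example and is not the original poster's configuration or anything posted in the thread. It uses the thread's addressing (LAN 192.168.4.x behind CORE at 192.168.200.1, ASA inside 192.168.200.2, remote 192.168.15.x) and assumes /24 masks, interface names inside/outside, the documentation-range peer address 203.0.113.1 and ISP next hop 203.0.113.254, and the object names L2L_TRAFFIC, NO_NAT, ESP-AES-SHA and OUTSIDE_MAP.

```cisco
! Added example, not from the thread. Peer/ISP addresses, masks and object names are assumed.
! Assumed topology:
!   LAN 192.168.4.0/24 -- CORE 192.168.200.1 -- ASA inside 192.168.200.2 / outside -- 203.0.113.1 -- remote 192.168.15.0/24

! 1. Interesting traffic. The remote peer's crypto ACL must be the exact mirror image
!    (192.168.15.0/24 -> 192.168.4.0/24), or phase 2 never matches.
access-list L2L_TRAFFIC extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0

! 2. NAT exemption (pre-8.3 "nat 0" syntax). LAN-to-remote traffic must not be translated
!    before it reaches the crypto map, otherwise its source no longer matches L2L_TRAFFIC.
access-list NO_NAT extended permit ip 192.168.4.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! 3. Routing. The ASA needs:
!    (a) a route to reach the peer itself - a default route toward the ISP (assumed next hop)
route outside 0.0.0.0 0.0.0.0 203.0.113.254
!    (b) a return path to the LAN, which sits behind CORE and is not directly connected
route inside 192.168.4.0 255.255.255.0 192.168.200.1
!    (c) a route for the remote private network so traffic exits via outside and hits the crypto map.
!        Either install it manually:
!          route outside 192.168.15.0 255.255.255.0 203.0.113.254
!        or let reverse-route on the crypto map entry install it (used below).

! 4. IKE and IPsec. 7.2 uses "isakmp ..." (8.0 renamed it to "crypto isakmp ...").
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set reverse-route
crypto map OUTSIDE_MAP interface outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_SECRET

! 5. Checks after triggering the tunnel from the remote side:
!    show route
!      expect 192.168.15.0/24 via outside; reverse-route installs it as a static route,
!      which is why (as observed later in the thread) it stays even when the tunnel is down
!    show crypto ipsec sa
!      #pkts encaps and #pkts decaps should both increase; encaps only means the return path is missing
!    packet-tracer input inside icmp 192.168.4.1 8 0 192.168.15.2
!      walks the ROUTE-LOOKUP, NAT-EXEMPT and VPN phases and names the one that drops the packet
```

The two-way check matters for the symptom described in the thread: if the tunnel comes up but LAN-to-remote pings die, `packet-tracer` run from the inside interface shows whether the packet is being NATed (exemption missing), routed out the wrong interface (no route for 192.168.15.0/24), or encrypted but never answered (remote side lacks a route back, or the crypto ACLs are not mirrored).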

Ping works between:

ASA---->CORE

ASA---->Remote

LAN---->ASA inside and outside interface

LAN---->Remote does not work. IPsec is established between remote and ASA; traffic just can't pass through the ASA to get to the LAN. I will have to clean up the config, but it will take some time. Thanks again.
