07-10-2008 01:17 PM - edited 03-09-2019 09:03 PM
Hi
Bet no one can solve this one
I have a Cisco ASA and 2 877s
The outside interface is connected to the internet, nothing on the inside
The 2 877s are also connected to the internet.
I have 2 VPNs that connect to the outside of the ASA.
Both tunnels are up.
But am unable to ping from one 877 to the other 877 via the VPNs.
I have intra interface enabled and sysopt connection permit-vpn
Though I did set the VPNs up with match address statements.
I have been on this for over a week and I'm starting to lose the plot.
Any help very much appreciated.
Richard
07-10-2008 02:20 PM
show ASA's configuration
07-10-2008 11:31 PM
ciscoasa# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password xxx
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.252
!
interface GigabitEthernet0/1
nameif HQ
security-level 0
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.200 255.255.240.0
!
passwd xxx
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0
access-list 100 extended permit ip any any
access-list 101 extended permit ip 10.20.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu HQ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 195.*.*.*
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set intra esp-3des esp-sha-hmac
crypto map Labs 10 match address 100
crypto map Labs 10 set peer *.*.*.*
crypto map Labs 10 set transform-set intra
crypto map Labs 10 set security-association lifetime seconds 86400
crypto map Labs 11 match address 101
crypto map Labs 11 set peer *.*.*.*
crypto map Labs 11 set transform-set intra
crypto map Labs 11 set security-association lifetime seconds 86400
crypto map Labs interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.240.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
pre-shared-key *
tunnel-group 88.*.*.* type ipsec-l2l
tunnel-group 88.*.*.* ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#
07-11-2008 12:41 AM
access-list 100 extended permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0
no access-list 100 extended permit ip any any
access-list 101 extended permit ip 10.20.40.0 255.255.255.0 10.20.30.0 255.255.255.0
no access-list 101 extended permit ip any any
and modify ACL on the spokes accordingly
after that
initiate traffic from one spoke to another
and show
sh crypto isakmp sa
sh crypto ipsec sa
on all devices
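A small model of why the catch-all entries in the posted crypto ACLs break spoke-to-spoke traffic, added here as an illustration and not code from the thread. The peer addresses and which spoke terminates which LAN are assumptions, since the thread masks them; the ACL lines themselves are taken from the posted configuration.

```python
import ipaddress

# Constructed placeholders: the thread masks the real peer addresses, and
# which spoke sits behind which LAN is assumed here.
SPOKE_A = "198.51.100.1"  # assumed to terminate 10.20.30.0/24
SPOKE_B = "198.51.100.2"  # assumed to terminate 10.20.40.0/24

def parse_ace(line):
    """Parse 'permit ip <src> <mask> <dst> <mask>' ('any' allowed) into two networks."""
    tokens = line.split()
    assert tokens[:2] == ["permit", "ip"], line
    tokens, nets = tokens[2:], []
    while tokens:
        if tokens[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            tokens = tokens[1:]
        else:
            nets.append(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"))
            tokens = tokens[2:]
    return nets[0], nets[1]

def acl_permits(acl, src, dst):
    """True if any ACE in the crypto ACL covers this src/dst pair."""
    return any(src in s and dst in d for s, d in map(parse_ace, acl))

def select_crypto_map_entry(crypto_map, src, dst):
    """Return (seq, peer) for the lowest-numbered entry whose ACL matches.
    This mirrors the ASA: crypto map entries are checked in sequence order and
    the first match decides the peer, so 'permit ip any any' in seq 10
    shadows every later entry."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl, peer in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(acl, src, dst):
            return seq, peer
    return None  # not interesting traffic: leaves in the clear via the default route

# The crypto ACLs as in the posted 'sh run', then with the catch-all removed.
BROKEN = [
    (10, ["permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0",
          "permit ip any any"], SPOKE_B),
    (11, ["permit ip 10.20.40.0 255.255.255.0 10.20.30.0 255.255.255.0",
          "permit ip any any"], SPOKE_A),
]
FIXED = [(seq, acl[:1], peer) for seq, acl, peer in BROKEN]

if __name__ == "__main__":
    # Reply traffic from spoke B's LAN to spoke A's LAN: the broken config hands
    # it to seq 10 (back to spoke B), the fixed config to seq 11 and spoke A.
    print(select_crypto_map_entry(BROKEN, "10.20.40.5", "10.20.30.5"))  # -> (10, '198.51.100.2')
    print(select_crypto_map_entry(FIXED, "10.20.40.5", "10.20.30.5"))   # -> (11, '198.51.100.1')
```

Only the 10.20.40.0 to 10.20.30.0 direction is misrouted, which is why the tunnels show up yet pings never get a reply; with the catch-all gone, internet-bound traffic also stops matching any crypto map entry.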
07-11-2008 01:00 AM
Thanks m8
Not really a CCIE question, was it.
Been messing around with everything but so obvious.