Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
0
Helpful
4
Replies

Intra interface

Go to solution
richard.gosling
Level 1
Level 1

‎07-10-2008 01:17 PM - edited ‎03-09-2019 09:03 PM

Hi

Bet no one can solve this one

I have a cisco ASA and 2 877

The outside interface is connected to the internet, nothing on the inside

The 2 877 are also connected to the internet.

I have 2 VPN's that connect to the outside of the ASA.

Both tunnels are up.

But am unable to ping from one 877 to the other 877 via the VPN's.

I have intra interface enabled and sysopt connection permit-vpn

Tho I did set the vpn's up with match address statments.

I have been on this for ove a week and im starting to lose the plot.

Any help very much appricated.

Richard

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
a.alekseev
Level 7
Level 7
In response to richard.gosling

‎07-11-2008 12:41 AM

access-list 100 extended permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0

no access-list 100 extended permit ip any any

access-list 101 extended permit ip 10.20.40.0 255.255.255.0 10.20.30.0 255.255.255.0

no access-list 101 extended permit ip any any

and modify ACL on the spokes accordingly

after that

initiate traffic from one spoke to another

and show

sh crypto isakmp sa

sh crypto ipsec sa

on all devices

View solution in original post

0 Helpful
4 Replies 4

Go to solution
a.alekseev
Level 7
Level 7

‎07-10-2008 02:20 PM

show ASA's configuration

0 Helpful

Go to solution
richard.gosling
Level 1
Level 1
In response to a.alekseev

‎07-10-2008 11:31 PM

ciscoasa# sh run

: Saved

:

ASA Version 8.0(3)

!

hostname ciscoasa

enable password xxx

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address *.*.*.* 255.255.255.252

!

interface GigabitEthernet0/1

nameif HQ

security-level 0

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.200 255.255.240.0

!

passwd xxx

ftp mode passive

same-security-traffic permit intra-interface

access-list 100 extended permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0

access-list 100 extended permit ip any any

access-list 101 extended permit ip 10.20.40.0 255.255.255.0 10.20.30.0 255.255.255.0

access-list 101 extended permit ip any any

pager lines 24

mtu outside 1500

mtu HQ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

route outside 0.0.0.0 0.0.0.0 195.*.*.*

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set intra esp-3des esp-sha-hmac

crypto map Labs 10 match address 100

crypto map Labs 10 set peer *.*.*.*

crypto map Labs 10 set transform-set intra

crypto map Labs 10 set security-association lifetime seconds 86400

crypto map Labs 11 match address 101

crypto map Labs 11 set peer *.*.*.*

crypto map Labs 11 set transform-set intra

crypto map Labs 11 set security-association lifetime seconds 86400

crypto map Labs interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.0.0 255.255.240.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

tunnel-group *.*.*.* type ipsec-l2l

tunnel-group *.*.*.* ipsec-attributes

pre-shared-key *

tunnel-group 88.*.*.* type ipsec-l2l

tunnel-group 88.*.*.* ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa#

0 Helpful

Go to solution
a.alekseev
Level 7
Level 7
In response to richard.gosling

‎07-11-2008 12:41 AM

access-list 100 extended permit ip 10.20.30.0 255.255.255.0 10.20.40.0 255.255.255.0

no access-list 100 extended permit ip any any

access-list 101 extended permit ip 10.20.40.0 255.255.255.0 10.20.30.0 255.255.255.0

no access-list 101 extended permit ip any any

and modify ACL on the spokes accordingly

after that

initiate traffic from one spoke to another

and show

sh crypto isakmp sa

sh crypto ipsec sa

on all devices

0 Helpful

Go to solution
richard.gosling
Level 1
Level 1
In response to a.alekseev

‎07-11-2008 01:00 AM

Thanks m8

Not really a CCIE question was it.

Been messing around with everything but so obvious.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents