07-25-2008 01:33 AM - edited 03-11-2019 06:20 AM
Hi, I am trying to create an STS tunnel, and when I execute the command it shows that the tunnel is active, but the two networks are not able to connect with each other.
Please suggest.
07-25-2008 01:51 AM
Please suggest urgent...
07-25-2008 02:21 AM
It looks like you forgot to do NAT-exemption
or have a problem with routing.
07-25-2008 02:35 AM
I have checked everything several times, as all other tunnels are responding well. Is there any other way???
07-25-2008 02:39 AM
Could you show the configuration?
07-25-2008 02:54 AM
Site 1
name 172.17.80.247 MTN_SMPP_Server description MTN_SMPP_Server
!
!
interface Vlan2
description Voxiva, DC - External Interface
nameif outside
security-level 0
ip address 65.x.x.34 255.255.255.0
!
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 196.44.248.66
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 196.44.248.66 type ipsec-l2l
tunnel-group 196.44.248.66 ipsec-attributes
pre-shared-key *
Site 2
name 65.205.4.34 VOXIVADC_VPN_Peer2
object-group network MTNRwanda
network-object host 172.17.80.247
object-group network VOXIVADC2
network-object host VOXIVADC_VPN_Peer2
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
crypto map ASPECT_MTNR 180 set pfs
crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 65.205.4.34 type ipsec-l2l
tunnel-group 65.205.4.34 ipsec-attributes
pre-shared-key *
Please advise, urgent
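The NAT-exemption point raised earlier in the thread can be checked mechanically: every entry in the crypto map's match ACL needs an identical entry in an ACL bound with nat (interface) 0 access-list, otherwise that traffic is translated before it reaches the tunnel. This Python checker is an added example, not code from the thread or from Cisco; SITE2 is an excerpt of the site 2 configuration posted above, and BROKEN is a constructed variant with the nat 0 binding removed.

```python
from collections import defaultdict

# Excerpt of the site 2 configuration as posted in the thread.
SITE2 = """\
name 65.205.4.34 VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
"""
# Constructed failure case: same config with the NAT-exemption binding missing.
BROKEN = SITE2.replace("nat (intf2) 0 access-list MTNVPNVOXIVA\n", "")

def _endpoint(tokens, names):
    """Consume one ACL endpoint ('any', 'host X', 'object-group G' or 'NET MASK')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] in ("host", "object-group"):
        return f"{tokens[0]} {names.get(tokens[1], tokens[1])}", tokens[2:]
    return f"{names.get(tokens[0], tokens[0])}/{tokens[1]}", tokens[2:]

def parse_asa(config):
    """Collect 'name' mappings, 'permit ip' ACL entries, nat 0 ACLs and crypto-map match ACLs."""
    names, acls, nat0, crypto = {}, defaultdict(list), set(), set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"]:                      # name <ip> <label>: resolve labels to IPs
            names[t[2]] = t[1]
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _endpoint(t[5:], names)
            dst, _ = _endpoint(rest, names)
            acls[t[1]].append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.add(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.add(t[6])
    return acls, nat0, crypto

def nat_exempt_gaps(config):
    """Return (acl, (src, dst)) for crypto-ACL entries that no nat 0 ACL exempts from NAT."""
    acls, nat0, crypto = parse_asa(config)
    exempt = {e for acl in nat0 for e in acls.get(acl, [])}
    return [(acl, e) for acl in sorted(crypto) for e in acls.get(acl, []) if e not in exempt]

if __name__ == "__main__":
    for acl, (src, dst) in nat_exempt_gaps(BROKEN):
        print(f"{acl}: {src} -> {dst} is selected for encryption but not NAT-exempt")
```

The check only compares literal entries; a nat 0 entry that covers a crypto-ACL entry with a wider mask would still be reported, so treat a report as a prompt to look, not as proof of a fault.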
07-25-2008 03:07 AM
Please respond urgent
07-25-2008 03:16 AM
try to remove this
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
07-25-2008 03:26 AM
Done, but it's still not working
07-25-2008 03:52 AM
Please respond asap...
07-25-2008 04:03 AM
Could you show configuration of site 2?
Also check that you have enabled NAT-T:
crypto isakmp nat-traversal 20
07-25-2008 04:09 AM
name 65.205.4.34 VOXIVADC_VPN_Peer2
object-group network MTNRwanda
network-object host 172.17.80.247
object-group network VOXIVADC2
network-object host VOXIVADC_VPN_Peer2
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
crypto map ASPECT_MTNR 180 set pfs
crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 65.205.4.34 type ipsec-l2l
tunnel-group 65.205.4.34 ipsec-attributes
pre-shared-key *
Please advise, urgent
07-25-2008 04:20 AM
This is only part of the configuration
and I asked you before to remove the following line from the configuration
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
after that try to do the following
no crypto map ASPECT_MTNR interface outside
crypto map ASPECT_MTNR interface outside
this will clear all ipsec sa (sometimes it works better than just "clear crypto ipsec sa")
07-25-2008 04:44 AM
Waiting :)
07-25-2008 04:47 AM
But it will affect the other VPN