07-25-2008 01:33 AM - edited 03-11-2019 06:20 AM
Hi, I am trying to create an STS tunnel, and when I execute the command it shows that the tunnel is active, but the two networks are not able to connect with each other.
Please suggest.
07-25-2008 01:51 AM
Please suggest urgently...
07-25-2008 02:21 AM
It looks like you forgot to do NAT-exemption
or have a problem with routing.
07-25-2008 02:35 AM
I have checked everything several times, as all other tunnels are responding well. Is there any other way?
07-25-2008 02:39 AM
Could you show the configuration?
07-25-2008 02:54 AM
Site 1
name 172.17.80.247 MTN_SMPP_Server description MTN_SMPP_Server
!
!
interface Vlan2
description Voxiva, DC - External Interface
nameif outside
security-level 0
ip address 65.x.x.34 255.255.255.0
!
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 196.44.248.66
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 196.44.248.66 type ipsec-l2l
tunnel-group 196.44.248.66 ipsec-attributes
pre-shared-key *
Site 2
name 65.205.4.34 VOXIVADC_VPN_Peer2
object-group network MTNRwanda
network-object host 172.17.80.247
object-group network VOXIVADC2
network-object host VOXIVADC_VPN_Peer2
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
crypto map ASPECT_MTNR 180 set pfs
crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 65.205.4.34 type ipsec-l2l
tunnel-group 65.205.4.34 ipsec-attributes
pre-shared-key *
Please advise, urgent.
07-25-2008 03:07 AM
Please respond urgently.
07-25-2008 03:16 AM
Try removing this:
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
07-25-2008 03:26 AM
Done, but it's still not working.
07-25-2008 03:52 AM
Please respond asap...
07-25-2008 04:03 AM
Could you show configuration of site 2?
Also check that you have enabled NAT-T:
crypto isakmp nat-traversal 20
07-25-2008 04:09 AM
name 65.205.4.34 VOXIVADC_VPN_Peer2
object-group network MTNRwanda
network-object host 172.17.80.247
object-group network VOXIVADC2
network-object host VOXIVADC_VPN_Peer2
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
crypto map ASPECT_MTNR 180 set pfs
crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 65.205.4.34 type ipsec-l2l
tunnel-group 65.205.4.34 ipsec-attributes
pre-shared-key *
Please advise, urgent.
07-25-2008 04:20 AM
This is only part of the configuration,
and I asked you before to remove the following line from the configuration:
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
After that, try the following:
no crypto map ASPECT_MTNR interface outside
crypto map ASPECT_MTNR interface outside
This will clear all IPsec SAs (sometimes it works better than just "clear crypto ipsec sa").
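The two checks the replies keep coming back to (mirrored crypto ACLs on both peers, and NAT exemption covering everything the crypto ACL selects) can be verified mechanically. The script below is an added example, not code from this thread or from Cisco; it assumes a mapping for Site 1's named networks (vdc_inside-network and friends are not shown), and it only parses "extended permit ip" host/network lines.

```python
import ipaddress
# Added example, not the thread's own code: check that two ASA sites' crypto ACLs mirror
# each other (proxy identities) and that each site's nat 0 ACL covers its crypto ACL.
# Site 1's network names are not shown in the thread, so this mapping is an assumption.
NAMES = {"MTN_SMPP_Server": "172.17.80.247", "vdc_inside-network": "192.168.100.0",
         "vdc_dmz-network": "192.168.200.0", "vdc_inside-voip-network": "192.168.10.0"}
SITE1 = """
access-list inside_nat0_outbound extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
"""
SITE2 = """
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
"""

def parse_acl(config, name):
    """Set of (src, dst) networks for ACL `name`; object-group lines are skipped."""
    pairs = set()
    for line in config.splitlines():
        toks = [NAMES.get(t, t) for t in line.split()]
        if toks[:5] != ["access-list", name, "extended", "permit", "ip"] or "object-group" in toks:
            continue
        toks, nets = toks[5:], []
        while toks:  # each operand is 'host X' or 'NET MASK': two tokens either way
            nets.append(ipaddress.ip_network(toks[1] if toks[0] == "host" else f"{toks[0]}/{toks[1]}"))
            toks = toks[2:]
        pairs.add((nets[0], nets[1]))
    return pairs

def check_tunnel(a, b):
    """a, b = (config, crypto_acl, nat0_acl). Returns a list of findings (empty is good)."""
    sites = {"A": a, "B": b}
    crypto = {k: parse_acl(cfg, c) for k, (cfg, c, _) in sites.items()}
    findings = []
    for k, other in (("A", "B"), ("B", "A")):
        for s, d in crypto[k] - {(d2, s2) for s2, d2 in crypto[other]}:  # proxy IDs must mirror
            findings.append(f"site {other} has no mirror entry for {s} -> {d}")
        exempt = parse_acl(sites[k][0], sites[k][2])  # every crypto flow must be NAT-exempt
        for s, d in crypto[k]:
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
                findings.append(f"site {k}: {s} -> {d} is not NAT-exempt")
    return findings
```

With the assumed name mapping, the ACLs posted in this thread come back clean, which is consistent with the replies moving on to the SA lifetime and rebinding the crypto map rather than the proxy identities.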
07-25-2008 04:44 AM
Waiting :)
07-25-2008 04:47 AM
But it will affect the other VPN.