
Site to Site Tunnel Connectivity Issue

nikuhappy2010
Level 1

Hi, I am trying to create an STS tunnel, and when I execute the command it shows that the tunnel is active, but the two networks are not able to connect with each other.

Please suggest.


nikuhappy2010
Level 1

Please suggest urgently...

It looks like you forgot to do NAT-exemption or have a problem with routing.

I have checked everything several times, as all other tunnels are responding well. Is there any other way???

Could you show the configuration?

Site 1

    name 172.17.80.247 MTN_SMPP_Server description MTN_SMPP_Server
    !
    !
    interface Vlan2
     description Voxiva, DC - External Interface
     nameif outside
     security-level 0
     ip address 65.x.x.34 255.255.255.0
    !
    !
    passwd xxx
    boot system disk0:/asa803-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    access-list inside_nat0_outbound extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
    access-list inside_nat0_outbound extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
    access-list inside_nat0_outbound extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
    access-list outside_4_cryptomap extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
    access-list outside_4_cryptomap extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
    access-list outside_4_cryptomap extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
    crypto map outside_map 4 match address outside_4_cryptomap
    crypto map outside_map 4 set pfs
    crypto map outside_map 4 set peer 196.44.248.66
    crypto map outside_map 4 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    tunnel-group 196.44.248.66 type ipsec-l2l
    tunnel-group 196.44.248.66 ipsec-attributes
     pre-shared-key *

Site 2

    name 65.205.4.34 VOXIVADC_VPN_Peer2
    object-group network MTNRwanda
     network-object host 172.17.80.247
    object-group network VOXIVADC2
     network-object host VOXIVADC_VPN_Peer2
    access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
    access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
    access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
    access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
    access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
    access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
    access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
    access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
    access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
    nat (intf2) 0 access-list MTNVPNVOXIVA
    crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
    crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
    crypto map ASPECT_MTNR 180 set pfs
    crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
    crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
    crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
    crypto map ASPECT_MTNR interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    tunnel-group 65.205.4.34 type ipsec-l2l
    tunnel-group 65.205.4.34 ipsec-attributes
     pre-shared-key *

Please advise urgently

Please respond urgently

try to remove this

crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000

Done, but it's still not working

Please respond asap...

Could you show configuration of site 2?

Also check that you have enabled NAT-T

crypto isakmp nat-traversal 20

    name 65.205.4.34 VOXIVADC_VPN_Peer2
    object-group network MTNRwanda
     network-object host 172.17.80.247
    object-group network VOXIVADC2
     network-object host VOXIVADC_VPN_Peer2
    access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
    access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
    access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
    access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
    access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
    access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
    access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
    access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
    access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
    nat (intf2) 0 access-list MTNVPNVOXIVA
    crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
    crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
    crypto map ASPECT_MTNR 180 set pfs
    crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
    crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
    crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
    crypto map ASPECT_MTNR interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    tunnel-group 65.205.4.34 type ipsec-l2l
    tunnel-group 65.205.4.34 ipsec-attributes
     pre-shared-key *

Please advise urgently

This is only part of the configuration

and I asked you before to remove the following line from the configuration

crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000

after that try to do the following

no crypto map ASPECT_MTNR interface outside

crypto map ASPECT_MTNR interface outside

this will clear all ipsec sa (sometimes it works better than just "clear crypto ipsec sa")

Waiting :)

But it will affect the other VPN
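Added example, not part of any post in this thread: when a tunnel shows as active but no traffic passes, the per-SA encaps/decaps counters from `show crypto ipsec sa` indicate which side to inspect for the NAT-exemption or routing problems suggested above. The sample output is constructed (invented counters, local networks taken from the site 2 ACLs), and the verdict names and hints are this example's own heuristics.

```python
import re

# Constructed sample laid out like ASA "show crypto ipsec sa" output: counters are
# invented, local /24s come from the site 2 ACLs. HINTS below are heuristics.
SAMPLE = """\
    Crypto map tag: outside_map, seq num: 4, local addr: 65.x.x.34
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.80.247/255.255.255.255/0/0)
      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.80.247/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
HINTS = {
    "ok": "traffic flows both ways; look past the tunnel",
    "remote-side": "we encrypt, nothing returns: check the peer's crypto ACL, NAT exemption, routing",
    "local-side": "peer traffic is decrypted, replies are not encrypted: check local NAT exemption, routing",
    "no-match": "nothing hits the crypto map: check local crypto ACL, NAT exemption, routing",
}

def parse_sas(text):
    # One dict per SA: local/remote ident plus encaps/decaps counters.
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":      # a local ident line opens a new SA
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif cur is not None:
            for name, value in COUNT.findall(line):
                cur[name] = int(value)
    return sas

def triage(sa):
    enc, dec = sa["encaps"] > 0, sa["decaps"] > 0
    if enc:
        return "ok" if dec else "remote-side"
    return "local-side" if dec else "no-match"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["local"], "->", sa["remote"], ":", HINTS[triage(sa)])
```

Run it against output captured on both firewalls while a test ping is in progress; the two sides' verdicts together narrow the fault to one device.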
