site-to-site vpn

Unanswered Question
Jul 29th, 2008

Hi, I can't get my site-to-site VPN to work. When I try to generate traffic from one internal host to another, the traffic never arrives.

Traffic flow:

192.168.100.12 -> 192.168.100.1 -> 213.136.41.180 -> internet -> 79.136.112.50 -> 192.168.1.5

If the IP addresses on the other side of my tunnel are private 192.168.x.x, I need to add a route to the outside IP address of that firewall, right?

For example: route outside 192.168.100.0 255.255.255.0 213.136.41.180 1



One of my 5505:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.200.2 8080 netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.200.2 www netmask 255.255.255.255
access-group 8080_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.180 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.180
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.180 type ipsec-l2l
tunnel-group 213.136.41.180 ipsec-attributes
 pre-shared-key *


The other one:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 79.136.112.50 type ipsec-l2l
tunnel-group 79.136.112.50 ipsec-attributes
 pre-shared-key *


acomiskey Tue, 07/29/2008 - 05:37

"If the IP addresses on the other side of my tunnel are private 192.168.x.x, I need to add a route to the outside IP address of that firewall, right?"

-NO

Add NAT exemption to the ASAs.


First ASA-

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound


Second ASA-

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
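To check a posted ASA configuration for exactly this omission, here is an added Python script (not from the thread or from Cisco) that lists the flows permitted by the crypto-map ACL that no "nat (ifc) 0 access-list" exemption covers. The config sample is constructed from the first ASA's lines, and inside_nat0_outbound is the ACL name the answer uses.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the relevant lines of the first ASA's posted config.
ASA1_CONFIG = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.180
crypto map abcmap interface outside
"""

# The NAT exemption from the answer, appended when checking the fixed config.
NAT0_FIX = (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0\n"
    "nat (inside) 0 access-list inside_nat0_outbound\n"
)

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

Flow = Tuple[str, str, str, str]  # src net, src mask, dst net, dst mask


def parse_acls(config: str) -> Dict[str, Set[Flow]]:
    """Map each ACL name to the network pairs it permits."""
    acls: Dict[str, Set[Flow]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), set()).add(m.groups()[1:])
    return acls


def missing_nat_exemptions(config: str) -> List[Flow]:
    """Return crypto-ACL flows that no 'nat (ifc) 0 access-list' exempts.
    With only 'nat (inside) 1' and 'global (outside) 1 interface', such
    flows are PAT'd to the outside address before the crypto map is
    consulted, so they no longer match the crypto ACL and never enter
    the tunnel (the symptom described in the question)."""
    acls = parse_acls(config)
    lines = [l.strip() for l in config.splitlines()]
    crypto_acls = {m.group(1) for m in map(MATCH_RE.match, lines) if m}
    exempt_acls = {m.group(1) for m in map(NAT0_RE.match, lines) if m}
    interesting = set().union(*(acls.get(a, set()) for a in crypto_acls))
    exempt = set().union(*(acls.get(a, set()) for a in exempt_acls))
    return sorted(interesting - exempt)
```

Run it against the second ASA's lines too (swap the two subnets); each side needs its own exemption ACL in the same direction as its crypto ACL.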



