site-to-site asa 5505 not working

Aug 4th, 2008

Hi,

I had a working site-to-site VPN until I had to change the external outside interface ip address on one of the ASA's. Now it's not working anymore.


When I try to generate traffic from one site to the other, nothing gets to the other side.


Suggested traffic flow:

192.168.100.12 -> 192.168.100.1 -> 213.136.41.181 -> internet -> 79.136.112.50 -> 192.168.1.5



The configs:


First ASA:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l


Second ASA:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.200.0 255.255.255.0 79.136.112.50 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no vpn-addr-assign aaa
tunnel-group 79.x.112.50 type ipsec-l2l
tunnel-group 79.x.112.50 ipsec-attributes
 pre-shared-key *



Your interesting VPN traffic access-lists are incorrect. Assuming the "first asa" has a LAN address subnet of 192.168.100.0/24, change the config to:-


access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0


And change the second ASA config to:-


access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0


HTH

robbhanMid Mon, 08/04/2008 - 05:13

OK, so it should be this?



access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l

It depends on which device you are talking about. I can tell you from the config output above that the ACLs should actually be:-


access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0


The reason why is because of this line:-

route outside 192.168.100.0 255.255.255.0 213.136.41.181 1


which indicates that the local IP subnet is 192.168.1.0 255.255.255.0. Correct?
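The two replies above come down to one rule: an ASA crypto ACL is written local LAN -> remote LAN, the nat 0 exemption ACL covers the same flows, and the peer's crypto ACL is the exact mirror. As an added example (not from the thread or from Cisco), here is a small Python check over constructed excerpts of the posted configs; it assumes, as the first reply does, that 192.168.100.0/24 sits behind the first ASA.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the two configs posted in the thread (only the
# lines the check needs). Both crypto ACLs are reversed relative to the LANs.
FIRST_ASA = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map abcmap 1 match address l2l_list
"""
SECOND_ASA = """
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map abcmap 1 match address l2l_list
"""

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_acls(config):
    """Map ACL name -> set of (src, dst) IPv4Network pairs for 'permit ip' entries."""
    acls = {}
    for name, src, smask, dst, dmask in ACE_RE.findall(config):
        pair = (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}"))
        acls.setdefault(name, set()).add(pair)
    return acls

def acl_named_by(config, pattern):
    """Return the ACL name captured by `pattern` (group 1), or None if absent."""
    m = re.search(pattern, config)
    return m.group(1) if m else None

def check_site(local_cfg, local_lan, remote_cfg):
    """Return findings (empty list = consistent) for one side of the L2L tunnel."""
    lan = IPv4Network(local_lan)
    local, remote = parse_acls(local_cfg), parse_acls(remote_cfg)
    crypto = local.get(acl_named_by(local_cfg, r"crypto map \S+ \d+ match address (\S+)"), set())
    nat0 = local.get(acl_named_by(local_cfg, r"nat \(inside\) 0 access-list (\S+)"), set())
    remote_crypto = remote.get(acl_named_by(remote_cfg, r"crypto map \S+ \d+ match address (\S+)"), set())
    findings = []
    for src, dst in crypto:
        if not src.subnet_of(lan):  # crypto ACEs are written local -> remote
            findings.append(f"crypto ACE {src}->{dst}: source is not the local LAN {lan}")
    if crypto != nat0:
        findings.append("nat 0 exemption ACL does not cover the same flows as the crypto ACL")
    if {(d, s) for s, d in remote_crypto} != crypto:
        findings.append("peer's crypto ACL is not the mirror image of this side's crypto ACL")
    return findings
```

`check_site(FIRST_ASA, "192.168.100.0/24", SECOND_ASA)` reports the reversed crypto ACE and the nat 0 mismatch (the two posted ACLs already mirror each other, just both backwards), and returns an empty list once both l2l_list entries are swapped as the reply suggests.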


robbhanMid Mon, 08/04/2008 - 05:24

Yes, that's correct. The 192.168.1.0 subnet and the 192.168.100.0 subnet are behind two different ASAs, hence the routing entry. I guess I need it, right?

Yes, but which one is which? You have got yourself confused in regards to what should be encrypted from src to dst, and what should be exempt from NAT.


To be honest, looking at your config, this VPN has never worked if the only thing that has changed is an external IP address.


Post BOTH full configs (remove passwords); this will help to get to the bottom of this.

robbhanMid Mon, 08/04/2008 - 06:01

Oh, thanks! Will give it a try.

Are you sure the route settings on the two hosts are correct?
