site-to-site asa 5505 not working

robbhanMid
Level 1

Hi,

I had a working site-to-site VPN until I had to change the external outside interface IP address on one of the ASAs. Now it's not working anymore.

When I try to generate traffic from one site to the other, nothing gets to the other side.

Suggested traffic flow:

192.168.100.12 -> 192.168.100.1 -> 213.136.41.181 -> internet -> 79.136.112.50 -> 192.168.1.5

The configs:

First asa:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l

Second asa:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.200.0 255.255.255.0 79.136.112.50 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
no vpn-addr-assign aaa
tunnel-group 79.x.112.50 type ipsec-l2l
tunnel-group 79.x.112.50 ipsec-attributes
pre-shared-key *

11 Replies

andrew.prince
Level 10

Your interesting VPN traffic access-lists are incorrect. Assuming the "first asa" has a LAN subnet of 192.168.100.0/24, change the config to:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

And change the second ASA config to:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

HTH

OK, so it should be:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l

It depends on which device you are talking about. I can tell you from the config output above that the ACLs should actually be:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

The reason is this line:

route outside 192.168.100.0 255.255.255.0 213.136.41.181 1

which indicates that the local IP subnet is 192.168.1.0 255.255.255.0, correct?

Yes, that's correct. The 192.168.1.0 subnet and the 192.168.100.0 subnet are behind two different ASAs, hence the routing entry. I guess I need it, right?

Yes, but which one is which? You have got yourself confused in regards to what should be encrypted from src to dst, and what should be exempt from NAT.

To be honest, looking at your config, this VPN has never worked if the only thing that has changed is an external IP address.

Post BOTH full configs (remove passwords); this will help to get to the bottom of this.

The 192.168.1.0 subnet is behind 79.136.112.50. The 192.168.100.0 subnet is behind 213.136.41.181.

A picture paints a thousand words.

HTH
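As an added example (not from the thread), a small Python checker for the mistake diagnosed above: it parses the "access-list ... permit ip" lines from both ASAs and verifies that the crypto ACL and the NAT-exempt ACL on each side are written local LAN to remote LAN, and that the two crypto ACLs mirror each other. The sample ACL lines and the ACL names l2l_list and inside_nat0_outbound are the ones posted in the thread; the LAN placement (192.168.1.0/24 behind the first ASA, 192.168.100.0/24 behind the second) follows the route lines as explained above.

```python
import ipaddress
import re

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_acls(config):
    """Collect each named 'permit ip' ACL as a list of (source, destination) networks."""
    acls = {}
    for m in filter(None, (ACL_RE.match(ln.strip()) for ln in config.splitlines())):
        name, s, sm, d, dm = m.groups()
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls

def direction_problems(entries, name, local_lan, remote_lan):
    """Crypto and nat 0 ACLs are evaluated on outbound traffic, so every entry must read
    local LAN -> remote LAN; a remote -> local entry never matches and the traffic is PATed."""
    out = []
    for src, dst in entries:
        if src == remote_lan and dst == local_lan:
            out.append(f"{name}: {src} -> {dst} is reversed, should be {local_lan} -> {remote_lan}")
        elif not (src.subnet_of(local_lan) and dst.subnet_of(remote_lan)):
            out.append(f"{name}: {src} -> {dst} is not local -> remote traffic")
    return out

def check_l2l(cfg_a, lan_a, cfg_b, lan_b, crypto="l2l_list", nat0="inside_nat0_outbound"):
    """Cross-check a site-to-site pair. Returns a list of problems; empty means consistent."""
    a, b = parse_acls(cfg_a), parse_acls(cfg_b)
    lan_a, lan_b = ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b)
    problems = []
    for side, acls, local, remote in (("A", a, lan_a, lan_b), ("B", b, lan_b, lan_a)):
        for name in (crypto, nat0):
            if name not in acls:
                problems.append(f"{side}: ACL {name} is missing")
            else:
                problems += [f"{side}: {p}" for p in direction_problems(acls[name], name, local, remote)]
    # The crypto ACLs must be exact mirror images, or the peers disagree on the proxy IDs.
    if crypto in a and crypto in b and set(a[crypto]) != {(d, s) for s, d in b[crypto]}:
        problems.append(f"{crypto} on B is not the mirror image of {crypto} on A")
    return problems

# Constructed sample: the ACL lines as posted (crypto ACLs correct, nat 0 ACLs reversed on both sides).
FIRST_ASA = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
SECOND_ASA = """
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
"""
```

Calling check_l2l(FIRST_ASA, "192.168.1.0/24", SECOND_ASA, "192.168.100.0/24") reports the NAT-exempt ACL as reversed on both ASAs and nothing else, which is why the traffic was being PATed to the outside address instead of entering the tunnel.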

Oh thanks! Will give it a try.

Are you sure the route settings on the two hosts are correct?

Yes - pretty sure.

You can always add the changes to the existing config, then see which ACL lines get hits.

Got it working. Thanks a bunch.

np, glad to help.
