08-22-2008 07:22 PM
Dear All,
Now i had problem with VPN site to site(ASA5500).The tunnel is up but i cannot ping HQ to branch. when i show
crypto ipsec sa then i see pkts encaps as below :
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 778, #pkts decrypt: 778, #pkts verify: 778
Note: At HQ office one tunnel Branch_ISP1 is ok i mean HQ can communication to Branch
but tunnel VPN Branch_ISP2 is up, cannot ping to HQ and HQ cannot ping to Branch.
Pleae see in the attach file HQ and branch site.
please help me to solve this problem !!!!
Best Regards,
Join
08-23-2008 01:57 AM
i havt checked ur config yet
before that
i wanna know are you looking to achieve load balncing through two ISPs ?
if that the case with ASA u can do load balnacing with two ISPs trhough a vpn tunnels or two connections
u can achieve perimary and backup vpn
have a look at the following link might be helpful
please if helpful Rate
08-25-2008 12:36 AM
Hi marwanshawi,
On my configuration i just to do in the HQ use 2 ISP for VPN only.i mean some branch use ISP1 and other Branch use ISP2 only.
and your weblink that you gave me, it not for do VPN connection, it show backup.....
could you tell let me know on ASA 5500 it can do VPN 2 wan interface or not? if can could you see in my attach file as above this is correct or not?
Best Regards,
join
08-25-2008 01:40 AM
u have those ACLs
access-list Branch_ISP1 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Branch_ISP2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
and this map
rypto map Branch 2 match address Branch_ISP1
crypto map Branch 2 set peer 50.50.50.60
crypto map Branch 2 set transform-set Branch
crypto map Branch 3 match address Branch_ISP2
crypto map Branch 3 set peer 206.206.206.2
crypto map Branch 3 set transform-set Branch
will send the packet matched to 50.50.50.50 host
becsue ur ACl isp1 and two the same source and dist
u need to make diffrent distination in this case the map and remote host will be selcted based on the matched ACl
for example make the brach lan u sent me 192.168.3.0 then change the HQ ACl2 to
access-list Branch_ISP2 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
in this case will selct the branch map 3 through 206.206.206.2 host
!!also include this new ACL with the nat 0 for nat exemption !!!
and make sure befor that u can ping that host in other words u have connectivity to it
good luck
08-25-2008 11:38 PM
Dear marwanshawi,
Thank you for you help me :)
i follow up from you it ok for VPN but i have problem on my branch lan ( i mean that when we assigned ip add 192.168.3.0 and 192.168.2.0 so my client have two subnet. and some client use 192.168.3.x and some client use 192.168.2.x so it cannot communication.How can do 192.168.2.0 and 192.168.3.0 can communication ?
Nopte: let me tell that i want, i would like my branch have ASA5505 2 units and 2 ISP connect to HQ.
Best Regards,
Join
08-26-2008 04:51 AM
have a look at the foloowing usefull link
and i wish willl be helpful for u
and then if have any more issues just tell me
but see this link might solve ur issue
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
good luck
if helpful Rate
08-26-2008 08:01 PM
Dear Marwanshawi,
Thank you for your fully support :)
i read the web link that you gate me already but i'm not clear some command, could i ask you some question...So on document it tell us only one wan interface(1ISP) but my system i had 2 wan interface(2ISP, so when i follow ACL from document is it possible for Branch to Branch( i mean one branch i use ISP1 and other Branch ISP2 and it different:
-crypto map ABC interface ISP1
-crypto map ABC interface ISP2
-crypto isakmp enable ISP1
-crypto isakmp enable ISP2
by the way do you idea for add route or do something on ASA01 can communication to ASA02?
Please see in the attach file.
Best Regards,
Join
08-26-2008 08:12 PM
first
is this two ASAs in the branch one office?
are the clients in 192.168.50.x/24 in one network?
if yes,
why u want them communicate through the HQ ASA!!! it is gonna be slower over the ISP then LAN???!!! let me know about this point!!
if u wanna all communication to go from ASA1 to HQ asa then ASA2 and vis versa u need to make the LAN connected to each branch ASA in diffrent subnet then we can achive it through VPN or routing whatever
just let me kow about ur goals and what u wanna achieve because i got confused about first point i asked u about it above !!
u can make VPN HQ to barnch and make the branch ASAs one primary and other as back up !! if u want
08-26-2008 08:50 PM
Dear Marwanshawi,
Yes, i had two ASA in the branch one office, some client use 192.168.2.x/24 and some client use 192.168.50.x/24.
i use like this because ISP1 have 128Kbps and ISP2 have 512Kbps so i need to use 2 connections for link to HQ if i use only one connection it cannot support my client.
Could you recommend me how can i do 2 wan interface like this for the standard diagram?
on my diagram that i showed you it can do fallover or not?
Best Regards,
Join
08-26-2008 08:55 PM
and u dont need any traffic between the branch client to go through vpn right?
i mean from PC on the branch to pc on the the same branch!!!
08-26-2008 09:03 PM
Dear Marwanshawi,
No, i need PC on the branch to Pc on the same branch and other branch too.
i mean all the branch and all the connection can communication.
Best Regards,
Join
08-26-2008 09:21 PM
Join u confused me
how many branches u have
the following ifo based on the following
PCs on the branch based on the diagram u sent me will comunicate directly because they are on the same network
and because u have divided them to two half based on the ASA default gateway
lets say
u have ur IPs in range of 192.168.50.1 to 192.168.50.254
and from 1 to 126 they use ASA isp1 as default gateway
and from 129 to 254 they use the ASA isp2
u can dot through dividing the remote subnet which is /24 to two subnets on the VPN ACL
for example lets say the first half of the remote supnet use ISP1 andd the second one use ISP2
icould be done like
access-list 100 permite ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.128
access-list 100 permite ip 192.168.0.0 255.255.255.0 192.168.50.128 255.255.255.128
attached is a chnaged config of ur HQ ASA try it
if u have other branches then this will be diffrent topology than the one u have sent me
good luck
try it and let me now
08-27-2008 12:43 AM
Dear marwanshawi,
As i assigned ip add 192.168.50.1-126 and other ip add 192.168.50.129-254 on the branch i think my client still cannot communication because it 2 subnet.
Best Regards,
Join
08-27-2008 03:40 AM
no
ur clients on the branch lets say connected to switch
al on the subnet 255.255.255.0
just through ur DHCP if u have or staticly
client from 1 to 126 put thier defaultgateway as ASA1 and the rest ASA2 i though u already done this idea as u mentioned before !!
the 255.255.255.128 only on the ASA ACL to match half the subnet
dose it make sense now!!!
09-01-2008 02:21 AM
Dear Marwanshawi,
Thank very much for your help!!!! :)
i understood that you told me .....
Good idea !!!!!
Best Regards,
Join
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: