10-14-2008 10:58 AM - edited 02-21-2020 03:59 PM
I am trying to get a site-to-site VPN up and running between a satellite office and our main office. I have the settings in place but am trying to determine if it is my settings or the DSL provider, Verizon.
They have a 5505 with a static IP connected through cable modem. From their 5505 I can ping the outside IP address of my 5510 no problem. All the settings are correct on both sides; they reflect the same settings and yet the Static VPN does not come up.
Is there some sort of CLI command I must issue to bring it up?
Also, I am wondering if perhaps my 2821 is stopping any VPN traffic in as it does have to be re-NAT'ed to get to the 192.168.250.0/23 and the 192.168.252.0/24 subnets.
This is simply about getting traffic from their 192.168.40.0 subnet into our 192.168.250.0/23 VOIP subnet.
I am attaching a basic diagram. I can provide the configs for nearly everything.
10-15-2008 12:29 PM
Hello,
You have two instances of a crypto map sequence with similar settings (except the transform set). Get rid of the following crypto map sequences:
On Satellite ASA:
no crypto map outside_map 2 match address outside_cryptomap
no crypto map outside_map 2 set pfs
no crypto map outside_map 2 set peer smivpn.sorensonmedia.com
no crypto map outside_map 2 set transform-set ESP-3DES-MD5
no crypto map outside_map 2 set security-association lifetime seconds 28800
no crypto map outside_map 2 set security-association lifetime kilobytes 4608000
no crypto map outside_map 2 set reverse-route
On Corporate ASA:
no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs
no crypto map outside_map 1 set peer cda.asa5505
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
no crypto map outside_map 1 set security-association lifetime seconds 28800
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000
no crypto map outside_map 1 set reverse-route
Then check and capture debugs.
HTH
Saju
10-14-2008 12:01 PM
Can you post VPN configs of both vpn end devices?
10-14-2008 12:09 PM
Sure thing. Thanks for your time.
The satellite config is for the remote location and the corporate config is for the main office.
10-14-2008 12:10 PM
10-14-2008 12:56 PM
Can you make the crypto ACLs simple ACLs (no object groups) and then check?
Corporate ASA
no access-list outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip 192.168.252.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.250.0 255.255.254.0 192.168.40.0 255.255.255.0
Satellite ASA
no access-list outside_2_cryptomap_1
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.250.0 255.255.254.0
Also try removing PFS from both sides. First make the basic tunnel come up; later on you can add PFS etc.
HTH
Saju
Pls rate helpful posts
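The two things the replies above ask for (crypto ACLs that are exact mirror images, and a single crypto map sequence per peer) can be checked mechanically before anyone turns on IKE debugs. The script below is an added example, not code posted in this thread. It parses only the subset of ASA syntax used here (`access-list ... extended permit ip`, `crypto map ... match address`, `crypto map ... set peer`) and flags three things: crypto ACL entries with no mirror on the far side, several sequences of one crypto map pointing at the same peer, and sequences whose ACLs overlap (the ASA evaluates sequences in ascending order, so the lower one takes any flow that matches both). The two embedded configs are constructed from the ACL lines and sequence numbers quoted in the thread; the contents of `outside_1_cryptomap_1` and `outside_cryptomap`, and which ACL the surviving sequence on each side uses, are assumptions.

```python
"""Pre-debug sanity checks for an ASA site-to-site crypto map.

Added example for this thread, not code posted in it. Only the subset of
ASA syntax used in the thread is parsed. The sample configs below are
constructed from the thread's ACL lines and crypto map sequence numbers;
the contents of outside_1_cryptomap_1 / outside_cryptomap are assumed.
"""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")

# Constructed from the thread: seq 1 on corporate and seq 2 on satellite are
# the duplicates the accepted answer says to remove.
CORPORATE = """
access-list outside_1_cryptomap extended permit ip 192.168.252.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.250.0 255.255.254.0 192.168.40.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.250.0 255.255.254.0 192.168.40.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer cda.asa5505
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer cda.asa5505
"""

SATELLITE = """
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.250.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.250.0 255.255.254.0
crypto map outside_map 1 match address outside_2_cryptomap_1
crypto map outside_map 1 set peer smivpn.sorensonmedia.com
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer smivpn.sorensonmedia.com
"""


def parse(config):
    """Return (acls, maps): acl name -> [(src, dst)], (map, seq) -> {'acl', 'peer'}."""
    acls = defaultdict(list)
    maps = defaultdict(dict)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ip_network accepts dotted netmasks, so the ASA form maps directly.
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, kind, arg = m.groups()
            maps[(name, int(seq))]["acl" if kind == "match address" else "peer"] = arg
    return acls, maps


def mirror_mismatches(local_acl, remote_acl):
    """Local entries with no exact mirror (src/dst swapped) on the remote
    side, and remote entries (mirrored) with no counterpart locally."""
    local = set(local_acl)
    remote_mirrored = {(dst, src) for src, dst in remote_acl}
    return sorted(local - remote_mirrored), sorted(remote_mirrored - local)


def same_peer_sequences(maps):
    """(map name, peer) pairs referenced by more than one sequence."""
    by_peer = defaultdict(list)
    for (name, seq), entry in sorted(maps.items()):
        if "peer" in entry:
            by_peer[(name, entry["peer"])].append(seq)
    return {k: v for k, v in by_peer.items() if len(v) > 1}


def overlapping_sequences(acls, maps):
    """Sequence pairs within one map whose crypto ACLs overlap. The lower
    sequence wins for any flow matching both, so the higher one is dead."""
    entries = sorted((k, v["acl"]) for k, v in maps.items() if "acl" in v)
    hits = []
    for i, ((name_a, seq_a), acl_a) in enumerate(entries):
        for (name_b, seq_b), acl_b in entries[i + 1:]:
            if name_a == name_b and any(
                    sa.overlaps(sb) and da.overlaps(db)
                    for sa, da in acls[acl_a] for sb, db in acls[acl_b]):
                hits.append((name_a, seq_a, seq_b))
    return hits


if __name__ == "__main__":
    c_acls, c_maps = parse(CORPORATE)
    s_acls, s_maps = parse(SATELLITE)
    for side, acls, maps in (("corporate", c_acls, c_maps), ("satellite", s_acls, s_maps)):
        print(side, "sequences sharing a peer:", same_peer_sequences(maps))
        print(side, "overlapping sequences:", overlapping_sequences(acls, maps))
    print("mirror mismatches:",
          mirror_mismatches(c_acls["outside_1_cryptomap"], s_acls["outside_2_cryptomap_1"]))
```

Run it against the real `show running-config` output from both ASAs (the regexes ignore everything they do not recognise). An empty mirror result plus a single sequence per peer is what you want to see before reading `debug crypto isakmp` output; a non-empty overlap list means the higher sequence, with its own transform set and lifetimes, will never be the one negotiated.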
10-14-2008 01:15 PM
I did as you suggested and changed the access-lists on both corporate and satellite. I am still unable to ping inside addresses. Traceroute is unable to route. The PtP VPN is not coming up.
At corporate:
cisco# ping 192.168.40.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
At satellite:
cisco# ping 192.168.250.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.11, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Here is the latest set of configs, plus the 2821 router config that sits between the ASA5510 and the 192.168.250.0/24 and 192.168.252.0/24 subnets.
Thanks in advance.
10-15-2008 05:45 AM
Add following route on Corporate ASA:
Corporate ASA
route inside 192.168.250.0 255.255.254.0 172.17.10.2
Enable debugs ("debug crypto isakmp" and "debug crypto ipsec") on both ASAs, initiate IPsec traffic, capture the debugs and post them.
HTH
Saju
10-15-2008 11:45 AM
I am making some progress here. I followed the instructions on the following page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
I was never able to get much debug output as the remote VPNs kept showing up.
So, here is a screenshot of the syslog output from the ASDM on the satellite firewall. It is nearly there.
Here are the latest running-configs from both corporate and satellite.
Thanks.
10-15-2008 12:18 PM
10-15-2008 12:04 PM
10-15-2008 12:05 PM
10-15-2008 01:46 PM
There are actually 2 crypto maps on the satellite VPN. You'll notice that one went to sdihq.com and the other to sorensonmedia.com. sdihq.com is the former parent company. We want this satellite office to be part of us now. sdihq.com is in place as a backup measure. But we want the phones to come directly to us and NOT to route to them and then down to us, as per the network image.
I am making the changes as appropriate and will post debug here shortly.
10-15-2008 02:22 PM
10-15-2008 02:30 PM