VPN LAN-to-LAN issue - only one side can initiate traffic

Unanswered Question
Jan 21st, 2009

I have a LAN-to-LAN tunnel using 2 ASAs. From site B I cannot ping anything on the site A network. From site A I can ping site B, and then site B is able to ping that IP at site A for a while, and then it will time out after some inactivity. I will attach the relevant part of my configs. One question I have is that site A specifies a few servers on its side, but on site B it specifies the whole subnet. Do these access lists have to match up perfectly? I only want site B to have access to certain servers at site A. If there is a better way to limit the traffic, let me know.

Site A

OBJECT GROUPS

object-group network vpn
 ! remote (Site B) networks; 172.16.200.0/22 has no counterpart in Site B's crypto ACL
 network-object 10.23.16.0 255.255.240.0
 network-object 172.16.200.0 255.255.252.0
object-group network vpn.resources
 ! local (Site A) servers that Site B should be able to reach
 network-object 192.168.1.10 255.255.255.255
 network-object 192.168.1.5 255.255.255.255
 network-object 192.168.1.8 255.255.255.255
 network-object 192.168.1.68 255.255.255.255
 network-object 192.168.1.121 255.255.255.255
 network-object 192.168.1.176 255.255.255.255
 network-object 192.168.1.144 255.255.255.255
 network-object 192.168.1.156 255.255.255.255

No NAT Access List

! exempt tunnel traffic from NAT in both directions
access-list inside.nat0.outbound extended permit ip object-group vpn.resources object-group vpn log
access-list inside.nat0.outbound extended permit ip object-group vpn object-group vpn.resources log

Crypto Access List

! "interesting traffic": local servers <-> remote networks; the second ACE is the reverse direction
access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log

!--- PHASE 1 CONFIGURATION ---!

! transform-set is an IPsec (phase 2) parameter even though it is listed here
crypto ipsec transform-set MDSet esp-3des esp-md5-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

!--- PHASE 2 CONFIGURATION ---!

crypto map myDCP 150 match address MD_VPN
crypto map myDCP 150 set peer xx.xx.xx.66
crypto map myDCP 150 set transform-set MDSet
crypto map myDCP 150 set security-association lifetime seconds 86400
tunnel-group xx.xx.xx.66 type ipsec-l2l
tunnel-group xx.xx.xx.66 ipsec-attributes
 pre-shared-key *

Site B

!--- PHASE 1 CONFIGURATION ---!

! pre-shared key for the Site A peer (PIX 6.x-style syntax)
isakmp key * address xx.xx.xx.130 netmask 255.255.255.255
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

No NAT Access List

access-list nonat permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0

Crypto Access List

! whole local /20 to the whole remote /24; nothing here for 172.16.200.0/22
access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0

!--- PHASE 2 CONFIGURATION ---!

crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map ahmd1 45 match address dcp
crypto map ahmd1 45 set peer xx.xx.xx.130
crypto map ahmd1 45 set transform-set 3des

pstebner10 Wed, 01/21/2009 - 18:13

It looks like the 192 network is at site A and the 10.23.16.0 and 172 networks are at site B?

At site B, only a packet sourced from the 10.23.16.0 network should be able to bring up the tunnel, according to this, but your access lists at site A are a bit confusing. Can you post the whole config from both sites?
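Cisco's guidance for LAN-to-LAN IPsec is that the two crypto ACLs must be mirror images: every source/destination pair one peer will propose as its proxy identities has to appear reversed on the other peer. The script below is an added example (not part of the thread and not Cisco code): it parses the object-groups and crypto ACLs exactly as posted above, expands them into (local, remote) network pairs, and reports which selectors have no exact mirror on the peer and which are not even contained within any entry on the peer's ACL. The reverse-direction ACE in MD_VPN is expanded too, so it shows up in Site A's count. The configuration strings are inline copies of the lines from the question; the parser only handles `permit ip` entries, which is all these ACLs contain.

```python
"""Check whether two ASA/PIX crypto ACLs are mirror images (added example)."""
import ipaddress

# Constructed inline copy of the Site A object-groups and crypto ACL from the question.
SITE_A = """
object-group network vpn
 network-object 10.23.16.0 255.255.240.0
 network-object 172.16.200.0 255.255.252.0
object-group network vpn.resources
 network-object 192.168.1.10 255.255.255.255
 network-object 192.168.1.5 255.255.255.255
 network-object 192.168.1.8 255.255.255.255
 network-object 192.168.1.68 255.255.255.255
 network-object 192.168.1.121 255.255.255.255
 network-object 192.168.1.176 255.255.255.255
 network-object 192.168.1.144 255.255.255.255
 network-object 192.168.1.156 255.255.255.255
access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log
"""

# Constructed inline copy of the Site B crypto ACL from the question (PIX 6.x syntax).
SITE_B = """
access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
"""


def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} for every 'object-group network' block."""
    groups, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = t[2]
            groups[current] = []
        elif t[0] == "network-object" and current is not None:
            net = t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"   # 'host A' or 'A MASK'
            groups[current].append(ipaddress.ip_network(net))
        else:
            current = None                                     # any other line ends the block
    return groups


def _take_address(tokens, i, groups):
    """Consume one ASA address operand at tokens[i]; return (networks, next_index)."""
    if tokens[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tokens[i] == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")], i + 2


def parse_crypto_acl(config, acl_name):
    """Expand 'access-list NAME [extended] permit ip SRC DST' into a set of (src, dst) pairs."""
    groups = parse_object_groups(config)
    pairs = set()
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != acl_name:
            continue
        i = 3 if t[2] == "extended" else 2
        if t[i] != "permit" or t[i + 1] != "ip":
            continue                                  # deny / port-specific ACEs are out of scope
        srcs, i = _take_address(t, i + 2, groups)
        dsts, i = _take_address(t, i, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror(pairs):
    """Swap source and destination so the peer's selectors are in our orientation."""
    return {(d, s) for (s, d) in pairs}


def covered_by(pair, candidates):
    """True if both halves of pair fall inside some candidate pair (a narrower proposal)."""
    s, d = pair
    return any(s.subnet_of(cs) and d.subnet_of(cd) for cs, cd in candidates)


def report(local_config, local_acl, peer_config, peer_acl):
    """Compare two crypto ACLs; all selectors are returned in (local, remote) orientation."""
    local = parse_crypto_acl(local_config, local_acl)
    peer = mirror(parse_crypto_acl(peer_config, peer_acl))
    return {
        "local_total": len(local),
        "exact_mirror": local == peer,
        "local_no_exact_mirror": sorted(local - peer, key=str),
        "peer_no_exact_mirror": sorted(peer - local, key=str),
        "local_not_even_covered": sorted((p for p in local if not covered_by(p, peer)), key=str),
        "peer_not_even_covered": sorted((p for p in peer if not covered_by(p, local)), key=str),
    }


if __name__ == "__main__":
    r = report(SITE_A, "MD_VPN", SITE_B, "dcp")
    print(f"Site A selectors: {r['local_total']}, exact mirror of Site B: {r['exact_mirror']}")
    for s, d in r["local_not_even_covered"]:
        print(f"  Site A would propose {s} <-> {d}: nothing on Site B's ACL covers it")
    for s, d in r["peer_not_even_covered"]:
        print(f"  Site B would propose {d} <-> {s}: nothing on Site A's ACL covers it")
```

Run against the posted configs, the only Site B selector (192.168.1.0/24 with 10.23.16.0/20) has no entry on Site A that contains it, while Site A's eight host-to-10.23.16.0/20 selectors do fall inside Site B's single ACE. That asymmetry is consistent with the one-way behaviour described in the question, but the fix is the same either way: make the two ACLs exact mirrors, one entry per host on Site B if the host list is to stay, and drop entries (such as the 172.16.200.0/22 group member and the reverse-direction ACE) that the other side does not carry. If the goal is only to restrict what Site B may reach, the ASA's vpn-filter ACL, applied through the tunnel-group's group-policy, filters decrypted traffic without requiring the crypto ACLs to encode the restriction.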
