01-21-2009 05:02 PM
I have a LAN-to-LAN using 2 ASAs. From site B I cannot ping anything on the site A network. From site A I can ping site B, and then site B is able to ping that IP at site A for a while, and then it will time out after some inactivity. I will attach the relevant part of my configs. One question I have is that site A specifies a few servers on its side, but on site B it specifies the whole subnet. Do these access lists have to match up perfectly? I only want site B to have access to certain servers at site A. If there is a better way to limit the traffic, let me know.
Site A
OBJECT GROUPS
object-group network vpn
 network-object 10.23.16.0 255.255.240.0
 network-object 172.16.200.0 255.255.252.0
object-group network vpn.resources
 network-object 192.168.1.10 255.255.255.255
 network-object 192.168.1.5 255.255.255.255
 network-object 192.168.1.8 255.255.255.255
 network-object 192.168.1.68 255.255.255.255
 network-object 192.168.1.121 255.255.255.255
 network-object 192.168.1.176 255.255.255.255
 network-object 192.168.1.144 255.255.255.255
 network-object 192.168.1.156 255.255.255.255
No NAT Access List
access-list inside.nat0.outbound extended permit ip object-group vpn.resources object-group vpn log
access-list inside.nat0.outbound extended permit ip object-group vpn object-group vpn.resources log
Crypto Access List
access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log
!--- PHASE 1 CONFIGURATION ---!
crypto ipsec transform-set MDSet esp-3des esp-md5-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
!--- PHASE 2 CONFIGURATION ---!
crypto map myDCP 150 match address MD_VPN
crypto map myDCP 150 set peer xx.xx.xx.66
crypto map myDCP 150 set transform-set MDSet
crypto map myDCP 150 set security-association lifetime seconds 86400
tunnel-group xx.xx.xx.66 type ipsec-l2l
tunnel-group xx.xx.xx.66 ipsec-attributes
 pre-shared-key *
Site B
!--- PHASE 1 CONFIGURATION ---!
isakmp key * address xx.xx.xx.130 netmask 255.255.255.255
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
No NAT Access List
access-list nonat permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
Crypto Access List
access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
!--- PHASE 2 CONFIGURATION ---!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map ahmd1 45 match address dcp
crypto map ahmd1 45 set peer xx.xx.xx.130
crypto map ahmd1 45 set transform-set 3des
01-21-2009 06:13 PM
It looks like the 192 network is at site A and the 10.23.16.0 and 172 networks are at site B?
At site B, only a packet sourced from the 10.23.16.0 network should be able to bring up the tunnel, according to this, but your access lists at site A are a bit confusing. Can you post the whole config from both sites?
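The question in the first post ("do these access lists have to match up perfectly?") can be answered mechanically: Cisco's documented guidance for a LAN-to-LAN tunnel is that the crypto ACL on one side is the mirror image of the crypto ACL on the other, after object-groups are expanded. The script below is an added example (not part of either post and not Cisco's code): it parses the object-groups and crypto ACLs from the two snippets above, expands every ACE into concrete (source, destination) network pairs, and classifies each ACE against the reversed ACEs of the peer as an exact mirror, narrower than the peer's ACE, broader than it, or without any counterpart. It assumes Python 3.7 or later (for `ipaddress.IPv4Network.subnet_of`), and it only understands the `object-group network`, `network-object` and `access-list ... permit ip` forms that appear in the posted configs; the config text embedded in it is constructed from those snippets.

```python
"""Expand ASA object-groups and crypto ACLs, then check whether the two
sides' crypto ACLs are mirror images of each other (added example)."""
import ipaddress
from collections import Counter

# Constructed from the Site A and Site B snippets posted above (only the
# object-groups and crypto ACLs; the NAT-exemption ACLs are not needed here).
SITE_A_CONFIG = """
object-group network vpn
 network-object 10.23.16.0 255.255.240.0
 network-object 172.16.200.0 255.255.252.0
object-group network vpn.resources
 network-object 192.168.1.10 255.255.255.255
 network-object 192.168.1.5 255.255.255.255
 network-object 192.168.1.8 255.255.255.255
 network-object 192.168.1.68 255.255.255.255
 network-object 192.168.1.121 255.255.255.255
 network-object 192.168.1.176 255.255.255.255
 network-object 192.168.1.144 255.255.255.255
 network-object 192.168.1.156 255.255.255.255
access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log
"""

SITE_B_CONFIG = """
access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
"""


def _net(addr, mask):
    """Build a network from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(tok, groups):
    """Consume one ACE address operand; return ([networks], remaining tokens)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [_net(tok[1], 32)], tok[2:]
    if tok[0] == "object-group":
        return list(groups[tok[1]]), tok[2:]
    return [_net(tok[0], tok[1])], tok[2:]


def parse_asa(text):
    """Return {acl_name: [(src_net, dst_net), ...]} with object-groups expanded.

    Understands 'object-group network NAME', 'network-object A M' or
    'network-object host A', and 'access-list NAME [extended] permit ip SRC DST
    [log]' where SRC/DST is 'any', 'host A', 'object-group NAME' or 'A M'.
    Anything else (deny ACEs, other protocols, unrelated commands) is skipped.
    """
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.append(_net(tok[2], 32) if tok[1] == "host" else _net(tok[1], tok[2]))
        elif tok[0] == "access-list":
            current = None
            rest = tok[2:]
            if rest[:1] == ["extended"]:
                rest = rest[1:]
            if rest[:2] != ["permit", "ip"]:
                continue
            srcs, rest = _operand(rest[2:], groups)
            dsts, _ = _operand(rest, groups)
            acls.setdefault(tok[1], []).extend((s, d) for s in srcs for d in dsts)
        else:
            current = None
    return acls


def classify(local_ace, remote_acl):
    """Compare one local ACE with the peer's crypto ACL, reversed to this side's view.

    'mirror'   : the peer has exactly the reversed ACE
    'narrower' : the local ACE sits inside a reversed peer ACE
    'broader'  : the local ACE contains a reversed peer ACE but is contained by none
    'none'     : no reversed peer ACE overlaps it at all
    """
    src, dst = local_ace
    result = "none"
    for rsrc, rdst in remote_acl:
        msrc, mdst = rdst, rsrc  # reverse the peer's ACE
        if src == msrc and dst == mdst:
            return "mirror"
        if src.subnet_of(msrc) and dst.subnet_of(mdst):
            result = "narrower"
        elif msrc.subnet_of(src) and mdst.subnet_of(dst) and result == "none":
            result = "broader"
    return result


def compare(local_acl, remote_acl):
    """Count how the local crypto ACL's ACEs line up against the peer's."""
    return Counter(classify(ace, remote_acl) for ace in local_acl)


if __name__ == "__main__":
    site_a = parse_asa(SITE_A_CONFIG)["MD_VPN"]
    site_b = parse_asa(SITE_B_CONFIG)["dcp"]
    print("Site A MD_VPN vs Site B dcp:", dict(compare(site_a, site_b)))
    print("Site B dcp vs Site A MD_VPN:", dict(compare(site_b, site_a)))
    for ace in site_a:
        if classify(ace, site_b) == "none":
            print("  no counterpart at B for", ace[0], "->", ace[1])
```

Run against the posted snippets, none of site A's 32 expanded ACEs has an exact mirror at site B: the eight host-to-10.23.16.0/20 ACEs are narrower than B's single ACE, while the eight ACEs toward 172.16.200.0/22 and all sixteen reverse-direction ACEs (those with the remote network as source) have no counterpart at all. Seen from site B, its one ACE is broader than anything site A offers. To restrict site B to specific servers with matching configs, the same host list would have to appear on both sides, in mirrored form; the script is a quick way to confirm that before bringing the tunnel up.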