02-19-2009 01:32 PM - edited 02-21-2020 04:09 PM
Hi All
I am having problems with an L2L IPsec VPN, as the tunnel is not initiating at all... I have an ASA on the A-end and a PIX on the B-end. The ASA on the A-end is also doing NAT of both source and destination, and it is also the tunnel endpoint.
The topology is like this. Note that the LAN addresses specified are not directly connected but are behind the ASA and PIX.
(10.1.1.0/24) ----- --A-end - (ASA)--------------------------- INTERNET -------------------- B-end PIX ---- (10.20.20.0/24)
NAT ON ASA -
10.1.1.1/32 (server) NAT'ed TO 80.2.2.2/32 - SO the B-end sees this server as the 80.2.2.2 address
10.2.2.0/24 NAT TO 10.20.20.0/24 - So the A-end sees the B-end subnet as 10.2.2.0/24
The problem is that the tunnel is not even initiating... I have attached the config...
A-end ASA
ASA Version 7.2(3)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 90.1.1.1 255.255.255.128 standby 90.1.1.2
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 80.1.1.1 255.255.255.128 standby 80.1.1.2
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.10.32 10.20.20.0 255.255.255.0
access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255
access-list outside extended permit icmp any any
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list inside extended permit ip any any
access-list policy-nat-1 extended permit ip 10.0.0.0 255.0.0.0 any
access-list policy-nat-1 extended permit ip 172.16.0.0 255.240.0.0 any
global (outside) 1 100.1.1.1
nat (inside) 1 access-list policy-nat-1
static (inside,outside) 80.2.2.2 10.1.1.1 netmask 255.255.255.255
static (outside,inside) 10.2.2.0 10.20.20.0 netmask 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
route inside 172.16.0.0 255.240.0.0 90.1.1.5
route inside 10.0.0.0 255.0.0.0 90.1.1.5
route outside 0.0.0.0 0.0.0.0 80.1.1.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRY-MAP 10 match address proxy_acl
crypto map CRY-MAP 10 set peer 60.1.1.1
crypto map CRY-MAP 10 set transform-set ESP-3DES-SHA
crypto map CRY-MAP 10 set security-association lifetime seconds 28800
crypto map CRY-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
!
tunnel-group 60.1.1.1 type ipsec-l2l
tunnel-group 60.1.1.1 ipsec-attributes
pre-shared-key *
B-end PIX
access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
access-list no_nat permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
nat (data) 0 access-list no_nat
crypto ipsec transform-set 3dessha1 esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address proxy-acl
crypto map vpn 10 set peer 80.1.1.1
crypto map vpn 10 set transform-set 3dessha1
crypto map vpn interface outside
isakmp key ******** address 80.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
02-20-2009 06:54 AM
ASA config:
- There is no route for 10.20.10.32 - you have a route for 10/8 pointing to the inside. Add another route:
route outside 10.20.10.32 255.255.255.255 80.1.1.5
PIX config:
- You have the ACL access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
BUT you are natting the host to address 80.2.2.2 - the IPs don't match.
Also make sure you have a route.
HTH
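Added example (not code from either post): a small Python check that parses both peers' crypto ACLs and reports every A-end (source, destination) entry that has no exact mirrored (destination, source) entry on the B-end, which is what catches the 8.2.2.2 vs 80.2.2.2 typo the reply points out. The ACL text is constructed here, modelled on the posted configs; the NAT'ed addresses are the ones both sides must agree on.

```python
import ipaddress

# Constructed sample crypto ACLs modelled on the two configs in the thread
# (not the posts verbatim): A-end ASA vs. B-end PIX, where the PIX entry
# carries the 8.2.2.2 typo instead of the NAT'ed address 80.2.2.2.
A_END_ACL = """
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.20.0 255.255.255.0
"""
B_END_ACL = """
access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
"""
B_END_ACL_FIXED = B_END_ACL.replace(" 8.2.2.2 ", " 80.2.2.2 ")


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'host X', 'any' or 'X MASK' at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_crypto_acl(text):
    """Parse the permit lines of a PIX/ASA crypto ACL into (src, dst) network pairs."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit") + 2  # skip 'permit' and the protocol keyword (ip)
        src, i = _parse_addr(tokens, i)
        dst, _ = _parse_addr(tokens, i)
        pairs.append((src, dst))
    return pairs


def proxy_identity_mismatches(a_text, b_text):
    """A-end (src, dst) pairs with no exact mirrored (dst, src) entry on the B-end."""
    # Phase 2 needs matching proxy identities; any pair returned here keeps the SA down.
    b_mirrored = {(dst, src) for src, dst in parse_crypto_acl(b_text)}
    return [pair for pair in parse_crypto_acl(a_text) if pair not in b_mirrored]


if __name__ == "__main__":
    for src, dst in proxy_identity_mismatches(A_END_ACL, B_END_ACL):
        print(f"A-end {src} -> {dst} has no mirror entry on the B-end")
    print("after fix:", proxy_identity_mismatches(A_END_ACL, B_END_ACL_FIXED))
```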