04-23-2009 11:02 PM
Guys, I have an L2L VPN setup between an ASA and an 857 - the stripped-down config of the ASA is below:
access-list nonat extended permit ip <local-ip> 255.255.255.0 <remote-ip> 255.255.255.0
access-list nonat extended permit ip <local-ip2> 255.255.255.0 <remote-ip> 255.255.255.0
access-list outside_cryptomap_81 extended permit ip <local-ip> 255.255.0.0 <remote-ip> 255.255.255.0
nat (inside) 0 access-list nonat
route outside <remote-ip> 255.255.255.0 internode-gw 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto map outside_map1 81 match address outside_cryptomap_81
crypto map outside_map1 81 set peer <ip-addr>
crypto map outside_map1 81 set transform-set ESP-3DES-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group <ip-addr> type ipsec-l2l
tunnel-group <name> ipsec-attributes
pre-shared-key *
!
I am able to ping hosts from both directions (on both local subnets) - but if I specify <local-ip2> in the crypto map ACL, then I am no longer able to ping devices in that subnet from the remote site.
Any help would be appreciated
Dan
04-23-2009 11:08 PM
857 config as below:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map
description Tunnel to
set peer
set transform-set ESP-3DES-SHA1
match address IPSec_tunnel
!
ip nat inside source route-map RMAP_1 interface Dialer0 overload
!
ip access-list extended IPSec_tunnel
remark Tunnel these addresses
permit ip
permit ip
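The symptom above (one subnet reachable, another not once it is added to the crypto ACL) is the classic one for IPsec proxy identities that do not mirror each other between the two peers, or for traffic that is NAT-exempted without being covered by the crypto ACL. The checker below is an added example, not code from this thread or from Cisco: it parses the ASA `access-list ... extended permit ip` lines and the IOS named ACL, mirrors the IOS side (source and destination swapped), and reports every entry with no exact counterpart, plus every `nonat` entry that no crypto ACL entry covers. All addresses are constructed placeholders; the first ASA sample deliberately reuses the shape of the posted config (a `255.255.0.0` mask in the crypto ACL against `255.255.255.0` in `nonat` and on the 857) so the mismatch report shows what to look for. Only the plain `ip SRC MASK DST MASK` / `ip SRC WILDCARD DST WILDCARD` forms are handled; `host`, `any` and object-group forms are not.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# A rule is (source network, destination network).
Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# ASA syntax: access-list NAME extended permit ip SRC NETMASK DST NETMASK
ASA_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# IOS named extended ACL syntax: permit ip SRC WILDCARD DST WILDCARD
IOS_RE = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _net_from_mask(addr: str, netmask: str) -> ipaddress.IPv4Network:
    # strict=False so "10.1.1.0 255.255.0.0" normalises to 10.1.0.0/16,
    # which is exactly how the ASA will announce the proxy ID.
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _net_from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS ACLs use inverted (wildcard) masks; a non-contiguous wildcard raises ValueError.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_asa_acl(config: str, name: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in config.splitlines():
        m = ASA_RE.match(raw.strip())
        if m and m.group(1) == name:
            rules.append((_net_from_mask(m.group(2), m.group(3)),
                          _net_from_mask(m.group(4), m.group(5))))
    return rules


def parse_ios_acl(config: str, name: str) -> List[Rule]:
    rules: List[Rule] = []
    in_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list"):
            in_acl = line.split()[-1] == name
            continue
        if not in_acl or line.startswith("remark"):
            continue
        m = IOS_RE.match(line)
        if m:
            rules.append((_net_from_wildcard(m.group(1), m.group(2)),
                          _net_from_wildcard(m.group(3), m.group(4))))
        else:
            in_acl = False  # "!" or any other line ends the ACL block
    return rules


def _fmt(rule: Rule) -> str:
    return f"{rule[0]} -> {rule[1]}"


def compare_proxy_ids(asa_rules: List[Rule], ios_rules: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Entries on each side whose exact mirror image is absent on the other side."""
    asa = set(asa_rules)
    ios_mirrored = {(dst, src) for src, dst in ios_rules}
    return (sorted(asa - ios_mirrored, key=_fmt), sorted(ios_mirrored - asa, key=_fmt))


def nonat_not_tunnelled(nonat_rules: List[Rule], crypto_rules: List[Rule]) -> List[Rule]:
    """nonat entries not contained in any crypto ACL entry: exempt from NAT, but never encrypted."""
    return [(s, d) for s, d in nonat_rules
            if not any(s.subnet_of(cs) and d.subnet_of(cd) for cs, cd in crypto_rules)]


def audit(asa_config: str, ios_config: str, crypto_acl: str = "outside_cryptomap_81",
          nonat_acl: str = "nonat", ios_acl: str = "IPSec_tunnel") -> Dict[str, List[str]]:
    crypto = parse_asa_acl(asa_config, crypto_acl)
    nonat = parse_asa_acl(asa_config, nonat_acl)
    remote = parse_ios_acl(ios_config, ios_acl)
    missing_on_ios, missing_on_asa = compare_proxy_ids(crypto, remote)
    return {
        "missing_on_ios": [_fmt(r) for r in missing_on_ios],
        "missing_on_asa": [_fmt(r) for r in missing_on_asa],
        "nonat_not_tunnelled": [_fmt(r) for r in nonat_not_tunnelled(nonat, crypto)],
    }


# Constructed sample configs (addresses are placeholders, not from the thread).
ASA_MISMATCH = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 10.1.1.0 255.255.0.0 192.168.50.0 255.255.255.0
"""
# Per-subnet crypto ACL; the third nonat line is deliberately left out of it.
ASA_PER_SUBNET = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 10.1.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
IOS_857 = """
ip access-list extended IPSec_tunnel
 remark Tunnel these addresses
 permit ip 192.168.50.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 10.1.2.0 0.0.0.255
!
"""

if __name__ == "__main__":
    for label, asa in (("mask mismatch", ASA_MISMATCH), ("per-subnet", ASA_PER_SUBNET)):
        print(label, audit(asa, IOS_857))
```

With the first sample the ASA side announces `10.1.0.0/16 -> 192.168.50.0/24` while the 857 expects two /24 pairs, so both lists of missing entries are non-empty; with the second sample the proxy IDs match and only the uncovered `nonat` line is reported.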
04-28-2009 04:00 PM
Can anyone shed any light on this problem?
Cheers