04-23-2009 11:02 PM
Guys, I have a L2L VPN setup between an ASA and a 857 - the stripped down config of the ASA is below:
access-list nonat extended permit ip <local-ip> 255.255.255.0 <remote-ip> 255.255.255.0
access-list nonat extended permit ip <local-ip2> 255.255.255.0 <remote-ip> 255.255.255.0
access-list outside_cryptomap_81 extended permit ip <local-ip> 255.255.0.0 <remote-ip> 255.255.255.0
nat (inside) 0 access-list nonat
route outside <remote-ip> 255.255.255.0 internode-gw 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto map outside_map1 81 match address outside_cryptomap_81
crypto map outside_map1 81 set peer <ip-addr>
crypto map outside_map1 81 set transform-set ESP-3DES-SHA
crypto map outside_map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group <ip-addr> type ipsec-l2l
tunnel-group <name> ipsec-attributes
pre-shared-key *
!
I am able to ping hosts from both directions (on both local subnets) - but if I specify <local-ip2> in the cryptomap acl then I am no longer able to ping devices in that subnet from the remote site.
Any help would be appreciated
Dan
04-23-2009 11:08 PM
857 config as below:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map
description Tunnel to
set peer
set transform-set ESP-3DES-SHA1
match address IPSec_tunnel
!
ip nat inside source route-map RMAP_1 interface Dialer0 overload
!
ip access-list extended IPSec_tunnel
remark Tunnel these addresses
permit ip
permit ip
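The two configs above show the usual pair of things to verify on an ASA-to-IOS L2L tunnel: the crypto ACLs on both peers must be exact mirror images (IKEv1 quick mode negotiates the proxy identities as the SA's traffic selector, so a /16 on one side against a /24 on the other is a mismatch, not a superset), and every crypto ACL entry on the ASA must be fully covered by the `nat (inside) 0` exemption ACL, otherwise that traffic is translated before the crypto map is evaluated and never enters the tunnel. The script below is an added example, not code from the posts or from Cisco; it parses the two ACL syntaxes seen in the thread (ASA extended ACLs with subnet masks, IOS named extended ACLs with wildcard masks) and reports both problems, plus any transform set that uses DES/3DES, MD5 or no ESP authentication. The 10.1.x.x and 192.168.10.0 addresses are constructed stand-ins for the `<local-ip>`, `<local-ip2>` and `<remote-ip>` placeholders, and only the `permit ip A mask B mask` form used in the thread is handled.

```python
"""Consistency checks for an ASA <-> IOS site-to-site IPsec pair (added example)."""
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FOUR = rf"{IP} {IP} {IP} {IP}"


def _net(addr, mask, wildcard=False):
    """Network from an address plus a subnet mask (ASA) or a wildcard mask (IOS)."""
    if wildcard:  # IOS wildcard is the bitwise inverse of the subnet mask
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_acl(config, name):
    """(src, dst) networks of every 'permit ip' line in ASA access-list NAME."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit ip {FOUR}$")
    pairs = []
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            s, sm, d, dm = m.groups()
            pairs.append((_net(s, sm), _net(d, dm)))
    return pairs


def parse_ios_acl(config, name):
    """(src, dst) networks of every 'permit ip' line in 'ip access-list extended NAME'."""
    pat = re.compile(rf"^permit ip {FOUR}$")
    pairs, inside = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
            continue
        if inside:
            if line.startswith("remark"):
                continue
            m = pat.match(line)
            if not m:  # any other line ('!', next section) ends the ACL block
                inside = False
                continue
            s, sw, d, dw = m.groups()
            pairs.append((_net(s, sw, True), _net(d, dw, True)))
    return pairs


def mirror_mismatches(asa_pairs, ios_pairs):
    """Entries on each side whose exact mirror (dst, src) is absent on the other."""
    asa_set, ios_set = set(asa_pairs), set(ios_pairs)
    return ([p for p in asa_pairs if (p[1], p[0]) not in ios_set],
            [p for p in ios_pairs if (p[1], p[0]) not in asa_set])


def not_nat_exempt(crypto_pairs, nonat_pairs):
    """Crypto ACL entries not fully inside some nat-exemption entry."""
    return [(loc, rem) for loc, rem in crypto_pairs
            if not any(loc.subnet_of(nl) and rem.subnet_of(nr) for nl, nr in nonat_pairs)]


def weak_transform_sets(config):
    """Names of transform sets using DES/3DES, MD5, or no ESP authentication."""
    weak = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-none")
    found = []
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        name, algs = m.groups()
        if any(a in algs.split() for a in weak):
            found.append(name)
    return found


# Constructed sample configs: stand-ins for the placeholders in the posts.
ASA_CONFIG = """
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_81 extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
"""

IOS_CONFIG = """
ip access-list extended IPSec_tunnel
 remark Tunnel these addresses
 permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.1.2.0 0.0.0.255
!
"""


def run_checks(asa_config=ASA_CONFIG, ios_config=IOS_CONFIG):
    crypto = parse_asa_acl(asa_config, "outside_cryptomap_81")
    nonat = parse_asa_acl(asa_config, "nonat")
    ios = parse_ios_acl(ios_config, "IPSec_tunnel")
    asa_only, ios_only = mirror_mismatches(crypto, ios)
    return {"asa_unmirrored": asa_only, "ios_unmirrored": ios_only,
            "not_exempt": not_nat_exempt(crypto, nonat),
            "weak_sets": weak_transform_sets(asa_config)}


if __name__ == "__main__":
    for key, val in run_checks().items():
        print(f"{key}: {val}")
```

With the sample input the /16 entry in `outside_cryptomap_81` is reported as having no mirror on the 857 side, both 857 entries are reported as unmirrored on the ASA, and the /16 is reported as not fully covered by `nonat` (the two /24 exemptions leave the rest of the /16 subject to translation). Replacing the single /16 line with one /24 line per local subnet clears all three reports. Two caveats from the posted ASA config itself: `ESP-3DES esp-3des esp-none` defines an ESP transform with no integrity protection and should be removed even though crypto map entry 81 does not reference it, and both the ISAKMP policies and the selected transform set use 3DES (policy 1 also uses MD5), which a current deployment should replace with AES and SHA.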
04-28-2009 04:00 PM
Can anyone shed any light on this problem?
Cheers