L2L with 3 sites

Unanswered Question

Hello

I'm implementing a scenario like the attached diagram by connecting the LAN behind ASA-1 to the networks behind ASA-2 and ASA-3 using L2L VPN. The tunnel is in the up state between ASA-1 and ASA-2, while it didn't come up between ASA-1 and ASA-3.

I attached the config and the topology of each ASA, so please guide me to a working and ideal config.

Thanks, appreciated.

acomiskey Tue, 11/10/2009 - 11:10

This should help. You don't want to use the same match ACL for each of your tunnels; you want to split them up, one for each tunnel. You also don't need the ICMP lines in your match ACL, they won't do anything. You were also missing the nonat for the second tunnel to ASA-3.

ASA-1

access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf2

ASA-3

access-list inf extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
crypto map MAP 10 match address inf
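The two rules in the answer (one match ACL per crypto-map entry, and a NAT-exemption entry for every network pair the crypto ACL protects) are easy to check mechanically before a tunnel is brought up. The following script is an added example, not code from the thread or from Cisco: it parses plain ASA `access-list` and `crypto map ... match address` lines, reports crypto-map entries that share a match ACL, reports crypto ACL pairs with no `nonat` counterpart, and confirms that a peer's crypto ACL is the exact mirror image. The `ASA1_FIXED` and `ASA3_FIXED` strings are the answer's configs; `ASA1_BROKEN` is a constructed "before" state that matches the answer's description of the original problem.

```python
"""Consistency checks for ASA L2L crypto-map match ACLs and NAT exemption.

Added example (not from the original thread). The ACL and crypto-map
syntax parsed here is the plain form shown in the answer; 'nonat' is
assumed to be the name of the NAT-exemption ACL.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")

# Configs as given in the answer (ASA-1 and ASA-3).
ASA1_FIXED = """
access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf2
"""
ASA3_FIXED = """
access-list inf extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
crypto map MAP 10 match address inf
"""
# Constructed "before" state: one ACL shared by both tunnels, nonat only for tunnel 1.
ASA1_BROKEN = """
access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf
"""


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, [(map, seq, acl), ...])."""
    acls, maps = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            # ip_network accepts a dotted netmask after the slash.
            pair = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            acls.setdefault(name, []).append(pair)
            continue
        m = MAP_RE.match(line)
        if m:
            maps.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, maps


def check_local(acls, maps, nonat="nonat"):
    """Findings for one ASA: shared match ACLs and crypto pairs lacking NAT exemption."""
    findings, first_use = [], {}
    for map_name, seq, acl in maps:
        if acl in first_use:
            findings.append(f"{map_name} {seq}: match ACL {acl} already used by seq {first_use[acl]}")
        first_use.setdefault(acl, seq)
        for src, dst in acls.get(acl, []):
            if (src, dst) not in acls.get(nonat, []):
                findings.append(f"{map_name} {seq}: no {nonat} entry for {src} -> {dst}")
    return findings


def check_mirror(local_acls, local_acl, peer_acls, peer_acl):
    """Every local entry src->dst must appear on the peer's crypto ACL as dst->src."""
    peer_pairs = set(peer_acls.get(peer_acl, []))
    return [f"peer ACL {peer_acl} lacks mirror of {src} -> {dst}"
            for src, dst in local_acls.get(local_acl, []) if (dst, src) not in peer_pairs]


if __name__ == "__main__":
    a1, m1 = parse_config(ASA1_FIXED)
    a3, m3 = parse_config(ASA3_FIXED)
    print("ASA-1 fixed:", check_local(a1, m1) or "ok")
    print("ASA-1 <-> ASA-3 mirror:", check_mirror(a1, "inf2", a3, "inf") or "ok")
    b1, bm1 = parse_config(ASA1_BROKEN)
    for f in check_local(b1, bm1):
        print("ASA-1 broken:", f)
```

Run it as-is and the fixed configs produce no findings, while the constructed broken config reports the shared ACL on sequence 20 and the missing `nonat` entry for 10.11.11.0/24 to 15.15.15.0/24 on both sequences. The mirror check is per tunnel on purpose: ASA-1's `inf` belongs to the ASA-2 tunnel, so checking it against ASA-3 is expected to fail.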

hello

Okay, the tunnel came up just with the command "sysopt connection permit-vpn":

ciscoasa(config)# sh crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 192.1.1.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

2 IKE Peer: 192.168.1.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

ciscoasa(config)#

But I couldn't ping from hosts behind ASA-3 to hosts behind ASA-1:

Pinging 10.11.11.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.11.11.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ASA-3 access-list
--------------------

ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=1) 0x83edf381
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58
ciscoasa(config)#

ASA-1 access-list
---------------------

ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=72) 0x3e362915
access-list nonat; 2 elements
access-list nonat line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0x1ad3390
access-list nonat line 2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=0) 0x4fe97626
access-list inf2; 1 elements
access-list inf2 line 1 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=18) 0x32f7b868
ciscoasa(config)#

Now how can I fix that, please?

Thanks, appreciated.
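The `hitcnt` values in the `show access-list` output above are the quickest evidence of which ACL line actually saw a test ping: a counter that moves between two snapshots ties the traffic to that line, and a counter that stays at zero (as `nonat` does on both ASAs here) shows the line was never consulted for it. The parser below is an added example, not part of the thread or a Cisco tool: it extracts each ACL line's hit count from the output as printed, computes the per-line change between two snapshots, and lists the lines that were never hit. `ASA3_BEFORE` is the ASA-3 output from the post; `ASA3_AFTER` is a constructed second snapshot taken after another test ping.

```python
"""Read hit counters from ASA 'show access-list' output and diff two snapshots.

Added example (not from the original thread). Only the 'access-list NAME
line N ... (hitcnt=K)' lines are parsed; summary and header lines are skipped.
"""
import re

SHOW_RE = re.compile(r"^access-list\s+(\S+)\s+line\s+(\d+)\s+(.+?)\s+\(hitcnt=(\d+)\)")

# ASA-3 output exactly as shown in the post.
ASA3_BEFORE = """
ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=1) 0x83edf381
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58
ciscoasa(config)#
"""
# Constructed second snapshot: four more ping attempts have matched 'inf', 'nonat' still untouched.
ASA3_AFTER = """
access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=5) 0x83edf381
access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58
"""


def parse_show_access_list(text):
    """Return {(acl_name, line_no): (rule_text, hitcnt)} for every rule line found."""
    entries = {}
    for raw in text.splitlines():
        m = SHOW_RE.match(raw.strip())
        if m:
            entries[(m.group(1), int(m.group(2)))] = (m.group(3), int(m.group(4)))
    return entries


def hit_delta(before, after):
    """Change in hitcnt per ACL line present in both snapshots."""
    return {key: after[key][1] - before[key][1] for key in after if key in before}


def zero_hit_lines(entries):
    """ACL lines whose counter is still zero, in output order."""
    return [key for key, (_, hits) in entries.items() if hits == 0]


if __name__ == "__main__":
    before = parse_show_access_list(ASA3_BEFORE)
    after = parse_show_access_list(ASA3_AFTER)
    for key, change in hit_delta(before, after).items():
        print(f"{key[0]} line {key[1]}: +{change} hits")
    print("never hit:", zero_hit_lines(after))
```

Take one snapshot, send the test pings, take another, and feed both to `hit_delta`; the lines whose counter rose are the ones the traffic matched, and `zero_hit_lines` names the ones it never reached.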
