L2L with 3 sites

alsayed
Level 1

Hello

I'm implementing a scenario like the attached diagram by connecting the LAN behind ASA-1 toward the networks behind ASA-2 and ASA-3 using VPN L2L. The tunnel is in the up state between ASA-1 and ASA-2, while it didn't come up between ASA-1 and ASA-3.

I attached the config + the topology of each ASA, so please guide me to a working and ideal config.

Thanks and appreciate

5 Replies

acomiskey
Level 10

This should help. You don't want to use the same match ACL for each of your tunnels. You want to split them up, one for each tunnel. You also don't need the ICMP lines in your match ACL; they won't do anything. You were also missing the nonat for the 2nd tunnel to ASA-3.

ASA - 1

access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf2

ASA - 3

access-list inf extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
crypto map MAP 10 match address inf
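To check the three points in this reply mechanically, here is an added Python script (not from the thread and not Cisco code) that parses pre-8.3 ASA lines in this style and flags two crypto map entries sharing one match ACL, non-ip ACEs in a crypto ACL, and interesting-traffic flows with no NAT exemption actually bound via "nat (inside) 0 access-list". The sample config is constructed from the ASA-1 lines above; the "nat (inside) 0" binding line is an assumption, since the thread never shows it.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")  # pre-8.3 NAT exemption

# Constructed sample: ASA-1 as given in the reply above, but with the nonat
# ACL never bound by "nat (inside) 0 access-list nonat" (assumed syntax).
ASA1_UNBOUND = """
access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf2
"""
ASA1_FIXED = ASA1_UNBOUND + "nat (inside) 0 access-list nonat\n"


def audit(config: str) -> List[str]:
    """Return one finding per mistake discussed in the thread (empty = clean)."""
    acls: Dict[str, List[Tuple[str, ...]]] = defaultdict(list)  # name -> ACEs
    crypto: List[Tuple[str, int, str]] = []                    # (map, seq, acl)
    bound: Set[str] = set()                                     # ACLs used by nat 0
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.groups()[1:])  # (proto, src, smask, dst, dmask)
        elif m := MAP_RE.match(line):
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := NAT0_RE.match(line):
            bound.add(m.group(2))
    findings: List[str] = []
    # Exempted flows = ip ACEs of every ACL that is actually bound to nat 0.
    exempt = {ace[1:] for name in bound for ace in acls[name] if ace[0] == "ip"}
    seen_acl: Dict[str, int] = {}
    for mapname, seq, acl in crypto:
        if acl in seen_acl:  # one match ACL shared by two tunnels
            findings.append(f"{mapname} {seq} reuses match ACL {acl} (seq {seen_acl[acl]})")
        seen_acl.setdefault(acl, seq)
        for ace in acls.get(acl, []):
            proto, src, smask, dst, dmask = ace
            if proto != "ip":  # icmp/tcp lines in a crypto ACL do nothing useful here
                findings.append(f"{acl}: non-ip ACE ({proto}) in crypto ACL; use an ip ACE")
            elif (src, smask, dst, dmask) not in exempt:
                findings.append(f"{acl}: {src}/{smask} -> {dst}/{dmask} has no bound NAT exemption")
    return findings
```

audit(ASA1_UNBOUND) reports both tunnel flows as lacking a bound NAT exemption, while audit(ASA1_FIXED) returns an empty list.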

Hello

Thanks man, are you sure it will work like this?

Thanks

Hello

Okay, the tunnel came up just with the command "sysopt connection permit-vpn":

ciscoasa(config)# sh crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 192.1.1.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

2 IKE Peer: 192.168.1.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

ciscoasa(config)#

But I couldn't ping from hosts behind ASA-3 toward hosts behind ASA-1:

Pinging 10.11.11.100 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

ASA-3 access-list
--------------------

ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=1) 0x83edf381
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58
ciscoasa(config)#

ASA-1 access-list
---------------------

ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=72) 0x3e362915
access-list nonat; 2 elements
access-list nonat line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0x1ad3390
access-list nonat line 2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=0) 0x4fe97626
access-list inf2; 1 elements
access-list inf2 line 1 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=18) 0x32f7b868
ciscoasa(config)#

Ping statistics for 10.11.11.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Now how can I fix that, please?

Thanks and appreciate

Can you post the whole configs?

Hello

Friend, it is already attached along with this post; I just added your suggestion.
