11-10-2009 11:02 AM
Hello
I'm implementing a scenario like the attached diagram by connecting the LAN behind ASA-1 to the networks behind ASA-2 and ASA-3 using L2L VPN.
The tunnel is in the up state between ASA-1 and ASA-2, while it didn't come up between ASA-1 and ASA-3.
I attached the config + the topology of each ASA, so please guide me to a working and ideal config.
Thanks and appreciate
11-10-2009 11:10 AM
This should help. You don't want to use the same match acl for each of your tunnels. You want to split them up, 1 for each tunnel. You also don't need the icmp lines in your match acl, they won't do anything. You were also missing the nonat for the 2nd tunnel to asa 3.
ASA - 1
access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf2
ASA - 3
access-list inf extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
crypto map MAP 10 match address inf
11-10-2009 11:28 AM
hello
Thanks man, are you sure it will work like this?
thanks
11-13-2009 04:01 AM
hello
okay the tunnel came up just with the command "sysopt connection permit-vpn":
ciscoasa(config)# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 192.1.1.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 192.168.1.10
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa(config)#
BUT I COULDN'T PING FROM HOSTS BEHIND ASA-3 toward hosts behind ASA-1
Pinging 10.11.11.100 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
ASA-3 access-list
--------------------
ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=1) 0x83edf381
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58
ciscoasa(config)#
ASA-1 access-list
---------------------
ciscoasa(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inf; 1 elements
access-list inf line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=72) 0x3e362915
access-list nonat; 2 elements
access-list nonat line 1 extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0x1ad3390
access-list nonat line 2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=0) 0x4fe97626
access-list inf2; 1 elements
access-list inf2 line 1 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0 (hitcnt=18) 0x32f7b868
ciscoasa(config)#
Ping statistics for 10.11.11.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Now how can I fix that, please?
Thanks and Appreciate
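The two problems named in the first reply (one match ACL shared by two crypto map entries, and a crypto ACL with no matching NAT-exemption entry) and the hitcnt columns in the "sh access-list" output above are all things a script can check before a tunnel is brought up. The following is an added example written for this thread, not code from the original posts or from Cisco: it parses the ACL and crypto map lines in the form used here ("permit ip <net> <mask> <net> <mask>", optionally followed by "(hitcnt=N)"), reports shared match ACLs, NAT-exemption gaps, whether a peer's crypto ACL is the exact mirror of ours, and which entries have never been hit. The "before" config for ASA-1 is constructed from the reply's description of the original mistake; the "after" config and the show output are the ones posted in the thread. Names such as parse, nonat_gaps and mirrors are this example's own.

```python
import re

# Regex for the ACL syntax used in this thread (network/mask, "permit ip" only).
# It matches both config lines and "show access-list" output lines.
ACL_RE = re.compile(
    r"access-list (?P<name>\S+)(?: line (?P<line>\d+))? extended permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\d+\.\d+\.\d+\.\d+)"
    r"(?:.*?\(hitcnt=(?P<hits>\d+)\))?"
)
MAP_RE = re.compile(r"crypto map (?P<map>\S+) (?P<seq>\d+) match address (?P<acl>\S+)")

# Constructed "before" config for ASA-1: one ACL used by both map entries, nonat for tunnel 1 only.
ASA1_BEFORE = """
access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf
"""
# Corrected configs as posted in the reply.
ASA1_AFTER = """
access-list inf extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inf2 extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.11.11.0 255.255.255.0 15.15.15.0 255.255.255.0
crypto map MAP 10 match address inf
crypto map MAP 20 match address inf2
"""
ASA3_CONFIG = """
access-list inf extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
access-list nonat extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0
crypto map MAP 10 match address inf
"""
# "sh access-list" output for ASA-3, as posted.
ASA3_SHOW = """
access-list inf; 1 elements
access-list inf line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=1) 0x83edf381
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 15.15.15.0 255.255.255.0 10.11.11.0 255.255.255.0 (hitcnt=0) 0x78b10b58
"""


def parse(text):
    """Return (acls, crypto_maps, hits).

    acls: {acl_name: [(src/mask, dst/mask), ...]} in config order
    crypto_maps: {(map_name, seq): acl_name}
    hits: {(acl_name, entry_index): hitcnt or None when the line has no counter}
    """
    acls, maps, hits = {}, {}, {}
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            entry = (f"{m['src']}/{m['smask']}", f"{m['dst']}/{m['dmask']}")
            acls.setdefault(m["name"], []).append(entry)
            idx = len(acls[m["name"]]) - 1
            hits[(m["name"], idx)] = int(m["hits"]) if m["hits"] else None
            continue
        m = MAP_RE.search(line)
        if m:
            maps[(m["map"], int(m["seq"]))] = m["acl"]
    return acls, maps, hits


def shared_match_acls(maps):
    """Match ACLs referenced by more than one crypto map entry (problem 1 in the reply)."""
    users = {}
    for key, acl in maps.items():
        users.setdefault(acl, []).append(key)
    return {acl: sorted(keys) for acl, keys in users.items() if len(keys) > 1}


def nonat_gaps(acls, maps, nonat="nonat"):
    """Crypto ACL entries with no identical NAT-exemption entry (problem 2 in the reply)."""
    exempt = set(acls.get(nonat, []))
    return [(seq, acl, e) for (_, seq), acl in sorted(maps.items())
            for e in acls.get(acl, []) if e not in exempt]


def mirrors(local_acls, local_acl, peer_acls, peer_acl):
    """True if the peer's crypto ACL is exactly ours with src and dst swapped."""
    local = set(local_acls.get(local_acl, []))
    peer = {(d, s) for s, d in peer_acls.get(peer_acl, [])}
    return bool(local) and local == peer


def zero_hit_entries(hits):
    """Entries from show output whose counter is still 0."""
    return sorted(k for k, cnt in hits.items() if cnt == 0)


if __name__ == "__main__":
    acls, maps, _ = parse(ASA1_BEFORE)
    print("before: shared ACLs", shared_match_acls(maps), "nonat gaps", nonat_gaps(acls, maps))
    acls1, maps1, _ = parse(ASA1_AFTER)
    acls3, maps3, hits3 = parse(ASA3_CONFIG + ASA3_SHOW)
    print("after: shared ACLs", shared_match_acls(maps1), "nonat gaps", nonat_gaps(acls1, maps1))
    print("ASA-1 inf2 mirrors ASA-3 inf:", mirrors(acls1, "inf2", acls3, "inf"))
    print("ASA-3 entries never hit:", zero_hit_entries(hits3))
```

Running it against the "before" config flags the shared ACL "inf" on map entries 10 and 20 and the missing nonat entry for 15.15.15.0; against the corrected configs both lists are empty and ASA-1's inf2 is confirmed as the mirror of ASA-3's inf. On the posted show output the checker lists ASA-3's nonat entry as never hit, which is the kind of entry worth looking at first when the IKE SA is active but traffic does not pass.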
11-13-2009 05:43 AM
Can you post the whole configs?
11-17-2009 09:15 AM
hello
friend, already attached along with this post, just added your suggestion