05-24-2010 01:04 AM - edited 03-11-2019 10:49 AM
Hello all,
I have 2 sites connected to a central hub via VPN. I need the 2 remote sites to talk to each other. This all works correctly by hairpinning on the outside interface of the hub, except that the SA between remote site A and the hub does not get established for the subnet at remote site B when pinging from site B to site A. I have to ping from both remote sites to the opposite remote subnet for the SAs to be established and traffic to pass correctly.
Does anyone know how I can get the SAs to establish on both tunnels by sending traffic in 1 direction only?
Please let me know if you need any further details.
Thanks
05-24-2010 01:11 AM
Sounds like both remote sites have dynamic public ip address assigned on its outside interface (vpn termination interface).
If that is a true statement, then you would need to ping both ways, as each remote site needs to establish the VPN towards the hub first before they can ping each other.
If both remote sites have static public IP addresses assigned, then please share the config from all 3 sites.
05-24-2010 02:59 AM
Hi, thanks for the reply. I have static IPs at all sites. Here are the relevant bits of the config:
Remote site 1
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.13.1.1 255.255.0.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.14.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
boot system disk0:/asa805-k8.bin
access-list inside_access_in extended permit ip 10.13.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.13.0.0 255.255.0.0 10.0.0.0 255.0.0.0
global (inside) 1 interface
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.13.0.0 255.255.0.0
nat (dmz) 1 10.14.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map_1 10 match address outside_cryptomap_10_1
crypto map outside_map_1 10 set peer 3.3.3.3
crypto map outside_map_1 10 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
____________________________________________________________
Remote site 2
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.30.1.1 255.255.0.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.31.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.0
boot system disk0:/asa805-k8.bin
access-list inside_access_in extended permit ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0
global (inside) 1 interface
global (dmz) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.30.0.0 255.255.0.0
nat (dmz) 1 10.31.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map_1 10 match address outside_cryptomap_10_1
crypto map outside_map_1 10 set peer 3.3.3.3
crypto map outside_map_1 10 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *
________________________________________________________________________
Hub site:
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.20.1.1 255.255.0.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 10.21.1.1 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 3.3.3.3 255.255.255.0
boot system disk0:/asa805-k8.bin
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 10.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.20.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended permit ip 10.20.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list outside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
global (inside) 1 interface
global (dmz) 1 interface
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.20.0.0 255.255.0.0
nat (dmz) 1 10.21.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map_1 10 match address outside_cryptomap_10_1
crypto map outside_map_1 10 set peer 1.1.1.1
crypto map outside_map_1 10 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 20 match address outside_cryptomap_20_1
crypto map outside_map_1 20 set peer 2.2.2.2
crypto map outside_map_1 20 set transform-set ESP-AES-128-SHA
crypto map outside_map_1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *
Please let me know if there's anything else you would like to see.
James
05-24-2010 04:56 AM
Configuration looks perfect, except 1 line that is not required on the HUB ASA:
nat (outside) 0 access-list outside_nat0_outbound
Please remove the nat 0 with ACL on the outside interface as it is not required, and "clear xlate".
Clear the SA on all 3 ASAs, and please test ping from 1 site (ie: remote 1 LAN) with 20 ping packets towards remote 2 LAN, and grab the output of the following from all 3 ASAs:
show crypto ipsec sa
05-24-2010 06:40 AM
I have removed that line of config and all still works as before. Strange as I had always needed this in the past to allow RA VPN users to hairpin back out to other remote subnets...
Here are the SAs; they look just the same as before, with decaps at the hub but no encaps going out to the second remote site.
Remote site 1
remotesite1# sh crypto ipsec sa peer 3.3.3.3
peer address: 3.3.3.3
Crypto map tag: outside_map_1, seq num: 80, local addr: 1.1.1.1
access-list outside_cryptomap_80_1 extended permit ip 10.13.0.0 255.255.0.0 10.20.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 20, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 0847389F
current inbound spi : 517A7F5E
inbound esp sas:
spi: 0x517A7F5E (1366982494)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 15597568, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4374000/99854)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0847389F (138885279)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 15597568, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4373998/99854)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map_1, seq num: 80, local addr: 1.1.1.1
access-list outside_cryptomap_80_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 4847, #pkts encrypt: 4847, #pkts digest: 4847
#pkts decaps: 5477, #pkts decrypt: 5477, #pkts verify: 5477
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4847, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: CF6965BD
current inbound spi : 86269FF7
inbound esp sas:
spi: 0x86269FF7 (2250678263)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 15597568, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4369467/99777)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCF6965BD (3479791037)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 15597568, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4372358/99774)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Remote site 2
remotesite2# sh crypto ipsec sa peer 3.3.3.3
peer address: 3.3.3.3
Crypto map tag: outside_map_1, seq num: 80, local addr: 2.2.2.2
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.20.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 870, #pkts encrypt: 870, #pkts digest: 870
#pkts decaps: 875, #pkts decrypt: 875, #pkts verify: 875
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 870, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 3.3.3.3
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: A8BEB3DF
current inbound spi : 82ED8AA0
inbound esp sas:
spi: 0x82ED8AA0 (2196605600)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 10899456, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4373755/99444)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA8BEB3DF (2831070175)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 10899456, crypto-map: outside_map_1
sa timing: remaining key lifetime (kB/sec): (4373715/99444)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hub site
hubsite# sh crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3
access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 10118, #pkts encrypt: 10118, #pkts digest: 10118
#pkts decaps: 8897, #pkts decrypt: 8897, #pkts verify: 8897
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10118, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 86269FF7
current inbound spi : CF6965BD
inbound esp sas:
spi: 0xCF6965BD (3479791037)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 240832512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3911628/99290)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x86269FF7 (2250678263)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 240832512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3907245/99290)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3
access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 517A7F5E
current inbound spi : 0847389F
inbound esp sas:
spi: 0x0847389F (138885279)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 240832512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914998/99363)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x001FFFFF
outbound esp sas:
spi: 0x517A7F5E (1366982494)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 240832512, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/99362)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
hubsite# sh crypto ipsec sa peer 2.2.2.2
peer address: 2.2.2.2
Crypto map tag: outside_map, seq num: 120, local addr: 3.3.3.3
access-list outside_cryptomap_120 extended permit ip 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1708, #pkts encrypt: 1708, #pkts digest: 1708
#pkts decaps: 1681, #pkts decrypt: 1681, #pkts verify: 1681
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1708, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 3.3.3.3, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 82ED8AA0
current inbound spi : A8BEB3DF
inbound esp sas:
spi: 0xA8BEB3DF (2831070175)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 240865280, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914471/99013)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x82ED8AA0 (2196605600)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 240865280, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914535/99013)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I can't see anything in the isakmp debugs on the hub site... Any other suggestions greatly appreciated.
Thanks again,
James
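The symptom in the output above is visible in the counters alone: the hub's second SA to 1.1.1.1 (local ident 10.30.0.0/16) shows 20 decaps and 0 encaps, so the hub accepts the pings but never sends replies back through that SA. The script below is an added example, not code from this thread or from Cisco: it parses the shape of `show crypto ipsec sa` output and flags every SA that carries traffic in only one direction. The sample text is constructed from the hub's two SAs to peer 1.1.1.1 as posted, trimmed to the fields the check needs; the function names and the `min_pkts` threshold are my own.

```python
import re

# Constructed sample input, trimmed to the fields this check needs; the values
# follow the hub's two SAs to peer 1.1.1.1 as shown in the thread.
SAMPLE_SA_OUTPUT = """\
hubsite# sh crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3
local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 10118, #pkts encrypt: 10118, #pkts digest: 10118
#pkts decaps: 8897, #pkts decrypt: 8897, #pkts verify: 8897
Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3
local ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.0.0/255.255.0.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"^current_peer: (\S+)")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps: (\d+)")


def parse_ipsec_sas(text):
    """Split `show crypto ipsec sa` output into one dict per SA pair.

    A new SA block starts at each 'Crypto map tag:' line; within it we keep the
    proxy identities, the peer and the encaps/decaps counters.
    """
    sas = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"peer": None, "local": None, "remote": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = PEER_RE.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = ENCAPS_RE.match(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.match(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def one_way_sas(sas, min_pkts=1):
    """Return SAs that carry traffic in only one direction.

    Each hit is (peer, local ident, remote ident, direction). An SA with decaps
    but zero encaps means the device accepts the traffic but never sends anything
    back through that SA, which is the symptom posted for the hub's second SA.
    """
    flagged = []
    for sa in sas:
        e, d = sa["encaps"], sa["decaps"]
        if e >= min_pkts and d == 0:
            flagged.append((sa["peer"], sa["local"], sa["remote"], "outbound only"))
        elif d >= min_pkts and e == 0:
            flagged.append((sa["peer"], sa["local"], sa["remote"], "inbound only"))
    return flagged


if __name__ == "__main__":
    for hit in one_way_sas(parse_ipsec_sas(SAMPLE_SA_OUTPUT)):
        print("one-way SA:", hit)
```

Run against the full output of all three ASAs, a one-way hit on the hub paired with an outbound-only hit on the spoke for the same proxy identities points at the hub's crypto map or NAT rather than at the spoke.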
05-25-2010 12:33 AM
Any other ideas on what could be stopping the traffic going out over the second VPN from the hub site?
Is there anything else I can do on the hub to see what's happening? All devices have sysopt connection permit-vpn on, so I'm guessing it won't be an access-list issue...
05-25-2010 01:03 AM
Hi James,
How come the configuration on the HUB that you have posted earlier does not correspond to the SA:
From the output of SA on the HUB:
Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3
access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
Crypto map tag: outside_map, seq num: 320, local addr: 3.3.3.3
access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
Crypto map tag: outside_map, seq num: 120, local addr: 3.3.3.3
access-list outside_cryptomap_120 extended permit ip 10.0.0.0 255.0.0.0 10.30.0.0 255.255.0.0
while the configuration that you have posted earlier does not match as follows:
access-list outside_cryptomap_10_1 extended permit ip 10.20.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended permit ip 10.20.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list outside_cryptomap_20_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
Crypto ACLs need to be mirror images between the 2 sites, and it seems that you do not have mirror-image crypto ACLs. On the HUB, you have configured class A (10.0.0.0/8), while on the remote sites, you have configured class B (10.20.0.0/16). Please change the crypto ACL on the HUB to be a mirror image of the remote sites' crypto ACL.
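The mirror-image rule above is easy to check mechanically before tunnels are cleared. The script below is an added example, not code from this thread or from Cisco: it parses `access-list ... extended permit ip` lines as they appear in the posted configs and reports every spoke entry whose exact mirror (destination and source swapped) is absent on the hub, distinguishing a hub entry that is merely wider (10.0.0.0/8 covering 10.20.0.0/16, the case in this thread) from one that is missing altogether. The three config samples are constructed from the ACLs quoted in the thread; the function names and the 'wider'/'missing' labels are my own.

```python
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

# Constructed samples, following the ACL lines quoted in the thread.
SPOKE1_CONFIG = """\
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.13.0.0 255.255.0.0 10.30.0.0 255.255.0.0
"""

# What the hub was actually running (the ACL shown in the hub's SA output).
HUB_RUNNING_CONFIG = """\
access-list outside_cryptomap_10_1 extended permit ip 10.0.0.0 255.0.0.0 10.13.0.0 255.255.0.0
"""

# What the hub config as posted said (the exact mirror of the spoke ACL).
HUB_POSTED_CONFIG = """\
access-list outside_cryptomap_10_1 extended permit ip 10.20.0.0 255.255.0.0 10.13.0.0 255.255.0.0
access-list outside_cryptomap_10_1 extended permit ip 10.30.0.0 255.255.0.0 10.13.0.0 255.255.0.0
"""


def parse_crypto_acl(config_text, acl_name):
    """Return the (src, dst) network pairs of one named 'permit ip' crypto ACL."""
    entries = []
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m.group(1) != acl_name:
            continue
        # ASA writes dotted netmasks; ipaddress accepts "net/mask" directly.
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
        entries.append((src, dst))
    return entries


def check_mirror(spoke_entries, hub_entries):
    """Report every spoke entry whose exact mirror (dst -> src) is not on the hub.

    Returns a list of (spoke_src, spoke_dst, kind) where kind is
    'wider'   -- a hub entry covers the mirror with a larger network (for example
                 10.0.0.0/8 instead of 10.20.0.0/16), so the proxy identities the two
                 peers propose will not match, or
    'missing' -- no hub entry covers the mirror at all.
    """
    hub_set = set(hub_entries)
    problems = []
    for src, dst in spoke_entries:
        if (dst, src) in hub_set:
            continue
        covered = any(dst.subnet_of(hs) and src.subnet_of(hd) for hs, hd in hub_entries)
        problems.append((str(src), str(dst), "wider" if covered else "missing"))
    return problems


if __name__ == "__main__":
    spoke = parse_crypto_acl(SPOKE1_CONFIG, "outside_cryptomap_10_1")
    for label, cfg in (("running", HUB_RUNNING_CONFIG), ("posted", HUB_POSTED_CONFIG)):
        hub = parse_crypto_acl(cfg, "outside_cryptomap_10_1")
        print(label, check_mirror(spoke, hub) or "all spoke entries mirrored")
```

For a hub with many spokes, run the check once per peer with that peer's crypto ACL name; a 'wider' result is the one to look for first, because the hub's ACL may well permit the traffic while the IPsec SA still fails to negotiate.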
05-25-2010 01:36 AM
Hi, yes, I had just figured this out and was coming back to update... The configs I had posted above I had modified, as each config is actually around 1000-2000 lines long. I had not realised I had posted the ACLs incorrectly.
The network is actually substantially larger than just these 3 sites: 58 sites and 3 hubs in total, and the design is quite complex. I was hoping to have the blanket 10.0.0.0/8 statement on the hub site for all remote sites, otherwise I will need 57 match statements per peer on each hub site, and there'll be 57 peers... That's a lot of ACL entries!
Back to the drawing board I guess.....
Thanks for the help.
James
07-02-2013 12:05 AM
Hi James,
I have one query about hairpin VPN. Does it support other vendors' firewalls?
Because in my scenario at the HUB site I have a Cisco ASA 5520 and at the spoke end I have a FortiGate firewall; between the ASA and FortiGate I have configured dynamic VPN. Now I want my two FortiGate inside subnets to talk to each other.
I am confused how to do it... please assist if you have any idea.
Suhas B.