Cisco Support Community

New Member

site-to-site asa 5505 not working

Hi,

I had a working site-to-site VPN until I had to change the external outside interface IP address on one of the ASAs. Now it's not working anymore.

When I try to generate traffic from one site to the other, nothing gets to the other side.

Suggested traffic flow:

192.168.100.12 -> 192.168.100.1 -> 213.136.41.181 -> internet -> 79.136.112.50 -> 192.168.1.5

The configs:

First asa:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l

Second asa:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.200.0 255.255.255.0 79.136.112.50 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no vpn-addr-assign aaa
tunnel-group 79.x.112.50 type ipsec-l2l
tunnel-group 79.x.112.50 ipsec-attributes
 pre-shared-key *

11 REPLIES

Re: site-to-site asa 5505 not working

Your interesting VPN traffic access-lists are incorrect. Assuming the "first asa" has a LAN address subnet of 192.168.100.0/24, change the config to:-

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

And change the second ASA config to:-

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

HTH>

New Member

Re: site-to-site asa 5505 not working

OK, so it should be this?

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l

Re: site-to-site asa 5505 not working

It depends on which device you are talking about. I can tell you from the config output above that the ACLs should actually be:-

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

The reason why is because of this line:-

route outside 192.168.100.0 255.255.255.0 213.136.41.181 1

which indicates that the local IP subnet is 192.168.1.0 255.255.255.0, correct?

New Member

Re: site-to-site asa 5505 not working

Yes, that's correct. The 192.168.1.0 subnet and the 192.168.100.0 subnet are behind two different ASAs, hence the routing entry. I guess I need it, right?

Re: site-to-site asa 5505 not working

Yes, but which one is which? You have got yourself confused in regards to what should be encrypted from src to dst, and what should be exempt from NAT.

To be honest looking at your config, this VPN has never worked if the only thing that has changed is an external IP address.

Post BOTH full configs (remove passwords); this will help to get to the bottom of this.
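One way to check the point made above mechanically, as an added example that is not from the thread or from Cisco: a Python script that parses the ACL bound to the crypto map and the ACL bound to the nat 0 exemption out of both configs and verifies that each side's crypto ACL is the mirror of the peer's and that each side's NAT-exempt ACL selects the same flows as its own crypto ACL. The sample configs are the thread's own lines, reduced; the A/B labels and the LAN attribution are assumptions taken from the later replies.

```python
import re

# Constructed sample: the thread's two snippets, reduced to the lines the check needs.
# ASA_A is the 79.136.112.50 box (LAN 192.168.1.0/24), ASA_B the 213.136.41.181 box.
ASA_A = """\
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map abcmap 1 match address l2l_list
"""
ASA_B = """\
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map abcmap 1 match address l2l_list
"""

# An ACE is kept as the tuple (src, src_mask, dst, dst_mask).
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_REF = r"^crypto map \S+ \d+ match address (\S+)"  # ACL selecting traffic to encrypt
NAT0_REF = r"^nat \(\S+\) 0 access-list (\S+)"           # ACL exempting traffic from NAT


def parse_acls(config):
    """Collect the 'permit ip' entries of every extended ACL, keyed by ACL name."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls


def bound_acl(config, ref_pattern):
    """Entries of the ACL that a crypto-map or nat-0 statement references (empty if none)."""
    m = re.search(ref_pattern, config, re.MULTILINE)
    return parse_acls(config).get(m.group(1), []) if m else []


def check_pair(cfg_a, cfg_b):
    """Return findings for the tunnel pair; an empty list means the ACLs line up."""
    findings = []
    for label, me, peer in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        crypto, nat0 = set(bound_acl(me, CRYPTO_REF)), set(bound_acl(me, NAT0_REF))
        # Phase 2 proxy IDs: my crypto ACL must be the exact mirror of the peer's.
        peer_mirrored = {(d, dm, s, sm) for s, sm, d, dm in bound_acl(peer, CRYPTO_REF)}
        if crypto != peer_mirrored:
            findings.append(f"{label}: crypto ACL is not the mirror of the peer's crypto ACL")
        # NAT exemption must cover exactly the crypto ACL's flows, else 'nat (inside) 1' translates them first.
        if nat0 != crypto:
            findings.append(f"{label}: nat0 ACL does not match crypto ACL")
    return findings
```

On the thread's configs the crypto ACLs already mirror each other; the findings are the two reversed nat0 ACLs, which is what the reply below ends up correcting.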

New Member

Re: site-to-site asa 5505 not working

The 192.168.1.0 is behind the 79.136.112.50. The 192.168.100.0 is behind the 213.136.41.181.

Re: site-to-site asa 5505 not working

A picture paints a thousand words.

HTH>

New Member

Re: site-to-site asa 5505 not working

Oh, thanks! Will give it a try.

Are you sure the route settings on the two hosts are correct?

Re: site-to-site asa 5505 not working

Yes, pretty sure.

You can always add the changes to the existing config, then see which ACL lines get hits.

New Member

Re: site-to-site asa 5505 not working

Got it working. Thanks a bunch.

Re: site-to-site asa 5505 not working

np - glad to help.
