Community Member

Site to Site Tunnel Connectivity Issue

Hi, I am trying to create an STS tunnel, and when I execute the command it shows that the tunnel is active, but the two networks are not able to connect with each other.

Please suggest.

22 REPLIES
Community Member

Re: Site to Site Tunnel Connectivity Issue

Please suggest, urgent...

Re: Site to Site Tunnel Connectivity Issue

It looks like you forgot to do NAT exemption, or you have a problem with routing.

Community Member

Re: Site to Site Tunnel Connectivity Issue

I have checked everything several times, as all other tunnels are responding well. Is there any other way?

Re: Site to Site Tunnel Connectivity Issue

Could you show the configuration?

Community Member

Re: Site to Site Tunnel Connectivity Issue

Site 1

name 172.17.80.247 MTN_SMPP_Server description MTN_SMPP_Server
!
!
interface Vlan2
 description Voxiva, DC - External Interface
 nameif outside
 security-level 0
 ip address 65.x.x.34 255.255.255.0
!
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 196.44.248.66
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 196.44.248.66 type ipsec-l2l
tunnel-group 196.44.248.66 ipsec-attributes
 pre-shared-key *

Site 2

name 65.205.4.34 VOXIVADC_VPN_Peer2
object-group network MTNRwanda
 network-object host 172.17.80.247
object-group network VOXIVADC2
 network-object host VOXIVADC_VPN_Peer2
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
crypto map ASPECT_MTNR 180 set pfs
crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 65.205.4.34 type ipsec-l2l
tunnel-group 65.205.4.34 ipsec-attributes
 pre-shared-key *

Please advise, urgent.
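The two checks the replies point at (matching proxy IDs on both peers and NAT exemption for the tunnel traffic) can be made mechanical. The script below is an added example, not code from the thread or from Cisco: it parses the ACL lines posted above, confirms that site 1's crypto ACL and site 2's crypto ACL are mirror images of each other, and confirms that each side's NAT-exemption ACL covers every tunnel flow. The thread never shows the addresses behind the names vdc_inside-network, vdc_inside-voip-network and vdc_dmz-network, so the script assumes they are the 192.168.100.0/24, 192.168.200.0/24 and 192.168.10.0/24 networks that site 2's ACLs reference; a second, constructed site-2 ACL with one subnet changed shows what a proxy-ID mismatch and the resulting NAT-exemption gap look like in the output.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
Flow = Tuple[IPv4Net, IPv4Net]  # (source network, destination network)

# 'name' statements: the first two appear in the thread; the vdc_* values are assumptions.
NAMES: Dict[str, str] = {
    "MTN_SMPP_Server": "172.17.80.247",
    "VOXIVADC_VPN_Peer2": "65.205.4.34",
    "vdc_inside-network": "192.168.100.0",       # assumed
    "vdc_inside-voip-network": "192.168.200.0",  # assumed
    "vdc_dmz-network": "192.168.10.0",           # assumed
}
# object-group network members, as posted for site 2.
GROUPS: Dict[str, List[str]] = {"MTNRwanda": ["host 172.17.80.247"],
                                "VOXIVADC2": ["host VOXIVADC_VPN_Peer2"]}

def _parse_endpoint(tokens: List[str], i: int) -> Tuple[List[IPv4Net], int]:
    """Parse one ACE address spec (any | host X | object-group G | NET MASK)."""
    tok = tokens[i]
    if tok == "any":
        return [IPv4Net("0.0.0.0/0")], i + 1
    if tok == "host":
        return [IPv4Net(NAMES.get(tokens[i + 1], tokens[i + 1]) + "/32")], i + 2
    if tok == "object-group":
        nets: List[IPv4Net] = []
        for member in GROUPS[tokens[i + 1]]:
            nets.extend(_parse_endpoint(member.split(), 0)[0])
        return nets, i + 2
    # NET MASK form; ipaddress accepts a dotted-decimal mask after the slash
    return [IPv4Net(f"{NAMES.get(tok, tok)}/{tokens[i + 1]}", strict=False)], i + 2

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")

def parse_acl(config: str, acl_name: str) -> List[Flow]:
    """Expand the 'permit ip' entries of one named ACL into (src, dst) flows."""
    flows: List[Flow] = []
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            tokens = m.group(2).split()
            srcs, i = _parse_endpoint(tokens, 0)
            dsts, _ = _parse_endpoint(tokens, i)
            flows.extend((s, d) for s in srcs for d in dsts)
    return flows

def mirror_findings(local: List[Flow], remote: List[Flow]) -> List[str]:
    """Each (src, dst) proxy-ID on one peer must exist as (dst, src) on the other."""
    lset, rset = set(local), set(remote)
    out = [f"local proxy-ID {s} -> {d} has no mirror on the remote peer"
           for s, d in local if (d, s) not in rset]
    out += [f"remote proxy-ID {s} -> {d} has no mirror on the local peer"
            for s, d in remote if (d, s) not in lset]
    return out

def nat_exempt_findings(crypto: List[Flow], nat0: List[Flow]) -> List[str]:
    """Every tunnel flow needs a covering nat0 entry; stray nat0 entries are noted."""
    out = [f"crypto flow {s} -> {d} is not NAT-exempted (translated before encryption)"
           for s, d in crypto
           if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]
    out += [f"nat0 entry {ns} -> {nd} matches no crypto flow (leaves untranslated, outside the tunnel)"
            for ns, nd in nat0
            if not any(s.overlaps(ns) and d.overlaps(nd) for s, d in crypto)]
    return out

# ACL lines copied from the two posted configurations (only the ACLs that matter here).
SITE1 = """
access-list inside_nat0_outbound extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
access-list inside_nat0_outbound extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_dmz-network 255.255.255.0 host MTN_SMPP_Server
access-list outside_4_cryptomap extended permit ip vdc_inside-voip-network 255.255.255.0 host MTN_SMPP_Server
"""
SITE2 = """
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
"""
# Constructed variant (not from the thread): one site-2 crypto ACE points at the wrong subnet.
SITE2_MISMATCH = SITE2.replace(
    "MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0",
    "MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.20.0")

def analyse(site1: str = SITE1, site2: str = SITE2) -> Dict[str, List[str]]:
    s1_crypto, s1_nat0 = parse_acl(site1, "outside_4_cryptomap"), parse_acl(site1, "inside_nat0_outbound")
    s2_crypto, s2_nat0 = parse_acl(site2, "MTNVPNVOXIVADC"), parse_acl(site2, "MTNVPNVOXIVA")
    return {"mirror": mirror_findings(s1_crypto, s2_crypto),
            "site1_nat0": nat_exempt_findings(s1_crypto, s1_nat0),
            "site2_nat0": nat_exempt_findings(s2_crypto, s2_nat0)}

if __name__ == "__main__":
    for label, cfg in (("as posted", SITE2), ("with one subnet changed", SITE2_MISMATCH)):
        print(label, analyse(SITE1, cfg))
```

With the assumed vdc_* values the posted ACLs pass both the mirror and the NAT-exemption check; the only finding is site 2's nat0 entry for object-group VOXIVADC2, which exempts traffic to the peer's public address rather than to any tunnel subnet and so matches no crypto flow. If the real vdc_* networks differ from the assumed ones, the mirror check fails in exactly the way the constructed mismatch shows, which is the first thing to verify on the box with `show run name`.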

Community Member

Re: Site to Site Tunnel Connectivity Issue

Please respond, urgent.

Re: Site to Site Tunnel Connectivity Issue

try to remove this

crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000

Community Member

Re: Site to Site Tunnel Connectivity Issue

Done, but it's still not working.

Community Member

Re: Site to Site Tunnel Connectivity Issue

Please respond asap...

Re: Site to Site Tunnel Connectivity Issue

Could you show the configuration of site 2?

Also check that you have enabled NAT-T:

crypto isakmp nat-traversal 20

Community Member

Re: Site to Site Tunnel Connectivity Issue

name 65.205.4.34 VOXIVADC_VPN_Peer2
object-group network MTNRwanda
 network-object host 172.17.80.247
object-group network VOXIVADC2
 network-object host VOXIVADC_VPN_Peer2
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer2 eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer2
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC2
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.100.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.200.0 255.255.255.0
access-list MTNVPNVOXIVADC extended permit ip host 172.17.80.247 192.168.10.0 255.255.255.0
nat (intf2) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 180 match address MTNVPNVOXIVADC
crypto map ASPECT_MTNR 180 set pfs
crypto map ASPECT_MTNR 180 set peer VOXIVADC_VPN_Peer2
crypto map ASPECT_MTNR 180 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 65.205.4.34 type ipsec-l2l
tunnel-group 65.205.4.34 ipsec-attributes
 pre-shared-key *

Please advise, urgent.

Re: Site to Site Tunnel Connectivity Issue

This is only part of the configuration, and I asked you before to remove the following line from the configuration:

crypto map ASPECT_MTNR 180 set security-association lifetime kilobytes 10000

After that, try the following:

no crypto map ASPECT_MTNR interface outside
crypto map ASPECT_MTNR interface outside

This will clear all IPsec SAs (sometimes it works better than just "clear crypto ipsec sa").

Re: Site to Site Tunnel Connectivity Issue

Waiting :)

Community Member

Re: Site to Site Tunnel Connectivity Issue

But it will affect the other VPNs.
