10-20-2010 07:23 AM - edited 03-11-2019 11:57 AM
I am trying to configure a site-to-site VPN on an ASA.
What I am trying to do is this: there is a remote server, 66.94.3.71, and I
have a local server, 10.15.10.45, which should be seen by the outside world as
38.105.120.78.
[ASA] --- 38.105.120.66 --- INTERNET --- 97.65.105.5 --- [Remote] --- (66.94.3.71)
  |
  |
38.105.120.78
  |
(10.15.10.45)
Config
++++++
name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
object-group network mob_SMPP_Networks
 network-object 66.94.3.71 255.255.255.255
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list outside_SMPP extended permit ip host SMPP-internal host mob_SMPP_Networks
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_SMPP
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
tunnel-group 97.65.105.5 type ipsec-l2l
tunnel-group 97.65.105.5 ipsec-attributes
 pre-shared-key *
10-20-2010 08:11 AM
Here's one problem:
access-list outside_SMPP extended permit ip host SMPP-internal host mob_SMPP_Networks
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
Matching of access-list for crypto is done AFTER NAT.
So your access-list will not match SMPP-internal, unless you also have a nat exemption statement you didn't show us?
Marcin
10-20-2010 08:16 AM
Do you mean that I need to add
nat (inside) 0 access-list inside_SMPP
-NG
10-20-2010 08:34 AM
NG,
That's one of the possibilities.
But you mentioned that the server needs to be available via its public IP address and not the private one?
In which case you would need to modify the crypto access-list to make sure that the source is the external IP address (post-NAT).
You can go either way, just remember both sides need to have crypto access-list mirrored ;-)
Marcin
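As an added illustration of the ordering Marcin describes in the two replies above (crypto access-list matching happens after NAT, so the source must either be the translated address or be covered by a nat 0 exemption), here is a small Python lint that is not part of the thread. It parses the handful of ASA 8.x commands involved, resolves the `name` aliases, and reports a crypto ACL whose source is a statically translated inside address that no `nat (ifc) 0 access-list` exempts. Going slightly beyond the thread, it also checks that each crypto map peer has an `ipsec-l2l` tunnel-group of the same name, since that is how an IKEv1 L2L peer is bound to its pre-shared key. The function names are the example's own, and the sample config strings are constructed from the poster's configuration.

```python
"""Lint an ASA 8.x crypto-map configuration for the crypto-ACL/NAT ordering
problem discussed in this thread.

Added example, not code from the thread. Assumed ASA behaviour: (1) the
crypto-map ACL is evaluated after NAT, so a statically translated host must
appear in the ACL by its translated address unless a 'nat (ifc) 0 access-list'
exemption covers it; (2) an IKEv1 L2L peer takes its pre-shared key from the
tunnel-group named after the peer address. Function names and sample config
strings are the example's own; the strings are constructed from the post.
"""
from typing import Dict, List, Tuple

# Constructed from the original post: the crypto ACL names the inside host.
ORIGINAL_CONFIG = """
name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
object-group network mob_SMPP_Networks
 network-object 66.94.3.71 255.255.255.255
access-list outside_SMPP extended permit ip host SMPP-internal host mob_SMPP_Networks
crypto map outside_map 1 match address outside_SMPP
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group 97.65.105.5 type ipsec-l2l
"""

# Constructed from the follow-up post: the crypto ACL names the translated address.
REVISED_CONFIG = ORIGINAL_CONFIG.replace("host SMPP-internal host", "host SMPP-external host")


def _endpoints(tokens: List[str]) -> Tuple[str, str]:
    """Reduce 'host X', 'object-group X', 'any' or 'net mask' pairs to (src, dst)."""
    out: List[str] = []
    i = 0
    while i < len(tokens) and len(out) < 2:
        if tokens[i] in ("host", "object-group"):
            out.append(tokens[i + 1])
            i += 2
        elif tokens[i] == "any":
            out.append("any")
            i += 1
        else:                       # network followed by its mask
            out.append(tokens[i])
            i += 2
    while len(out) < 2:
        out.append("any")
    return out[0], out[1]


def parse_asa(text: str) -> Dict:
    """Pull out only the commands the checks below need."""
    cfg: Dict = {"names": {}, "statics": [], "nat0": set(), "acls": {},
                 "maps": {}, "tunnel_groups": set()}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:                  # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "static" and len(t) >= 4:              # static (in,out) <global> <local>
            cfg["statics"].append((t[2], t[3]))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].add(t[4])                           # NAT exemption ACL
        elif t[0] == "access-list" and "permit" in t:
            body = t[t.index("permit") + 2:]                # drop 'permit <proto>'
            cfg["acls"].setdefault(t[1], []).append(_endpoints(body))
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            entry = cfg["maps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["tunnel_groups"].add(t[1])
    return cfg


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    cfg = parse_asa(text)

    def resolve(n: str) -> str:                             # alias -> address
        return cfg["names"].get(n, n)

    local_to_global = {resolve(loc): resolve(glob) for glob, loc in cfg["statics"]}
    exempt = {resolve(src) for acl in cfg["nat0"] for src, _ in cfg["acls"].get(acl, [])}
    findings: List[str] = []
    for (name, seq), entry in sorted(cfg["maps"].items()):
        for src, _dst in cfg["acls"].get(entry.get("acl", ""), []):
            addr = resolve(src)
            if addr in local_to_global and addr not in exempt:
                findings.append(
                    f"crypto map {name} {seq}: ACL {entry['acl']} uses pre-NAT source {src} "
                    f"({addr}); static NAT rewrites it to {local_to_global[addr]} before the "
                    f"crypto ACL is checked, so use that address or add a nat 0 exemption")
        peer = entry.get("peer")
        if peer and peer not in cfg["tunnel_groups"]:
            findings.append(f"crypto map {name} {seq}: no ipsec-l2l tunnel-group named {peer}; "
                            f"a pre-shared key under another tunnel-group will not apply to it")
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("revised", REVISED_CONFIG)):
        print(f"--- {label} ---")
        for line in lint(text) or ["no findings"]:
            print(line)
```

Run against the original config it reports the pre-NAT source that Marcin pointed out; against the revised config (source changed to SMPP-external) that finding disappears. Appending a `nat (inside) 0 access-list` exemption that covers SMPP-internal also clears it, which is the other option discussed.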
10-20-2010 08:47 AM
Marcin,
I changed the configs as you suggested, but I'm still having issues getting the tunnels to come up.
name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external
object-group network mob_SMPP_Networks
 network-object 66.94.3.71 255.255.255.255
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
access-list outside_SMPP extended permit ip host SMPP-external host mob_SMPP_Networks
-NG
10-20-2010 08:52 AM
NG,
What is the other side expecting you to encrypt? Can you maybe provide their configuration?
In any case, please collect this debug and we'll see if there is anything to change on our side:
-------
debu cry isa 127
debug cryp ipsec 127
-------
Collect this output while you're trying to initiate, and get the output of "show crypto isa" and "show crypto ipsec" and snips of the configuration from "show run tunnel-g" and "show run group-policy".
Marcin
10-21-2010 12:12 PM
Thanks Marcin!
-NG