site-to-site VPN config issue

gnaveen
Level 1
I am trying to configure a site-to-site VPN on an ASA.

What I am trying to do: there is a remote server, 66.94.3.71, and I
have a local server 10.15.10.45 which should be seen by the outside world as
38.105.120.78.

[ASA] --- 38.105.120.66 --- INTERNET --- 97.65.105.5 --- [Remote] --- (66.94.3.71)
  |
  |
38.105.120.78
  |
(10.15.10.45)

Config
++++++

name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external

static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255

object-group network mob_SMPP_Networks
network-object 66.94.3.71 255.255.255.255

crypto isakmp enable outside

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

access-list outside_SMPP extended permit ip host SMPP-internal host mob_SMPP_Networks
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_SMPP
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600

crypto map outside_map interface outside

tunnel-group 97.65.105.5 type ipsec-l2l
tunnel-group 97.65.105.5 ipsec-attributes
pre-shared-key *
6 Replies

Marcin Latosiewicz
Cisco Employee

Here's one problem:

access-list outside_SMPP extended permit ip host SMPP-internal host mob_SMPP_Networks
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255


Matching of access-list for crypto is done AFTER NAT.

So your access-list will not match SMPP-internal, unless you also have a nat exemption statement you didn't show us?

Marcin

Do you mean that I need to add

nat (inside) 0 access-list inside_SMPP

-NG

NG,

That's one of the possibilities.

But you mentioned that the server needs to be available via its public IP address and not the private one?

In which case you would need to modify the crypto access-list to make sure that the source is the external IP address (post NAT).

You can go either way, just remember both sides need to have crypto access-list mirrored ;-)

Marcin
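As an added example (not part of the thread), a small Python checker that applies the point made above to the posted configuration: on this pre-8.3 ASA syntax the crypto ACL is matched after NAT, so a source that is the real address of a statically translated host only matches if a "nat (inside) 0 access-list" exemption covers it; otherwise the mapped address must be used. It also checks that the crypto map peer has an ipsec-l2l tunnel-group of the same name, since the posted config sets peer 66.94.3.71 but defines tunnel-group 97.65.105.5. The parser handles only the command forms seen in this thread and is an assumption, not a Cisco tool.

```python
# Constructed sample: the configuration posted above, condensed to the lines
# this checker reads (pre-8.3 ASA syntax, as in the thread).
SAMPLE_CONFIG = """\
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
access-list outside_SMPP extended permit ip host SMPP-internal host mob_SMPP_Networks
crypto map outside_map 1 match address outside_SMPP
crypto map outside_map 1 set peer 66.94.3.71
tunnel-group 97.65.105.5 type ipsec-l2l
"""

def lint_crypto_config(config):
    """Return findings for a pre-8.3 ASA site-to-site VPN config.
    1. Crypto ACLs are matched after NAT: a crypto ACL source that is the real
       address of a 'static' host never matches unless a nat 0 ACL exempts it.
    2. The crypto map peer should have an ipsec-l2l tunnel-group of that name
       (otherwise the ASA falls back to DefaultL2LGroup)."""
    statics, nat0_acls, acl_sources = {}, set(), {}
    match_acl, peers, l2l_groups = {}, {}, set()
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and len(t) >= 4:
            statics[t[3]] = t[2]                # real address -> mapped address
        elif t[:2] == ["nat", "(inside)"] and t[2:4] == ["0", "access-list"]:
            nat0_acls.add(t[4])                 # NAT exemption ACL name
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit")               # source is 'host X' or a network/object
            acl_sources.setdefault(t[1], []).append(t[i + 3] if t[i + 2] == "host" else t[i + 2])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            match_acl[(t[2], t[3])] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            peers[(t[2], t[3])] = t[6]
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            l2l_groups.add(t[1])

    findings = []
    for entry, acl in match_acl.items():
        for src in acl_sources.get(acl, []):
            exempt = any(src in acl_sources.get(a, []) for a in nat0_acls)
            if src in statics and not exempt:
                findings.append(f"crypto map {entry[0]} {entry[1]}: ACL {acl} uses pre-NAT host "
                                f"{src}; use {statics[src]} or add a nat 0 exemption for {src}")
        peer = peers.get(entry)
        if peer is not None and peer not in l2l_groups:
            findings.append(f"crypto map {entry[0]} {entry[1]}: peer {peer} has no "
                            f"ipsec-l2l tunnel-group of that name")
    return findings
```

Running it on the posted config reports both the pre-NAT source and the peer mismatch; replacing the source with SMPP-external (or adding the nat 0 exemption) clears the first finding.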

Marcin,

I changed the configs as you suggested, but I am still having issues getting the tunnel to come up.

name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external

object-group network mob_SMPP_Networks
network-object 66.94.3.71 255.255.255.255

static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255

access-list outside_SMPP extended permit ip host SMPP-external host mob_SMPP_Networks

-NG

NG,

What is the other side expecting you to encrypt? Can you maybe provide their configuration?

In any case, please collect this debug and we'll see if there is anything to change on our side:

-------

debu cry isa 127

debug cryp ipsec 127

-------

Collect this output while you're trying to initiate, and get the output of "show crypto isa" and "show crypto ipsec" and snips of the configuration: "show run tunnel-g" and "show run group-policy".

Marcin

Thanks Marcin!

-NG
