Trouble with enhanced Spoke-to-Spoke VPN configuration

kyleking
Level 1

Scenario: I have 2 PIXes (PIX1 and PIX2) at remote sites each connected with a site-to-site VPN to the central ASA (ASA1). I can ping to and from the ASA1 from either site but I can't ping from one remote site to the other remote site (PIX1 to PIX2).

PIX1 Internet traffic goes through ASA1 thru the VPN to PIX1.

Internet traffic for PIX2 is through its gateway.

I'm using the "Enhanced Spoke-to-Spoke config" example to assist me but I still can't get it to work:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

In reference to the above document:

I'm using site-to-site VPNs between the Hub (ASA1) and spokes (PIX1 and PIX2).

ASA1 = PIX1 in the config example (internal network of 172.17.16.0)

PIX2 = PIX2 in the config example (internal network of 10.100.101.0)

PIX3 = PIX3 in the config example (internal network of 10.100.102.0)

[Please see attached file as I am unable to post it directly here]

I would prefer to do this method, but if not possible, should I be creating a 3rd VPN connection between PIX2 and PIX3 instead?

2 Replies

kyleking
Level 1

The link above was cut off, see below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

In the example above, do you have to use a dynamic L2L? Or can you use static L2Ls for both tunnels?

Hello,

Spent a bit going over your configuration - I hope what I've found fixes you.

Basically from your symptoms, it sounds like the VPN tunnels are up and running (so we're not troubleshooting keys and all that) - that let me break down what I was looking for in each configuration:

1) NAT

2) same security (on the ASA)

3) interesting traffic matching (match-address)

4) routing

So here's what I found:

ASA1

Had same-security-traffic intra-interface: GOOD

Had no-nat statements for all networks it was trying to reach over VPN: GOOD

Interesting Traffic:

map 20 --> 172.x to 10.100.102.x peer XXX.XX: needs change

map 40 --> any to 10.100.101.x peer XXX.YY: GOOD

map 60 --> any to 10.100.103.0 peer XXX.ZZ: don't know - peer not in file

Crypto map 20 needs to say from the hub to the spoke *and* the spoke to the other spoke is marked for encryption. You currently have:

access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0

You also need

access-list Outside_cryptomap_20_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0

PIX 2

Everything looked good here:

NAT: everything is not natted

Interesting traffic: everything is sent over VPN and matches crypto map at hub.

Route: routing exists

PIX 3

Has a few issues:

NAT: only has no-nat to the hub - you need no-nat to the other spoke as well. You currently have:

access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 Volvo 255.255.255.0

You also need this command:

access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0

Interesting traffic: only has traffic to the hub - you need traffic to the other spoke as well. You currently have:

access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 Volvo 255.255.255.0

You also need this command:

access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0

Routing looked good.

I think where you got in trouble is that the example has a dynamic VPN for one of the spokes and didn't give you the L2L configuration you'd need for that portion.

You'll have to clear the SAs on the ASA and Pix3 once you've made the changes on both ends:

Perform PIX commands in config mode:

clear crypto isakmp sa

!--Clears the Phase 1 SAs

clear crypto ipsec sa

!--Clears the Phase 2 SAs

I hope this helps, don't forget to rate!

--Jason
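The check Jason walks through above (NAT exemption, same-security intra-interface, interesting-traffic ACLs mirrored on both ends of every hairpinned path) can be turned into a small script. The following Python is an added example; it is not part of this thread or of Cisco's configuration example. It parses `access-list` lines from the hub and each spoke, rebuilds the thread's addressing, and reports which mirror-image entries are missing, so the "before" configuration produces exactly the three gaps named above and the "after" configuration produces none. Assumptions: the hub's map-40 ACL is given the name `Outside_cryptomap_40` (the thread does not name it), the object `Volvo` is replaced by the hub network 172.17.16.0/24, PIX2's ACLs are constructed with an `any` destination to match "everything is sent over VPN", and routing is not checked because it cannot be judged from ACLs alone.

```python
import ipaddress

SAME_SEC = "same-security-traffic permit intra-interface"


def _take_addr(tokens, i):
    """Consume one ASA/PIX ACL address spec at tokens[i]: 'any', 'host A', or 'NET MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(config_text):
    """Map ACL name -> [(src_net, dst_net), ...] from 'access-list NAME [extended] permit ip SRC DST'
    lines. Anything else (deny lines, other protocols, non-ACL config) is ignored."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        name, rest = tokens[1], tokens[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue
        try:
            src, i = _take_addr(rest, 2)
            dst, _ = _take_addr(rest, i)
        except (IndexError, ValueError):
            continue  # malformed line: skip rather than guess
        acls.setdefault(name, []).append((src, dst))
    return acls


def covers(entries, src, dst):
    """True if a single permit entry matches all traffic from src to dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_hub_and_spoke(hub_net, hub_text, hub_map_for, spokes):
    """hub_map_for: {spoke: name of the hub crypto ACL bound to that spoke's peer}.
    spokes: {name: {"net", "text", "crypto", "nat0"}} with ACL names per spoke.
    Returns a list of findings; an empty list means NAT, same-security and
    interesting-traffic checks all pass for hub<->spoke and spoke<->spoke paths."""
    findings = []
    if not any(l.strip() == SAME_SEC for l in hub_text.splitlines()):
        findings.append(f"hub: missing '{SAME_SEC}' (spoke-to-spoke hairpin needs it)")
    hub_acls = parse_acl(hub_text)
    for a, cfg in spokes.items():
        acls = parse_acl(cfg["text"])
        hub_acl = hub_acls.get(hub_map_for[a], [])
        crypto, nat0 = acls.get(cfg["crypto"], []), acls.get(cfg["nat0"], [])
        # Hub <-> spoke a: basic site-to-site interesting traffic and NAT exemption.
        if not covers(hub_acl, hub_net, cfg["net"]):
            findings.append(f"hub {hub_map_for[a]}: missing {hub_net} -> {cfg['net']}")
        if not covers(crypto, cfg["net"], hub_net):
            findings.append(f"{a} {cfg['crypto']}: missing {cfg['net']} -> {hub_net}")
        if not covers(nat0, cfg["net"], hub_net):
            findings.append(f"{a} {cfg['nat0']}: missing nat0 {cfg['net']} -> {hub_net}")
        # Spoke b -> spoke a, hairpinned through the hub: the hub's map toward a must
        # also select b's network as a source, and a must encrypt and exempt traffic to b.
        for b, other in spokes.items():
            if b == a:
                continue
            if not covers(hub_acl, other["net"], cfg["net"]):
                findings.append(f"hub {hub_map_for[a]}: missing {other['net']} -> {cfg['net']} ({b} to {a})")
            if not covers(crypto, cfg["net"], other["net"]):
                findings.append(f"{a} {cfg['crypto']}: missing {cfg['net']} -> {other['net']}")
            if not covers(nat0, cfg["net"], other["net"]):
                findings.append(f"{a} {cfg['nat0']}: missing nat0 {cfg['net']} -> {other['net']}")
    return findings


# Constructed sample configs reproducing the thread's 'before' state (ACL name
# Outside_cryptomap_40 and the 'any' entries on PIX2 are assumptions).
HUB_BEFORE = """same-security-traffic permit intra-interface
access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_40 extended permit ip any 10.100.101.0 255.255.255.0"""
HUB_FIX = "access-list Outside_cryptomap_20_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0"
PIX2 = """access-list inside_outbound_nat0_acl permit ip 10.100.101.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 any"""
PIX3_BEFORE = """access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 172.17.16.0 255.255.255.0"""
PIX3_FIX = """access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0"""


def audit(fixed=False):
    """Run the check on the thread's topology, before or after Jason's three added lines."""
    hub_text = HUB_BEFORE + ("\n" + HUB_FIX if fixed else "")
    pix3_text = PIX3_BEFORE + ("\n" + PIX3_FIX if fixed else "")
    spokes = {
        "PIX2": {"net": ipaddress.ip_network("10.100.101.0/24"), "text": PIX2,
                 "crypto": "outside_cryptomap_20", "nat0": "inside_outbound_nat0_acl"},
        "PIX3": {"net": ipaddress.ip_network("10.100.102.0/24"), "text": pix3_text,
                 "crypto": "outside_cryptomap_20", "nat0": "inside_outbound_nat0_acl"},
    }
    hub_map_for = {"PIX2": "Outside_cryptomap_40", "PIX3": "Outside_cryptomap_20_1"}
    return check_hub_and_spoke(ipaddress.ip_network("172.17.16.0/24"), hub_text, hub_map_for, spokes)


if __name__ == "__main__":
    for f in audit(fixed=False):
        print("BEFORE:", f)
    print("AFTER:", audit(fixed=True) or "no findings")
```

The script deliberately treats the hub's map toward a spoke as needing the *other* spoke's network as a source, which is the mirror of the spoke's own crypto ACL; that symmetry is what the proxy-identity match on both peers depends on, and a one-sided entry is the usual reason a spoke-to-spoke ping fails while hub-to-spoke works. After changing any of these ACLs, the SAs still have to be cleared as described above so that the new proxy identities are negotiated.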