VPN site to site & VPN client on ASA 5520 on same outside

Hi, I am Jonathan Rivero.

I have an ASA 5520, Version 8.0(2). I configured the VPN site to site and it works fine; on the other appliance I configured the VPN Client for remote users, and it works fine too. But when I try to configure the 2 VPNs on the ASA 5520 on the same outside interface, I have the line "crypto map outside_map interface outside" (for the VPN client), and when I configure "crypto map VPNL2L interface outside" it overwrites that command, and therefore I can only have one connection.

The show run:

ASA1(config)# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ASA1

enable password 7esAUjZmKQSFDCZX encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

!

interface Ethernet0/1.1

vlan 1

nameif outside1

security-level 0

no ip address

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-poolvpn

network-object 192.168.11.0 255.255.255.0

access-list nat-outside extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

pager lines 24

mtu inside 1500

mtu outside 1500

mtu outside1 1500

ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 100 burst-size 10

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat-outside

route outside 0.0.0.0 0.0.0.0 200.20.20.1 1

route inside 172.16.0.0 255.255.255.0 172.16.3.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.2 1

route inside 172.16.2.0 255.255.255.0 172.16.3.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map VPNL2L 1 match address nonat

crypto map VPNL2L 1 set peer 200.30.30.1

crypto map VPNL2L 1 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

banner value ++++Welcome to Cisco Systems 7.0.+++++

dns-server value 192.168.0.1 192.168.1.1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngroup1

default-domain value ad-domain.local

split-dns value ad-domain.local

address-pools value ippool

username asa1 password VRTlLlJ48/PoDKjS encrypted privilege 15

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

ASA2(config)#sh run

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map VPNL2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key cisco

My topology: (attached image ASA_VPN.PNG)

I tried the following links, but it didn't work:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080912cfd.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Best Regards...

Accepted Solution

"I thing so of the force the ASA with the new route outside, why this? "

Without the route, the ASA pushes traffic to the inside by default.

Anyway, this must have been a learning experience.

I hope this has been of some help.

Please rate all helpful posts.

thanks

Rizwan Rafeek.


> crypto map VPNL2L 1 match address nonat

As you have seen, there can only be one crypto map on the interface. So everything has to go into one crypto map, which can be achieved with the help of the sequence numbers (the "1" above).

What you need is:

crypto map YOUR-CRYPTO-MAP-NAME 1 match address nonat

crypto map YOUR-CRYPTO-MAP-NAME 1 set peer 200.30.30.1

crypto map YOUR-CRYPTO-MAP-NAME 1 set transform-set ESP-3DES-MD5

crypto map YOUR-CRYPTO-MAP-NAME 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map YOUR-CRYPTO-MAP-NAME interface outside

Just make sure that the dynamic entries always have a higher seq-# than the site-2-site sequence-numbers.

HTH, Karsten

rizwanr74 (Level 7)

Hi Jonathan,

I am trying to understand what it is that you are trying to achieve, as your description is not clear.

You have a remote VPN client logging into one of your ASAs and you want the remote VPN client to be able to access both site-to-site remote networks, is this right?

thanks

Hi Riz, let me explain.

I have 2 VPNs (remote and site to site). The remote VPN is successful, or UP; the site-to-site VPN is down. The 2 VPNs are configured on the same ASA (TresASA1) and the same outside interface.

I tried to configure the site-to-site VPN with ASDM and CLI but was unsuccessful. The current configuration is posted.

Thanks for helping me!!!

Please post your most current config as an attachment.

thanks

Is this configuration running on real hardware, or are you trying this out on some software-based simulator?

This is a real ASA5520 appliance, and this is my current configuration.

TresASA1(config)# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname TresASA1

enable password E0HXgOXKEFi9sKqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-poolvpn

network-object 192.168.11.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list nonat1 extended permit ip object-group net-local object-group net-remote

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

pager lines 24

logging console debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.1 1

route inside 172.16.2.0 255.255.255.0 172.16.3.1 1

route inside 172.16.4.0 255.255.255.0 172.16.3.1 1

route inside 172.16.5.0 255.255.255.0 172.16.3.1 1

route inside 172.16.6.0 255.255.255.0 172.16.3.1 1

route inside 172.16.7.0 255.255.255.0 172.16.3.1 1

route inside 172.16.8.0 255.255.255.0 172.16.3.1 1

route inside 172.16.9.0 255.255.255.0 172.16.3.1 1

route inside 172.16.10.0 255.255.255.0 172.16.3.1 1

route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.30.30.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns 65535 ipsec-isakmp dynamic dyn_map

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2     

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

vpn-sessiondb max-session-limit 450

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

banner value ++++Welcome to Cisco Systems.+++++ PROPIEDAD PRIVADA, CUALQUIER PERSONA AJENA AL CORPORATIVO, SERA CONSIGNADA A LAS AUTORIDADES

dns-server value 200.57.64.85 200.57.64.86

vpn-simultaneous-logins 20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngroup1

default-domain value ad-domain.local

split-dns value ad-domain.local

address-pools value ippool

username ho1a password DXK.iozVseM0AOzr encrypted privilege 15

username ciscouser password z4c9KJvMNAA7soAj encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *****

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:fea2b3d94bac70f546123d723bb6f06a

: end

TresASA1(config)#

-------------------------

TresASA2(config)# sh run

isakmp policy 20 is superceded by identical policy 1

: Saved

:

ASA Version 8.2(5)

!

hostname TresASA2

enable password E0HXgOXKEFi9sKqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.103.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.30.30.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!            

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

object-group network net-local

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-remote

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat1 extended permit ip object-group net-local object-group net-remote

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.1 1

route inside 172.16.100.0 255.255.255.0 172.16.103.2 1

route inside 172.16.101.0 255.255.255.0 172.16.103.2 1

route inside 172.16.102.0 255.255.255.0 172.16.103.2 1

route inside 172.16.103.0 255.255.255.0 172.16.103.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.20.20.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 172.16.103.3-172.16.103.254 inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 200.20.20.1 type ipsec-l2l

tunnel-group 200.20.20.1 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:9eb55d1b2d70db50cd19d7c07b7afe0b

: end        

TresASA2(config)#

regards!!!

On device TresASA2

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.30.30.1 255.255.255.0

default route is: "route outside 0.0.0.0 0.0.0.0 200.20.20.1 1"

"VPN site to site is down, the 2 VPN is configured on same ASA (TresASA1) and the same outside."

Your default gateway on device TresASA2 and its outside interface are not on the same subnet, so it is not routable, and it is no wonder you cannot establish the site-to-site VPN tunnel.

thanks
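Karsten's point above (only one crypto map per interface, with the dynamic entry at the highest sequence number) and Rizwan's point here (default gateway not in the outside interface's subnet) can both be checked mechanically. The following Python lint is an added example, not Cisco tooling or anything posted in this thread; it runs over constructed excerpts of the two configs posted here, and it also flags a default route that points at the interface's own address, which Rizwan asks about further down.

```python
import ipaddress
import re

# Constructed sample: the crypto-map and routing lines from the two configs posted in this thread.
SAMPLE_ASA1 = """\
interface Ethernet0/1
 nameif outside
 ip address 200.20.20.1 255.255.255.0
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
"""
SAMPLE_ASA2 = """\
interface GigabitEthernet0/1
 nameif outside
 ip address 200.30.30.1 255.255.255.0
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns interface outside
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
DEFAULT_ROUTE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def lint_asa_config(text):
    """Return a list of findings (strings); an empty list means all checks passed."""
    entries, bound, ifaces, routes = {}, {}, {}, []
    cur = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = None
        elif line.startswith("nameif "):
            cur = line.split()[1]
        elif line.startswith("ip address ") and cur:
            ip, mask = line.split()[2:4]
            ifaces[cur] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif (m := MAP_BIND.match(line)):
            bound[m.group(1)] = m.group(2)
        elif (m := MAP_ENTRY.match(line)):
            entries.setdefault(m.group(1), {}).setdefault(int(m.group(2)), []).append(m.group(3))
        elif (m := DEFAULT_ROUTE.match(line)):
            routes.append((m.group(1), ipaddress.ip_address(m.group(2))))

    findings = []
    for name, seqs in entries.items():
        # Only one crypto map can be applied per interface; entries of an unbound map never take effect.
        if name not in bound:
            findings.append(f"crypto map {name} has entries but is not applied to any interface")
        dyn = [s for s, cmds in seqs.items() if any(c.startswith("ipsec-isakmp dynamic") for c in cmds)]
        static = [s for s in seqs if s not in dyn]
        # The static site-to-site entries must be evaluated before the catch-all dynamic entry.
        if dyn and static and min(dyn) <= max(static):
            findings.append(f"crypto map {name}: dynamic entry seq {min(dyn)} is not above the static entries")
    for iface, gw in routes:
        if iface not in ifaces:
            continue
        if gw == ifaces[iface].ip:
            findings.append(f"default route on {iface} points at the interface's own address {gw}")
        elif gw not in ifaces[iface].network:
            findings.append(f"default route on {iface} via {gw} is outside its subnet {ifaces[iface].network}")
    return findings
```

Run it on the two samples: the ASA1 excerpt yields the orphaned VPNL2L map and a default route pointing at its own outside address; the ASA2 excerpt yields the off-subnet gateway.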

Yes, I see my error, but the tunnel is still down...

-------------------------------------

TresASA2(config)#

TresASA2(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 200.30.30.1 to network 0.0.0.0

S    172.16.100.0 255.255.255.0 [1/0] via 172.16.103.2, inside

S    172.16.101.0 255.255.255.0 [1/0] via 172.16.103.2, inside

S    172.16.102.0 255.255.255.0 [1/0] via 172.16.103.2, inside

C    172.16.103.0 255.255.255.0 is directly connected, inside

C    200.30.30.0 255.255.255.0 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [1/0] via 200.30.30.1, outside

TresASA2(config)#

-----------------------------------------------------------------------------------------

TresASA1(config)#

TresASA1(config)# ping 200.30.30.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.30.30.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA1(config)# ping 172.16.103.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

TresASA1(config)# sh cry

TresASA1(config)# sh crypto isa

TresASA1(config)# sh crypto isakmp sa

TresASA1(config)# sh crypto isakmp sa

There are no isakmp sas

TresASA1(config)# sh cry

TresASA1(config)# sh crypto  ipse

TresASA1(config)# sh crypto  ipsec sa

There are no ipsec sas

TresASA1(config)#

:-(

Hi there,

Please apply the highlighted "inspect icmp" to the global_policy on both firewalls and then ping the outside IP addresses from each FW.

policy-map global_policy

  class inspection_default  

   inspect icmp

Please post the output of the command below from device TresASA2.

show run | in route

Is the default route "0.0.0.0 0.0.0.0" being pushed to the outside interface itself on TresASA2, rather than to the default gateway?

Please update.

thanks

OK, I changed the route on TresASA2, added the inspect ICMP on both ASA5520s and sent the ping to both ASAs.

Thanks for your help....

If you are able to ping both outside interfaces, then initiate the traffic from one end to the other, from an interesting-network IP address to the other side, and see if the tunnels come up.

update please

thanks

no, the tunnel is down.

Do you think the trouble is the version? I can try with the asa844-k8 version, but I don't know how to configure NAT and VPN site to site on this version. I also tried enabling debug crypto isa and debug crypto ipsec, but they show me no information.

"I can try with asa844-k8 version"

Version 8.4(4) has more complex nat and no-nat, so stick with your version for now.

Please add this static route on ASA2

route outside 172.16.0.0 255.255.0.0 200.30.30.2

Please add this static route on ASA1, as well.

route outside 172.16.0.0 255.255.0.0 200.20.20.2

When you initiate the tunnel, you must initiate it from a source network address; you cannot initiate the tunnel from the firewall itself, it won't work.

please update.

thanks

Your testing is wrong. With that ping the tunnel is not triggered as the ping is sent from the outside IP of the ASA. But that source-IP is not included in your encryption definition.

It's best to test from a PC in your local network to a PC in the remote network.
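Why a ping from the ASA's own outside address never brings the tunnel up: the crypto ACL decides which traffic is "interesting". The following Python is an added example (not from this thread or from Cisco) that parses object-groups and a crypto ACL constructed from the TresASA1 config above and tests whether a given source/destination pair would be selected for encryption.

```python
import ipaddress
import re

# Constructed sample: object-groups and the crypto ACL (nonat1) from the TresASA1 config above.
SAMPLE = """\
object-group network net-local
 network-object 172.16.0.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
object-group network net-remote
 network-object 172.16.100.0 255.255.255.0
 network-object 172.16.103.0 255.255.255.0
access-list nonat1 extended permit ip object-group net-local object-group net-remote
"""

ACE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")


def parse_groups_and_acls(text):
    """Collect network object-groups and the 'permit/deny ip' ACEs of every ACL."""
    groups, acls, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            cur = line.split()[2]
            groups[cur] = []
        elif line.startswith("network-object ") and cur:
            tok = line.split()
            net = f"{tok[2]}/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            groups[cur].append(ipaddress.ip_network(net, strict=False))
        elif (m := ACE.match(line)):
            cur = None
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return groups, acls


def _consume(tokens, addr, groups):
    """Match one address term (object-group NAME | host A | any | A MASK); return (hit, remaining tokens)."""
    if tokens[0] == "object-group":
        return any(addr in n for n in groups[tokens[1]]), tokens[2:]
    if tokens[0] == "host":
        return addr == ipaddress.ip_address(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return True, tokens[1:]
    return addr in ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def is_interesting(acl_name, src, dst, groups, acls):
    """True if src->dst is selected by the crypto ACL, i.e. it would trigger IKE and be encrypted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, terms in acls.get(acl_name, []):  # first matching ACE wins, as on the ASA
        s_hit, rest = _consume(terms, src, groups)
        d_hit, _ = _consume(rest, dst, groups)
        if s_hit and d_hit:
            return action == "permit"
    return False
```

A LAN host to a remote LAN host is selected; the ASA's outside address 200.20.20.1 pinging the peer's outside address 200.30.30.1 is not, so no IKE negotiation starts.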
