06-22-2012 11:42 AM - edited 02-21-2020 06:09 PM
Hi, I am Jonathan Rivero.
I have an ASA 5520, version 8.0(2). I configured the site-to-site VPN and it works fine; on the other appliance I configured the VPN client for remote users, and it works fine. But I tried to configure the two VPNs on the ASA 5520 on the same outside interface: I have the line "crypto map outside_map interface outside" (for the VPN client), but when I configure "crypto map VPNL2L interface outside" it overwrites that command, and therefore I can only have one connection.
The show run:
ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 7esAUjZmKQSFDCZX encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 200.20.20.1 255.255.255.0
!
interface Ethernet0/1.1
vlan 1
nameif outside1
security-level 0
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network net-local
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
object-group network net-remote
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
network-object 192.168.11.0 255.255.255.0
access-list nat-outside extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
pager lines 24
mtu inside 1500
mtu outside 1500
mtu outside1 1500
ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 100 burst-size 10
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat-outside
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
route inside 172.16.0.0 255.255.255.0 172.16.3.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.2 1
route inside 172.16.2.0 255.255.255.0 172.16.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
banner value ++++Welcome to Cisco Systems 7.0.+++++
dns-server value 192.168.0.1 192.168.1.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngroup1
default-domain value ad-domain.local
split-dns value ad-domain.local
address-pools value ippool
username asa1 password VRTlLlJ48/PoDKjS encrypted privilege 15
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key *
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA2(config)# sh run
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map VPNL2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key cisco
My topology:
I tried with the following links but they didn't work:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080912cfd.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Best regards...
07-11-2012 12:24 PM
"I think so, because of forcing the ASA with the new route outside; why this?"
Without the route, the ASA pushes traffic to inside by default.
Anyway, this must have been a learning experience.
I hope this has been of some help.
Please rate all helpful posts.
thanks
Rizwan Rafeek.
06-23-2012 03:03 PM
> crypto map VPNL2L 1 match address nonat
As you have seen, there can only be one crypto map bound to an interface. So everything has to go into one crypto map, which can be achieved with the help of the sequence numbers (the "1" above).
What you need is:
crypto map YOUR-CRYPTO-MAP-NAME 1 match address nonat
crypto map YOUR-CRYPTO-MAP-NAME 1 set peer 200.30.30.1
crypto map YOUR-CRYPTO-MAP-NAME 1 set transform-set ESP-3DES-MD5
crypto map YOUR-CRYPTO-MAP-NAME 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map YOUR-CRYPTO-MAP-NAME interface outside
Just make sure that the dynamic entries always have a higher sequence number than the site-to-site entries.
HTH, Karsten
07-10-2012 11:29 AM
Hi Jonathan,
I am trying to understand what you are trying to achieve, as your description is not clear.
You have remote VPN clients logging into one of your ASAs and you want the remote VPN clients to be able to access both site-to-site remote networks, is this right?
thanks
07-10-2012 11:37 AM
Hi Riz, let me explain.
I have 2 VPNs (remote access and site-to-site). The remote VPN is successful, or UP; the site-to-site VPN is down. The 2 VPNs are configured on the same ASA (TresASA1) and the same outside interface.
I tried to configure the site-to-site VPN with ASDM and CLI but was unsuccessful. The current configuration is posted.
Thanks for helping me!!!
07-10-2012 11:50 AM
Please post your most current config as an attachment.
thanks
07-10-2012 11:54 AM
Is this configuration running on real hardware, or are you trying this on some software-based simulator?
07-10-2012 01:05 PM
This is a real ASA 5520 appliance, and this is my current configuration.
TresASA1(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname TresASA1
enable password E0HXgOXKEFi9sKqd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 200.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group network net-local
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
object-group network net-remote
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
network-object 192.168.11.0 255.255.255.0
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
pager lines 24
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.1 1
route inside 172.16.2.0 255.255.255.0 172.16.3.1 1
route inside 172.16.4.0 255.255.255.0 172.16.3.1 1
route inside 172.16.5.0 255.255.255.0 172.16.3.1 1
route inside 172.16.6.0 255.255.255.0 172.16.3.1 1
route inside 172.16.7.0 255.255.255.0 172.16.3.1 1
route inside 172.16.8.0 255.255.255.0 172.16.3.1 1
route inside 172.16.9.0 255.255.255.0 172.16.3.1 1
route inside 172.16.10.0 255.255.255.0 172.16.3.1 1
route inside 172.16.11.0 255.255.255.0 172.16.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
vpn-sessiondb max-session-limit 450
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
banner value ++++Welcome to Cisco Systems.+++++ PROPIEDAD PRIVADA, CUALQUIER PERSONA AJENA AL CORPORATIVO, SERA CONSIGNADA A LAS AUTORIDADES
dns-server value 200.57.64.85 200.57.64.86
vpn-simultaneous-logins 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngroup1
default-domain value ad-domain.local
split-dns value ad-domain.local
address-pools value ippool
username ho1a password DXK.iozVseM0AOzr encrypted privilege 15
username ciscouser password z4c9KJvMNAA7soAj encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key *****
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fea2b3d94bac70f546123d723bb6f06a
: end
TresASA1(config)#
-------------------------
TresASA2(config)# sh run
isakmp policy 20 is superceded by identical policy 1
: Saved
:
ASA Version 8.2(5)
!
hostname TresASA2
enable password E0HXgOXKEFi9sKqd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.103.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 200.30.30.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group network net-local
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-remote
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat1 extended permit ip object-group net-local object-group net-remote
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
route inside 172.16.100.0 255.255.255.0 172.16.103.2 1
route inside 172.16.101.0 255.255.255.0 172.16.103.2 1
route inside 172.16.102.0 255.255.255.0 172.16.103.2 1
route inside 172.16.103.0 255.255.255.0 172.16.103.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.103.3-172.16.103.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 200.20.20.1 type ipsec-l2l
tunnel-group 200.20.20.1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9eb55d1b2d70db50cd19d7c07b7afe0b
: end
TresASA2(config)#
regards!!!
07-10-2012 01:28 PM
On device TresASA2
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 200.30.30.1 255.255.255.0
The default route is: "route outside 0.0.0.0 0.0.0.0 200.20.20.1 1"
"The site-to-site VPN is down; the 2 VPNs are configured on the same ASA (TresASA1) and the same outside interface."
Your default gateway on device TresASA2 and its outside interface are not on the same subnet, so it is not routable, and it is no wonder you cannot establish the site-to-site VPN tunnel.
thanks
07-10-2012 01:38 PM
Yes, I see my error, but the tunnel is still down...
-------------------------------------
TresASA2(config)#
TresASA2(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 200.30.30.1 to network 0.0.0.0
S 172.16.100.0 255.255.255.0 [1/0] via 172.16.103.2, inside
S 172.16.101.0 255.255.255.0 [1/0] via 172.16.103.2, inside
S 172.16.102.0 255.255.255.0 [1/0] via 172.16.103.2, inside
C 172.16.103.0 255.255.255.0 is directly connected, inside
C 200.30.30.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 200.30.30.1, outside
TresASA2(config)#
-----------------------------------------------------------------------------------------
TresASA1(config)#
TresASA1(config)# ping 200.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.30.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA1(config)# ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
TresASA1(config)# sh cry
TresASA1(config)# sh crypto isa
TresASA1(config)# sh crypto isakmp sa
TresASA1(config)# sh crypto isakmp sa
There are no isakmp sas
TresASA1(config)# sh cry
TresASA1(config)# sh crypto ipse
TresASA1(config)# sh crypto ipsec sa
There are no ipsec sas
TresASA1(config)#
:-(
07-10-2012 04:41 PM
Hi there,
Please apply the highlighted "inspect icmp" to the global_policy on both firewalls and then ping the outside IP address of each FW from the other.
policy-map global_policy
class inspection_default
inspect icmp
Please post the output of the command below from device TresASA2:
show run | in route
Is the default route "0.0.0.0 0.0.0.0" being pushed to the outside interface itself on TresASA2, rather than to the default gateway?
Please update.
thanks
07-10-2012 05:40 PM
OK, I changed the route on TresASA2, added inspect ICMP on both ASA 5520s and sent pings to both ASAs.
Thanks for your help....
07-10-2012 06:13 PM
If you are able to ping both outside interfaces, then initiate traffic from an IP address in the interesting network on one end to the other side and see if the tunnel comes up.
update please
thanks
07-10-2012 06:27 PM
No, the tunnel is down.
Do you think the trouble is the version? I can try with the asa844-k8 version, but I don't know how to configure NAT and site-to-site VPN on this version. In between I tried enabling debug crypto isa and debug crypto ipsec, but they show me no information.
07-10-2012 06:42 PM
"I can try with the asa844-k8 version"
Version 8.4(4) has more complex NAT and no-NAT, so stick with your version for now.
Please add this static route on ASA2
route outside 172.16.0.0 255.255.0.0 200.30.30.2
Please add this static route on ASA1, as well.
route outside 172.16.0.0 255.255.0.0 200.20.20.2
When you initiate the tunnel, you must initiate it from a source network address; you cannot initiate the tunnel from the firewall itself, it won't work.
please update.
thanks
07-10-2012 10:15 PM
Your testing is wrong. With that ping the tunnel is not triggered, as the ping is sent from the outside IP of the ASA, and that source IP is not included in your encryption definition.
It's best to test from a PC in your local network to a PC in the remote network.
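The three things this thread turns on are all visible in a "show run" before any tunnel is attempted: two crypto maps bound to the same interface (only the last "crypto map ... interface" survives), a dynamic entry whose sequence number is not above the site-to-site entries (Karsten's answer), a default route whose next hop is the ASA's own outside address (Rizwan's finding), and a test ping sourced from the ASA's outside IP that never matches the crypto ACL (the last two replies). The script below is an added example, not code from the thread or from Cisco: it parses a condensed, constructed config in the shape of the dumps above, reports those mistakes, and answers "would this source/destination pair bring the tunnel up?" by walking the crypto ACL. The sample configs, the map names VPNL2L/outside_map/vpns and the host addresses 172.16.3.10 and 172.16.103.10 are assumptions for illustration.

```python
# Added example, not code from the thread: lint an ASA 8.x "show run" for the mistakes
# discussed above. Sample configs are constructed, condensed from the shape of the dumps.
import ipaddress

COMMON = """\
interface GigabitEthernet0/1
 nameif outside
 ip address 200.20.20.1 255.255.255.0
object-group network net-local
 network-object 172.16.3.0 255.255.255.0
object-group network net-remote
 network-object 172.16.103.0 255.255.255.0
access-list nonat1 extended permit ip object-group net-local object-group net-remote
"""
# First attempt: two maps bound to "outside", default route aimed at the ASA's own address.
BROKEN = COMMON + """\
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
crypto map VPNL2L 1 match address nonat1
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map VPNL2L interface outside
"""
# Merged as in the accepted answer: one map, dynamic entry numbered above the static L2L entry.
FIXED = COMMON + """\
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
"""

def _operand(t, i, groups):
    """One ACL address operand at token i -> (list of networks, index of the next token)."""
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")], i + 2

def parse_config(text):
    """Collect interfaces, object-groups, ACLs, default routes and crypto-map entries."""
    cfg = {k: {} for k in ("ifaces", "groups", "acls", "static", "dynamic", "bindings")}
    cfg["routes"], cur_if, cur_group = [], None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            cur_if, cur_group = {}, None
        elif t[0] == "nameif" and cur_if is not None:
            cur_if["name"] = t[1]
        elif t[:2] == ["ip", "address"] and cur_if is not None:
            cfg["ifaces"][cur_if["name"]] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["object-group", "network"]:
            cur_if, cur_group = None, cfg["groups"].setdefault(t[2], [])
        elif t[0] == "network-object" and cur_group is not None:
            cur_group.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list" and "permit" in t:
            src, i = _operand(t, t.index("permit") + 2, cfg["groups"])  # +2 skips the protocol
            cfg["acls"].setdefault(t[1], []).append((src, _operand(t, i, cfg["groups"])[0]))
        elif t[0] == "route" and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["routes"].append((t[1], ipaddress.ip_address(t[4])))
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["bindings"].setdefault(t[4], []).append(t[2])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit() and len(t) > 6:
            name, seq = t[2], int(t[3])
            if t[4:6] == ["ipsec-isakmp", "dynamic"]:
                cfg["dynamic"].setdefault(name, {})[seq] = t[6]
            else:  # "match address ACL", "set peer IP", "set transform-set TS", ...
                cfg["static"].setdefault(name, {}).setdefault(seq, {})[t[5]] = t[6]
    return cfg

def lint(cfg):
    """Findings: several maps on one interface, dynamic seq not above static seq, bad default route."""
    out = []
    for ifname, maps in cfg["bindings"].items():
        if len(maps) > 1:
            out.append(f"{ifname}: {len(maps)} crypto maps bound ({', '.join(maps)}); the ASA keeps only the last")
    for name, dyn in cfg["dynamic"].items():
        stat = cfg["static"].get(name, {})
        if stat and min(dyn) <= max(stat):
            out.append(f"crypto map {name}: dynamic seq {min(dyn)} must be above static seq {max(stat)}")
    for ifname, nh in cfg["routes"]:
        addr = cfg["ifaces"].get(ifname)
        if addr and nh == addr.ip:
            out.append(f"default route via {nh} points at the ASA's own {ifname} address")
        elif addr and nh not in addr.network:
            out.append(f"default route via {nh} is not on the {ifname} subnet {addr.network}")
    return out

def interesting(cfg, map_name, src, dst):
    """Static entries whose crypto ACL covers src->dst, i.e. traffic that can bring the tunnel up."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for seq, entry in sorted(cfg["static"].get(map_name, {}).items()):
        for srcs, dsts in cfg["acls"].get(entry.get("address"), []):
            if any(s in n for n in srcs) and any(d in n for n in dsts):
                hits.append((seq, entry.get("peer")))
                break
    return hits

if __name__ == "__main__":
    print("BROKEN:", lint(parse_config(BROKEN)))
    print("FIXED:", lint(parse_config(FIXED)) or "no findings")
    print(interesting(parse_config(FIXED), "vpns", "200.20.20.1", "200.30.30.1"))   # [] : ASA-to-ASA ping
    print(interesting(parse_config(FIXED), "vpns", "172.16.3.10", "172.16.103.10"))  # [(1, '200.30.30.1')]
```

The linter flags exactly the two problems in the first attempt and nothing in the merged map. The last two calls reproduce the test mistake: a ping between the two outside addresses matches no static entry, so ISAKMP is never started, while a host in net-local talking to a host in net-remote hits sequence 1 with peer 200.30.30.1. Run it over a real "show run" by passing the file contents to parse_config; lines the parser does not understand are ignored.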