
VPN site to site & VPN client on ASA 5520 on same outside

Hi, I am Jonathan Rivero.

I have an ASA 5520, Version 8.0(2). I configured the VPN site-to-site and it works fine; on the other appliance I configured the VPN Client for remote users, and it works fine too. But when I try to configure the 2 VPNs on the ASA 5520 on the same outside interface, I have the line "crypto map outside_map interface outside" (for the VPN client), but when I configure "crypto map VPNL2L interface outside" it overwrites the command, and therefore I can only have one connection.

The show run:

ASA1(config)# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ASA1

enable password 7esAUjZmKQSFDCZX encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface Ethernet0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

!

interface Ethernet0/1.1

vlan 1

nameif outside1

security-level 0

no ip address

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/5

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-poolvpn

network-object 192.168.11.0 255.255.255.0

access-list nat-outside extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

pager lines 24

mtu inside 1500

mtu outside 1500

mtu outside1 1500

ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 100 burst-size 10

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat-outside

route outside 0.0.0.0 0.0.0.0 200.20.20.1 1

route inside 172.16.0.0 255.255.255.0 172.16.3.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.2 1

route inside 172.16.2.0 255.255.255.0 172.16.3.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map VPNL2L 1 match address nonat

crypto map VPNL2L 1 set peer 200.30.30.1

crypto map VPNL2L 1 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

banner value ++++Welcome to Cisco Systems 7.0.+++++

dns-server value 192.168.0.1 192.168.1.1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngroup1

default-domain value ad-domain.local

split-dns value ad-domain.local

address-pools value ippool

username asa1 password VRTlLlJ48/PoDKjS encrypted privilege 15

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

ASA2(config)#sh run

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map VPNL2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key cisco

My topology: [attachment: ASA_VPN.PNG]

I tried with the following links but it didn't work:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080912cfd.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Best Regards...

Accepted Solution

VPN site to site & VPN client on ASA 5520 on same outside

"I think so of the force the ASA with the new route outside, why this?"

Without the route, the ASA pushes traffic to inside by default.

Anyway, this must have been a learning experience.

I hope this has been of any help.

Please rate all helpful posts.

thanks

Rizwan Rafeek.

28 REPLIES

VPN site to site & VPN client on ASA 5520 on same outside

> crypto map VPNL2L 1 match address nonat

As you have seen, there can only be one crypto map on the interface. So everything has to go into one crypto map, which can be achieved with the help of the sequence numbers (the "1" above).

What you need is:

crypto map YOUR-CRYPTO-MAP-NAME 1 match address nonat

crypto map YOUR-CRYPTO-MAP-NAME 1 set peer 200.30.30.1

crypto map YOUR-CRYPTO-MAP-NAME 1 set transform-set ESP-3DES-MD5

crypto map YOUR-CRYPTO-MAP-NAME 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map YOUR-CRYPTO-MAP-NAME interface outside

Just make sure that the dynamic entries always have a higher seq-# than the site-to-site sequence numbers.

HTH, Karsten


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: VPN site to site & VPN client on ASA 5520 on same outside

Hi Jonathan,

I am trying to understand what it is that you are trying to achieve, as your description is not clear.

You have remote VPN clients logging into one of your ASAs and you want the remote VPN client to be able to access both site-to-site remote networks, is this right?

thanks

Re: VPN site to site & VPN client on ASA 5520 on same outside

Hi Riz.... let me explain.

I have 2 VPNs (remote and site-to-site). The remote VPN is successful or UP, the site-to-site VPN is down; the 2 VPNs are configured on the same ASA (TresASA1) and the same outside.

I tried to configure the VPN site-to-site with ASDM and CLI but unsuccessfully. The current configuration is posted.

Thanks for helping me!!!

VPN site to site & VPN client on ASA 5520 on same outside

Please post your most current config as an attachment.

thanks

VPN site to site & VPN client on ASA 5520 on same outside

Is this configuration running on real hardware, or are you trying this out on some software-based simulator?

Re: VPN site to site & VPN client on ASA 5520 on same outside

This is a real ASA 5520 appliance, and this is my current configuration.

TresASA1(config)# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname TresASA1

enable password E0HXgOXKEFi9sKqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.3.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.20.20.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-poolvpn

network-object 192.168.11.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list nonat1 extended permit ip object-group net-local object-group net-remote

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

pager lines 24

logging console debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.1 1

route inside 172.16.2.0 255.255.255.0 172.16.3.1 1

route inside 172.16.4.0 255.255.255.0 172.16.3.1 1

route inside 172.16.5.0 255.255.255.0 172.16.3.1 1

route inside 172.16.6.0 255.255.255.0 172.16.3.1 1

route inside 172.16.7.0 255.255.255.0 172.16.3.1 1

route inside 172.16.8.0 255.255.255.0 172.16.3.1 1

route inside 172.16.9.0 255.255.255.0 172.16.3.1 1

route inside 172.16.10.0 255.255.255.0 172.16.3.1 1

route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.30.30.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns 65535 ipsec-isakmp dynamic dyn_map

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2     

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

vpn-sessiondb max-session-limit 450

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy vpngroup1 internal

group-policy vpngroup1 attributes

banner value ++++Welcome to Cisco Systems.+++++ PROPIEDAD PRIVADA, CUALQUIER PERSONA AJENA AL CORPORATIVO, SERA CONSIGNADA A LAS AUTORIDADES

dns-server value 200.57.64.85 200.57.64.86

vpn-simultaneous-logins 20

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun-vpngroup1

default-domain value ad-domain.local

split-dns value ad-domain.local

address-pools value ippool

username ho1a password DXK.iozVseM0AOzr encrypted privilege 15

username ciscouser password z4c9KJvMNAA7soAj encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *****

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:fea2b3d94bac70f546123d723bb6f06a

: end

TresASA1(config)#

-------------------------

TresASA2(config)# sh run

isakmp policy 20 is superceded by identical policy 1

: Saved

:

ASA Version 8.2(5)

!

hostname TresASA2

enable password E0HXgOXKEFi9sKqd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 172.16.103.2 255.255.255.0

!

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.30.30.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!            

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

object-group network net-local

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-remote

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat1 extended permit ip object-group net-local object-group net-remote

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

route outside 0.0.0.0 0.0.0.0 200.20.20.1 1

route inside 172.16.100.0 255.255.255.0 172.16.103.2 1

route inside 172.16.101.0 255.255.255.0 172.16.103.2 1

route inside 172.16.102.0 255.255.255.0 172.16.103.2 1

route inside 172.16.103.0 255.255.255.0 172.16.103.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.20.20.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 172.16.103.3-172.16.103.254 inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 200.20.20.1 type ipsec-l2l

tunnel-group 200.20.20.1 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:9eb55d1b2d70db50cd19d7c07b7afe0b

: end        

TresASA2(config)#

regards!!!

Re: VPN site to site & VPN client on ASA 5520 on same outside

On device TresASA2

interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 200.30.30.1 255.255.255.0

default route is: "route outside 0.0.0.0 0.0.0.0 200.20.20.1 1"

"VPN site to site is down, the 2 VPN is configured on same ASA (TresASA1) and the same outside."

Your default gateway on device TresASA2 and its outside interface are not on the same subnet; it is not routable, so it is no wonder you cannot establish the site-to-site VPN tunnel.

thanks

Re: VPN site to site & VPN client on ASA 5520 on same outside

Yes, I see my error, but the tunnel is still down...

-------------------------------------

TresASA2(config)#

TresASA2(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 200.30.30.1 to network 0.0.0.0

S    172.16.100.0 255.255.255.0 [1/0] via 172.16.103.2, inside

S    172.16.101.0 255.255.255.0 [1/0] via 172.16.103.2, inside

S    172.16.102.0 255.255.255.0 [1/0] via 172.16.103.2, inside

C    172.16.103.0 255.255.255.0 is directly connected, inside

C    200.30.30.0 255.255.255.0 is directly connected, outside

S*   0.0.0.0 0.0.0.0 [1/0] via 200.30.30.1, outside

TresASA2(config)#

-----------------------------------------------------------------------------------------

TresASA1(config)#

TresASA1(config)# ping 200.30.30.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.30.30.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA1(config)# ping 172.16.103.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

TresASA1(config)# sh cry

TresASA1(config)# sh crypto isa

TresASA1(config)# sh crypto isakmp sa

TresASA1(config)# sh crypto isakmp sa

There are no isakmp sas

TresASA1(config)# sh cry

TresASA1(config)# sh crypto  ipse

TresASA1(config)# sh crypto  ipsec sa

There are no ipsec sas

TresASA1(config)#

:-(

Re: VPN site to site & VPN client on ASA 5520 on same outside

Hi there,

Please apply the highlighted "inspect icmp" to the global_policy on both firewalls and then ping both outside IP addresses from each FW.

policy-map global_policy

  class inspection_default  

   inspect icmp

Please post the output from the below command from device: TresASA2. 

show run | in route

Is the default route "0.0.0.0 0.0.0.0" being pushed to the outside interface itself on TresASA2, rather than to the default gateway?

Please update.

thanks

Re: VPN site to site & VPN client on ASA 5520 on same outside

OK, I changed the route on TresASA2, added the inspect ICMP on both ASA 5520s and sent the ping to both ASAs.

Thanks for your help....

Re: VPN site to site & VPN client on ASA 5520 on same outside

If you are able to ping both outside interfaces, then initiate the traffic from one end to the other, from an interesting-network IP address to the other side, and see if the tunnels come up.

update please

thanks

Re: VPN site to site & VPN client on ASA 5520 on same outside

No, the tunnel is down.

Do you think the trouble is the version? I can try with the asa844-k8 version, but I don't know how to configure NAT and VPN site-to-site on this version. I also tried enabling debug crypto isa and debug crypto ipsec, but they show me no information.

Re: VPN site to site & VPN client on ASA 5520 on same outside

"I can try with asa844-k8 version"

Version 8.4(4) has more complex NAT and no-NAT, so stick with your version for now.

Please add this static route on ASA2

route outside 172.16.0.0 255.255.0.0 200.30.30.2

Please add this static route on ASA1, as well.

route outside 172.16.0.0 255.255.0.0 200.20.20.2

When you initiate the tunnel, you must initiate it from a source-network address; you cannot initiate the tunnel from the firewall itself, it won't work.

please update.

thanks


Re: VPN site to site & VPN client on ASA 5520 on same outside

Your testing is wrong. With that ping the tunnel is not triggered, as the ping is sent from the outside IP of the ASA, but that source IP is not included in your encryption definition.

It's best to test from a PC in your local network to a PC in the remote network.


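The three things this thread turned on (one crypto map per interface with the dynamic entries sequenced last, a default gateway that actually sits on the outside subnet, and test traffic that matches the crypto ACL instead of being sourced from the ASA itself) are easy to check mechanically against a saved running-config. The Python below is an added example written for this page, not Cisco's code and not anything the participants posted. It understands only the handful of commands the posted configs use, and SAMPLE_CONFIG is a constructed config modelled on the mistakes above (L2L entries left under a map that is not the one applied to the interface, a default gateway on 200.20.20.0/24 behind an outside interface on 200.30.30.0/24); it is not a copy of either ASA's configuration.

```python
"""Audit an ASA 8.x config for the IPsec pitfalls raised in this thread. Added example,
not Cisco code; it parses only the commands the posted configs use. Checks: crypto-map
entries under a map not applied to the interface, dynamic entries sequenced before static
ones, an off-subnet default gateway, and src->dst 'interesting traffic'. SAMPLE_CONFIG is constructed."""
import ipaddress
import re
from types import SimpleNamespace

def _net(addr, mask="255.255.255.255"):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _addr_spec(cfg, tok):
    """Consume one ACE address spec: any | host A | object-group G | A M."""
    if tok[0] == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [_net(tok[1])], tok[2:]
    if tok[0] == "object-group":
        return cfg.groups.get(tok[1], []), tok[2:]
    return [_net(tok[0], tok[1])], tok[2:]

def parse_config(text):
    # interfaces: nameif -> IPv4Interface; groups: name -> [net]; acls: name -> [(src_nets, dst_nets)]
    cfg = SimpleNamespace(interfaces={}, groups={}, acls={}, routes=[], map_entries={}, map_binding={})
    cur_if, cur_grp = None, None
    for line in (" ".join(l.split()) for l in text.splitlines() if l.strip()):
        t = line.split()
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if and len(t) >= 4:
            cfg.interfaces[cur_if] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["object-group", "network"]:
            cur_grp = cfg.groups.setdefault(t[2], [])
        elif t[0] == "network-object" and cur_grp is not None:
            cur_grp.append(_net(t[2]) if t[1] == "host" else _net(t[1], t[2]))
        elif t[0] == "access-list" and "permit" in t[:-2] and t[t.index("permit") + 1] == "ip":
            src, rest = _addr_spec(cfg, t[t.index("permit") + 2:])  # 'permit ip' ACEs only,
            dst, _ = _addr_spec(cfg, rest)                            # which is what a crypto ACL holds
            cfg.acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "route" and len(t) >= 5:
            cfg.routes.append((t[1], _net(t[2], t[3]), ipaddress.IPv4Address(t[4])))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg.map_binding[m[2]] = m[1]           # the one map this interface will ever use
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            e = cfg.map_entries.setdefault(m[1], {}).setdefault(int(m[2]), {"dynamic": False, "acl": None})
            e["dynamic"] = e["dynamic"] or m[3].startswith("ipsec-isakmp dynamic")
            if acl := re.match(r"match address (\S+)", m[3]):
                e["acl"] = acl[1]
    return cfg

def check_crypto_maps(cfg):
    findings, bound = [], set(cfg.map_binding.values())
    for name, entries in cfg.map_entries.items():
        if name not in bound:
            findings.append(f"crypto map {name} has entries but is not applied to any interface")
            continue
        static = [s for s, e in entries.items() if not e["dynamic"]]
        dynamic = [s for s, e in entries.items() if e["dynamic"]]
        if static and dynamic and min(dynamic) < max(static):
            findings.append(f"crypto map {name}: dynamic seq {min(dynamic)} is ordered before static seq {max(static)}")
    return findings

def check_default_gateway(cfg):
    findings = []
    for nameif, net, gw in cfg.routes:
        iface = cfg.interfaces.get(nameif)
        if net.prefixlen == 0 and iface is not None and gw not in iface.network:
            findings.append(f"default gateway {gw} is not on the {nameif} subnet {iface.network}")
    return findings

def is_interesting_traffic(cfg, map_name, src, dst):
    """Does src->dst match a static crypto ACL of map_name, i.e. would it bring up the L2L tunnel?"""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in cfg.map_entries.get(map_name, {}).values():
        for s_nets, d_nets in cfg.acls.get(e["acl"] or "", []):
            if any(src in n for n in s_nets) and any(dst in n for n in d_nets):
                return True
    return False

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif outside
 ip address 200.30.30.1 255.255.255.0
object-group network net-local
 network-object 172.16.103.0 255.255.255.0
object-group network net-remote
 network-object 172.16.3.0 255.255.255.0
access-list nonat1 extended permit ip object-group net-local object-group net-remote
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
crypto map VPNL2L 1 match address nonat1
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("\n".join(check_crypto_maps(cfg) + check_default_gateway(cfg)))
```

Run as a script it prints the two findings for the sample; the same functions can be pointed at a real `show run` saved to a file. Calling is_interesting_traffic with the ASA's own outside address as the source reproduces Karsten's point: that pair is outside the crypto ACL, so a ping from the firewall can never bring the tunnel up, while a LAN host to a remote LAN host does.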

Re: VPN site to site & VPN client on ASA 5520 on same outside

Hi Karsten/riswanr74,

Yes, yesterday I tried from LAN to LAN, but now I re-configured the 2 ASAs (same configuration, copy and paste) and now when I test the tunnel, on TresASA1 both tunnels are up (site-to-site and remote), but on TresASA2 traffic doesn't pass across the tunnel. I entered the show crypto ipsec sa command and the numbers (#pkts encaps: #pkts encrypt: , #pkts digest: 99) mismatch....

The access-list configuration is:

TresASA1(config)# sh run access-list

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list nonat1 extended permit ip object-group net-local object-group net-remote

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

TresASA1(config)# sh run crypto

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.30.30.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns 65535 ipsec-isakmp dynamic dyn_map

crypto map vpns interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

TresASA1(config)# sh run tunnel

tunnel-group 200.30.30.1 type ipsec-l2l

tunnel-group 200.30.30.1 ipsec-attributes

pre-shared-key *****

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool ippool

default-group-policy vpngroup1

tunnel-group vpngroup1 ipsec-attributes

pre-shared-key *****

TresASA1(config)# sh run nat

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

TresASA1(config)# sh run global

global (outside) 1 interface

TresASA1(config)#

---------------------------------------

TresASA2(config)# sh run access-list

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat1 extended permit ip object-group net-local object-group net-remote

TresASA2(config)# sh run nat

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

TresASA2(config)# sh run cryt

TresASA2(config)# sh run cryptoi

TresASA2(config)# sh run cryptto

TresASA2(config)# sh run crypto

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 400000

crypto map vpns 1 match address nonat1

crypto map vpns 1 set peer 200.20.20.1

crypto map vpns 1 set transform-set ESP-3DES-MD5

crypto map vpns interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2     

lifetime 86400

TresASA2(config)# sh run globa

global (outside) 1 interface

TresASA2(config)#

Thanks!!!


Re: VPN site to site & VPN client on ASA 5520 on same outside

So you have packets flowing from ASA2 to ASA1 but nothing comes back. Are there any relevant log messages on ASA1 while testing?

While testing you could do a packet capture on ASA1 to see if the test packets come back to the ASA (in the following form, not during peak hours):

ASA# capture CAP1 interface inside real-time



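A real-time capture scrolls past quickly; what actually matters is whether each echo request seen on the inside interface gets a matching reply. The Python below is an added example, not Cisco code and not the participants' output: it parses lines in the format `capture ... real-time` prints and reports flows that carry requests but no replies. SAMPLE_CAPTURE is constructed (a one-way flow like the one posted later in the thread, plus a second flow that did answer), not copied from the capture on this page.

```python
"""Pair ICMP echo requests with replies in ASA 'capture ... real-time' output.
Added example, not Cisco code. SAMPLE_CAPTURE is constructed in the format the
ASA prints: a one-way flow like the one in the thread, plus a flow that answered."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\b"
)

SAMPLE_CAPTURE = """\
Use ctrl-c to terminate real-time capture
   1: 16:50:50.959239 172.16.103.1 > 172.16.3.1: icmp: echo request
   2: 16:50:52.959316 172.16.103.1 > 172.16.3.1: icmp: echo request
   3: 16:50:53.100211 172.16.3.5 > 172.16.103.1: icmp: echo request
   4: 16:50:53.100902 172.16.103.1 > 172.16.3.5: icmp: echo reply
   5: 16:50:54.959667 172.16.103.1 > 172.16.3.1: icmp: echo request
"""

def summarize_icmp(capture_text):
    """Return {(initiator, target): (requests, replies)}. A reply is credited to the
    flow whose request it answers, so replies == 0 means one-way traffic."""
    flows = defaultdict(lambda: [0, 0])
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner, warning, or non-ICMP line
        if m["kind"] == "request":
            flows[(m["src"], m["dst"])][0] += 1
        else:
            flows[(m["dst"], m["src"])][1] += 1
    return {k: tuple(v) for k, v in flows.items()}

def one_way_flows(capture_text):
    """Flows with requests seen on this interface and no reply at all."""
    return sorted(k for k, (req, rep) in summarize_icmp(capture_text).items() if req and not rep)

if __name__ == "__main__":
    for (src, dst), (req, rep) in summarize_icmp(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {req} requests, {rep} replies")
    print("one-way:", one_way_flows(SAMPLE_CAPTURE))
```

Feed it the saved console output. A flow listed by one_way_flows on an inside-interface capture means the decrypted packets did leave the ASA toward the inside network, so the next place to look is the return path from that host (its default route, a host firewall), not the IPsec negotiation.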

Re: VPN site to site & VPN client on ASA 5520 on same outside

OK, this is the output:

TresASA1(config)# capture CAP1 interface inside real-time

Warning: using this option with a slow console connection may

         result in an excessive amount of non-displayed packets

         due to performance limitations.

Use ctrl-c to terminate real-time capture

   1: 16:50:50.959239 172.16.103.1 > 172.16.3.1: icmp: echo request

   2: 16:50:52.959316 172.16.103.1 > 172.16.3.1: icmp: echo request

   3: 16:50:54.959667 172.16.103.1 > 172.16.3.1: icmp: echo request

   4: 16:50:56.959972 172.16.103.1 > 172.16.3.1: icmp: echo request

   5: 16:50:58.959911 172.16.103.1 > 172.16.3.1: icmp: echo request

   6: 16:51:00.960323 172.16.103.1 > 172.16.3.1: icmp: echo request

   7: 16:51:02.960353 172.16.103.1 > 172.16.3.1: icmp: echo request

   8: 16:51:04.960613 172.16.103.1 > 172.16.3.1: icmp: echo request

   9: 16:51:06.960948 172.16.103.1 > 172.16.3.1: icmp: echo request

  10: 16:51:08.960994 172.16.103.1 > 172.16.3.1: icmp: echo request

  11: 16:51:10.961376 172.16.103.1 > 172.16.3.1: icmp: echo request

  12: 16:51:12.961421 172.16.103.1 > 172.16.3.1: icmp: echo request

  13: 16:51:14.961650 172.16.103.1 > 172.16.3.1: icmp: echo request

  14: 16:51:16.962001 172.16.103.1 > 172.16.3.1: icmp: echo request

  15: 16:51:18.962062 172.16.103.1 > 172.16.3.1: icmp: echo request

  16: 16:51:20.962413 172.16.103.1 > 172.16.3.1: icmp: echo request

  17: 16:51:22.962505 172.16.103.1 > 172.16.3.1: icmp: echo request

  18: 16:51:24.962734 172.16.103.1 > 172.16.3.1: icmp: echo request

  19: 16:51:26.963054 172.16.103.1 > 172.16.3.1: icmp: echo request

  20: 16:51:28.963115 172.16.103.1 > 172.16.3.1: icmp: echo request

  21: 16:51:30.963527 172.16.103.1 > 172.16.3.1: icmp: echo request

  22: 16:51:32.963527 172.16.103.1 > 172.16.3.1: icmp: echo request

  23: 16:51:34.963756 172.16.103.1 > 172.16.3.1: icmp: echo request

  24: 16:51:36.964122 172.16.103.1 > 172.16.3.1: icmp: echo request

  25: 16:51:38.964183 172.16.103.1 > 172.16.3.1: icmp: echo request

  26: 16:51:40.964564 172.16.103.1 > 172.16.3.1: icmp: echo request

  27: 16:51:42.964610 172.16.103.1 > 172.16.3.1: icmp: echo request

  28: 16:51:44.964809 172.16.103.1 > 172.16.3.1: icmp: echo request

  29: 16:51:46.965190 172.16.103.1 > 172.16.3.1: icmp: echo request

  30: 16:51:48.965221 172.16.103.1 > 172.16.3.1: icmp: echo request

  31: 16:51:50.965602 172.16.103.1 > 172.16.3.1: icmp: echo request

  32: 16:51:52.965678 172.16.103.1 > 172.16.3.1: icmp: echo request

  33: 16:51:54.965892 172.16.103.1 > 172.16.3.1: icmp: echo request

  34: 16:51:56.966273 172.16.103.1 > 172.16.3.1: icmp: echo request

  35: 16:51:58.966273 172.16.103.1 > 172.16.3.1: icmp: echo request

  36: 16:52:00.966640 172.16.103.1 > 172.16.3.1: icmp: echo request

  37: 16:52:02.966716 172.16.103.1 > 172.16.3.1: icmp: echo request

  38: 16:52:04.966929 172.16.103.1 > 172.16.3.1: icmp: echo request

  39: 16:52:06.967326 172.16.103.1 > 172.16.3.1: icmp: echo request

  40: 16:52:08.967357 172.16.103.1 > 172.16.3.1: icmp: echo request

  41: 16:52:10.967723 172.16.103.1 > 172.16.3.1: icmp: echo request

  42: 16:52:12.967784 172.16.103.1 > 172.16.3.1: icmp: echo request

  43: 16:52:14.967982 172.16.103.1 > 172.16.3.1: icmp: echo request

  44: 16:52:16.968348 172.16.103.1 > 172.16.3.1: icmp: echo request

  45: 16:52:18.968410 172.16.103.1 > 172.16.3.1: icmp: echo request

  46: 16:52:20.968776 172.16.103.1 > 172.16.3.1: icmp: echo request

  47: 16:52:22.968852 172.16.103.1 > 172.16.3.1: icmp: echo request

  48: 16:52:24.969111 172.16.103.1 > 172.16.3.1: icmp: echo request

  49: 16:52:26.969432 172.16.103.1 > 172.16.3.1: icmp: echo request

  50: 16:52:28.969462 172.16.103.1 > 172.16.3.1: icmp: echo request

  51: 16:52:30.969874 172.16.103.1 > 172.16.3.1: icmp: echo request

  52: 16:52:32.969951 172.16.103.1 > 172.16.3.1: icmp: echo request

  53: 16:52:34.970118 172.16.103.1 > 172.16.3.1: icmp: echo request

  54: 16:52:36.970469 172.16.103.1 > 172.16.3.1: icmp: echo request

  55: 16:52:38.970546 172.16.103.1 > 172.16.3.1: icmp: echo request

  56: 16:52:40.970912 172.16.103.1 > 172.16.3.1: icmp: echo request

  57: 16:52:42.970973 172.16.103.1 > 172.16.3.1: icmp: echo request

  58: 16:52:44.971171 172.16.103.1 > 172.16.3.1: icmp: echo request

  59: 16:52:46.971522 172.16.103.1 > 172.16.3.1: icmp: echo request

  60: 16:52:48.971583 172.16.103.1 > 172.16.3.1: icmp: echo request

  61: 16:52:50.971949 172.16.103.1 > 172.16.3.1: icmp: echo request

  62: 16:52:52.972117 172.16.103.1 > 172.16.3.1: icmp: echo request

  63: 16:52:54.972239 172.16.103.1 > 172.16.3.1: icmp: echo request

  64: 16:52:56.972651 172.16.103.1 > 172.16.3.1: icmp: echo request

  65: 16:52:57.772939 arp who-has 172.16.3.4 tell 172.16.3.8

  66: 16:52:58.972651 172.16.103.1 > 172.16.3.1: icmp: echo request

  67: 16:53:00.973017 172.16.103.1 > 172.16.3.1: icmp: echo request

  68: 16:53:02.973109 172.16.103.1 > 172.16.3.1: icmp: echo request

  69: 16:53:04.973292 172.16.103.1 > 172.16.3.1: icmp: echo request

  70: 16:53:07.001678 172.16.103.1 > 172.16.3.1: icmp: echo request

  71: 16:53:09.001754 172.16.103.1 > 172.16.3.1: icmp: echo request

  72: 16:53:11.002197 172.16.103.1 > 172.16.3.1: icmp: echo request

  73: 16:53:13.002197 172.16.103.1 > 172.16.3.1: icmp: echo request

  74: 16:53:15.002456 172.16.103.1 > 172.16.3.1: icmp: echo request

  75: 16:53:17.002761 172.16.103.1 > 172.16.3.1: icmp: echo request

  76: 16:53:19.002822 172.16.103.1 > 172.16.3.1: icmp: echo request

  77: 16:53:21.003173 172.16.103.1 > 172.16.3.1: icmp: echo request

  78: 16:53:23.003372 172.16.103.1 > 172.16.3.1: icmp: echo request

  79: 16:53:25.003494 172.16.103.1 > 172.16.3.1: icmp: echo request

  80: 16:53:27.003829 172.16.103.1 > 172.16.3.1: icmp: echo request

  81: 16:53:29.003890 172.16.103.1 > 172.16.3.1: icmp: echo request

  82: 16:53:31.004424 172.16.103.1 > 172.16.3.1: icmp: echo request

  83: 16:53:33.004333 172.16.103.1 > 172.16.3.1: icmp: echo request

  84: 16:53:35.004592 172.16.103.1 > 172.16.3.1: icmp: echo request

  85: 16:53:37.004867 172.16.103.1 > 172.16.3.1: icmp: echo request

  86: 16:53:39.004913 172.16.103.1 > 172.16.3.1: icmp: echo request

  87: 16:54:19.243410 arp who-has 172.16.3.5 tell 172.16.3.4

  88: 16:57:58.513767 arp who-has 172.16.3.8 tell 172.16.3.4

  89: 16:58:11.834841 arp who-has 172.16.3.1 tell 172.16.3.5

89 packets shown.

0 packets not shown due to performance limitations.

TresASA1(config)#

let me tell you that when I ping from 172.16.103.1 to 172.16.3.1 the ping is unsuccessful, but when I ping from 172.16.3.1 to 172.16.103.1 the ping is successful.

CORE_Tres(config)#do sh ip interface br

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES NVRAM  up                    up     

Vlan2                  172.16.2.1      YES manual up                    up     

Vlan4                  172.16.4.1      YES manual up                    up     

Vlan5                  172.16.5.1      YES manual up                    up     

Vlan7                  172.16.7.1      YES manual up                    up     

Vlan8                  172.16.8.1      YES manual up                    up     

Vlan9                  172.16.9.1      YES manual up                    up     

Vlan10                 172.16.10.1     YES manual up                    up     

Vlan11                 172.16.11.1     YES manual up                    up     

Vlan99                 172.16.99.1     YES manual up                    up     

Vlan101                unassigned      YES NVRAM  administratively down down   

Vlan152                172.16.3.1      YES NVRAM  up                    up     

Vlan153                unassigned      YES manual up                    up     

FastEthernet2/0/1      unassigned      YES manual down                  down   

FastEthernet2/0/2      unassigned      YES manual down                  down   

FastEthernet2/0/3      unassigned      YES unset  down                  down   

FastEthernet2/0/4      unassigned      YES unset  down                  down   

FastEthernet2/0/5      unassigned      YES unset  up                    up     

FastEthernet2/0/6      unassigned      YES unset  down                  down   

FastEthernet2/0/7      unassigned      YES unset  down                  down   

FastEthernet2/0/8      unassigned      YES unset  down                  down   

FastEthernet2/0/9      unassigned      YES unset  up                    up     

CORE_Tres(config)#do ping 172.16.103.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

CORE_Tres(config)#do telnet 172.16.103.1

Trying 172.16.103.1 ... Open

User Access Verification

Username: tresland

Password:

TresLAND#

so I think the packets do not come back to TresASA2....

what do you think?


Re: VPN site to site & VPN client on ASA 5520 on same outside

Could it be that 172.16.3.1 is filtering the incoming ICMP packets?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: VPN site to site & VPN client on ASA 5520 on same outside

mmm, no, this is the access-list configured on TresASA1:

TresASA1(config)# sh run access-list

access-list nat extended permit ip object-group net-local any

access-list nonat extended permit ip object-group net-local object-group net-remote

access-list nonat extended permit ip object-group net-local object-group net-poolvpn

access-list nonat1 extended permit ip object-group net-local object-group net-remote

access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn


Re: VPN site to site & VPN client on ASA 5520 on same outside

Not the ASA, the router that you try to ping.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni

Re: VPN site to site & VPN client on ASA 5520 on same outside

Hi there,

Please make sure your internal switch has a static route in place to push all remote network segments (which are going over the IPSec tunnel) to its local firewall's inside address. This static route must exist on the internal switch at both ends.

thanks

Re: VPN site to site & VPN client on ASA 5520 on same outside

yes...

TresASA2(config)# sh run object-group

object-group network net-local

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-remote

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

TresASA2(config)# sh run route

route outside 0.0.0.0 0.0.0.0 200.30.30.2 1

route inside 172.16.100.0 255.255.255.0 172.16.103.2 1

route inside 172.16.101.0 255.255.255.0 172.16.103.2 1

route inside 172.16.102.0 255.255.255.0 172.16.103.2 1

route inside 172.16.103.0 255.255.255.0 172.16.103.2 1

TresASA2(config)# ping 172.16.100.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

TresASA2(config)# ping 172.16.101.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.101.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA2(config)# ping 172.16.103.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA2(config)# ping 172.16.102.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.102.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA2(config)#

TresASA2(config)#

TresASA2(config)#

TresLAND(config-if)#exit

TresLAND(config)#

TresLAND(config)#

TresLAND(config)#do sh run | inc ip route

ip route 0.0.0.0 0.0.0.0 172.16.103.2

TresLAND(config)#ping 172.16.103.1

                  ^

% Invalid input detected at '^' marker.

TresLAND(config)#do ping 172.16.103.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

TresLAND(config)#

-----------------------------------------------------------------------------------------------------

TresASA1(config)# sh run object-group

object-group network net-local

network-object 172.16.0.0 255.255.255.0

network-object 172.16.1.0 255.255.255.0

network-object 172.16.2.0 255.255.255.0

network-object 172.16.3.0 255.255.255.0

network-object 172.16.4.0 255.255.255.0

network-object 172.16.5.0 255.255.255.0

network-object 172.16.6.0 255.255.255.0

network-object 172.16.7.0 255.255.255.0

network-object 172.16.8.0 255.255.255.0

network-object 172.16.9.0 255.255.255.0

network-object 172.16.11.0 255.255.255.0

object-group network net-remote

network-object 172.16.100.0 255.255.255.0

network-object 172.16.101.0 255.255.255.0

network-object 172.16.102.0 255.255.255.0

network-object 172.16.103.0 255.255.255.0

object-group network net-poolvpn

network-object 192.168.11.0 255.255.255.0

TresASA1(config)# sh run route

route outside 0.0.0.0 0.0.0.0 200.20.20.2 1

route inside 172.16.1.0 255.255.255.0 172.16.3.1 1

route inside 172.16.2.0 255.255.255.0 172.16.3.1 1

route inside 172.16.4.0 255.255.255.0 172.16.3.1 1

route inside 172.16.5.0 255.255.255.0 172.16.3.1 1

route inside 172.16.6.0 255.255.255.0 172.16.3.1 1

route inside 172.16.7.0 255.255.255.0 172.16.3.1 1

route inside 172.16.8.0 255.255.255.0 172.16.3.1 1

route inside 172.16.9.0 255.255.255.0 172.16.3.1 1

route inside 172.16.10.0 255.255.255.0 172.16.3.1 1

route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

TresASA1(config)# ping 172.16.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

TresASA1(config)# ping 172.16.11.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA1(config)#

CORE_Tres>

CORE_Tres>

CORE_Tres>en

Password:

CORE_Tres#sh run | inc ip route

ip route 0.0.0.0 0.0.0.0 172.16.3.2

CORE_Tres#sh ip interface br

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES NVRAM  up                    up     

Vlan2                  172.16.2.1      YES manual up                    up     

Vlan4                  172.16.4.1      YES manual up                    up     

Vlan5                  172.16.5.1      YES manual up                    up     

Vlan7                  172.16.7.1      YES manual up                    up     

Vlan8                  172.16.8.1      YES manual up                    up     

Vlan9                  172.16.9.1      YES manual up                    up     

Vlan10                 172.16.10.1     YES manual up                    up     

Vlan11                 172.16.11.1     YES manual up                    up     

Vlan99                 172.16.99.1     YES manual up                    up     

Vlan101                unassigned      YES NVRAM  administratively down down   

Vlan152                172.16.3.1      YES NVRAM  up                    up     

Vlan153                unassigned      YES manual up                    up     

FastEthernet2/0/1      unassigned      YES manual down                  down   

FastEthernet2/0/2      unassigned      YES manual down                  down   

FastEthernet2/0/3      unassigned      YES unset  down                  down   

FastEthernet2/0/4      unassigned      YES unset  down                  down   

FastEthernet2/0/5      unassigned      YES unset  up                    up     

FastEthernet2/0/6      unassigned      YES unset  down                  down   

FastEthernet2/0/7      unassigned      YES unset  down                  down   

FastEthernet2/0/8      unassigned      YES unset  down                  down   

FastEthernet2/0/9      unassigned      YES unset  up                    up     

CORE_Tres#

Re: VPN site to site & VPN client on ASA 5520 on same outside

Please post your current config from both firewalls as an attachment, please as an attachment.

thanks

Re: VPN site to site & VPN client on ASA 5520 on same outside

ok, the configuration is attached in notepad

VPN site to site & VPN client on ASA 5520 on same outside

Can you please add this static route on both devices.

Please add this static route on ASA2

route outside 172.16.0.0 255.255.0.0 200.30.30.2

Please add this static route on ASA1, as well.

route outside 172.16.0.0 255.255.0.0 200.20.20.2

Please remove this line from ASA2.

crypto isakmp identity address

Please update.

thanks
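As an added check (example code, not from the thread or from Cisco), the following models the ASA's longest-prefix-match lookup over TresASA1's posted routes and object-groups with the suggested /16 route added; it assumes the inside and outside subnets are 172.16.3.0/24 and 200.20.20.0/24. It shows that the /24 inside routes still win over the new /16, and flags any object-group member whose egress interface is not the expected one or that only the default route covers.

```python
"""Longest-prefix-match audit of TresASA1's static routes (added example).

Not the ASA's own code: a model of its route lookup, fed with the 'sh run route'
and 'sh run object-group' output in this thread plus the suggested /16 route.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    next_hop: str  # "connected" marks an interface's own subnet


def parse_asa_routes(text: str) -> List[Route]:
    """Parse 'route <iface> <net> <mask> <gateway> [metric]' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append(Route(parts[1], net, parts[4]))
    return routes


# Constructed: TresASA1's interface subnets (assumed inside 172.16.3.0/24,
# outside 200.20.20.0/24) and its static routes, including the added /16.
ASA1_CONNECTED = [
    Route("inside", ipaddress.IPv4Network("172.16.3.0/24"), "connected"),
    Route("outside", ipaddress.IPv4Network("200.20.20.0/24"), "connected"),
]
ASA1_ROUTES = ASA1_CONNECTED + parse_asa_routes(
    "route outside 0.0.0.0 0.0.0.0 200.20.20.2 1\n"
    + "".join(f"route inside 172.16.{n}.0 255.255.255.0 172.16.3.1 1\n"
              for n in (1, 2, 4, 5, 6, 7, 8, 9, 10, 11))
    + "route outside 172.16.0.0 255.255.0.0 200.20.20.2 1\n"
)
NET_LOCAL = [f"172.16.{n}.0/24" for n in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 11)]
NET_REMOTE = [f"172.16.{n}.0/24" for n in range(100, 104)]


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: /24 inside routes beat the /16, which beats default."""
    ip = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def audit(routes: List[Route], local: List[str], remote: List[str]) -> List[str]:
    """Flag group members whose egress interface is not the expected one, or
    that only the default route (prefix length 0) covers."""
    findings = []
    for group, expected in ((local, "inside"), (remote, "outside")):
        for net in group:
            r = lookup(routes, str(ipaddress.IPv4Network(net).network_address + 1))
            if r is None or r.iface != expected:
                findings.append(f"{net}: egress {r.iface if r else 'none'}, expected {expected}")
            elif r.network.prefixlen == 0:
                findings.append(f"{net}: only the default route covers it")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(ASA1_ROUTES, NET_LOCAL, NET_REMOTE)) or "no findings")
```

Run as-is it reports 172.16.0.0/24, which net-local lists but no inside route on TresASA1 covers; dropping the /16 from the table shows every net-remote member falling through to the default route instead.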

Re: VPN site to site & VPN client on ASA 5520 on same outside

hi rizwanr74

After creating the route, the VPN site to site ping (LAN to LAN) is successful, and at the same time the remote VPN is successful.

TresLAND#sh ip interface br

Interface                  IP-Address      OK? Method Status                Protocol

GigabitEthernet0/0         unassigned      YES unset  administratively down down   

GigabitEthernet0/1         172.16.103.1    YES manual up                    up     

Serial0/2/0                unassigned      YES unset  administratively down down   

Serial0/2/1                unassigned      YES unset  administratively down down   

Loopback0                  172.16.100.1    YES manual up                    up     

Loopback1                  172.16.101.1    YES manual up                    up     

Loopback2                  172.16.102.1    YES manual up                    up     

Loopback4                  unassigned      YES unset  up                    up     

TresLAND#ping 172.16.3.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CORE_Tres#

CORE_Tres#ping 172.16.103.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

CORE_Tres#

Now the most complicated part is the explanation... I think the new route outside forces the ASA, but why, if I have the default route outside (route 0.0.0.0 0.0.0.0)?

VPN site to site & VPN client on ASA 5520 on same outside

"I think so of the force the ASA with the new route outside, why this? "

Without the route, the ASA pushes traffic to inside by default.

Anyway, this must have been a learning experience.

I hope, this has been any help.

Please rate all helpful posts.

thanks

Rizwan Rafeek.

Re: VPN site to site & VPN client on ASA 5520 on same outside

I understand. I tried with GNS3 in version 8.0.2 and I didn't have trouble, but as you tell me, "experience".

Thanks for all, and this is my MSN: a24042004@hotmail.com
