cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
750
Views
4
Helpful
14
Replies

2ISP only one ASA5500 (VPN) has problem

join_sn09
Level 1
Level 1

Dear All,

Now i had problem with VPN site to site(ASA5500).The tunnel is up but i cannot ping HQ to branch. when i show

crypto ipsec sa then i see pkts encaps as below :

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 778, #pkts decrypt: 778, #pkts verify: 778

Note: At HQ office one tunnel Branch_ISP1 is ok i mean HQ can communication to Branch

but tunnel VPN Branch_ISP2 is up, cannot ping to HQ and HQ cannot ping to Branch.

Pleae see in the attach file HQ and branch site.

please help me to solve this problem !!!!

Best Regards,

Join

14 Replies 14

Marwan ALshawi
VIP Alumni
VIP Alumni

i havt checked ur config yet

before that

i wanna know are you looking to achieve load balncing through two ISPs ?

if that the case with ASA u can do load balnacing with two ISPs trhough a vpn tunnels or two connections

u can achieve perimary and backup vpn

have a look at the following link might be helpful

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

please if helpful Rate

Hi marwanshawi,

On my configuration i just to do in the HQ use 2 ISP for VPN only.i mean some branch use ISP1 and other Branch use ISP2 only.

and your weblink that you gave me, it not for do VPN connection, it show backup.....

could you tell let me know on ASA 5500 it can do VPN 2 wan interface or not? if can could you see in my attach file as above this is correct or not?

Best Regards,

join

u have those ACLs

access-list Branch_ISP1 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Branch_ISP2 extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

and this map

rypto map Branch 2 match address Branch_ISP1

crypto map Branch 2 set peer 50.50.50.60

crypto map Branch 2 set transform-set Branch

crypto map Branch 3 match address Branch_ISP2

crypto map Branch 3 set peer 206.206.206.2

crypto map Branch 3 set transform-set Branch

will send the packet matched to 50.50.50.50 host

becsue ur ACl isp1 and two the same source and dist

u need to make diffrent distination in this case the map and remote host will be selcted based on the matched ACl

for example make the brach lan u sent me 192.168.3.0 then change the HQ ACl2 to

access-list Branch_ISP2 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

in this case will selct the branch map 3 through 206.206.206.2 host

!!also include this new ACL with the nat 0 for nat exemption !!!

and make sure befor that u can ping that host in other words u have connectivity to it

good luck

Dear marwanshawi,

Thank you for you help me :)

i follow up from you it ok for VPN but i have problem on my branch lan ( i mean that when we assigned ip add 192.168.3.0 and 192.168.2.0 so my client have two subnet. and some client use 192.168.3.x and some client use 192.168.2.x so it cannot communication.How can do 192.168.2.0 and 192.168.3.0 can communication ?

Nopte: let me tell that i want, i would like my branch have ASA5505 2 units and 2 ISP connect to HQ.

Best Regards,

Join

have a look at the foloowing usefull link

and i wish willl be helpful for u

and then if have any more issues just tell me

but see this link might solve ur issue

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

good luck

if helpful Rate

Dear Marwanshawi,

Thank you for your fully support :)

i read the web link that you gate me already but i'm not clear some command, could i ask you some question...So on document it tell us only one wan interface(1ISP) but my system i had 2 wan interface(2ISP, so when i follow ACL from document is it possible for Branch to Branch( i mean one branch i use ISP1 and other Branch ISP2 and it different:

-crypto map ABC interface ISP1

-crypto map ABC interface ISP2

-crypto isakmp enable ISP1

-crypto isakmp enable ISP2

by the way do you idea for add route or do something on ASA01 can communication to ASA02?

Please see in the attach file.

Best Regards,

Join

first

is this two ASAs in the branch one office?

are the clients in 192.168.50.x/24 in one network?

if yes,

why u want them communicate through the HQ ASA!!! it is gonna be slower over the ISP then LAN???!!! let me know about this point!!

if u wanna all communication to go from ASA1 to HQ asa then ASA2 and vis versa u need to make the LAN connected to each branch ASA in diffrent subnet then we can achive it through VPN or routing whatever

just let me kow about ur goals and what u wanna achieve because i got confused about first point i asked u about it above !!

u can make VPN HQ to barnch and make the branch ASAs one primary and other as back up !! if u want

Dear Marwanshawi,

Yes, i had two ASA in the branch one office, some client use 192.168.2.x/24 and some client use 192.168.50.x/24.

i use like this because ISP1 have 128Kbps and ISP2 have 512Kbps so i need to use 2 connections for link to HQ if i use only one connection it cannot support my client.

Could you recommend me how can i do 2 wan interface like this for the standard diagram?

on my diagram that i showed you it can do fallover or not?

Best Regards,

Join

and u dont need any traffic between the branch client to go through vpn right?

i mean from PC on the branch to pc on the the same branch!!!

Dear Marwanshawi,

No, i need PC on the branch to Pc on the same branch and other branch too.

i mean all the branch and all the connection can communication.

Best Regards,

Join

Join u confused me

how many branches u have

the following ifo based on the following

PCs on the branch based on the diagram u sent me will comunicate directly because they are on the same network

and because u have divided them to two half based on the ASA default gateway

lets say

u have ur IPs in range of 192.168.50.1 to 192.168.50.254

and from 1 to 126 they use ASA isp1 as default gateway

and from 129 to 254 they use the ASA isp2

u can dot through dividing the remote subnet which is /24 to two subnets on the VPN ACL

for example lets say the first half of the remote supnet use ISP1 andd the second one use ISP2

icould be done like

access-list 100 permite ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.128

access-list 100 permite ip 192.168.0.0 255.255.255.0 192.168.50.128 255.255.255.128

attached is a chnaged config of ur HQ ASA try it

if u have other branches then this will be diffrent topology than the one u have sent me

good luck

try it and let me now

Dear marwanshawi,

As i assigned ip add 192.168.50.1-126 and other ip add 192.168.50.129-254 on the branch i think my client still cannot communication because it 2 subnet.

Best Regards,

Join

no

ur clients on the branch lets say connected to switch

al on the subnet 255.255.255.0

just through ur DHCP if u have or staticly

client from 1 to 126 put thier defaultgateway as ASA1 and the rest ASA2 i though u already done this idea as u mentioned before !!

the 255.255.255.128 only on the ASA ACL to match half the subnet

dose it make sense now!!!

Dear Marwanshawi,

Thank very much for your help!!!! :)

i understood that you told me .....

Good idea !!!!!

Best Regards,

Join

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: