12-03-2008 09:34 AM
The ASA Site-to-Site VPN configuration examples that I have come across have only one network across both the sites.
If the remote network/site has multiple networks, e.g. DMZ1, DMZ2, INSIDE etc., how can they be added via the Site-to-Site VPN ASDM wizard?
Thanks.
12-05-2008 08:54 AM
Ok. I can now initiate a VPN connection between the networks on the inside of two ASAs. However, it is only from Site A to Site B. I cannot ping from Site B to Site A even though the configurations on both the ASAs are exactly the same. Also, the local host NIC configurations on both the networks are the same.
On Site A ASDM, I can see ICMP teardowns for the incoming icmp requests from Site B.
Please assist.
Thanks.
12-05-2008 10:45 AM
Can you post the latest configs for each ASA and also the source & destination IP addresses you are testing ping between?
Jon
12-05-2008 11:32 AM
Please find below the configs. Through the logs on the ASAs on both sides, I have verified that the Phase 1 and Phase 2 SAs complete successfully. Local hosts on both ends have the ASA inside interface as the default gateway.
Thanks.
SITE A Config
(Ping from Site A local network to Site B remote network works)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 85.23.77.115 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 40.40.40.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 85.23.77.116 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 85.23.77.116
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 85.23.77.116 type ipsec-l2l
tunnel-group 85.23.77.116 ipsec-attributes
pre-shared-key *
!
-------------------------------
SITE B Config
(Ping from Site B local network to Site A remote network does not work)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 85.23.77.116 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.161.50 255.255.255.0
!
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 85.23.77.115 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 85.23.77.115
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 85.23.77.115 type ipsec-l2l
tunnel-group 85.23.77.115 ipsec-attributes
pre-shared-key *
12-05-2008 11:43 AM
Okay, they do look the same to me, so it's not obvious what is happening.
Are you pinging from a host behind one of the ASA devices to a host behind the other ASA device?
When you try to initiate from Site B to Site A, can you confirm the tunnel is formed correctly?
Are these the full configs?
Jon
12-05-2008 11:44 AM
More info...
I ran Ethereal on a local host on the Site A network and initiated a ping from a remote host on the Site B network.
I can see the ping request hitting the local host, but there is no reply to the packet.
Is the packet being dropped at the local host on Site A?
Regards.
12-05-2008 11:47 AM
Yes, I am pinging from a host behind one of the ASA devices to a host behind the other ASA device.
I can confirm the tunnel formation, as in the ASDM logging I can see the Phase 1 and Phase 2 association getting completed.
Yes, these are the full/related configs.
Query:
If I run a ping from both ends, should the active tunnels be 1 or 2?
12-05-2008 12:07 PM
"If I run a ping from both ends, should the active tunnels be 1 or 2?"
The actual tunnels that transfer the data, i.e. the IPsec SAs, are unidirectional. So for a site-to-site VPN there are, for each connection, 2 IPsec SAs, one in each direction.
For each entry in your crypto map access-list there will be 2 SAs formed. So if you ping from Site A and ping from Site B, and they are using the same line in the access-list (and they are in your configuration), that will be 2 IPsec SAs: 1 from A -> B and 1 from B -> A. Which is the same as if you only started the ping from one side.
Can you check on host A that there isn't a firewall running that is blocking incoming echo requests?
Jon
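The SA-counting rule above, plus the two config checks that usually explain a "works one way only" tunnel (a crypto ACL entry that is not mirrored on the peer, or traffic that is not exempted from NAT), as an added example. This is not code from the thread or from Cisco: it is a small Python checker that parses the `access-list`, `nat (inside) 0`, `set peer` and outside-interface lines out of a pair of pasted ASA configs, verifies that the two crypto ACLs mirror each other, that `nat 0` covers the same traffic, that each side's `set peer` is the other side's outside address, and reports the number of IPsec SAs that `show crypto ipsec sa` should list once traffic flows. The sample configs are constructed and go beyond the thread's single-network case: Site A has one inside LAN and Site B has an inside network plus two DMZs, which is what the original question asked about; the Site B paste has one ACE wrapped onto two lines and is missing the DMZ2 entry in its `nat 0` ACL so that the check has something to flag.

```python
"""Sanity-check a pair of ASA 7.x/8.0-style site-to-site VPN configs.

Constructed example (not from the thread or from Cisco). Parses the crypto-map
ACL, the NAT-exemption ACL, the peer address and the outside interface address
out of each side's config text, then checks that the crypto ACLs mirror each
other, that nat 0 exempts the same traffic, and that the peers point at each
other. IPsec SAs are unidirectional, so the expected SA count is two per
crypto-ACL entry: one inbound and one outbound.
"""
import ipaddress
import re

# \s+ deliberately spans newlines: ASDM and forum pastes often wrap an ACE onto
# a second line, and this keeps both halves together without pre-processing.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)


def parse_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' ACEs."""
    acls = {}
    for name, sa, sm, da, dm in ACE_RE.findall(config):
        acls.setdefault(name, []).append(
            (ipaddress.IPv4Network(f"{sa}/{sm}"), ipaddress.IPv4Network(f"{da}/{dm}"))
        )
    return acls


def _first(pattern, config):
    """First capture group of `pattern` in `config`, or None."""
    m = re.search(pattern, config)
    return m.group(1) if m else None


def check_pair(cfg_a, cfg_b):
    """Compare the two sides of an ipsec-l2l tunnel and return a dict of findings."""
    crypto_acl = r"crypto map \S+ \d+ match address (\S+)"
    nat0_acl = r"nat \(inside\) 0 access-list (\S+)"
    peer = r"crypto map \S+ \d+ set peer (\S+)"
    outside_ip = r"nameif outside\s+security-level \d+\s+ip address (\S+)"

    acls_a, acls_b = parse_acls(cfg_a), parse_acls(cfg_b)
    crypto_a = set(acls_a.get(_first(crypto_acl, cfg_a), []))
    crypto_b = set(acls_b.get(_first(crypto_acl, cfg_b), []))
    nat0_a = set(acls_a.get(_first(nat0_acl, cfg_a), []))
    nat0_b = set(acls_b.get(_first(nat0_acl, cfg_b), []))
    mirrored_b = {(dst, src) for src, dst in crypto_b}  # B's ACL as seen from A

    return {
        # Every ACE on A must appear reversed on B and vice versa; an entry that
        # exists on one side only gives exactly the "works one way" symptom.
        "crypto_mirrored": crypto_a == mirrored_b,
        "only_on_a": sorted(f"{s} -> {d}" for s, d in crypto_a - mirrored_b),
        "only_on_b": sorted(f"{s} -> {d}" for s, d in mirrored_b - crypto_a),
        # Traffic matching the crypto ACL must also be exempt from NAT, or it is
        # translated before it is compared against the crypto map.
        "nat0_covers_crypto_a": crypto_a <= nat0_a,
        "nat0_covers_crypto_b": crypto_b <= nat0_b,
        "peers_match": _first(peer, cfg_a) == _first(outside_ip, cfg_b)
        and _first(peer, cfg_b) == _first(outside_ip, cfg_a),
        # One IPsec SA per direction per ACE, regardless of which side pings first.
        "expected_ipsec_sas": 2 * len(crypto_a),
    }


# Constructed sample: Site A has one inside LAN; Site B has inside + DMZ1 + DMZ2.
SITE_A = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 85.23.77.115 255.255.255.224
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.162.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.163.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.162.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.163.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 85.23.77.116
"""

# Site B: the DMZ2 crypto ACE was pasted wrapped, and nat 0 is missing DMZ2.
SITE_B = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 85.23.77.116 255.255.255.224
access-list outside_20_cryptomap extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.16.162.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 172.16.163.0 255.255.255.0
40.40.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.162.0 255.255.255.0 40.40.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 85.23.77.115
"""

if __name__ == "__main__":
    for key, value in check_pair(SITE_A, SITE_B).items():
        print(f"{key}: {value}")
```

On the constructed pair the crypto ACLs mirror correctly and six IPsec SAs are expected (three ACEs, two directions each), but `nat0_covers_crypto_b` comes back false because DMZ2 is missing from Site B's exemption list. Note what this checker cannot see: in the thread the configs were symmetric and the SAs came up, and the one-way ping was a host firewall dropping echo requests, which is why Jon's last question is still the right one once the configs pass.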
12-05-2008 12:22 PM
Great.
Thanks a lot, Jon. I had checked the Windows firewall settings but wasn't sure that pings were blocked on the recently installed Symantec Client Firewall.
02-09-2009 11:36 PM
Hi,
There will be only one active tunnel. That's for sure.
Were you able to resolve the issue? If so, could you please share the configuration, since I have a similar issue.
Regards
AP