14896 Views, 10 Helpful, 23 Replies

Site-to-Site VPN : Multiple Remote Networks

new_networker (Level 1)

The ASA Site-to-Site VPN configuration examples that I have come across has only one network across both the sites.

If the remote network/site has multiple networks for e.g. DMZ1, DMZ2, INSIDE etc how can it be added via Site-to-Site VPN ASDM wizard.

Thanks.

23 Replies

Ok. I can now initiate a VPN connection between the inside networks on the two ASAs. However, it only works from Site A to Site B. I cannot ping from Site B to Site A even though the configurations on both ASAs are exactly the same. Also, the local host NIC configurations on both networks are the same.

On Site A ASDM, I can see ICMP teardowns for the incoming icmp requests from Site B.

Please assist.

Thanks.

Can you post latest configs for each ASA and also the source & destination IP addresses you are testing ping between.

Jon

Please find below the configs. Through the logs on the ASAs on both sides, I have verified that the Phase 1 and Phase 2 SAs complete successfully. Local hosts on both ends have the ASA inside interface as their default gateway.

Thanks.

SITE A Config

(Ping from Site A local network to Site B remote network works)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 85.23.77.115 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 40.40.40.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 85.23.77.116 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 85.23.77.116
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 85.23.77.116 type ipsec-l2l
tunnel-group 85.23.77.116 ipsec-attributes
 pre-shared-key *
!

-------------------------------

SITE B Config

(Ping from Site B local network to Site A remote network does not work)

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 85.23.77.116 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.161.50 255.255.255.0
!
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 85.23.77.115 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 85.23.77.115
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 85.23.77.115 type ipsec-l2l
tunnel-group 85.23.77.115 ipsec-attributes
 pre-shared-key *

Okay, they do look the same to me, so it's not obvious what is happening.

Are you pinging from a host behind one of the ASA devices to a host behind the other ASA device?

When you try to initiate from Site B to Site A, can you confirm the tunnel is formed correctly?

Are these the full configs ?

Jon

More info...

I ran ethereal on local host of Site A network and initiated ping from remote host of Site B network.

I can see the ping request hitting the local host but there is no reply to the packet.

Is the packet being dropped at the local host of Site A?

Regards.

Yes, I am pinging from a host behind one of the ASA devices to a host behind the other ASA device.

I can confirm the tunnel formation, as in the ASDM logging I can see the Phase 1 and Phase 2 association getting completed.

Yes, these are the full/related configs.

Query:

If I run a ping from both ends, should the active tunnels be 1 or 2?

"If I run a ping from both the ends, should the active tunnels be 1 or 2."

The actual tunnels that transfer the data ie. the IPSEC sa's are unidirectional. So for a site-to-site VPN there are for each connection 2 IPSEC sa's, one in each direction.

For each entry in your crypto map access-list there will be 2 sa's formed so if you ping from Site A and ping from Site B if they are using the same line in the access-list (and they are in your configuration) that will be 2 IPSEC sa's - 1 from A -> B and 1 from B -> A. Which is the same as if you only started the ping from one side.

Can you check on host A that there isn't a firewall running that is blocking incoming echo requests.

Jon
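The checks Jon walks through above (mirror-image crypto ACLs, NAT exemption covering the interesting traffic, two IPsec SAs per ACE) are easy to get wrong by eye once the remote site has more than one network, which is what the opening post asks about. The script below is an added example, not part of this thread or of any Cisco tool: it parses the `access-list ... extended permit ip` lines from the two configs posted above (copied verbatim as constructed sample input), verifies that the two crypto ACLs are mirror images, that each side's `nat 0` ACL covers its crypto ACL, predicts the number of IPsec SAs as 2 per ACE, and builds the multi-network crypto ACL for a site with several remote subnets (one ACE per local/remote pair). Function names and the extra 172.16.162.0/24 and 172.16.163.0/24 subnets used for the multi-network demo are assumptions for illustration. It covers only the pre-8.3 `nat (inside) 0 access-list` style shown in the thread.

```python
"""Sanity checks for an ASA (pre-8.3 NAT syntax) site-to-site crypto ACL pair.

Added example, not part of the forum thread. The ACL lines below are copied
from the two configs posted in the thread; function names and the extra DMZ
subnets in the multi-network demo are constructed for illustration.
"""
import ipaddress
from itertools import product

# Constructed sample input: only the ACL lines that matter, taken from the Site A / Site B posts.
SITE_A_CFG = """\
access-list outside_20_cryptomap extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 40.40.40.0 255.255.255.0 172.16.161.0 255.255.255.0
"""
SITE_B_CFG = """\
access-list outside_20_cryptomap extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.161.0 255.255.255.0 40.40.40.0 255.255.255.0
"""


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK' into two IPv4Network objects."""
    p = line.split()
    if len(p) != 9 or p[0] != "access-list" or p[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE (only 'permit ip net mask net mask' is handled): {line}")
    src = ipaddress.IPv4Network(f"{p[5]}/{p[6]}", strict=False)
    dst = ipaddress.IPv4Network(f"{p[7]}/{p[8]}", strict=False)
    return src, dst


def acl_entries(cfg, acl_name):
    """Return the (src, dst) pairs of every ACE belonging to acl_name, in config order."""
    prefix = f"access-list {acl_name} "
    return [parse_ace(l.strip()) for l in cfg.splitlines() if l.strip().startswith(prefix)]


def acls_mirror(local_aces, remote_aces):
    """Crypto ACLs on the two peers must be exact mirror images or the Phase 2 proxy IDs won't match."""
    return {(s, d) for s, d in local_aces} == {(d, s) for s, d in remote_aces}


def nat0_covers(crypto_aces, nat0_aces):
    """Every crypto ACE must fall inside a NAT-exemption ACE, or the traffic is NATed before encryption."""
    return all(
        any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0_aces)
        for s, d in crypto_aces
    )


def check_pair(local_cfg, remote_cfg, crypto_acl="outside_20_cryptomap", nat0_acl="inside_nat0_outbound"):
    """The checks done by hand when the tunnel is up but traffic only flows one way."""
    lc, rc = acl_entries(local_cfg, crypto_acl), acl_entries(remote_cfg, crypto_acl)
    ln, rn = acl_entries(local_cfg, nat0_acl), acl_entries(remote_cfg, nat0_acl)
    return {
        "mirrored": acls_mirror(lc, rc),
        "local_nat0_ok": nat0_covers(lc, ln),
        "remote_nat0_ok": nat0_covers(rc, rn),
        # One IPsec SA per direction per ACE, as Jon explains: 2 * number of ACEs.
        "expected_ipsec_sas": 2 * len(lc),
    }


def build_crypto_acl(acl_name, local_nets, remote_nets):
    """Multiple remote networks: one ACE per (local, remote) pair.

    The same pairs go into the nat 0 exemption ACL on this side, and the
    mirrored lines (see mirror_acl) go on the peer.
    """
    lines = []
    for l, r in product(local_nets, remote_nets):
        ln, rn = ipaddress.IPv4Network(l), ipaddress.IPv4Network(r)
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{ln.network_address} {ln.netmask} {rn.network_address} {rn.netmask}"
        )
    return lines


def mirror_acl(acl_lines):
    """Produce the peer-side version of an ACL by swapping source and destination in each ACE."""
    out = []
    for line in acl_lines:
        s, d = parse_ace(line)
        name = line.split()[1]
        out.append(f"access-list {name} extended permit ip "
                   f"{d.network_address} {d.netmask} {s.network_address} {s.netmask}")
    return out


if __name__ == "__main__":
    print(check_pair(SITE_A_CFG, SITE_B_CFG))
    # Multi-network case from the opening post: INSIDE, DMZ1 and DMZ2 behind Site B (subnets constructed).
    site_a_acl = build_crypto_acl("outside_20_cryptomap", ["40.40.40.0/24"],
                                  ["172.16.161.0/24", "172.16.162.0/24", "172.16.163.0/24"])
    print("\n".join(site_a_acl))
    print("\n".join(mirror_acl(site_a_acl)))
```

For the configs posted in this thread the checker reports everything consistent with two expected IPsec SAs, which matches Jon's point that the tunnel itself is not the problem; with three remote networks behind Site B the same crypto map entry would carry three ACEs and six SAs once traffic has flowed for each pair.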

Great.

Thanks a lot Jon. I had checked Windows firewall setting but wasn't sure that pings were blocked on recently installed Symantec Client firewall.

Hi,

There will be only one active tunnel. That's for sure.

Were you able to resolve the issue? If so, could you please share the configuration, since I have a similar issue.

Regards

AP