331 Views | 5 Helpful | 2 Replies

site-to-site vpn

robbhanMid
Level 1

Hi, I can't get my site-to-site VPN to work. When I try to generate traffic from one internal host to another, the traffic never arrives.

Traffic flow:

192.168.100.12 -> 192.168.100.1 -> 213.136.41.180 -> internet -> 79.136.112.50 -> 192.168.1.5

If the IP addresses on the other side of my tunnel are private 192.168.x.x, I need to add a route to the outside IP address of that firewall, right?

For example: route outside 192.168.100.0 255.255.255.0 213.136.41.180 1

One of my 5505s:

access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface ftp 192.168.200.2 ftp netmask 255.255.255.255
static (dmz,outside) tcp interface 8080 192.168.200.2 8080 netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.200.2 www netmask 255.255.255.255
access-group 8080_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.180 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.180
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 213.136.41.180 type ipsec-l2l
tunnel-group 213.136.41.180 ipsec-attributes
 pre-shared-key *

The other one:

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
tunnel-group 79.136.112.50 type ipsec-l2l
tunnel-group 79.136.112.50 ipsec-attributes
 pre-shared-key *

2 Replies

acomiskey
Level 10

"If the ipadresses on the other side of my tunnel are private 192.168.x.x, I need to add a route to outside ip address of that firewall right?"

-NO

Add NAT exemption to the ASAs.

First ASA-

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Second ASA-

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Thanks, it works now!
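An added illustration of why the NAT exemption in the accepted answer fixes this (example code written for this page, not from the thread or from Cisco). It models the pre-8.3 ASA order of operations that the first config runs into: the dynamic PAT rule `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface` rewrites the source address to the outside interface before the crypto map compares the packet against `l2l_list`, so the packet never matches the tunnel ACL; `nat (inside) 0 access-list inside_nat0_outbound` is evaluated first and leaves the source untranslated. Addresses are the ones posted for the first ASA; 203.0.113.10 is a constructed Internet destination.

```python
import ipaddress

# Simplified model of ASA 8.2-style egress processing for the first 5505 in
# the thread: nat 0 exemption -> dynamic PAT -> crypto map match on the
# post-NAT packet. Not ASA code; the rule order is the point being shown.

def net(cidr):
    return ipaddress.ip_network(cidr)

OUTSIDE_IF_IP = "79.136.112.50"                # global (outside) 1 interface
PAT_SOURCES = net("0.0.0.0/0")                 # nat (inside) 1 0.0.0.0 0.0.0.0
CRYPTO_ACL = [(net("192.168.1.0/24"), net("192.168.100.0/24"))]   # l2l_list
# inside_nat0_outbound from the accepted answer (first ASA):
NAT0_ACL = [(net("192.168.1.0/24"), net("192.168.100.0/24"))]

def acl_match(acl, src, dst):
    """True if (src, dst) is permitted by a list of (src_net, dst_net) entries."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)

def egress(src, dst, nat0_acl):
    """Return (translated source, 'tunnel' or 'clear') for an inside->outside packet."""
    # 1. NAT exemption is checked first and wins over every other nat rule.
    if acl_match(nat0_acl, src, dst):
        xlated = src
    # 2. Otherwise dynamic PAT to the outside interface address applies.
    elif ipaddress.ip_address(src) in PAT_SOURCES:
        xlated = OUTSIDE_IF_IP
    else:
        xlated = src
    # 3. The crypto map sees the packet after NAT; only a match enters the tunnel.
    action = "tunnel" if acl_match(CRYPTO_ACL, xlated, dst) else "clear"
    return xlated, action

if __name__ == "__main__":
    # As originally posted (no nat 0): source is PAT'd, crypto ACL misses.
    print(egress("192.168.1.5", "192.168.100.12", []))        # ('79.136.112.50', 'clear')
    # With the exemption: source kept, crypto ACL matches, traffic is tunnelled.
    print(egress("192.168.1.5", "192.168.100.12", NAT0_ACL))  # ('192.168.1.5', 'tunnel')
    # Internet-bound traffic is still PAT'd as before (constructed destination).
    print(egress("192.168.1.5", "203.0.113.10", NAT0_ACL))    # ('79.136.112.50', 'clear')
```

The second ASA needs the mirror-image exemption (192.168.100.0/24 to 192.168.1.0/24), as the answer shows, otherwise return traffic fails the same way in the other direction.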
