
traffic between VPN sites

I have multiple L2L VPNs set up on an ASA 5505 at my central site.

Both remote sites also run ASA 5505 (remote networks are 172.18.5.0/24 and 172.18.7.0/24).

I can ping these sites from my central ASA (10.100.32.0/24).

I can ping the central ASA from both remote sites.

But I can NOT ping from one remote site to the other.

I've attached a sanitized copy of the running config of the central ASA.

ASA Version 8.2(1)
!
hostname *


interface Vlan1
nameif inside
security-level 100
ip address 10.100.32.134 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
!
ftp mode passive
object-group network internalnets
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network VPN-sites
 network-object 172.18.7.0 255.255.255.0
 network-object 172.18.5.0 255.255.255.0

access-list outside_access_in extended permit ip object-group VPN-sites object-group internalnets
access-list inside_nat0_outbound extended permit ip object-group internalnets any
access-list outside_cryptomap_OKC extended permit ip object-group internalnets 172.18.7.0 255.255.255.0
access-list inside_access_in extended permit ip object-group internalnets object-group VPN-sites
access-list tcp-traffic extended permit tcp any any
access-list outside_cryptomap_WR extended permit ip object-group DRS-Nets 172.18.5.0 255.255.255.0
access-list outside_cryptomap_WR extended permit udp object-group DRS-Nets C3-WR 255.255.255.0


no monitor-interface inside
no monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside

nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.88.132.30 1
route inside 10.10.16.0 255.255.255.0 10.100.32.1 1
route inside 10.100.0.0 255.255.0.0 10.100.32.1 1
route inside 172.17.1.0 255.255.255.0 10.100.21.2 1
route inside 172.27.0.0 255.255.0.0 10.100.21.2 1
route inside 192.168.0.0 255.255.0.0 10.100.32.1 1

management-access inside

no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec

!
class-map tcp-traffic
match access-list tcp-traffic
!
!
policy-map global_policy
class tcp-traffic
  set connection advanced-options allow-probes
!
service-policy global_policy global

: end
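Spoke-to-spoke traffic in this design has to hairpin through the hub's outside interface, and two things on the hub decide whether that can work: the ASA must be told to allow traffic to enter and leave the same interface (`same-security-traffic permit intra-interface`), and each tunnel's crypto ACL must also match the other spoke's LAN as a source. The checker below is an added example (not from the post or from Cisco) that runs those two checks over a constructed excerpt of the posted config; the DRS-Nets group referenced by the WR crypto ACL is not defined in the sanitized config, so the parser treats it as matching nothing.

```python
import ipaddress
# Constructed excerpt of the hub config in the post; DRS-Nets is undefined there, so it matches nothing here.
CONFIG = """
object-group network internalnets
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list outside_cryptomap_OKC extended permit ip object-group internalnets 172.18.7.0 255.255.255.0
access-list outside_cryptomap_WR extended permit ip object-group DRS-Nets 172.18.5.0 255.255.255.0
"""
# Crypto ACL name -> the spoke LAN that tunnel protects (both taken from the post).
SPOKES = {"outside_cryptomap_OKC": "172.18.7.0/24", "outside_cryptomap_WR": "172.18.5.0/24"}
def take_addr(tokens, groups):
    """Consume one ASA address spec (any | object-group G | A MASK); undefined groups match nothing."""
    t = tokens.pop(0)
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if t == "object-group":
        return groups.get(tokens.pop(0), [])
    return [ipaddress.ip_network(f"{t}/{tokens.pop(0)}")]
def parse(config):
    """Return (object_groups, acls); each ACL is a list of (src_nets, dst_nets) permit entries."""
    groups, acls, current = {}, {}, None
    for tokens in (line.split() for line in config.splitlines()):
        if tokens[:2] == ["object-group", "network"]:
            current = tokens[2]
            groups[current] = []
        elif tokens[:1] == ["network-object"] and current:
            groups[current].append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}"))
        elif tokens[:1] == ["access-list"] and "permit" in tokens:
            rest = tokens[tokens.index("permit") + 2:]  # skip 'permit <proto>'
            acls.setdefault(tokens[1], []).append((take_addr(rest, groups), take_addr(rest, groups)))
    return groups, acls
def covers(net, nets):
    return any(net.subnet_of(n) for n in nets)
def spoke_to_spoke_gaps(config, spokes):
    """List what would stop spoke-to-spoke traffic from hairpinning through the hub."""
    _, acls = parse(config)
    gaps = []
    # Spoke-to-spoke flows arrive and leave on 'outside'; the ASA drops them unless intra-interface traffic is allowed.
    if "same-security-traffic permit intra-interface" not in config:
        gaps.append("missing: same-security-traffic permit intra-interface")
    # Each tunnel's crypto ACL must also match the other spoke's LAN as the source.
    for acl, cidr in spokes.items():
        dst = ipaddress.ip_network(cidr)
        for other_acl, other_cidr in spokes.items():
            src = ipaddress.ip_network(other_cidr)
            if other_acl != acl and not any(covers(src, ss) and covers(dst, ds) for ss, ds in acls.get(acl, [])):
                gaps.append(f"{acl} does not match {other_cidr} -> {cidr}")
    return gaps
```

On the posted excerpt the OKC tunnel already covers 172.18.5.0/24 as a source because internalnets includes 172.16.0.0/12; the two gaps reported are the missing intra-interface permit and the WR crypto ACL, whose source group is not resolvable from the sanitized config.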
