Cisco Support Community
vpn lan to lan issue - only one side can initiate traffic

I have a LAN-to-LAN using 2 ASAs. From site B I cannot ping anything on the site A network. From site A I can ping site B, and then site B is able to ping that IP at site A for a while, and then it will time out after some inactivity. I will attach the relevant part of my configs. One question I have is that site A specifies a few servers on its side, but site B specifies the whole subnet. Do these access lists have to match up perfectly? I only want site B to have access to certain servers at site A. If there is a better way to limit the traffic, let me know.

Site A

OBJECT GROUPS

  object-group network vpn
   network-object 10.23.16.0 255.255.240.0
   network-object 172.16.200.0 255.255.252.0
  object-group network vpn.resources
   network-object 192.168.1.10 255.255.255.255
   network-object 192.168.1.5 255.255.255.255
   network-object 192.168.1.8 255.255.255.255
   network-object 192.168.1.68 255.255.255.255
   network-object 192.168.1.121 255.255.255.255
   network-object 192.168.1.176 255.255.255.255
   network-object 192.168.1.144 255.255.255.255
   network-object 192.168.1.156 255.255.255.255

No NAT Access List

  access-list inside.nat0.outbound extended permit ip object-group vpn.resources object-group vpn log
  access-list inside.nat0.outbound extended permit ip object-group vpn object-group vpn.resources log

Crypto Access List

  access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
  access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log

!--- PHASE 1 CONFIGURATION ---!

  crypto ipsec transform-set MDSet esp-3des esp-md5-hmac
  crypto isakmp policy 20
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 28800

!--- PHASE 2 CONFIGURATION ---!

  crypto map myDCP 150 match address MD_VPN
  crypto map myDCP 150 set peer xx.xx.xx.66
  crypto map myDCP 150 set transform-set MDSet
  crypto map myDCP 150 set security-association lifetime seconds 86400
  tunnel-group xx.xx.xx.66 type ipsec-l2l
  tunnel-group xx.xx.xx.66 ipsec-attributes
   pre-shared-key *

Site B

!--- PHASE 1 CONFIGURATION ---!

  isakmp key * address xx.xx.xx.130 netmask 255.255.255.255
  crypto isakmp policy 2
   authentication pre-share
   encryption 3des
   hash md5
   group 2
   lifetime 28800

No NAT Access List

  access-list nonat permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0

Crypto Access List

  access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0

!--- PHASE 2 CONFIGURATION ---!

  crypto ipsec transform-set 3des esp-3des esp-md5-hmac
  crypto map ahmd1 45 match address dcp
  crypto map ahmd1 45 set peer xx.xx.xx.130
  crypto map ahmd1 45 set transform-set 3des

1 REPLY

Re: vpn lan to lan issue - only one side can initiate traffic

It looks like the 192 network is at site A and the 10.23.16.0 and 172 networks are at site B?

At site B, only a packet sourced from the 10.23.16.0 network should be able to bring up the tunnel according to this, but your access lists at site A are a bit confusing. Can you post the whole config from both sites?
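The two posted crypto ACLs can be checked mechanically against the mirror-image rule Cisco documents for LAN-to-LAN proxy identities: a responder accepts an initiator's proposed source/destination pair only when it falls inside (is equal to or narrower than) the reverse of one of its own crypto ACL entries. The following Python is an added example, not part of the post or the reply. It transcribes Site A's object-groups and Site B's single ACE exactly as posted and reports, for each direction, which flows the peer would reject. The placement of 172.16.200.0/22 behind Site B is an assumption taken from Site A's object-group "vpn"; nothing in the thread confirms it.

```python
"""Mirror-image check for two IPsec crypto ACLs (added example, not from the post).

Models the documented Cisco rule: a responder accepts a proposed proxy
identity (src, dst) only if it has an entry (p_src, p_dst) with
src within p_dst and dst within p_src. Exact mirrors always pass.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source, destination) of one 'permit ip' entry


def net(addr: str, mask: str) -> Net:
    """Build a network from the ASA 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# Site A object-groups, transcribed from the post.
VPN: List[Net] = [net("10.23.16.0", "255.255.240.0"),
                  net("172.16.200.0", "255.255.252.0")]  # assumed to be Site B networks
VPN_RESOURCES: List[Net] = [net(h, "255.255.255.255") for h in (
    "192.168.1.10", "192.168.1.5", "192.168.1.8", "192.168.1.68",
    "192.168.1.121", "192.168.1.176", "192.168.1.144", "192.168.1.156")]


def expand(src_group: List[Net], dst_group: List[Net]) -> List[Ace]:
    """Expand an object-group ACE into the individual pairs the ASA installs."""
    return [(s, d) for s in src_group for d in dst_group]


# access-list MD_VPN: line 1 is local->remote, line 2 is the same pair reversed.
SITE_A_FORWARD: List[Ace] = expand(VPN_RESOURCES, VPN)
SITE_A_ACL: List[Ace] = SITE_A_FORWARD + expand(VPN, VPN_RESOURCES)

# access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
SITE_B_ACL: List[Ace] = [(net("10.23.16.0", "255.255.240.0"),
                          net("192.168.1.0", "255.255.255.0"))]


def accepted_by_peer(ace: Ace, peer_acl: List[Ace]) -> bool:
    """True if some peer entry, read in reverse, contains this proposal."""
    src, dst = ace
    return any(src.subnet_of(p_dst) and dst.subnet_of(p_src)
               for p_src, p_dst in peer_acl)


def unreachable_flows(initiator: List[Ace], responder: List[Ace]) -> List[Ace]:
    """Entries the initiator would propose that the responder will reject."""
    return [ace for ace in initiator if not accepted_by_peer(ace, responder)]


def mirror(acl: List[Ace]) -> List[Ace]:
    """The exact mirror image a peer needs for every entry in acl."""
    return [(dst, src) for src, dst in acl]


def report() -> Dict[str, int]:
    """Summarise both directions as counts of accepted/rejected proposals."""
    a_to_b = unreachable_flows(SITE_A_ACL, SITE_B_ACL)
    b_to_a = unreachable_flows(SITE_B_ACL, SITE_A_ACL)
    return {
        "site_a_entries": len(SITE_A_ACL),
        "site_a_rejected_by_b": len(a_to_b),
        "site_b_entries": len(SITE_B_ACL),
        "site_b_rejected_by_a": len(b_to_a),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
    print("Site B proposals Site A rejects:")
    for src, dst in unreachable_flows(SITE_B_ACL, SITE_A_ACL):
        print(f"  {src} -> {dst}")
    print("Mirror Site B would need for Site A's local->remote entries:")
    for src, dst in mirror(SITE_A_FORWARD):
        print(f"  permit ip {src} {dst}")
```

Run as posted, Site A's 8 host-to-10.23.16.0/20 pairs are accepted by Site B, while Site B's one entry (10.23.16.0/20 to 192.168.1.0/24) is wider than every Site A entry and is therefore rejected, which is the asymmetry described in the question. The reversed second line of MD_VPN adds 16 entries that no peer entry mirrors, and the 172.16.200.0/22 pairs are not covered by Site B's ACL at all. `mirror(SITE_A_FORWARD)` prints the entries that would make the two sides exact mirror images; checking `unreachable_flows(mirror(SITE_A_FORWARD), SITE_A_FORWARD)` returns an empty list.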
