Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN site to site impossible

Hi all,

i'm not a good performer with cisco asa 5505 and 5510 but after a long time with google cisco forum and more it's time for me to ask the question to someone who can help me! i have 3 site, the first is in the center of the configuration site 2 is the site who guest the important host and site 3 is my site.

i have acces to the config of site one ane my site.

in a first time we implement a solution with vpnclient between site 1 and site 3 to acces site 2 it's working good but we want pass to site to site between site 1 and 3, they told ok but do it and after 1 month and lot of week end it's not working yet.

this config working good on site 1 for my site 3 with vpnclient

Config working as vpnclient on site 1:

ASA Version 8.2(5)

name <ip> Host_1_OnSite2

name <ip> Routeur_Host_1

!

interface Ethernet0/0

nameif outside

security-level 0

ip address <MySite1Ipaddress> 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address <InsideLanIpAddress> 255.255.255.0

!

access-list EasyVPN_splitTunnelAcl standard permit <InsideLanIprange> 255.255.255.0

access-list EasyVPN_splitTunnelAcl standard permit host Host_1_OnSite2

access-list EasyVPN_splitTunnelAcl standard permit host Routeur_Host_1

access-list inside_nat0_outbound extended permit ip any 10.1.9.0 255.255.255.128

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

ip local pool <MyGroup>_pool 10.1.9.50-10.1.9.100 mask 255.255.255.0

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 <MySite1IpGateway> 1

route inside Host_1_OnSite2 255.255.255.255 Routeur_Host_1 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

group-policy <MyGroup> internal

group-policy <MyGroup> attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value EasyVPN_splitTunnelAcl

nem enable

tunnel-group <MyGroup> type remote-access

tunnel-group <MyGroup> general-attributes

address-pool <MyGroup>_pool

default-group-policy <MyGroup>

tunnel-group <MyGroup> ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

Idon't know Site2 configuration but i think it's asa too in router mode.

Config on site 3 with vpnclient

vpnclient server <MySite1Ipaddress>

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup <MyGroup>

password ********

vpnclient username <MyGroup>

password ********

vpnclient enable

no acl no particular redirection the basic configuration of asa with vpnclient

i've test a lot of configuration with a lot of acl and other try but nothing working

i have acces on asa 5510 only some times because is in prod so if you have idea i cannot try immediately but your help is appreciate.

Thank's in advance

David.

146
Views
0
Helpful
0
Replies
CreatePlease to create content