Solved: Re: Problema VPNs Site-to-Site y de Acceso Remoto Simultaneas

mars20200 · ‎04-25-2013

Hi !

Can somebody tell me why I cannot have a Site-to-Site VPN with a Remote Access VPN simultaneously connected or working ??? is in

2 ASAs 5520 8.4(2)

Is it necessary any command or instruction that I don't know yet, because I am a little novice.

Thanks in advance,

Hola!

Podria alguien decirme porque no puedo tener funcionando simultaneamente una vpn site-to-site y una de acceso remoto. Cuando me trato de conectarme con la de acceso remoto no lo hace porque ya esta activa la site-to-site. pero si quito la site-to-site me conecto bien con la de acceso remoto.

Habia olvidado decirles que es con 2 ASAs 5520 8.4(2)

Gracias de antemano

Julio Carvajal · ‎04-28-2013

Hi Miguel Angel,

Problem is that you can only have one crypto map per interface ( you can dinamically attach a dynamic crypto map to a static crypto map )

The thing here is that you are mapping it incorrectly

crypto map Alcala_map interface Outside ( The static one you are using)

crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1 ( The dynamic crypto map for the remote-access VPN sessions )

crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map ( The error is here, you are not using the crypto map outside_map anywhere on the config )

Do this
no crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map

crypto map Alcala_map 65535 ipsec-isakmp dynamic dyn_map

And that should do it my friend... Do not forget to give me some kudos ( Rate the post as that is even more important that a thanks for the community )

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Julio Carvajal · ‎04-25-2013

Hello/Hola Miguel,

Both of them should work,

Post the configurations, The tunnel groups you are using to connect,

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mars20200 · ‎04-26-2013

Hola Julio!

Muchas gracias por responder, a continuacion de pongo a modo de ejemplo la configuracion que tengo en cada 1 de los ASAs:

Julio Carvajal · ‎04-26-2013

Hello,

Where is the remote access and VPN l2l tunnel not working?? On both sides??

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mars20200 · ‎04-27-2013

HI Julio,

The L2L tunnel is working but Remote access is not.

I first configured the remote access VPN tunnel and was working fine until I configured the L2L tunnel, after I made this configuration of the l2l tunnel the remote access doesn't connect anymore but the L2L tunnel is working fine.

thanks

Julio Carvajal · ‎04-28-2013

Hi Miguel Angel,

Problem is that you can only have one crypto map per interface ( you can dinamically attach a dynamic crypto map to a static crypto map )

The thing here is that you are mapping it incorrectly

crypto map Alcala_map interface Outside ( The static one you are using)

crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1 ( The dynamic crypto map for the remote-access VPN sessions )

crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map ( The error is here, you are not using the crypto map outside_map anywhere on the config )

Do this
no crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map

crypto map Alcala_map 65535 ipsec-isakmp dynamic dyn_map

And that should do it my friend... Do not forget to give me some kudos ( Rate the post as that is even more important that a thanks for the community )

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mars20200 · ‎04-29-2013

Hi Julio!!!

Hey man! You are my man! You're so big! You're the boss, my respect to you!

Thank you so so so much my friend !!!

It's done!!!

How can I give you "Kudos" and how many is the limit I can give ??

Julio Carvajal · ‎04-29-2013

Hello Miguel,

Hey my pleasure to help

To provide Kudos just go to any of my answers on any post and hit the 5 stars at the left ( 5 being great 1 being bad ) and you can give as many as you want,

Glad to know that I could help ( Let me know if you still have some issues with the Kudos stuff )

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mars20200 · ‎05-04-2013

Hi Julio!

It's me again

Everything is Ok but I realized that when I connect for the first time to remote access VPN with the Cisco VPN Client to the second branch (Alcala) the connection is refused and I have to disconnect the Cisco VPN Client and connect it again in order to work properly the VPN, but this only happens the first time and only in this site or branch, in the main site it doesn't.

I have been looking at the configuration file but it is everything like the main one, so I don't know where's the problem.

I let you here the ASA conf files again to see if you can help me again, because the users have the impression that the VPN is not secure and fails.

The problem is with the ASA2

Thank you in advance my friend.

mars20200 · ‎05-04-2013

Hi Julio!

It's me again

Everything is Ok but I realized that when I connect for the first time to remote access VPN with the Cisco VPN Client to the second branch (Alcala) the connection is refused and I have to disconnect the Cisco VPN Client and connect it again in order to work properly the VPN, but this only happens the first time and only in this site or branch, in the main site it doesn't.

I have been looking at the configuration file but it is everything like the main one, so I don't know where's the problem.

I let you here the ASA conf files again to see if you can help me again, because the users have the impression that the VPN is not secure and fails.

The problem is with the ASA2

Thank you in advance my friend.