01-11-2019 07:34 AM - edited 02-21-2020 08:39 AM
Hi Community,
I am stuck here: the VPN is successfully established between DC & Site1, but traffic (ICMP or any other) is not flowing. Kindly help. Below are the two sites' IKEv1 configurations.
Site 1:
object-group network Datacenter_nw
network-object 192.168.20.0 255.255.255.0
network-object 10.55.1.0 255.255.255.0
object network LAN
subnet 10.184.2.0 255.255.255.0
access-list SEATFWtoDatacenter extended permit ip object LAN object-group Datacenter_nw
nat (inside_1,outside) source static LAN LAN destination static Datacenter_nw Datacenter_nw no-proxy-arp route-lookup
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 enable outside
crypto isakmp identity address
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
crypto ipsec ikev1 transform-set myvpnset esp-aes-256 esp-sha-hmac
crypto map SEATVPN 1 match address SEATFWtoDatacenter
crypto map SEATVPN 1 set peer x.x.x.x
crypto map SEATVPN 1 set ikev1 transform-set myvpnset
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 27848
There are no IKEv2 SAs
NAT Tr.
1 (inside_1) to (outside) source static LAN LAN destination static Datacenter_nw Datacenter_nw no-proxy-arp route-lookup
translate_hits = 7618, untranslate_hits = 7618
access-list SEATFWtoDatacenter; 10 elements; name hash: 0xbf70aa0c
access-list SEATFWtoDatacenter line 1 extended permit ip object LAN object-group Datacenter_nw (hitcnt=42) 0xf67bb5c9
access-list SEATFWtoDatacenter line 1 extended permit ip 10.184.2.0 255.255.255.0 10.55.1.0 255.255.255.0 (hitcnt=39943) 0x862fb856
DC:
object-group network Datacenter_lan
network-object 192.168.20.0 255.255.255.0
network-object 10.0.0.0 255.0.0.0
object-group network SeattleFW_lan
network-object 10.184.2.0 255.255.255.0
access-list DatacentertoSEATFW extended permit ip object-group Datacenter_lan object-group SeattleFW_lan
nat (inside,outside) 1 source static Datacenter_lan Datacenter_lan destination static SeattleFW_lan SeattleFW_lan no-proxy-arp route-lookup
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 enable outside
crypto isakmp identity address
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
crypto ipsec ikev1 transform-set myvpnset esp-aes-256 esp-sha-hmac
crypto map outside_map2 60 match address DatacentertoSEATFW
crypto map outside_map2 60 set peer x.x.x.x
crypto map outside_map2 60 set ikev1 transform-set myvpnset
30 IKE Peer: 96.79.192.233
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 27770
NAT Tr.
1 (inside) to (outside) source static Datacenter_lan Datacenter_lan destination static SeattleFW_lan SeattleFW_lan no-proxy-arp route-lookup
translate_hits = 11, untranslate_hits = 11
Access List:
access-list DatacentertoSEATFW; 2 elements; name hash: 0x6a9b85c7
access-list DatacentertoSEATFW line 1 extended permit ip object-group Datacenter_lan object-group SeattleFW_lan (hitcnt=0) 0x1cf33b31
access-list DatacentertoSEATFW line 1 extended permit ip 10.0.0.0 255.0.0.0 10.184.2.0 255.255.255.0 (hitcnt=32) 0x4bb5c8a0
Thanks in advance.
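Not part of the post, but a quick check of the one thing the two configs above disagree on: whether each side's crypto ACL is the exact mirror of the other's (Site1 encrypts 10.184.2.0/24 to 10.55.1.0/24, the DC encrypts 10.0.0.0/8 to 10.184.2.0/24). The script below is my own, with hypothetical function names; it parses the object definitions and the `permit ip` entries copied from both configs and lists the proxy-identity pairs that have no reverse on the peer, a frequent reason for phase 1 being MM_ACTIVE while no traffic passes.

```python
# Added example, not from the thread: parse each side's object definitions and crypto ACL,
# expand them to (local, remote) proxy-identity pairs, and report pairs that have no exact
# mirror image on the peer. Function names are my own; the config text is the post's.
import ipaddress

SITE1 = """
object-group network Datacenter_nw
 network-object 192.168.20.0 255.255.255.0
 network-object 10.55.1.0 255.255.255.0
object network LAN
 subnet 10.184.2.0 255.255.255.0
access-list SEATFWtoDatacenter extended permit ip object LAN object-group Datacenter_nw
"""
DC = """
object-group network Datacenter_lan
 network-object 192.168.20.0 255.255.255.0
 network-object 10.0.0.0 255.0.0.0
object-group network SeattleFW_lan
 network-object 10.184.2.0 255.255.255.0
access-list DatacentertoSEATFW extended permit ip object-group Datacenter_lan object-group SeattleFW_lan
"""

def parse_objects(cfg):
    """Map each object / object-group name to the list of networks it contains."""
    objs, cur = {}, None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] in (["object-group", "network"], ["object", "network"]):
            cur = objs.setdefault(t[2], [])
        elif t and t[0] in ("network-object", "subnet") and cur is not None:
            cur.append(ipaddress.ip_network(f"{t[-2]}/{t[-1]}"))
    return objs

def resolve(pair, objs):
    """Expand 'object NAME', 'object-group NAME' or 'A.B.C.D MASK' to a list of networks."""
    if pair[0] in ("object", "object-group"):
        return objs[pair[1]]
    return [ipaddress.ip_network(f"{pair[0]}/{pair[1]}")]

def proxy_pairs(cfg):
    """Set of (local, remote) networks the crypto ACL 'permit ip SRC DST' entries cover."""
    objs, pairs = parse_objects(cfg), set()
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            pairs.update((s, d) for s in resolve(t[5:7], objs) for d in resolve(t[7:9], objs))
    return pairs

def unmirrored(local_cfg, peer_cfg):
    """Local pairs whose exact reverse (remote, local) does not appear in the peer's ACL."""
    peer = {(d, s) for s, d in proxy_pairs(peer_cfg)}
    return sorted(proxy_pairs(local_cfg) - peer, key=str)
```

Calling `unmirrored(SITE1, DC)` returns the Site1 pair 10.184.2.0/24 to 10.55.1.0/24, and `unmirrored(DC, SITE1)` returns the DC pair 10.0.0.0/8 to 10.184.2.0/24; `show crypto ipsec sa` on either box will show which of these identities actually negotiated a phase 2 SA.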