08-04-2008 04:32 AM - edited 03-11-2019 06:25 AM
Hi,
I had a working site-to-site VPN until I had to change the external outside interface IP address on one of the ASAs. Now it's not working anymore.
When I try to generate traffic from one site to the other, nothing gets to the other side.
Suggested traffic flow:
192.168.100.12 -> 192.168.100.1 -> 213.136.41.181 -> internet -> 79.136.112.50 -> 192.168.1.5
The configs:
First asa:
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l
Second asa:
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.200.0 255.255.255.0 79.136.112.50 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 79.136.112.50
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
no vpn-addr-assign aaa
tunnel-group 79.x.112.50 type ipsec-l2l
tunnel-group 79.x.112.50 ipsec-attributes
pre-shared-key *
08-04-2008 05:05 AM
Your interesting VPN traffic access-lists are incorrect, assuming the "first asa" has a LAN address subnet of 192.168.100.0/24 change the config to:-
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
And change the second ASA config to:-
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
HTH
08-04-2008 05:13 AM
Ok, so it should be: ?
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 213.136.41.181
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 213.136.41.181 type ipsec-l2l
08-04-2008 05:20 AM
It depends on which device you are talking about - I can tell you from the config output above the ACL's should actually be:-
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
The reason why is because of this line:-
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
Which indicates - that the local IP subnet is 192.168.1.0 255.255.255.0 - correct??
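The consistency rules behind this reply (crypto ACL written local -> remote, the nat 0 ACL exempting the same pairs, and the two peers' crypto ACLs being mirror images) as an added Python checker that is not part of this thread. The config excerpts are constructed from the posts above, and the "source must not be a subnet routed out the outside interface" rule is an assumption taken from the reasoning in this reply.

```python
import re
from ipaddress import ip_network
# Constructed excerpts modelled on the thread's two ASA configs (assumed, not the full configs).
ASA1 = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 79.136.112.49 1
route outside 192.168.100.0 255.255.255.0 213.136.41.181 1
crypto map abcmap 1 match address l2l_list
"""
ASA2 = """
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 213.136.41.182 1
route outside 192.168.1.0 255.255.255.0 79.136.112.50 1
crypto map abcmap 1 match address l2l_list
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route outside (\S+) (\S+) \S+ \d+$")

def parse(cfg):
    # Returns (crypto-map ACL entries, nat 0 ACL entries, subnets with a static route out 'outside').
    acls, remote, crypto, nat0 = {}, set(), None, None
    for line in cfg.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((ip_network(f"{m[2]}/{m[3]}"), ip_network(f"{m[4]}/{m[5]}")))
        elif m := ROUTE_RE.match(line):
            if (net := ip_network(f"{m[1]}/{m[2]}")).prefixlen:  # skip the default route
                remote.add(net)
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)$", line):
            crypto = m[1]
        elif m := re.match(r"^nat \(inside\) 0 access-list (\S+)$", line):
            nat0 = m[1]
    return acls.get(crypto, []), acls.get(nat0, []), remote

def check(cfg_a, cfg_b):
    """Return a list of findings; an empty list means both sides are consistent."""
    findings, cryptos = [], {}
    for name, cfg in (("asa1", cfg_a), ("asa2", cfg_b)):
        crypto, nat0, remote = parse(cfg)
        cryptos[name] = set(crypto)
        for kind, entries in (("crypto", crypto), ("nat0", nat0)):
            for src, dst in entries:
                # local -> remote: the source must not be a subnet that is routed out 'outside'
                if src in remote or dst not in remote:
                    findings.append(f"{name}: {kind} ACL {src} -> {dst} is reversed")
        if not set(crypto) <= set(nat0):
            findings.append(f"{name}: nat 0 ACL does not exempt every crypto ACL entry")
    if cryptos["asa1"] != {(d, s) for s, d in cryptos["asa2"]}:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings
```

Run against the excerpts as posted, `check(ASA1, ASA2)` reports the reversed nat 0 ACL on both ASAs; with the nat 0 lines flipped to match the crypto ACLs it reports nothing.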
08-04-2008 05:24 AM
Yes, that's correct. The 192.168.1.0 subnet and the 192.168.100.0 subnet are behind two different ASAs, hence the routing entry. I guess I need it, right?
08-04-2008 05:27 AM
Yes - but which one is which? You have got yourself confused in regard to what should be encrypted from src to dst, and what should be exempt from NAT.
To be honest looking at your config, this VPN has never worked if the only thing that has changed is an external IP address.
Post BOTH full configs - remove passwords, this will help to get to the bottom of this.
08-04-2008 05:42 AM
08-04-2008 05:50 AM
08-04-2008 06:01 AM
Oh thanx! Will give it a try.
Are you sure the route settings on the two host are correct?
08-04-2008 06:05 AM
Yes - pretty sure.
You can always add the changes to the existing config, then see which ACL lines get hits.
08-04-2008 06:18 AM
Got it working. Thanx a bunch.
08-04-2008 06:26 AM
np - glad to help.