04-19-2013 05:42 AM - edited 03-11-2019 06:31 PM
Hello Team,
I would like to ask for some assistance. Unfortunately, I am not very experienced with Cisco networking.
Here is the situation.
Site A - headquarters 192.168.1.x
Site B - remote office 192.168.20.x
Site C - remote office 192.168.30.x
Site A - ASA 5510
Site B - ASA 5505
Site C - ASA 5505
Site-to-site VPN is established and works between A and B, A and C.
Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.
I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C, but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and one time the CLI. I generally followed the settings chosen between the headquarters and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.
Could anyone recommend how I can start troubleshooting to find where the issue is?
Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels? Hope not.
Thanks in advance.
Vihren
04-19-2013 06:30 AM
Hi,
Well naturally if you can share the configurations on Site B and Site C we could look through the configurations and see if we could correct those.
There is also an option to tunnel the connections from Site B through Site A to Site C. But with that situation you would naturally be "eating up" the bandwidth on Site A also.
But as I said, if we could see the Site B and Site C ASA configurations then we could go through them.
- Jouni
04-19-2013 10:43 AM
Hi Jouni,
thanks for the quick reply.
Maybe it would be useful to test the s2s via Site A. How is this called?
Here is Site B ASA Configuration:
: Saved
:
ASA Version 8.4(1)
!
hostname fwpuchheim
domain-name elatec.com
enable password XXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address replaced for security reasons 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
replaced for security
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name replaced for security
object network LAN_Puchheim
subnet 192.168.20.0 255.255.255.0
object network LAN_Muenchen
subnet 192.168.1.0 255.255.255.0
object network LAN_Bosnia
subnet 192.168.30.0 255.255.255.0
description Lan Bosnia
object network NETWORK_OBJ_192.168.30.0_24
subnet 192.168.30.0 255.255.255.0
object service 1723
service tcp destination eq pptp
object service 4500
service udp destination eq 4500
object service 50
service esp
object service 500
service udp destination eq isakmp
object service 51
service ah
object-group service User-Zugriff-Puchheim
description Zugriff der User Puchheim
service-object icmp echo
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
service-object tcp destination eq whois
access-list inside_access_in remark Zugriff auf Muenchen ueber VPN
access-list inside_access_in extended permit ip object LAN_Puchheim object LAN_Muenchen
access-list inside_access_in remark User-Protokolle fuer Internet-Zugriff
access-list inside_access_in extended permit object-group User-Zugriff-Puchheim object LAN_Puchheim any inactive
access-list inside_access_in extended permit ip object LAN_Puchheim any
access-list inside_access_in extended permit ip object LAN_Puchheim object LAN_Bosnia
access-list outside_cryptomap extended permit ip object LAN_Puchheim object LAN_Muenchen
access-list outside_access_in extended permit ip object LAN_Muenchen object LAN_Puchheim
access-list outside_access_in extended permit ip object LAN_Bosnia object LAN_Puchheim
access-list outside_cryptomap_1 extended permit ip object LAN_Puchheim object LAN_Bosnia
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list split-tunnel standard permit 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN_Puchheim LAN_Puchheim destination static LAN_Muenchen LAN_Muenchen description kein NAT fuer Zugriff auf NW Muenchen
nat (inside,outside) source static LAN_Puchheim LAN_Puchheim destination static LAN_Bosnia LAN_Bosnia
!
object network LAN_Puchheim
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
http replaced for security 255.255.255.248 outside
http replaced for security 255.255.255.248 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer replaced for security
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer replaced for security
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
telnet replaced for security inside
telnet timeout 30
ssh replaced for security inside
ssh replaced for security 255.255.255.248 outside
ssh replaced for security outside
ssh timeout 30
console timeout 0
vpdn group MNet request dialout pppoe
vpdn group MNet localname replaced for security
vpdn group MNet ppp authentication pap
vpdn username replaced for security
password ***** store-local
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_replaced for security internal
group-policy GroupPolicy_replaced for security attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_replaced for security internal
group-policy GroupPolicy_replaced for security attributes
vpn-tunnel-protocol ikev1
username ASA5510User password udUpPsNRqCJZn8La encrypted privilege 15
username cancom password mgY7GT0lVo7BhYc3 encrypted privilege 15
tunnel-group replaced for security type ipsec-l2l
tunnel-group replaced for security general-attributes
default-group-policy GroupPolicy_replaced for security
tunnel-group replaced for security ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group replaced for security type ipsec-l2l
tunnel-group replaced for security general-attributes
default-group-policy GroupPolicy_replaced for security
tunnel-group replaced for security ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a98e0325549c8abbf49b1f09c5577a5c
: end
asdm image disk0:/asdm-641.bin
no asdm history enable
Here is Site C Configuration:
: Saved
:
ASA Version 8.4(4)1
!
hostname replaced for security
domain-name replaced for security
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description Office network inside
nameif inside
security-level 100
ip address replaced for security 255.255.255.0
!
interface Vlan2
description Internet - VPN
nameif outside
security-level 0
ip address replaced for security
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name Elatec.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN_BiH
subnet 192.168.30.0 255.255.255.0
description LAN Bosnia
object network LAN_Muenchen
subnet 192.168.1.0 255.255.255.0
description LAN Munich
object network Google
host 8.8.8.8
description Google
object service http8080
service tcp destination eq 8080
description http8080
object service non-isakmp
service udp source range 0 65535 destination eq 4500
object network LAN_Puchheim
subnet 192.168.20.0 255.255.255.0
description LAN Puchheim
object network LAN_CZ
subnet 192.168.135.0 255.255.255.0
description LAN CZ
object service 1723
service tcp destination eq pptp
object service 4500
service udp destination eq 4500
object service 50
service esp
object service 500
service udp destination eq isakmp
object service 51
service ah
object-group service User_Access
description users
service-object object http8080
service-object tcp-udp destination eq www
service-object tcp destination eq echo
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object icmp echo
service-object esp
service-object object non-isakmp
service-object udp destination eq domain
service-object udp destination eq isakmp
access-list inside_access_in remark Allow access to Lan Munich
access-list inside_access_in extended permit ip object LAN_BiH object LAN_Muenchen
access-list inside_access_in remark Allow specified outgoing traffic
access-list inside_access_in extended permit ip object LAN_BiH any
access-list inside_access_in extended permit ip object LAN_BiH object LAN_Puchheim
access-list global_access extended permit icmp object Google object LAN_BiH echo-reply
access-list outside_cryptomap extended permit ip object LAN_BiH object LAN_Muenchen
access-list outside_cryptomap_1 extended permit ip object LAN_BiH object LAN_Muenchen
access-list split-tunnel standard permit 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit ip object LAN_Muenchen object LAN_BiH
access-list outside_access_in extended permit ip object LAN_Puchheim object LAN_BiH
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip object LAN_BiH object LAN_Puchheim
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Muenchen LAN_Muenchen description No NAT between Bosnia and Munich
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
!
object network LAN_BiH
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 replaced for security 128 track 10
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.30.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 10
type echo protocol ipIcmpEcho replaced for security interface outside
sla monitor schedule 10 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer replaced for security
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer replaced for security
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer replaced for security
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
track 10 rtr 10 reachability
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.30.15-192.168.30.132 inside
dhcpd dns 192.168.30.3 195.222.32.10 interface inside
dhcpd domain elatec.com interface inside
dhcpd auto_config outside vpnclient-wins-override interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_replaced for security internal
group-policy GroupPolicy_replaced for security attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_replaced for security internal
group-policy GroupPolicy_replaced for security attributes
vpn-tunnel-protocol ikev1
username admin password 7KKG/zg/Wo8c.YfN encrypted
tunnel-group replaced for security type ipsec-l2l
tunnel-group replaced for security general-attributes
default-group-policy GroupPolicy_replaced for security
tunnel-group replaced for security ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group replaced for security type ipsec-l2l
tunnel-group replaced for security general-attributes
default-group-policy GroupPolicy_replaced for security
tunnel-group replaced for security ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b93c1d34431be9cafac57f2b718db669
: end
no asdm history enable
04-19-2013 11:01 AM
Hi,
It seems to me that there is at least a problem with the NAT on Site C.
You have this NAT configuration
nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Muenchen LAN_Muenchen description No NAT between Bosnia and Munich
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
object network LAN_BiH
subnet 192.168.30.0 255.255.255.0
nat (any,outside) dynamic interface
To my understanding you don't need this configuration
no nat (inside,outside) source dynamic any interface
The "object network" NAT configuration already handles the same things. Furthermore since your NAT0 / NAT Exempt type configuration is AFTER this rule I am suggesting you to remove, it will prevent the NAT0 / NAT Exempt configuration from being applied to this L2L VPN traffic.
So can you first remove the single NAT configuration line and test the connection again between Site B and Site C.
I can't see anything wrong with the actual L2L VPN configurations otherwise.
- Jouni
04-19-2013 12:44 PM
Hi Jouni,
this configuration
object network LAN_BiH
subnet 192.168.30.0 255.255.255.0
nat (any,outside) dynamic interface
is present on all the firewalls in Site A, Site B and Site C. I do not want to paralyze any network. Is there a danger if I remove this configuration and add no nat (inside,outside) source dynamic any interface?
Furthermore, S2S between Site A and Site C is working. If the above NAT configuration was the issue, I should not have been able to see S2S VPN between Site A and Site C. Is this correct?
04-19-2013 12:54 PM
Hi,
Notice that I DON'T want you to remove this
object network LAN_BiH
subnet 192.168.30.0 255.255.255.0
nat (any,outside) dynamic interface
This seems to be the Dynamic PAT configuration for Site C Internet traffic.
BUT notice this configuration
nat (inside,outside) source dynamic any interface
It also seems to be a Dynamic PAT configuration for the "inside" users Internet traffic. No reason to have 2 configurations that do the same thing?
That's why I would suggest issuing this command
no nat (inside,outside) source dynamic any interface
With regards to the Site C and Site A L2L VPN Connection. Notice the order of NAT configurations (removed description from one so its easier to read)
nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Muenchen LAN_Muenchen
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
The NAT configuration for Site A to Site C L2L VPN connection is at the very top. Therefore it gets ALWAYS matched first. And that is at least one reason why the Site A to Site C L2L VPN connection is not experiencing any problems.
Now notice that the NAT configuration that I suggest you remove is the next in order. Notice also that this NAT configuration would match the traffic that is supposed to leave UN-NATed, because the source address is defined as "any". So any traffic leaving Site C for Site B gets matched to the wrong NAT rule.
If you don't want to remove the NAT configuration I am suggesting, there is one other option.
First remove the NAT0 / NAT Exempt configuration for the Site C to Site B L2L VPN connection and insert it again with a line number so it goes before the rule I suggest removing.
no nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
nat (inside,outside) 2 source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
Hope I made sense
- Jouni
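Both of Jouni's NAT answers above (the 11:01 AM post and this one) rest on how ASA 8.4 evaluates NAT: Section 1 (manual/twice NAT) is walked top to bottom and the first match wins, and only then Section 2 (object NAT) is consulted. The following Python model is an added illustration, not code from the thread or from Cisco: it replays the three Site C manual NAT lines exactly as posted and both suggested fixes (dropping the "any" dynamic rule, or re-adding the exempt rule at line 2), and checks whether the post-NAT source still falls inside the crypto ACL. The outside address 203.0.113.1 stands in for the redacted one.

```python
"""Replay of the Site C NAT order from the thread (added example, not thread code).

ASA 8.4 evaluates Section 1 (manual/twice NAT) top to bottom, first match wins,
and only then Section 2 (object NAT). Interface pairs are ignored here because
every flow modelled is inside -> outside.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_BIH = ipaddress.ip_network("192.168.30.0/24")       # Site C
LAN_MUENCHEN = ipaddress.ip_network("192.168.1.0/24")   # Site A
LAN_PUCHHEIM = ipaddress.ip_network("192.168.20.0/24")  # Site B
OUTSIDE_IP = "203.0.113.1"  # placeholder for the redacted outside interface address


@dataclass
class NatRule:
    name: str
    kind: str                  # "identity" (NAT exempt) or "pat" (dynamic interface PAT)
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None   # None means any destination

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address) -> bool:
        return s in self.src and (self.dst is None or d in self.dst)


# Section 1 exactly as posted for Site C, in evaluation order.
SITE_C_SECTION1: List[NatRule] = [
    NatRule("nat0 LAN_BiH->LAN_Muenchen", "identity", LAN_BIH, LAN_MUENCHEN),
    NatRule("source dynamic any interface", "pat", ANY),
    NatRule("nat0 LAN_BiH->LAN_Puchheim", "identity", LAN_BIH, LAN_PUCHHEIM),
]
# Section 2: 'object network LAN_BiH' with 'nat (any,outside) dynamic interface'.
SECTION2: List[NatRule] = [NatRule("object NAT LAN_BiH", "pat", LAN_BIH)]


def first_match(section1: List[NatRule], src: str, dst: str) -> NatRule:
    """Return the NAT rule the ASA would apply: Section 1 first, then Section 2."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in section1 + SECTION2:
        if rule.matches(s, d):
            return rule
    raise LookupError("no NAT rule matched")   # unreachable here: object NAT covers LAN_BiH


def translated_source(section1: List[NatRule], src: str, dst: str) -> str:
    """Source address seen on the outside after NAT; identity NAT leaves it unchanged."""
    rule = first_match(section1, src, dst)
    return src if rule.kind == "identity" else OUTSIDE_IP


def crypto_acl_sees_vpn_traffic(section1, src, dst, vpn_dst=LAN_PUCHHEIM) -> bool:
    """Outbound traffic is NATed before the crypto map ACL is checked, so the
    source must still be in LAN_BiH for the packet to enter the tunnel."""
    out = ipaddress.ip_address(translated_source(section1, src, dst))
    return out in LAN_BIH and ipaddress.ip_address(dst) in vpn_dst


def fix_remove_dynamic_rule(section1):
    """Effect of 'no nat (inside,outside) source dynamic any interface'."""
    return [r for r in section1 if r.name != "source dynamic any interface"]


def fix_reinsert_exempt_at_line_2(section1):
    """Effect of 'no nat ... LAN_Puchheim' followed by
    'nat (inside,outside) 2 source static LAN_BiH LAN_BiH destination static ...'."""
    exempt = next(r for r in section1 if r.name == "nat0 LAN_BiH->LAN_Puchheim")
    rules = [r for r in section1 if r is not exempt]
    rules.insert(1, exempt)   # line number 2 -> second position in Section 1
    return rules


if __name__ == "__main__":
    variants = [("as posted", SITE_C_SECTION1),
                ("dynamic rule removed", fix_remove_dynamic_rule(SITE_C_SECTION1)),
                ("exempt rule at line 2", fix_reinsert_exempt_at_line_2(SITE_C_SECTION1))]
    for label, rules in variants:
        hit = first_match(rules, "192.168.30.10", "192.168.20.5")
        ok = crypto_acl_sees_vpn_traffic(rules, "192.168.30.10", "192.168.20.5")
        print(f"{label:22s} C->B hits '{hit.name}', enters tunnel: {ok}")
```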
04-19-2013 11:55 PM
Hi Jouni,
I understood what you were pointing to. You made it very clear. Thanks.
I changed the priorities and ping replies started flowing.
I want to hug you. Respect for your immediate support. If at any time you happen to be in Munich, you have a beer from me.
Regards,
Vihren
04-20-2013 10:36 AM
Hi,
Glad you got it working
Will have to keep the offer in mind
- Jouni