cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10916
Views
0
Helpful
7
Replies

Site-to-Site VPN between ASA 5510 and ASA5505 Configuration

Vihren Todorov
Level 1
Level 1

Hello Team,

I would like to ask for some assistance. Unfortunately, I am not very experienced with Cisco networking.

Here is the situation.

Site A - headquarters 192.168.1.x

Site B - remote office 192.168.20.x

Site C - remote office 192.168.30.x

Site A - ASA 5510

Site B - ASA 5505

Site C - ASA 5505

Site-to-site VPN is established and works between A and B, A and C.

Users would like to establish a tunnel between B and C to work on a common project and the data is on Site B.

I tried configuring the S2S VPN with pre-shared keys on both firewalls at sites B and C but in the end it is not established (I cannot ping either side). I used the Wizard interface multiple times and one time the CLI. I generally followed the settings chosen between the headquarter and the individual remote sites and tried to replicate them. Obviously I have made a mistake somewhere.

Could anyone recommend how can I start troubleshooting where the issue is?

Could there be any limitation on the ASA 5505 in terms of licensing and the number of S2S tunnels? Hope not.

Thanks in advance.

Vihren

1 Accepted Solution

Accepted Solutions

Hi,

Notice that I DONT want you to remove this

  object network LAN_BiH

   subnet 192.168.30.0 255.255.255.0

   nat (any,outside) dynamic interface

This seems to be the Dynamic PAT configuration for Site C Internet traffic.

BUT notice this configuration

nat (inside,outside) source dynamic any interface

It also seems to be a Dynamic PAT configuration for the "inside" users Internet traffic. No reason to have 2 configurations that do the same thing?

Thats why I would suggest issuing this command

no nat (inside,outside) source dynamic any interface

With regards to the Site C and Site A L2L VPN Connection. Notice the order of NAT configurations (removed description from one so its easier to read)

nat (inside,outside) source static LAN_BiH LAN_BiH  destination static  LAN_Muenchen LAN_Muenchen

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim

The NAT configuration for Site A to Site C L2L VPN connection is at the very top. Therefore it gets ALWAYS matched first. And that is atleast one reason why the Site A to Site C L2L VPN connection is not expiriencing any problems.

Now notice that the NAT configurations that I suggest you remove is the next in order. Notice also that this NAT configuration would match to the traffic that is supposed to leave UN-NATed because the source address is defined as "any". So any traffic leaving Site C for Site B gets matched to the wrong NAT rule.

If you dont want to remove the NAT configuration I am suggesting there one other option.

First remove the NAT0 / NAT Exempt configuration for the Site C to Site B L2L VPN connection and insert it again with a line number so it goes before the rule I suggest removing.

no nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
nat (inside,outside)  2 source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim

Hope I made sense

- Jouni

View solution in original post

7 Replies 7

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Well naturally if you can share the configurations on Site B and Site C we could look through the configurations and see if we could correct those.

There is also an option to tunnel the connections from Site B through Site A to Site C. But with that situation you would naturally be "eating up" the bandwith on Site A also.

But as I said, if we could see the Site B and Site C ASA configurations then we could go through them.

- Jouni

Hi Jouni,

thanks for the quick reply.

Maybe it would be useful to test the s2s via Site A. How is this called?

Here is Site B ASA Configuration:

: Saved

:

ASA Version 8.4(1)

!

hostname fwpuchheim

domain-name elatec.com

enable password XXXXXXXXXXX encrypted

passwd

XXXXXXXXXXX

encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address replaced for security reasons 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

replaced for security

ip address pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa841-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name replaced for security

object network LAN_Puchheim

subnet 192.168.20.0 255.255.255.0

object network LAN_Muenchen

subnet 192.168.1.0 255.255.255.0

object network LAN_Bosnia

subnet 192.168.30.0 255.255.255.0

description Lan Bosnia

object network NETWORK_OBJ_192.168.30.0_24

subnet 192.168.30.0 255.255.255.0

object service 1723

service tcp destination eq pptp

object service 4500

service udp destination eq 4500

object service 50

service esp

object service 500

service udp destination eq isakmp

object service 51

service ah

object-group service User-Zugriff-Puchheim

description Zugriff der User Puchheim

service-object icmp echo

service-object tcp destination eq ftp

service-object tcp destination eq www

service-object tcp destination eq https

service-object udp destination eq domain

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object tcp destination eq ssh

service-object tcp destination eq telnet

service-object tcp destination eq whois

access-list inside_access_in remark Zugriff auf Muenchen ueber VPN

access-list inside_access_in extended permit ip object LAN_Puchheim object LAN_Muenchen

access-list inside_access_in remark User-Protokolle fuer Internet-Zugriff

access-list inside_access_in extended permit object-group User-Zugriff-Puchheim object LAN_Puchheim any inactive

access-list inside_access_in extended permit ip object LAN_Puchheim any

access-list inside_access_in extended permit ip object LAN_Puchheim object LAN_Bosnia

access-list outside_cryptomap extended permit ip object LAN_Puchheim object LAN_Muenchen

access-list outside_access_in extended permit ip object LAN_Muenchen object LAN_Puchheim

access-list outside_access_in extended permit ip object LAN_Bosnia object LAN_Puchheim

access-list outside_cryptomap_1 extended permit ip object LAN_Puchheim object LAN_Bosnia

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0

access-list split-tunnel standard permit 192.168.20.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN_Puchheim LAN_Puchheim destination static LAN_Muenchen LAN_Muenchen description kein NAT fuer Zugriff auf NW Muenchen

nat (inside,outside) source static LAN_Puchheim LAN_Puchheim destination static LAN_Bosnia LAN_Bosnia

!

object network LAN_Puchheim

nat (any,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.20.0 255.255.255.0 inside

http replaced for security
255.255.255.248 outside

http replaced for security
255.255.255.248 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer replaced for security

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer replaced for security

crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

telnet replaced for security
inside

telnet timeout 30

ssh replaced for security
inside

ssh replaced for security
255.255.255.248 outside

sshreplaced for security
outside

ssh timeout 30

console timeout 0

vpdn group MNet request dialout pppoe

vpdn group MNet localname replaced for security

vpdn group MNet ppp authentication pap

vpdn username replaced for security
password ***** store-local

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_replaced for security
internal

group-policy GroupPolicy_replaced for security
attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy_replaced for security
internal

group-policy GroupPolicy_replaced for security
attributes

vpn-tunnel-protocol ikev1

username ASA5510User password udUpPsNRqCJZn8La encrypted privilege 15

username cancom password mgY7GT0lVo7BhYc3 encrypted privilege 15

tunnel-group replaced for security
type ipsec-l2l

tunnel-group replaced for security
general-attributes

default-group-policy GroupPolicy_replaced for security

tunnel-group replaced for security
ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group replaced for security
type ipsec-l2l

tunnel-group replaced for security
general-attributes

default-group-policy GroupPolicy_replaced for security

tunnel-groupreplaced for security
ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a98e0325549c8abbf49b1f09c5577a5c

: end

asdm image disk0:/asdm-641.bin

no asdm history enable

Here is Site C Configuration:

: Saved

:

ASA Version 8.4(4)1

!

hostname replaced for security

domain-name replaced for security

enable password XXXXXXXXXXXXXXXXX encrypted

passwd

XXXXXXXXXXXXXXXXX

encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

description Office network inside

nameif inside

security-level 100

ip address replaced for security 255.255.255.0

!

interface Vlan2

description Iinternet - VPN

nameif outside

security-level 0

ip address replaced for security

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

domain-name Elatec.com

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network LAN_BiH

subnet 192.168.30.0 255.255.255.0

description LAN Bosnia

object network LAN_Muenchen

subnet 192.168.1.0 255.255.255.0

description LAN Munich

object network Google

host 8.8.8.8

description Google

object service http8080

service tcp destination eq 8080

description http8080

object service non-isakmp

service udp source range 0 65535 destination eq 4500

object network LAN_Puchheim

subnet 192.168.20.0 255.255.255.0

description LAN Puchheim

object network LAN_CZ

subnet 192.168.135.0 255.255.255.0

description LAN CZ

object service 1723

service tcp destination eq pptp

object service 4500

service udp destination eq 4500

object service 50

service esp

object service 500

service udp destination eq isakmp

object service 51

service ah

object-group service User_Access

description users

service-object object http8080

service-object tcp-udp destination eq www

service-object tcp destination eq echo

service-object tcp destination eq ftp

service-object tcp destination eq ftp-data

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object icmp echo

service-object esp

service-object object non-isakmp

service-object udp destination eq domain

service-object udp destination eq isakmp

access-list inside_access_in remark Allow access to Lan Munich

access-list inside_access_in extended permit ip object LAN_BiH object LAN_Muenchen

access-list inside_access_in remark Allow specified outgoing traffic

access-list inside_access_in extended permit ip object LAN_BiH any

access-list inside_access_in extended permit ip object LAN_BiH object LAN_Puchheim

access-list global_access extended permit icmp object Google object LAN_BiH echo-reply

access-list outside_cryptomap extended permit ip object LAN_BiH object LAN_Muenchen

access-list outside_cryptomap_1 extended permit ip object LAN_BiH object LAN_Muenchen

access-list split-tunnel standard permit 192.168.30.0 255.255.255.0

access-list outside_access_in extended permit ip object LAN_Muenchen object LAN_BiH

access-list outside_access_in extended permit ip object LAN_Puchheim object LAN_BiH

access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip object LAN_BiH object LAN_Puchheim

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Muenchen LAN_Muenchen description No NAT between Bosnia and Munich

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim

!

object network LAN_BiH

nat (any,outside) dynamic interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 replaced for security
128 track 10

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.30.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sla monitor 10

type echo protocol ipIcmpEcho replaced for security
interface outside

sla monitor schedule 10 life forever start-time now

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set pfs

crypto map outside_map0 1 set peer replaced for security

crypto map outside_map0 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer replaced for security

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-DES-SHA

crypto map outside_map 2 match address outside_cryptomap_2

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer replaced for security

crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

!

track 10 rtr 10 reachability

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.30.15-192.168.30.132 inside

dhcpd dns 192.168.30.3 195.222.32.10 interface inside

dhcpd domain elatec.com interface inside

dhcpd auto_config outside vpnclient-wins-override interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_replaced for security
internal

group-policy GroupPolicy_replaced for security
attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy_replaced for security
internal

group-policy GroupPolicy_replaced for security
attributes

vpn-tunnel-protocol ikev1

username admin password 7KKG/zg/Wo8c.YfN encrypted

tunnel-group replaced for security
type ipsec-l2l

tunnel-group replaced for security
general-attributes

default-group-policy GroupPolicy_replaced for security

tunnel-group replaced for security
ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group replaced for security
type ipsec-l2l

tunnel-group replaced for security
general-attributes

default-group-policy GroupPolicy_replaced for security

tunnel-group replaced for security
ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:b93c1d34431be9cafac57f2b718db669

: end

no asdm history enable

Hi,

It seems to me that there is atleast a problem with the NAT on Site C

You have this NAT configuration

nat (inside,outside) source static LAN_BiH LAN_BiH destination static  LAN_Muenchen LAN_Muenchen description No NAT between Bosnia and Munich

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim

object network LAN_BiH

subnet 192.168.30.0 255.255.255.0

  nat (any,outside) dynamic interface

To my understanding you done need this configuration

no nat (inside,outside) source dynamic any interface

The "object network" NAT configuration already handles the same things. Furthermore since your NAT0 / NAT Exempt type configuration is AFTER this rule I am suggesting you to remove, it will prevent the NAT0 / NAT Exempt configuration from being applied to this L2L VPN traffic.

So can you first remove the single NAT configuration line and test the connection again between Site B and Site C.

I cant see anything wrong with the actual L2L VPN configurations otherwise.

- Jouni

Hi Jouni,

this configuration

object network LAN_BiH

subnet 192.168.30.0 255.255.255.0

  nat (any,outside) dynamic interface

is present on all the firewalls in Site A, Site B and Site C. I do not want to paralize any network. Is there a danger to do that if remove this configuration and add no nat (inside,outside) source dynamic any interface.

Furthermore, S2S between Site A and Site C is working. If the above NAT configuration was the issue I should have not been able to see S2S VPN between Site A and Site C. Is this correct?

Hi,

Notice that I DONT want you to remove this

  object network LAN_BiH

   subnet 192.168.30.0 255.255.255.0

   nat (any,outside) dynamic interface

This seems to be the Dynamic PAT configuration for Site C Internet traffic.

BUT notice this configuration

nat (inside,outside) source dynamic any interface

It also seems to be a Dynamic PAT configuration for the "inside" users Internet traffic. No reason to have 2 configurations that do the same thing?

Thats why I would suggest issuing this command

no nat (inside,outside) source dynamic any interface

With regards to the Site C and Site A L2L VPN Connection. Notice the order of NAT configurations (removed description from one so its easier to read)

nat (inside,outside) source static LAN_BiH LAN_BiH  destination static  LAN_Muenchen LAN_Muenchen

nat (inside,outside) source dynamic any interface

nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim

The NAT configuration for Site A to Site C L2L VPN connection is at the very top. Therefore it gets ALWAYS matched first. And that is atleast one reason why the Site A to Site C L2L VPN connection is not expiriencing any problems.

Now notice that the NAT configurations that I suggest you remove is the next in order. Notice also that this NAT configuration would match to the traffic that is supposed to leave UN-NATed because the source address is defined as "any". So any traffic leaving Site C for Site B gets matched to the wrong NAT rule.

If you dont want to remove the NAT configuration I am suggesting there one other option.

First remove the NAT0 / NAT Exempt configuration for the Site C to Site B L2L VPN connection and insert it again with a line number so it goes before the rule I suggest removing.

no nat (inside,outside) source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim
nat (inside,outside)  2 source static LAN_BiH LAN_BiH destination static LAN_Puchheim LAN_Puchheim

Hope I made sense

- Jouni

Hi Jouni,

i understood what you were pointing to. You made it very clear. Thanks.

I changed the priorities and ping reply starting flowing.

I want to hug you. Respect for your immediate support. If at any time you happen to be in Munich, you have a beer from me.

Regards,

Vihren

Hi,

Glad you got it working

Will have to keep the offer in mind

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: