08-26-2022 06:42 AM
Hello,
I have an ASA5516 that I want to temporarily run two IPsec site-to-site tunnels on, so we can start setting up a new data center while waiting for our SD-WAN equipment: one tunnel to our current data center (CoLo) subnet and DMZ (running an ASA5505), and one to our office in Dover (running an ASA5508X).
Both tunnels initialize and look normal when looking at them in ASDM.
We currently have no equipment behind the new ASA to do ping tests with, so I am using the inside interfaces of the ASAs to test.
For the data center tunnel, I can ping back and forth without issue, even to and from hosts behind the data center ASA.
For the Dover tunnel, when I ping from either ASA to the other, I get no ping response. On either end of the tunnel I see Bytes Tx increment when I do the ping tests, but the other side's Rx doesn't increment, and vice versa.
Could someone please take a look at my configs and see if there are any glaring issues?
Thank you in advance for any suggestions!
Jesse
Config for ASA5516 with tunnel to 192.168.170.0 working and 192.168.10.0 not working:
!
interface GigabitEthernet1/2
nameif Tierpoint
security-level 5
ip address !TierpointIP! 255.255.255.248
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 192.168.190.22 255.255.255.0
!
object network Internal_RFC1918-10
subnet 10.0.0.0 255.0.0.0
object network Internal_RFC1918-172.16
subnet 172.16.0.0 255.240.0.0
object network Internal_RFC1918-192.168
subnet 192.168.0.0 255.255.0.0
object network New_CoLo-SW01
host 192.168.190.21
object network Office-CoLo
subnet 192.168.190.0 255.255.255.0
object network OldCoLo-DMZ
subnet 172.20.43.0 255.255.255.0
object network Office-OldCoLo
subnet 192.168.170.0 255.255.255.0
object network Office-dover
subnet 192.168.10.0 255.255.255.0
object network Dover_inside
subnet 192.168.254.56 255.255.255.248
object-group network Internal_RFC1918
network-object object Internal_RFC1918-10
network-object object Internal_RFC1918-192.168
network-object object Internal_RFC1918-172.16
object-group network local-network
network-object object Office-CoLo
object-group network remote-network
network-object object Office-OldCoLo
network-object object OldCoLo-DMZ
object-group network remote-dover
network-object object Office-dover
network-object object Dover_inside
access-list mpls_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list Tierpoint_cryptomap_1 extended permit ip object-group local-network object-group remote-network
access-list Tierpoint_access_in extended permit tcp any object New_CoLo-SW01 eq ssh
access-list Tierpoint_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object New_CoLo-SW01 eq ssh
access-list outside_access_in extended permit ip any any
access-list Tierpoint_cryptomap_4 extended permit ip object-group local-network object-group remote-dover
nat (any,any) source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
nat (any,outside) source dynamic any interface inactive
nat (any,Tierpoint) source dynamic any interface
nat (inside,Tierpoint) source static local-network local-network destination static remote-dover remote-dover no-proxy-arp route-lookup
nat (inside,Tierpoint) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
!
object network New_CoLo-SW01
nat (inside,Tierpoint) static interface service tcp ssh 6758
route Tierpoint 0.0.0.0 0.0.0.0 !TierpointGatewayIP! 1
route outside 0.0.0.0 0.0.0.0 !AnotherISPgateway! 2
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Tierpoint_map1 1 match address Tierpoint_cryptomap_4
crypto map Tierpoint_map1 1 set peer !IP of non-working peer!
crypto map Tierpoint_map1 1 set ikev1 transform-set ESP-3DES-MD5
crypto map Tierpoint_map1 2 match address Tierpoint_cryptomap_1
crypto map Tierpoint_map1 2 set peer !IP of working peer!
crypto map Tierpoint_map1 2 set ikev1 transform-set ESP-3DES-MD5
crypto map Tierpoint_map1 interface Tierpoint
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
management-access inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
tunnel-group !IP of working peer! type ipsec-l2l
tunnel-group !IP of working peer! ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group !IP of non-working peer! type ipsec-l2l
tunnel-group !IP of non-working peer! ipsec-attributes
ikev1 pre-shared-key *****
!
------------------------------------------------------
Config of non-working Dover end of tunnel:
!
interface GigabitEthernet1/3
description LINK SW01:G1/0/20
nameif inside
security-level 100
ip address 192.168.254.58 255.255.255.248
!
!
interface GigabitEthernet1/7
nameif Comcast_Test
security-level 2
ip address !ISP IP! 255.255.255.248
!
object network Internal_RFC1918-10
subnet 10.0.0.0 255.0.0.0
object network Internal_RFC1918-172.16
subnet 172.16.0.0 255.240.0.0
object network Internal_RFC1918-192.168
subnet 192.168.0.0 255.255.0.0
object network Dover_Data_Subnet
subnet 192.168.10.0 255.255.255.0
object network New_CoLo_Subnet
subnet 192.168.190.0 255.255.255.0
object-group network remote-network
network-object object CGI-Network
network-object object CGI-DMZ
network-object object DCIS
object-group network Internal_RFC1918
network-object object Internal_RFC1918-10
network-object object Internal_RFC1918-172.16
network-object object Internal_RFC1918-192.168
object-group network VPN_Local
network-object object Dover_Data_Subnet
network-object 192.168.254.56 255.255.255.248
object-group network VPN_Remote
network-object object New_CoLo_Subnet
access-list inside_access_in extended permit ip any any
access-list Comcast_Test_cryptomap extended permit ip object-group VPN_Local object-group VPN_Remote
access-list Comcast_Test_access_in extended permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any mpls
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any inside
icmp permit any Comcast_Test
nat (inside,outside) source static Server_RDGWA-Dov Server_RDGWA-Dov-Outside
nat (DMZ,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,any) source static CGI-Network CGI-Network destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (DMZ,any) source static CGI-DMZ CGI-DMZ destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,any) source static CGI-DMZ CGI-DMZ destination static DMZ-Network DMZ-Network no-proxy-arp route-lookup
nat (inside,Comcast_Test) source static VPN_Local VPN_Local destination static VPN_Remote VPN_Remote no-proxy-arp route-lookup
!
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static Internal_RFC1918 Internal_RFC1918 no-proxy-arp
nat (any,any) after-auto source static Internal_RFC1918 Internal_RFC1918 destination static DCIS-Hosts DCIS-Hosts no-proxy-arp
nat (any,outside) after-auto source dynamic any interface
route Comcast_Test 0.0.0.0 0.0.0.0 !ISP gateway IP! 2
route inside 192.168.8.0 255.255.252.0 192.168.254.57 1
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map Comcast_Test_map0 1 match address Comcast_Test_cryptomap
crypto map Comcast_Test_map0 1 set peer !Peer IP!
crypto map Comcast_Test_map0 1 set ikev1 transform-set ESP-3DES-MD5
crypto map Comcast_Test_map0 1 set nat-t-disable
crypto map Comcast_Test_map0 1 set reverse-route
crypto map Comcast_Test_map0 interface Comcast_Test
crypto ikev1 enable Comcast_Test
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
management-access inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
dynamic-access-policy-record DfltAccessPolicy
tunnel-group !Peer IP! type ipsec-l2l
tunnel-group !Peer IP! ipsec-attributes
ikev1 pre-shared-key *****
!
08-27-2022 09:19 AM
There are two tunnels running between the sides.
First, try removing one tunnel and check the tunnel status;
if the tunnel works and is UP, then you need an
isakmp profile to separate the tunnels.
08-26-2022 07:28 AM
object-group network VPN_Local
network-object object Dover_Data_Subnet <<<---subnet 192.168.10.0 255.255.255.0
network-object 192.168.254.56 255.255.255.248 <<<---
object-group network VPN_Remote
network-object object New_CoLo_Subnet <<<---subnet 192.168.190.0 255.255.255.0
!
object-group network local-network
network-object object Office-CoLo <<<---subnet 192.168.190.0 255.255.255.0
object-group network remote-dover
network-object object Office-dover <<<--- subnet 192.168.10.0 255.255.255.0
network-object object Dover_inside <<<--- subnet 192.168.254.56 255.255.255.248
Your proxy IDs are OK,
but I prefer to add multiple ACEs instead of using object-groups.
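The reply above checks by eye that the crypto-map ACLs (the IPsec proxy IDs) on the two ASAs are mirror images of each other once the object-groups are expanded. The script below does that check mechanically. It is an added example written for this thread, not code from the poster or from Cisco: it parses only the subset of ASA syntax seen in the posted configs (network objects, network object-groups and `access-list NAME extended permit ip SRC DST` lines), expands each crypto ACL into a set of (local, remote) network pairs, and reports whether the far end's ACL is the exact mirror. The two configs embedded in it are constructed from the subnets quoted in the thread, not the full posted configs, and the mismatch variant is constructed to show what a missing /29 looks like in the report.

```python
"""Mirror-check the IPsec proxy IDs (crypto-map ACLs) of two ASAs.

Added example, not the poster's or Cisco's code. Handles only the ASA
syntax subset seen in the thread; the configs below are constructed.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
HOST_MASK = "255.255.255.255"


def _net(addr, mask):
    # ipaddress accepts a dotted netmask after the slash, as ASA writes it
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(config):
    """Return (objects, groups): name -> set of networks / member refs."""
    objects, groups, current, kind = {}, {}, None, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[:2] == ["object", "network"]:
            current, kind = parts[2], "object"
            objects.setdefault(current, set())
        elif parts[:2] == ["object-group", "network"]:
            current, kind = parts[2], "group"
            groups.setdefault(current, set())
        elif kind == "object" and parts[0] == "subnet":
            objects[current].add(_net(parts[1], parts[2]))
        elif kind == "object" and parts[0] == "host":
            objects[current].add(_net(parts[1], HOST_MASK))
        elif kind == "group" and parts[0] == "network-object":
            if parts[1] == "object":
                groups[current].add(("object", parts[2]))  # resolved later
            elif parts[1] == "host":
                groups[current].add(_net(parts[2], HOST_MASK))
            else:
                groups[current].add(_net(parts[1], parts[2]))
        # anything else (nat lines inside an object, descriptions, ACLs) is skipped
    return objects, groups


def expand_group(name, objects, groups):
    """Flatten an object-group into a set of networks."""
    nets = set()
    for member in groups[name]:
        nets |= objects[member[1]] if isinstance(member, tuple) else {member}
    return nets


def _operand(tokens, objects, groups):
    """Consume one ACL address operand; return (networks, remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return {ipaddress.ip_network("0.0.0.0/0")}, tokens[1:]
    if tokens[0] == "object":
        return set(objects[tokens[1]]), tokens[2:]
    if tokens[0] == "object-group":
        return expand_group(tokens[1], objects, groups), tokens[2:]
    if tokens[0] == "host":
        return {_net(tokens[1], HOST_MASK)}, tokens[2:]
    return {_net(tokens[0], tokens[1])}, tokens[2:]


def crypto_acl_pairs(config, acl_name):
    """Expand every 'permit ip' ACE of acl_name into (src_net, dst_net) pairs."""
    objects, groups = parse_objects(config)
    pairs = set()
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) == acl_name:
            src, rest = _operand(m.group(2).split(), objects, groups)
            dst, _ = _operand(rest, objects, groups)
            pairs |= {(s, d) for s in src for d in dst}
    return pairs


def mirror_report(local_cfg, local_acl, remote_cfg, remote_acl):
    """Compare local (src,dst) pairs with the far end's pairs swapped to (dst,src)."""
    local = crypto_acl_pairs(local_cfg, local_acl)
    remote = {(d, s) for (s, d) in crypto_acl_pairs(remote_cfg, remote_acl)}
    return {"match": local == remote,
            "only_local": sorted(local - remote, key=str),
            "only_remote": sorted(remote - local, key=str)}


# Constructed from the thread's subnets: the ASA5516 end of the Dover tunnel.
ASA5516_CFG = """object network Office-CoLo
subnet 192.168.190.0 255.255.255.0
object network Office-dover
subnet 192.168.10.0 255.255.255.0
object network Dover_inside
subnet 192.168.254.56 255.255.255.248
object-group network local-network
network-object object Office-CoLo
object-group network remote-dover
network-object object Office-dover
network-object object Dover_inside
access-list Tierpoint_cryptomap_4 extended permit ip object-group local-network object-group remote-dover
"""

# Constructed from the thread's subnets: the Dover end of the same tunnel.
DOVER_CFG = """object network Dover_Data_Subnet
subnet 192.168.10.0 255.255.255.0
object network New_CoLo_Subnet
subnet 192.168.190.0 255.255.255.0
object-group network VPN_Local
network-object object Dover_Data_Subnet
network-object 192.168.254.56 255.255.255.248
object-group network VPN_Remote
network-object object New_CoLo_Subnet
access-list Comcast_Test_cryptomap extended permit ip object-group VPN_Local object-group VPN_Remote
"""

# Constructed variant with the inside /29 left out of VPN_Local, to show a mismatch.
DOVER_CFG_MISMATCH = DOVER_CFG.replace("network-object 192.168.254.56 255.255.255.248\n", "")

if __name__ == "__main__":
    print(mirror_report(ASA5516_CFG, "Tierpoint_cryptomap_4", DOVER_CFG, "Comcast_Test_cryptomap"))
    print(mirror_report(ASA5516_CFG, "Tierpoint_cryptomap_4", DOVER_CFG_MISMATCH, "Comcast_Test_cryptomap"))
```

With the two constructed configs the report shows `match: True`, which is the same conclusion the reply reached by hand; with the variant, the pair (192.168.190.0/24, 192.168.254.56/29) turns up under `only_local`, i.e. the 5516 would propose a proxy ID the Dover end never accepts. A mirrored proxy-ID set rules out that class of Phase 2 mismatch, but it says nothing about whether ESP is actually getting through in transit, which is worth checking separately when Tx counters climb on both ends and Rx stays at zero.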