09-26-2012 07:47 PM - edited 02-21-2020 06:21 PM
Hello - I cannot get a 3rd ASA site to communicate with Headquarters site ASA. Headquarters site can communicate with 2nd site fine. Can anyone check out my config and let me know what you think is going wrong? All I really care about is connecting Site 3 to Headquarters Site.
Headquarters Site:
access-list 110 extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0 = SITE TWO IP SCHEME
access-list 210 extended permit ip 10.10.0.0 255.255.0.0 10.10.210.0 255.255.254.0 = SITE THREE IP SCHEME
access-list inside_access_out extended permit tcp 10.10.200.0 255.255.254.0 10.10.210.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.210.0 255.255.254.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set ESP-3DES-SHA
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 20 match address 210
crypto map mymap 20 set peer 2.2.2.2
crypto map mymap 20 set transform-set ESP-3DES-SHA
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
2nd ASA (connects to headquarters site fine):
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN1_map0 2 match address WAN1_cryptomap_1
crypto map WAN1_map0 2 set peer 3.3.3.3
crypto map WAN1_map0 2 set transform-set ESP-3DES-SHA
crypto map WAN1_map0 interface WAN1
crypto isakmp enable WAN1
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *****
3rd ASA (cannot connect to headquarters site):
access-list outside_cryptomap_1 extended permit ip 10.10.210.0 255.255.254.0 10.10.200.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.10.210.0 255.255.254.0 10.10.200.0 255.255.254.0
access-list outside_access_in extended permit ip 10.10.210.0 255.255.254.0 10.10.200.0 255.255.254.0
access-list INSIDE_ACCESS_IN extended permit ip any 10.10.200.0 255.255.254.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_1
crypto map outside_map 20 set peer 3.3.3.3
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *****
09-27-2012 04:57 PM
Hi,
The configuration looks fine.
Please attach: "debug crypto isakmp 190" and "debug crypto ipsec 190" from the third location.
Thanks.
Portu.
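An added example, not part of the thread: a Python check that the crypto ACLs of two site-to-site peers are mirror images of each other, run over lines copied from the Headquarters and 3rd ASA configurations posted above. The function names are this example's own, and only `extended permit ip <net> <mask> <net> <mask>` entries are parsed.

```python
import re
from ipaddress import ip_network

# Lines copied from the Headquarters and 3rd ASA configurations in the post.
HQ = """\
access-list 110 extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list 210 extended permit ip 10.10.0.0 255.255.0.0 10.10.210.0 255.255.254.0
crypto map mymap 10 match address 110
crypto map mymap 20 match address 210
"""
SITE3 = """\
access-list outside_cryptomap_1 extended permit ip 10.10.210.0 255.255.254.0 10.10.200.0 255.255.254.0
crypto map outside_map 20 match address outside_cryptomap_1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)", re.M)

def crypto_selectors(config):
    """Return {(map, seq): [(src_net, dst_net), ...]} for each crypto map entry."""
    acls = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        pair = (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}"))
        acls.setdefault(name, []).append(pair)
    return {(m, int(seq)): acls.get(acl, []) for m, seq, acl in MAP_RE.findall(config)}

def compare(local, remote):
    """Classify a local (src, dst) selector against the remote side's selector."""
    l_src, l_dst = local
    r_src, r_dst = remote
    if (l_src, l_dst) == (r_dst, r_src):
        return "mirrored"
    if l_src.overlaps(r_dst) and l_dst.overlaps(r_src):
        return "overlapping but not mirrored"
    return "disjoint"

def local_remote_overlap(selector):
    """True when the protected source and destination networks overlap."""
    return selector[0].overlaps(selector[1])

if __name__ == "__main__":
    hq = crypto_selectors(HQ)[("mymap", 20)][0]
    s3 = crypto_selectors(SITE3)[("outside_map", 20)][0]
    print("HQ    :", hq[0], "->", hq[1])
    print("Site 3:", s3[0], "->", s3[1])
    print("selectors:", compare(hq, s3))
    print("HQ source overlaps its destination:", local_remote_overlap(hq))
```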