06-22-2012 11:42 AM - edited 02-21-2020 06:09 PM
Hi, I am Jonathan Rivero.
I have an ASA 5520 running version 8.0(2). I configured the site-to-site VPN and it works fine; on the other appliance I configured the VPN Client for remote users, and that works fine too. But when I try to configure both VPNs on the ASA 5520 on the same outside interface, I have the line "crypto map outside_map interface outside" (for the VPN client), and when I configure "crypto map VPNL2L interface outside" it overwrites that command, so I can only have one connection.
The show run:
ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 7esAUjZmKQSFDCZX encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 172.16.3.2 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 200.20.20.1 255.255.255.0
!
interface Ethernet0/1.1
vlan 1
nameif outside1
security-level 0
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network net-local
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
object-group network net-remote
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
network-object 192.168.11.0 255.255.255.0
access-list nat-outside extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
pager lines 24
mtu inside 1500
mtu outside 1500
mtu outside1 1500
ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 100 burst-size 10
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat-outside
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
route inside 172.16.0.0 255.255.255.0 172.16.3.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.2 1
route inside 172.16.2.0 255.255.255.0 172.16.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
banner value ++++Welcome to Cisco Systems 7.0.+++++
dns-server value 192.168.0.1 192.168.1.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun-vpngroup1
default-domain value ad-domain.local
split-dns value ad-domain.local
address-pools value ippool
username asa1 password VRTlLlJ48/PoDKjS encrypted privilege 15
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key *
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA2(config)#sh run
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map VPNL2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key cisco
My topology:
I tried with the following links but they didn't work:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080912cfd.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Best Regards...
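The symptom in the post (the second "crypto map ... interface outside" replacing the first) comes from the ASA allowing exactly one crypto map per interface, so site-to-site and remote-access entries have to live in one map, with the dynamic entry at the highest sequence number and a crypto ACL for the static entry that does not also match the client address pool. The following Python script is an added example, not code from the thread or from Cisco: it parses the handful of config statements involved and reports those three mistakes. The two sample configs are constructed from the configs posted in this thread, trimmed to the relevant statements; the assumption is that the config uses only the statement forms seen here (object-group network, extended ip ACLs, ip local pool, crypto map).

```python
import ipaddress
import re
from collections import defaultdict

SPEC = r"(?:object-group \S+|any|\S+ \S+)"  # ACL source/destination token


def _networks(spec, object_groups):
    # Expand an ACL destination token into IPv4Network objects.
    if spec == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")]
    kind, _, arg = spec.partition(" ")
    if kind == "object-group":
        return object_groups.get(arg, [])
    return [ipaddress.IPv4Network(f"{kind}/{arg}")]  # plain "network mask" form


def parse_config(text):
    cfg = {
        "object_groups": defaultdict(list),  # name -> [IPv4Network]
        "acls": defaultdict(list),           # name -> [(src_spec, dst_spec)]
        "pools": {},                         # name -> (first address, last address)
        "static": defaultdict(dict),         # crypto map -> {seq: crypto ACL}
        "dynamic": defaultdict(dict),        # crypto map -> {seq: dynamic-map name}
        "bindings": defaultdict(list),       # interface -> [crypto maps bound to it]
    }
    current_og = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"object-group network (\S+)", line):
            current_og = m.group(1)
        elif (m := re.fullmatch(r"network-object (\S+) (\S+)", line)) and current_og:
            cfg["object_groups"][current_og].append(
                ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.fullmatch(rf"access-list (\S+) extended permit ip ({SPEC}) ({SPEC})", line):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3)))
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+) mask \S+", line):
            cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                        ipaddress.IPv4Address(m.group(3)))
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) match address (\S+)", line):
            cfg["static"][m.group(1)][int(m.group(2))] = m.group(3)
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            cfg["dynamic"][m.group(1)][int(m.group(2))] = m.group(3)
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            cfg["bindings"][m.group(2)].append(m.group(1))
    return cfg


def lint(text):
    """Return a list of finding tuples; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings = []
    # 1. Only one crypto map can be bound to an interface; a second
    #    'crypto map X interface Y' replaces the first (the symptom in the post).
    for iface, maps in cfg["bindings"].items():
        if len(maps) > 1:
            findings.append(("MULTIPLE_MAPS", iface, maps))
    # 2. The dynamic entry needs the highest sequence number so the static L2L
    #    entries are evaluated before the catch-all remote-access entry.
    for name, dyn in cfg["dynamic"].items():
        for seq in dyn:
            if any(s > seq for s in cfg["static"].get(name, {})):
                findings.append(("DYNAMIC_NOT_LAST", name, seq))
    # 3. A static entry's crypto ACL must not cover the remote-access pool, or
    #    client traffic is claimed by the L2L entry instead of the dynamic map.
    for name, statics in cfg["static"].items():
        for seq, acl in statics.items():
            for _src, dst in cfg["acls"].get(acl, []):
                for net in _networks(dst, cfg["object_groups"]):
                    for pool, (first, last) in cfg["pools"].items():
                        hit = ("CRYPTO_ACL_COVERS_POOL", name, seq, acl, pool)
                        if net.network_address <= last and net.broadcast_address >= first \
                                and hit not in findings:
                            findings.append(hit)
    return findings


# Constructed from the posted configs, trimmed to the statements the checks read.
COMMON = """
object-group network net-local
 network-object 172.16.3.0 255.255.255.0
object-group network net-remote
 network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
 network-object 192.168.11.0 255.255.255.0
ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
"""
# First post: two crypto maps on one interface, and the L2L crypto ACL 'nonat'
# also matching the VPN client pool.
BROKEN_CONFIG = COMMON + """
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
crypto map VPNL2L 1 match address nonat
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map VPNL2L interface outside
"""
# Later in the thread: one map, static entry first, dynamic entry at 65535,
# and a dedicated crypto ACL without the pool.
FIXED_CONFIG = COMMON + """
access-list nonat1 extended permit ip object-group net-local object-group net-remote
crypto map vpns 1 match address nonat1
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
"""
```

Running lint(BROKEN_CONFIG) reports the double binding of the outside interface and the 'nonat' crypto ACL covering 'ippool'; lint(FIXED_CONFIG) returns an empty list. Feed it the text of "show run" to check a live box; the script only understands the statement forms used in this thread, so anything else is silently skipped.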
07-11-2012 07:54 AM
Hi Karsten/rizwanr74,
Yes, yesterday I tried from LAN to LAN, but now I re-configured the 2 ASAs (same configuration, copy and paste) and tested the tunnel; on TresASA1 both tunnels are up (site-to-site and remote), but on TresASA2 traffic does not pass across the tunnel. I entered the show crypto ipsec sa command and the numbers (#pkts encaps: #pkts encrypt: , #pkts digest: 99) mismatch....
The access-list configuration is:
TresASA1(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
TresASA1(config)# sh run crypto
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
TresASA1(config)# sh run tunnel
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key *****
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
address-pool ippool
default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
pre-shared-key *****
TresASA1(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
TresASA1(config)# sh run global
global (outside) 1 interface
TresASA1(config)#
---------------------------------------
TresASA2(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat1 extended permit ip object-group net-local object-group net-remote
TresASA2(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat
TresASA2(config)# sh run cryt
TresASA2(config)# sh run cryptoi
TresASA2(config)# sh run cryptto
TresASA2(config)# sh run crypto
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
TresASA2(config)# sh run globa
global (outside) 1 interface
TresASA2(config)#
Thanks!!!
07-11-2012 08:38 AM
So you have packets flowing from ASA2 to ASA1 but nothing comes back. Are there any relevant log messages on ASA1 while testing?
While testing you could do a packet capture on ASA1 to see if the test packets come back to the ASA (in the following form, not during peak hours):
ASA# capture CAP1 interface inside real-time
07-11-2012 09:12 AM
OK, this is the output:
TresASA1(config)# capture CAP1 interface inside real-time
Warning: using this option with a slow console connection may
result in an excessive amount of non-displayed packets
due to performance limitations.
Use ctrl-c to terminate real-time capture
1: 16:50:50.959239 172.16.103.1 > 172.16.3.1: icmp: echo request
2: 16:50:52.959316 172.16.103.1 > 172.16.3.1: icmp: echo request
3: 16:50:54.959667 172.16.103.1 > 172.16.3.1: icmp: echo request
4: 16:50:56.959972 172.16.103.1 > 172.16.3.1: icmp: echo request
5: 16:50:58.959911 172.16.103.1 > 172.16.3.1: icmp: echo request
6: 16:51:00.960323 172.16.103.1 > 172.16.3.1: icmp: echo request
7: 16:51:02.960353 172.16.103.1 > 172.16.3.1: icmp: echo request
8: 16:51:04.960613 172.16.103.1 > 172.16.3.1: icmp: echo request
9: 16:51:06.960948 172.16.103.1 > 172.16.3.1: icmp: echo request
10: 16:51:08.960994 172.16.103.1 > 172.16.3.1: icmp: echo request
11: 16:51:10.961376 172.16.103.1 > 172.16.3.1: icmp: echo request
12: 16:51:12.961421 172.16.103.1 > 172.16.3.1: icmp: echo request
13: 16:51:14.961650 172.16.103.1 > 172.16.3.1: icmp: echo request
14: 16:51:16.962001 172.16.103.1 > 172.16.3.1: icmp: echo request
15: 16:51:18.962062 172.16.103.1 > 172.16.3.1: icmp: echo request
16: 16:51:20.962413 172.16.103.1 > 172.16.3.1: icmp: echo request
17: 16:51:22.962505 172.16.103.1 > 172.16.3.1: icmp: echo request
18: 16:51:24.962734 172.16.103.1 > 172.16.3.1: icmp: echo request
19: 16:51:26.963054 172.16.103.1 > 172.16.3.1: icmp: echo request
20: 16:51:28.963115 172.16.103.1 > 172.16.3.1: icmp: echo request
21: 16:51:30.963527 172.16.103.1 > 172.16.3.1: icmp: echo request
22: 16:51:32.963527 172.16.103.1 > 172.16.3.1: icmp: echo request
23: 16:51:34.963756 172.16.103.1 > 172.16.3.1: icmp: echo request
24: 16:51:36.964122 172.16.103.1 > 172.16.3.1: icmp: echo request
25: 16:51:38.964183 172.16.103.1 > 172.16.3.1: icmp: echo request
26: 16:51:40.964564 172.16.103.1 > 172.16.3.1: icmp: echo request
27: 16:51:42.964610 172.16.103.1 > 172.16.3.1: icmp: echo request
28: 16:51:44.964809 172.16.103.1 > 172.16.3.1: icmp: echo request
29: 16:51:46.965190 172.16.103.1 > 172.16.3.1: icmp: echo request
30: 16:51:48.965221 172.16.103.1 > 172.16.3.1: icmp: echo request
31: 16:51:50.965602 172.16.103.1 > 172.16.3.1: icmp: echo request
32: 16:51:52.965678 172.16.103.1 > 172.16.3.1: icmp: echo request
33: 16:51:54.965892 172.16.103.1 > 172.16.3.1: icmp: echo request
34: 16:51:56.966273 172.16.103.1 > 172.16.3.1: icmp: echo request
35: 16:51:58.966273 172.16.103.1 > 172.16.3.1: icmp: echo request
36: 16:52:00.966640 172.16.103.1 > 172.16.3.1: icmp: echo request
37: 16:52:02.966716 172.16.103.1 > 172.16.3.1: icmp: echo request
38: 16:52:04.966929 172.16.103.1 > 172.16.3.1: icmp: echo request
39: 16:52:06.967326 172.16.103.1 > 172.16.3.1: icmp: echo request
40: 16:52:08.967357 172.16.103.1 > 172.16.3.1: icmp: echo request
41: 16:52:10.967723 172.16.103.1 > 172.16.3.1: icmp: echo request
42: 16:52:12.967784 172.16.103.1 > 172.16.3.1: icmp: echo request
43: 16:52:14.967982 172.16.103.1 > 172.16.3.1: icmp: echo request
44: 16:52:16.968348 172.16.103.1 > 172.16.3.1: icmp: echo request
45: 16:52:18.968410 172.16.103.1 > 172.16.3.1: icmp: echo request
46: 16:52:20.968776 172.16.103.1 > 172.16.3.1: icmp: echo request
47: 16:52:22.968852 172.16.103.1 > 172.16.3.1: icmp: echo request
48: 16:52:24.969111 172.16.103.1 > 172.16.3.1: icmp: echo request
49: 16:52:26.969432 172.16.103.1 > 172.16.3.1: icmp: echo request
50: 16:52:28.969462 172.16.103.1 > 172.16.3.1: icmp: echo request
51: 16:52:30.969874 172.16.103.1 > 172.16.3.1: icmp: echo request
52: 16:52:32.969951 172.16.103.1 > 172.16.3.1: icmp: echo request
53: 16:52:34.970118 172.16.103.1 > 172.16.3.1: icmp: echo request
54: 16:52:36.970469 172.16.103.1 > 172.16.3.1: icmp: echo request
55: 16:52:38.970546 172.16.103.1 > 172.16.3.1: icmp: echo request
56: 16:52:40.970912 172.16.103.1 > 172.16.3.1: icmp: echo request
57: 16:52:42.970973 172.16.103.1 > 172.16.3.1: icmp: echo request
58: 16:52:44.971171 172.16.103.1 > 172.16.3.1: icmp: echo request
59: 16:52:46.971522 172.16.103.1 > 172.16.3.1: icmp: echo request
60: 16:52:48.971583 172.16.103.1 > 172.16.3.1: icmp: echo request
61: 16:52:50.971949 172.16.103.1 > 172.16.3.1: icmp: echo request
62: 16:52:52.972117 172.16.103.1 > 172.16.3.1: icmp: echo request
63: 16:52:54.972239 172.16.103.1 > 172.16.3.1: icmp: echo request
64: 16:52:56.972651 172.16.103.1 > 172.16.3.1: icmp: echo request
65: 16:52:57.772939 arp who-has 172.16.3.4 tell 172.16.3.8
66: 16:52:58.972651 172.16.103.1 > 172.16.3.1: icmp: echo request
67: 16:53:00.973017 172.16.103.1 > 172.16.3.1: icmp: echo request
68: 16:53:02.973109 172.16.103.1 > 172.16.3.1: icmp: echo request
69: 16:53:04.973292 172.16.103.1 > 172.16.3.1: icmp: echo request
70: 16:53:07.001678 172.16.103.1 > 172.16.3.1: icmp: echo request
71: 16:53:09.001754 172.16.103.1 > 172.16.3.1: icmp: echo request
72: 16:53:11.002197 172.16.103.1 > 172.16.3.1: icmp: echo request
73: 16:53:13.002197 172.16.103.1 > 172.16.3.1: icmp: echo request
74: 16:53:15.002456 172.16.103.1 > 172.16.3.1: icmp: echo request
75: 16:53:17.002761 172.16.103.1 > 172.16.3.1: icmp: echo request
76: 16:53:19.002822 172.16.103.1 > 172.16.3.1: icmp: echo request
77: 16:53:21.003173 172.16.103.1 > 172.16.3.1: icmp: echo request
78: 16:53:23.003372 172.16.103.1 > 172.16.3.1: icmp: echo request
79: 16:53:25.003494 172.16.103.1 > 172.16.3.1: icmp: echo request
80: 16:53:27.003829 172.16.103.1 > 172.16.3.1: icmp: echo request
81: 16:53:29.003890 172.16.103.1 > 172.16.3.1: icmp: echo request
82: 16:53:31.004424 172.16.103.1 > 172.16.3.1: icmp: echo request
83: 16:53:33.004333 172.16.103.1 > 172.16.3.1: icmp: echo request
84: 16:53:35.004592 172.16.103.1 > 172.16.3.1: icmp: echo request
85: 16:53:37.004867 172.16.103.1 > 172.16.3.1: icmp: echo request
86: 16:53:39.004913 172.16.103.1 > 172.16.3.1: icmp: echo request
87: 16:54:19.243410 arp who-has 172.16.3.5 tell 172.16.3.4
88: 16:57:58.513767 arp who-has 172.16.3.8 tell 172.16.3.4
89: 16:58:11.834841 arp who-has 172.16.3.1 tell 172.16.3.5
89 packets shown.
0 packets not shown due to performance limitations.
TresASA1(config)#
Let me tell you that when I ping from 172.16.103.1 to 172.16.3.1 the ping is unsuccessful, but when I ping from 172.16.3.1 to 172.16.103.1 the ping is successful.
CORE_Tres(config)#do sh ip interface br
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM up up
Vlan2 172.16.2.1 YES manual up up
Vlan4 172.16.4.1 YES manual up up
Vlan5 172.16.5.1 YES manual up up
Vlan7 172.16.7.1 YES manual up up
Vlan8 172.16.8.1 YES manual up up
Vlan9 172.16.9.1 YES manual up up
Vlan10 172.16.10.1 YES manual up up
Vlan11 172.16.11.1 YES manual up up
Vlan99 172.16.99.1 YES manual up up
Vlan101 unassigned YES NVRAM administratively down down
Vlan152 172.16.3.1 YES NVRAM up up
Vlan153 unassigned YES manual up up
FastEthernet2/0/1 unassigned YES manual down down
FastEthernet2/0/2 unassigned YES manual down down
FastEthernet2/0/3 unassigned YES unset down down
FastEthernet2/0/4 unassigned YES unset down down
FastEthernet2/0/5 unassigned YES unset up up
FastEthernet2/0/6 unassigned YES unset down down
FastEthernet2/0/7 unassigned YES unset down down
FastEthernet2/0/8 unassigned YES unset down down
FastEthernet2/0/9 unassigned YES unset up up
CORE_Tres(config)#do ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
CORE_Tres(config)#do telnet 172.16.103.1
Trying 172.16.103.1 ... Open
User Access Verification
Username: tresland
Password:
TresLAND#
So I think the packets do not come back to TresASA2....
What do you think?
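Karsten's suggestion above is to capture on the inside interface and see whether replies come back, and the 89-line capture the poster got shows only echo requests from 172.16.103.1 to 172.16.3.1 with no echo reply in either direction. The following Python script is an added example, not code from the thread or from Cisco: it condenses "capture ... real-time" output into per-direction request/reply counts and lists the flows that were never answered, which is the question the capture was taken to answer. The sample capture is constructed from the first lines of the posted output plus an invented successful ping in the reverse direction for contrast.

```python
import re

# One line of 'capture ... real-time' output: "<n>: <time> <src> > <dst>: icmp: echo <kind>"
ICMP_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+): icmp: echo (request|reply)\b")


def icmp_flows(capture_text):
    """Count echo requests and the replies that answer them, per (requester, target)."""
    flows = {}
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # ARP, other protocols, the banner and the trailer are ignored
        src, dst, kind = m.groups()
        # A reply from dst back to src belongs to the flow that src opened.
        key = (src, dst) if kind == "request" else (dst, src)
        flow = flows.setdefault(key, {"request": 0, "reply": 0})
        flow[kind] += 1
    return flows


def one_way_flows(capture_text):
    """Return the (requester, target) pairs whose requests were never answered."""
    return sorted(key for key, flow in icmp_flows(capture_text).items()
                  if flow["request"] and not flow["reply"])


# Constructed sample: the first lines of the capture posted above, plus an
# invented successful ping in the other direction (packets 5 and 6).
SAMPLE_CAPTURE = """\
   1: 16:50:50.959239 172.16.103.1 > 172.16.3.1: icmp: echo request
   2: 16:50:52.959316 172.16.103.1 > 172.16.3.1: icmp: echo request
   3: 16:50:54.959667 172.16.103.1 > 172.16.3.1: icmp: echo request
   4: 16:52:57.772939 arp who-has 172.16.3.4 tell 172.16.3.8
   5: 16:53:10.000000 172.16.3.1 > 172.16.103.1: icmp: echo request
   6: 16:53:10.004000 172.16.103.1 > 172.16.3.1: icmp: echo reply
6 packets shown.
"""

if __name__ == "__main__":
    for key, flow in icmp_flows(SAMPLE_CAPTURE).items():
        print(f"{key[0]} -> {key[1]}: {flow['request']} requests, {flow['reply']} replies")
    print("one-way:", one_way_flows(SAMPLE_CAPTURE))
```

For the sample it prints 3 requests and 0 replies for 172.16.103.1 -> 172.16.3.1 and flags that pair as one-way, which is exactly the pattern in the posted capture: the requests reach the inside network, so the missing piece is the return path. On the ASA itself, adding a match clause such as "capture CAP1 interface inside match icmp any any real-time" (if your release accepts it) keeps the ARP noise out of the capture in the first place.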
07-11-2012 09:22 AM
Could it be that 172.16.3.1 is filtering the incoming ICMP packets?
07-11-2012 09:27 AM
Mmm, no, this is the access-list configured on TresASA1:
TresASA1(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
07-11-2012 09:59 AM
Not the ASA, the router that you try to ping.
07-11-2012 10:06 AM
Hi there,
Please make sure your internal switch has a static route in place to push all remote network segments (which go over the IPsec tunnel) to its local firewall's inside address. This static route must exist on the internal switch at both ends.
thanks
07-11-2012 10:23 AM
yes...
TresASA2(config)# sh run object-group
object-group network net-local
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-remote
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
TresASA2(config)# sh run route
route outside 0.0.0.0 0.0.0.0 200.30.30.2 1
route inside 172.16.100.0 255.255.255.0 172.16.103.2 1
route inside 172.16.101.0 255.255.255.0 172.16.103.2 1
route inside 172.16.102.0 255.255.255.0 172.16.103.2 1
route inside 172.16.103.0 255.255.255.0 172.16.103.2 1
TresASA2(config)# ping 172.16.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
TresASA2(config)# ping 172.16.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA2(config)# ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA2(config)# ping 172.16.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA2(config)#
TresASA2(config)#
TresASA2(config)#
TresLAND(config-if)#exit
TresLAND(config)#
TresLAND(config)#
TresLAND(config)#do sh run | inc ip route
ip route 0.0.0.0 0.0.0.0 172.16.103.2
TresLAND(config)#ping 172.16.103.1
^
% Invalid input detected at '^' marker.
TresLAND(config)#do ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
TresLAND(config)#
-----------------------------------------------------------------------------------------------------
TresASA1(config)# sh run object-group
object-group network net-local
network-object 172.16.0.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 172.16.2.0 255.255.255.0
network-object 172.16.3.0 255.255.255.0
network-object 172.16.4.0 255.255.255.0
network-object 172.16.5.0 255.255.255.0
network-object 172.16.6.0 255.255.255.0
network-object 172.16.7.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
network-object 172.16.9.0 255.255.255.0
network-object 172.16.11.0 255.255.255.0
object-group network net-remote
network-object 172.16.100.0 255.255.255.0
network-object 172.16.101.0 255.255.255.0
network-object 172.16.102.0 255.255.255.0
network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
network-object 192.168.11.0 255.255.255.0
TresASA1(config)# sh run route
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.1 1
route inside 172.16.2.0 255.255.255.0 172.16.3.1 1
route inside 172.16.4.0 255.255.255.0 172.16.3.1 1
route inside 172.16.5.0 255.255.255.0 172.16.3.1 1
route inside 172.16.6.0 255.255.255.0 172.16.3.1 1
route inside 172.16.7.0 255.255.255.0 172.16.3.1 1
route inside 172.16.8.0 255.255.255.0 172.16.3.1 1
route inside 172.16.9.0 255.255.255.0 172.16.3.1 1
route inside 172.16.10.0 255.255.255.0 172.16.3.1 1
route inside 172.16.11.0 255.255.255.0 172.16.3.1 1
TresASA1(config)# ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
TresASA1(config)# ping 172.16.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA1(config)#
CORE_Tres>
CORE_Tres>
CORE_Tres>en
Password:
CORE_Tres#sh run | inc ip route
ip route 0.0.0.0 0.0.0.0 172.16.3.2
CORE_Tres#sh ip interface br
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM up up
Vlan2 172.16.2.1 YES manual up up
Vlan4 172.16.4.1 YES manual up up
Vlan5 172.16.5.1 YES manual up up
Vlan7 172.16.7.1 YES manual up up
Vlan8 172.16.8.1 YES manual up up
Vlan9 172.16.9.1 YES manual up up
Vlan10 172.16.10.1 YES manual up up
Vlan11 172.16.11.1 YES manual up up
Vlan99 172.16.99.1 YES manual up up
Vlan101 unassigned YES NVRAM administratively down down
Vlan152 172.16.3.1 YES NVRAM up up
Vlan153 unassigned YES manual up up
FastEthernet2/0/1 unassigned YES manual down down
FastEthernet2/0/2 unassigned YES manual down down
FastEthernet2/0/3 unassigned YES unset down down
FastEthernet2/0/4 unassigned YES unset down down
FastEthernet2/0/5 unassigned YES unset up up
FastEthernet2/0/6 unassigned YES unset down down
FastEthernet2/0/7 unassigned YES unset down down
FastEthernet2/0/8 unassigned YES unset down down
FastEthernet2/0/9 unassigned YES unset up up
CORE_Tres#
07-11-2012 10:49 AM
Please post your current config from both firewalls as an attachment.
thanks
07-11-2012 10:54 AM
07-11-2012 11:22 AM
Can you please add this static route on both devices.
Please add this static route on ASA2
route outside 172.16.0.0 255.255.0.0 200.30.30.2
Please add this static route on ASA1, as well.
route outside 172.16.0.0 255.255.0.0 200.20.20.2
Please remove this line from ASA2.
crypto isakmp identity address
Please update.
thanks
07-11-2012 12:10 PM
Hi rizwanr74,
After creating the route, the site-to-site VPN ping is successful (LAN to LAN) and at the same time the remote VPN is successful.
TresLAND#sh ip interface br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/1 172.16.103.1 YES manual up up
Serial0/2/0 unassigned YES unset administratively down down
Serial0/2/1 unassigned YES unset administratively down down
Loopback0 172.16.100.1 YES manual up up
Loopback1 172.16.101.1 YES manual up up
Loopback2 172.16.102.1 YES manual up up
Loopback4 unassigned YES unset up up
TresLAND#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
CORE_Tres#
CORE_Tres#ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
CORE_Tres#
Now the most complicated part is the explanation... I think it forces the ASA with the new route outside, but why? If I have the default route outside (route 0.0.0.0 0.0.0.0
07-11-2012 12:24 PM
"I think it forces the ASA with the new route outside, but why?"
Without the route, the ASA pushes traffic to the inside by default.
Anyway, this must have been a learning experience.
I hope this has been of some help.
Please rate all helpful posts.
thanks
Rizwan Rafeek.
07-11-2012 01:59 PM
I understand. I tried it with GNS3 on version 8.0.2 and I didn't have trouble, but as you tell me, "experience".
Thanks for everything, and this is my MSN: a24042004@hotmail.com