Participant

second vpn subnet between asa 5515 and meraki mx64

I currently have a VPN connection set up between an ASA 5515 and a Meraki MX64, and it works great. However, I've got a new subnet behind the ASA that I want to put over the VPN. I added it to the local subnet on the ASA and the remote subnet on the Meraki. It won't work on that subnet. When I do a packet-tracer from the new subnet to the Meraki it says "nat-xlate failed".

 

The new subnet is NATted to a different public IP; not sure if that matters. Here is my config for the ASA:

 


interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 5.2.201.65 255.255.255.224 standby 5.2.201.66
!
interface GigabitEthernet0/1
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Connection between ASA's
nameif To_5516
security-level 10
ip address 192.168.95.1 255.255.255.248 standby 192.168.95.3
!
interface Management0/0
description STATE Failover Interface
management-only
!
interface Port-channel16
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel16.16
description Inside
vlan 16
nameif inside
security-level 100
ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
!
interface Port-channel16.18
description Interfaces Vlan
vlan 18
nameif Interfaces
security-level 80
ip address 10.18.1.251 255.255.255.0

object network Inside_10.16.1.0
subnet 10.16.1.0 255.255.255.0
description inside network
object network inside
subnet 10.16.1.0 255.255.255.0
description Inside network 10.16.1.0
object network issue_city_Bellevue
subnet 10.211.41.0 255.255.255.0
description issue_city House Bellevue BOH
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group network SNMP_Collectors
description SNMP Collectors
network-object object Cacti
network-object object Obersvium
object-group network DM_INLINE_NETWORK_1
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_2
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_3
network-object object Inside_10.16.1.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_4
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.16.1.0 255.255.255.0
network-object object Interfaces
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_8 object-group DM_INLINE_NETWORK_5 object issue_city_Bellevue
access-list Interfaces_access_in extended permit ip any any
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static issue_city_Redmond issue_city_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup
!
object network inside
nat (inside,outside) dynamic interface
object network Interfaces
nat (Interfaces,outside) dynamic Interface_Public_IP
access-group outside_access_in in interface outside
access-group To_5516_access_in in interface To_5516
access-group inside_access_in in interface inside
access-group Interfaces_access_in in interface Interfaces
route outside 0.0.0.0 0.0.0.0 5.2.201.94 1
route To_5516 10.15.2.0 255.255.255.0 192.168.95.2 1
route To_5516 10.15.33.0 255.255.255.0 192.168.95.2 1
route To_5516 10.45.46.0 255.255.255.192 192.168.95.2 1
route To_5516 10.245.245.0 255.255.255.0 192.168.95.2 1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set peer 5.23.31.194
crypto map outside_map 4 set ikev1 transform-set AES-256 ESP-AES-256-SHA
group-policy GroupPolicy_5.23.31.194 internal
group-policy GroupPolicy_5.23.31.194 attributes
vpn-tunnel-protocol ikev1
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username company_name password ***** encrypted privilege 15
tunnel-group 5.23.31.194 type ipsec-l2l
tunnel-group 5.23.31.194 general-attributes
default-group-policy GroupPolicy_5.23.31.194
tunnel-group 5.23.31.194 ipsec-attributes

 

Any advice?

 

Thanks

VIP Advisor

Re: second vpn subnet between asa 5515 and meraki mx64

Have you added the same second subnet on the other side of the VPN (MX64?) to allow the interesting traffic?

BB
*** Rate All Helpful Responses ***
Participant

Re: second vpn subnet between asa 5515 and meraki mx64

I have added the 2nd IP subnet on the Meraki. Let me go through the other suggestions on this post and I'll reply back later today.

 

Thank you for the input

VIP Advocate

Re: second vpn subnet between asa 5515 and meraki mx64

Hi,

Have you added the same subnet on the Meraki? We are not sure which is your other subnet, so it's very difficult to find in the configuration.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
Participant

Re: second vpn subnet between asa 5515 and meraki mx64

So behind the ASA I have the subnet 10.16.1.0/24 which works and I want to add another vlan which is 10.18.1.0/24.

 

Thanks 

VIP Mentor

Re: second vpn subnet between asa 5515 and meraki mx64

Hello,

 

I think the access list matching the crypto map is missing the new subnet. Change:

 

access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_8 object-group DM_INLINE_NETWORK_5 object issue_city_Bellevue

 

to

 

access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_4 object-group object issue_city_Bellevue

 

as the object DM_INLINE_PROTOCOL_4 contains both subnets (10.16.1.0/24 and 10.18.1.0/24).

 

Also, delete the NAT exemption:

 

nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup

 

as it is redundant. The below line should be sufficient:


nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static issue_city_Bellevue issue_city_Bellevue no-proxy-arp route-lookup

 

 

Participant

Re: second vpn subnet between asa 5515 and meraki mx64

This is what I have on the ASA now.

 

access-list outside_cryptomap_9 extended permit ip object-group DM_INLINE_NETWORK_6 object City_Bellevue

object-group network DM_INLINE_NETWORK_6
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0

 

11 (inside) to (outside) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 83

 

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside interface
translate_hits = 1771519, untranslate_hits = 15334
2 (Interfaces) to (outside) source dynamic Interfaces Interface_Public_IP
translate_hits = 4850, untranslate_hits = 3626

 

 

 

I still don't seem to be able to get the VPN to work on the 10.18.1.0/24 subnet.
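
Added example (not part of any post in this thread, and not Cisco tooling): a small Python audit that reads an ASA config and reports crypto-ACL source subnets that have no NAT-exemption rule on the interface they actually enter through. It relies on manual NAT rules matching only traffic that arrives on the rule's real interface; `EXTRA_RULE` and all function names are assumptions made for this example, and only directly connected source subnets are checked.

```python
import ipaddress
import re

# Constructed excerpt: only the lines relevant to the Bellevue tunnel, copied
# from the running config posted in this thread (unindented, as posted).
SAMPLE_CONFIG = """\
interface Port-channel16.16
nameif inside
ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
interface Port-channel16.18
nameif Interfaces
ip address 10.18.1.251 255.255.255.0
object network City_Bellevue
subnet 10.211.41.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0
access-list outside_cryptomap_9 extended permit ip object-group DM_INLINE_NETWORK_6 object City_Bellevue
nat (inside,outside) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup
crypto map outside_map 4 match address outside_cryptomap_9
"""
# Assumption (not from the thread): the same exemption on the second interface.
EXTRA_RULE = "nat (Interfaces,outside) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup\n"
NAT_RE = re.compile(r"nat \(([^,\s]+),[^)\s]+\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def _net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect interfaces, network objects, ACLs, NAT exemptions, crypto ACLs."""
    ifaces, objs, acls, nats, crypto = {}, {}, {}, [], set()
    ctx = nameif = None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "interface":
            ctx = nameif = None
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = _net(t[2], t[3])
        elif t[0] in ("object", "object-group"):
            ctx = t[2] if t[1] == "network" else None
            if ctx:
                objs.setdefault(ctx, [])
        elif t[0] in ("subnet", "host") and ctx:
            objs[ctx].append(_net(*t[1:3]))
        elif t[0] == "network-object" and ctx:
            if t[1] == "object":
                objs[ctx].append(t[2])  # reference to a named object, resolved later
            else:
                objs[ctx].append(_net(*(t[2:3] if t[1] == "host" else t[1:3])))
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            acls.setdefault(t[1], []).append(t[4:])
        elif t[0] == "nat":
            m = NAT_RE.match(" ".join(t))
            # Identity rule (NAT exemption): real and mapped names are equal
            if m and m.group(2) == m.group(3) and m.group(4) == m.group(5):
                nats.append((m.group(1), m.group(2), m.group(4)))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.add(t[6])
    return ifaces, objs, acls, nats, crypto


def resolve(name, objs):
    """Flatten an object or object-group name into a list of networks."""
    out = []
    for item in objs.get(name, []):
        out.extend(resolve(item, objs) if isinstance(item, str) else [item])
    return out


def _take(tok, objs):
    """Consume one ACL address spec; return (networks, remaining tokens)."""
    if tok[0] in ("object", "object-group"):
        return resolve(tok[1], objs), tok[2:]
    if tok[0] in ("any", "any4"):
        return [_net("0.0.0.0", "0.0.0.0")], tok[1:]
    if tok[0] == "host":
        return [_net(tok[1])], tok[2:]
    return [_net(tok[0], tok[1])], tok[2:]


def audit(config):
    """Return (acl, source, destination, ingress_ifc) tuples lacking an exemption."""
    ifaces, objs, acls, nats, crypto = parse(config)
    missing = []
    for acl in sorted(crypto):
        for entry in acls.get(acl, []):
            # Skip the protocol spec ("ip" or "object-group NAME")
            rest = entry[2:] if entry[0] in ("object", "object-group") else entry[1:]
            srcs, rest = _take(rest, objs)
            dsts, _ = _take(rest, objs)
            for src in srcs:
                # Assumption: only directly connected sources are checked
                ifc = next((n for n, v in ifaces.items() if src.subnet_of(v)), None)
                for dst in (dsts if ifc else []):
                    if not any(real in (ifc, "any")
                               and any(src.subnet_of(s) for s in resolve(sn, objs))
                               and any(dst.subnet_of(d) for d in resolve(dn, objs))
                               for real, sn, dn in nats):
                        missing.append((acl, str(src), str(dst), ifc))
    return missing
```

Run against the constructed excerpt, `audit(SAMPLE_CONFIG)` reports 10.18.1.0/24 on `Interfaces`, and `audit(SAMPLE_CONFIG + EXTRA_RULE)` reports nothing. A reported source falls through to the dynamic PAT rule for its interface, so its translated address no longer matches the crypto ACL.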

VIP Mentor

Re: second vpn subnet between asa 5515 and meraki mx64

Hello,

 

post the full running config of the ASA again with the changes you have implemented...the previous one had redundancies and errors, I want to check if everything is correctly configured now...

Participant

Re: second vpn subnet between asa 5515 and meraki mx64

IP addresses that are public have been changed to post this


interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 12.12.12.65 255.255.255.224 standby 12.12.12.66
!
interface GigabitEthernet0/1
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Connection between ASA's
nameif To_5516
security-level 10
ip address 192.168.95.1 255.255.255.248 standby 192.168.95.3
!
interface Management0/0
description STATE Failover Interface
management-only
!
interface Port-channel16
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel16.16
description Inside
vlan 16
nameif inside
security-level 100
ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
!
interface Port-channel16.18
description Interfaces Vlan
vlan 18
nameif Interfaces
security-level 80
ip address 10.18.1.251 255.255.255.0
!
boot system disk0:/asa9-12-1-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup To_5516
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.15.2.1
name-server 10.15.2.3
name-server 10.15.2.6
domain-name lodgeworks.corp
object network 10.15.2.0_24
subnet 10.15.2.0 255.255.255.0
description Corp Vlan2
object network Inside_10.16.1.0
subnet 10.16.1.0 255.255.255.0
description inside network
object network inside
subnet 10.16.1.0 255.255.255.0
description Inside network 10.16.1.0
object network ICTDC01
host 10.15.2.1
description ICTDC01
object network ICTDC03
host 10.15.2.3
description ICTDC03
object network ICTDC06
host 10.15.2.6
description ICTDC06
object network John_PC
host 10.15.2.50
description John's Computer
object network Matt_Mac
host 10.15.2.93
description Matt's Mac Laptop
object network Lukes_MacBook
host 10.15.2.80
description Luke's Mac Book Pro
object network NETWORK_OBJ_10.30.97.0_24
subnet 10.30.97.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_24
subnet 10.16.1.0 255.255.255.0
object network Austin_City
subnet 10.30.97.0 255.255.255.0
description Austin City Admin LAN
object network NETWORK_OBJ_10.10.1.0_24
subnet 10.10.1.0 255.255.255.0
object network Test_(delete)
host 10.15.2.95
description Dell Wyse Test
object network Test_2_Wyse
host 10.15.2.131
description Wyse ThinOS
object network Dell_5070_1
host 10.15.2.130
description 8Y6Q0T2
object network Wyse3040test
host 10.15.2.109
object network City_Redmond
subnet 10.47.122.0 255.255.255.0
description City Redmond
object network Austin_City_Failover
subnet 192.168.93.0 255.255.255.0
description Fail Over network in Austin City
object network City_Manhattan
subnet 10.17.1.0 255.255.255.0
description City Manhattan BOH
object network Cacti
host 10.15.2.73
description Cacti_VM
object network Obersvium
host 10.15.2.22
description Observium VM
object network Test
host 10.15.2.83
description test
object network VPN
subnet 10.245.245.0 255.255.255.0
description VPN range
object network NETWORK_OBJ_192.168.93.0_24
subnet 192.168.93.0 255.255.255.0
object network City_Bellevue
subnet 10.211.41.0 255.255.255.0
description City House Bellevue BOH
object network RDSHostA01
host 10.16.1.3
object network RDSHostA02
host 10.16.1.6
object network RDSHostA03
host 10.16.1.7
object network RDSNAS
host 10.16.1.55
object network ICTRDS01
host 10.16.1.1
object network RDS-Storage01
host 10.16.1.100
object network VPN_RDS
subnet 10.45.46.0 255.255.255.192
description RDS VPN
object network City_KOP
subnet 10.211.67.0 255.255.255.0
description City House KOP
object network City_Redmond
subnet 10.211.51.0 255.255.255.0
description City House Redmond
object network Interfaces
subnet 10.18.1.0 255.255.255.0
description Interfaces VLAN
object network Interface_Public_IP
host 12.12.12.67
description Interface Public IP
object network IT_Printer
host 10.15.33.75
object network City_Napa
subnet 10.38.122.0 255.255.255.0
description City Napa
object network City_Burlington
subnet 10.1.10.0 255.255.255.0
description City Burlington
object-group network LW_Domain_Controllers
description LW corp domain controllers
network-object object ICTDC01
network-object object ICTDC03
network-object object ICTDC06
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp destination eq netbios-ns
service-object tcp destination eq netbios-ssn
object-group service SMB tcp
description SMB 445
port-object eq 445
object-group service RDP tcp-udp
description RDP
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
group-object SMB
port-object eq cifs
port-object eq ftp
port-object eq ssh
port-object eq www
port-object eq https
group-object RDP
object-group network IT_computers
description IT dept PCs
network-object object John_PC
network-object object Lukes_MacBook
network-object object Dell_5070_1
network-object object Test_(delete)
network-object object Test_2_Wyse
network-object object Matt_Mac
network-object object Test
network-object object IT_Printer
network-object object Wyse3040test
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp destination eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network SNMP_Collectors
description SNMP Collectors
network-object object Cacti
network-object object Obersvium
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp destination eq snmp
object-group service DM_INLINE_TCP_2 tcp
group-object RDP
group-object SMB
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_3 tcp
group-object RDP
group-object SMB
object-group network RDS_Servers
description RDS Servers
network-object object RDSHostA01
network-object object RDSHostA02
network-object object RDSHostA03
network-object object RDSNAS
network-object object ICTRDS01
network-object object RDS-Storage01
object-group network DM_INLINE_NETWORK_1
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_2
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_3
network-object object Inside_10.16.1.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_4
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.16.1.0 255.255.255.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_6
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group IT_computers object-group DM_INLINE_NETWORK_3
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group LW_Domain_Controllers any
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group SNMP_Collectors any
access-list To_5516_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group RDS_Servers object-group DM_INLINE_TCP_3
access-list To_5516_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_2 object-group RDS_Servers eq domain
access-list To_5516_access_in extended deny tcp any any object-group DM_INLINE_TCP_1
access-list To_5516_access_in extended deny object-group DM_INLINE_PROTOCOL_5 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 10.16.1.0 255.255.255.0 object Austin_City
access-list outside_cryptomap_2 extended permit ip 10.16.1.0 255.255.255.0 object Austin_City_Failover
access-list outside_cryptomap_7 extended permit ip 10.16.1.0 255.255.255.0 object City_Redmond
access-list outside_cryptomap_9 extended permit ip object-group DM_INLINE_NETWORK_6 object City_Bellevue
access-list outside_cryptomap_4 extended permit ip 10.16.1.0 255.255.255.0 object City_Manhattan
access-list outside_cryptomap_5 extended permit ip 10.16.1.0 255.255.255.0 object City_KOP
access-list outside_cryptomap_6 extended permit ip 10.16.1.0 255.255.255.0 object City_Redmond
access-list Interfaces_access_in extended permit ip any any
access-list outside_cryptomap_3 extended permit ip 10.16.1.0 255.255.255.0 object City_Napa
access-list outside_cryptomap_8 extended permit ip 10.16.1.0 255.255.255.0 object City_Burlington
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu To_5516 1500
mtu inside 1500
mtu Interfaces 1500
failover
failover lan unit primary
failover lan interface Failover_LAN GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover key *****
failover link Failover_State Management0/0
failover interface ip Failover_LAN 192.168.43.1 255.255.255.252 standby 192.168.43.2
failover interface ip Failover_State 192.168.42.1 255.255.255.252 standby 192.168.42.2
no monitor-interface inside
no monitor-interface Interfaces
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static Austin_City Austin_City no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Manhattan City_Manhattan no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static NETWORK_OBJ_192.168.93.0_24 NETWORK_OBJ_192.168.93.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static Austin_City_Failover Austin_City_Failover no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_KOP City_KOP no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Redmond City_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Napa City_Napa no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Redmond City_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Burlington City_Burlington no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup
!
object network inside
nat (inside,outside) dynamic interface
object network Interfaces
nat (Interfaces,outside) dynamic Interface_Public_IP
access-group outside_access_in in interface outside
access-group To_5516_access_in in interface To_5516
access-group inside_access_in in interface inside
access-group Interfaces_access_in in interface Interfaces
route outside 0.0.0.0 0.0.0.0 12.12.12.94 1
route To_5516 10.15.2.0 255.255.255.0 192.168.95.2 1
route To_5516 10.15.33.0 255.255.255.0 192.168.95.2 1
route To_5516 10.45.46.0 255.255.255.192 192.168.95.2 1
route To_5516 10.245.245.0 255.255.255.0 192.168.95.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 7.8.141.130
crypto map outside_map 1 set ikev1 transform-set AES-256
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 7.8.141.133
crypto map outside_map 2 set ikev2 ipsec-proposal AES-256
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 3 match address outside_cryptomap_7
crypto map outside_map 3 set peer 5.2.71.222
crypto map outside_map 3 set ikev1 transform-set AES-256 ESP-AES-256-SHA-TRANS ESP-AES-256-SHA
crypto map outside_map 4 match address outside_cryptomap_9
crypto map outside_map 4 set peer 5.2.31.194
crypto map outside_map 4 set ikev1 transform-set AES-256
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 2.7.238.227
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 5.2.231.222
crypto map outside_map 6 set ikev1 transform-set AES-256 ESP-AES-256-SHA
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set peer 5.2.24.34
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map outside_map 8 match address outside_cryptomap_3
crypto map outside_map 8 set peer 5.2.232.163
crypto map outside_map 8 set ikev1 transform-set AES-256
crypto map outside_map 9 match address outside_cryptomap_8
crypto map outside_map 9 set peer 5.2.174.67
crypto map outside_map 9 set ikev1 transform-set AES-256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1

group-policy GroupPolicy_2.7.238.227 internal
group-policy GroupPolicy_2.7.238.227 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.174.67 internal
group-policy GroupPolicy_5.2.174.67 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.24.34 internal
group-policy GroupPolicy_5.2.24.34 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.31.194 internal
group-policy GroupPolicy_5.2.31.194 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_7.8.141.133 internal
group-policy GroupPolicy_7.8.141.133 attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_5.2.232.163 internal
group-policy GroupPolicy_5.2.232.163 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.231.222 internal
group-policy GroupPolicy_5.2.231.222 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.71.222 internal
group-policy GroupPolicy_5.2.71.222 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_2.8.141.130 internal
group-policy GroupPolicy_2.8.141.130 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username lodgeworks password ***** encrypted privilege 15
tunnel-group 2.8.141.130 type ipsec-l2l
tunnel-group 2.8.141.130 general-attributes
default-group-policy GroupPolicy_172.87.141.130
tunnel-group 2.8.141.130 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 2.8.141.133 type ipsec-l2l
tunnel-group 2.8.141.133 general-attributes
default-group-policy GroupPolicy_2.8.141.133
tunnel-group 2.8.141.133 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.71.222 type ipsec-l2l
tunnel-group 5.2.71.222 general-attributes
default-group-policy GroupPolicy_5.2.71.222
tunnel-group 5.2.71.222 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 5.5.31.194 type ipsec-l2l
tunnel-group 5.5.31.194 general-attributes
default-group-policy GroupPolicy_5.2.31.194
tunnel-group 5.5.31.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.71.238.227 type ipsec-l2l
tunnel-group 2.71.238.227 general-attributes
default-group-policy GroupPolicy_2.71.238.227
tunnel-group 2.71.238.227 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.231.222 type ipsec-l2l
tunnel-group 5.2.231.222 general-attributes
default-group-policy GroupPolicy_5.2.231.222
tunnel-group 5.2.231.222 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.24.34 type ipsec-l2l
tunnel-group 5.4.24.34 general-attributes
default-group-policy GroupPolicy_5.2.24.34
tunnel-group 5.2.24.34 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.232.163 type ipsec-l2l
tunnel-group 5.2.232.163 general-attributes
default-group-policy GroupPolicy_5.2.232.163
tunnel-group 5.2.232.163 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.3.174.67 type ipsec-l2l
tunnel-group 5.3.174.67 general-attributes
default-group-policy GroupPolicy_5.3.174.67
tunnel-group 5.2.174.67 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

VIP Mentor

Re: second vpn subnet between asa 5515 and meraki mx64

Hello,

 

you didn't implement what I suggested, but instead you added a new network object group with non-existing network objects:

 

object-group network DM_INLINE_NETWORK_6
network-object 10.16.1.0 255.255.255.0 --> doesn't exist
network-object 10.18.1.0 255.255.255.0 --> doesn't exist

 

Make sure your configuration has the below, and the exact syntax. You need to add a network object for the 10.18.1.0/24 network.

 

 

object network NETWORK_OBJ_10.16.1.0_24
subnet 10.16.1.0 255.255.255.0

!

object network NETWORK_OBJ_10.18.1.0_24
subnet 10.18.1.0 255.255.255.0

!

object-group network DM_INLINE_NETWORK_6
network-object object NETWORK_OBJ_10.16.1.0_24
network-object object NETWORK_OBJ_10.18.1.0_24

 

Your configuration is really messy because you have the same subnet (10.16.1.0/24) in multiple network objects, I would just leave:

 

object network NETWORK_OBJ_10.16.1.0_24
subnet 10.16.1.0 255.255.255.0

 

in and take everything else out that refers to that subnet.

 

After making the changes, post the configuration again, so we can double-check...

 

 

 

VIP Mentor

Re: second vpn subnet between asa 5515 and meraki mx64

I have marked (in bold) the parts that you need to have in your configuration to make the VPN work to both locations, make sure they are configured in the exact same syntax:

 

interface GigabitEthernet0/0
description WAN
nameif outside
security-level 0
ip address 12.12.12.65 255.255.255.224 standby 12.12.12.66
!
interface GigabitEthernet0/1
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description Part of Port-Channel16
channel-group 16 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description Connection between ASA's
nameif To_5516
security-level 10
ip address 192.168.95.1 255.255.255.248 standby 192.168.95.3
!
interface Management0/0
description STATE Failover Interface
management-only
!
interface Port-channel16
lacp max-bundle 8
no nameif
no security-level
no ip address
!
interface Port-channel16.16
description Inside
vlan 16
nameif inside
security-level 100
ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
!
interface Port-channel16.18
description Interfaces Vlan
vlan 18
nameif Interfaces
security-level 80
ip address 10.18.1.251 255.255.255.0
!
boot system disk0:/asa9-12-1-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup To_5516
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.15.2.1
name-server 10.15.2.3
name-server 10.15.2.6
domain-name lodgeworks.corp
object network 10.15.2.0_24
subnet 10.15.2.0 255.255.255.0
description Corp Vlan2
object network Inside_10.16.1.0
subnet 10.16.1.0 255.255.255.0
description inside network
object network inside
subnet 10.16.1.0 255.255.255.0
description Inside network 10.16.1.0
object network ICTDC01
host 10.15.2.1
description ICTDC01
object network ICTDC03
host 10.15.2.3
description ICTDC03
object network ICTDC06
host 10.15.2.6
description ICTDC06
object network John_PC
host 10.15.2.50
description John's Computer
object network Matt_Mac
host 10.15.2.93
description Matt's Mac Laptop
object network Lukes_MacBook
host 10.15.2.80
description Luke's Mac Book Pro
object network NETWORK_OBJ_10.30.97.0_24
subnet 10.30.97.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_24
subnet 10.16.1.0 255.255.255.0
object network NETWORK_OBJ_10.18.1.0_24
subnet 10.18.1.0 255.255.255.0
object network Austin_City
subnet 10.30.97.0 255.255.255.0
description Austin City Admin LAN
object network NETWORK_OBJ_10.10.1.0_24
subnet 10.10.1.0 255.255.255.0
object network Test_(delete)
host 10.15.2.95
description Dell Wyse Test
object network Test_2_Wyse
host 10.15.2.131
description Wyse ThinOS
object network Dell_5070_1
host 10.15.2.130
description 8Y6Q0T2
object network Wyse3040test
host 10.15.2.109
object network City_Redmond
subnet 10.47.122.0 255.255.255.0
description City Redmond
object network Austin_City_Failover
subnet 192.168.93.0 255.255.255.0
description Fail Over network in Austin City
object network City_Manhattan
subnet 10.17.1.0 255.255.255.0
description City Manhattan BOH
object network Cacti
host 10.15.2.73
description Cacti_VM
object network Obersvium
host 10.15.2.22
description Observium VM
object network Test
host 10.15.2.83
description test
object network VPN
subnet 10.245.245.0 255.255.255.0
description VPN range
object network NETWORK_OBJ_192.168.93.0_24
subnet 192.168.93.0 255.255.255.0
object network City_Bellevue
subnet 10.211.41.0 255.255.255.0
description City House Bellevue BOH
object network RDSHostA01
host 10.16.1.3
object network RDSHostA02
host 10.16.1.6
object network RDSHostA03
host 10.16.1.7
object network RDSNAS
host 10.16.1.55
object network ICTRDS01
host 10.16.1.1
object network RDS-Storage01
host 10.16.1.100
object network VPN_RDS
subnet 10.45.46.0 255.255.255.192
description RDS VPN
object network City_KOP
subnet 10.211.67.0 255.255.255.0
description City House KOP
object network City_Redmond
subnet 10.211.51.0 255.255.255.0
description City House Redmond
object network Interfaces
subnet 10.18.1.0 255.255.255.0
description Interfaces VLAN
object network Interface_Public_IP
host 12.12.12.67
description Interface Public IP
object network IT_Printer
host 10.15.33.75
object network City_Napa
subnet 10.38.122.0 255.255.255.0
description City Napa
object network City_Burlington
subnet 10.1.10.0 255.255.255.0
description City Burlington
object-group network LW_Domain_Controllers
description LW corp domain controllers
network-object object ICTDC01
network-object object ICTDC03
network-object object ICTDC06
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp destination eq netbios-ns
service-object tcp destination eq netbios-ssn
object-group service SMB tcp
description SMB 445
port-object eq 445
object-group service RDP tcp-udp
description RDP
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
group-object SMB
port-object eq cifs
port-object eq ftp
port-object eq ssh
port-object eq www
port-object eq https
group-object RDP
object-group network IT_computers
description IT dept PCs
network-object object John_PC
network-object object Lukes_MacBook
network-object object Dell_5070_1
network-object object Test_(delete)
network-object object Test_2_Wyse
network-object object Matt_Mac
network-object object Test
network-object object IT_Printer
network-object object Wyse3040test
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp destination eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network SNMP_Collectors
description SNMP Collectors
network-object object Cacti
network-object object Obersvium
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp destination eq snmp
object-group service DM_INLINE_TCP_2 tcp
group-object RDP
group-object SMB
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_3 tcp
group-object RDP
group-object SMB
object-group network RDS_Servers
description RDS Servers
network-object object RDSHostA01
network-object object RDSHostA02
network-object object RDSHostA03
network-object object RDSNAS
network-object object ICTRDS01
network-object object RDS-Storage01
object-group network DM_INLINE_NETWORK_1
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_2
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_3
network-object object Inside_10.16.1.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_4
network-object 10.16.1.0 255.255.255.0
network-object 10.18.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.16.1.0 255.255.255.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_6
network-object NETWORK_OBJ_10.16.1.0_24
network-object NETWORK_OBJ_10.18.1.0_24
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group IT_computers object-group DM_INLINE_NETWORK_3
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group LW_Domain_Controllers any
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group SNMP_Collectors any
access-list To_5516_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group RDS_Servers object-group DM_INLINE_TCP_3
access-list To_5516_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_2 object-group RDS_Servers eq domain
access-list To_5516_access_in extended deny tcp any any object-group DM_INLINE_TCP_1
access-list To_5516_access_in extended deny object-group DM_INLINE_PROTOCOL_5 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 10.16.1.0 255.255.255.0 object Austin_City
access-list outside_cryptomap_2 extended permit ip 10.16.1.0 255.255.255.0 object Austin_City_Failover
access-list outside_cryptomap_7 extended permit ip 10.16.1.0 255.255.255.0 object City_Redmond
access-list outside_cryptomap_9 extended permit ip object-group DM_INLINE_NETWORK_6 object City_Bellevue
access-list outside_cryptomap_4 extended permit ip 10.16.1.0 255.255.255.0 object City_Manhattan
access-list outside_cryptomap_5 extended permit ip 10.16.1.0 255.255.255.0 object City_KOP
access-list outside_cryptomap_6 extended permit ip 10.16.1.0 255.255.255.0 object City_Redmond
access-list Interfaces_access_in extended permit ip any any
access-list outside_cryptomap_3 extended permit ip 10.16.1.0 255.255.255.0 object City_Napa
access-list outside_cryptomap_8 extended permit ip 10.16.1.0 255.255.255.0 object City_Burlington
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu To_5516 1500
mtu inside 1500
mtu Interfaces 1500
failover
failover lan unit primary
failover lan interface Failover_LAN GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover key *****
failover link Failover_State Management0/0
failover interface ip Failover_LAN 192.168.43.1 255.255.255.252 standby 192.168.43.2
failover interface ip Failover_State 192.168.42.1 255.255.255.252 standby 192.168.42.2
no monitor-interface inside
no monitor-interface Interfaces
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static Austin_City Austin_City no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Manhattan City_Manhattan no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static NETWORK_OBJ_192.168.93.0_24 NETWORK_OBJ_192.168.93.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static Austin_City_Failover Austin_City_Failover no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_KOP City_KOP no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Redmond City_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Napa City_Napa no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Redmond City_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Burlington City_Burlington no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup
!
object network inside
nat (inside,outside) dynamic interface
object network Interfaces
nat (Interfaces,outside) dynamic Interface_Public_IP
access-group outside_access_in in interface outside
access-group To_5516_access_in in interface To_5516
access-group inside_access_in in interface inside
access-group Interfaces_access_in in interface Interfaces
route outside 0.0.0.0 0.0.0.0 12.12.12.94 1
route To_5516 10.15.2.0 255.255.255.0 192.168.95.2 1
route To_5516 10.15.33.0 255.255.255.0 192.168.95.2 1
route To_5516 10.45.46.0 255.255.255.192 192.168.95.2 1
route To_5516 10.245.245.0 255.255.255.0 192.168.95.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 7.8.141.130
crypto map outside_map 1 set ikev1 transform-set AES-256
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 7.8.141.133
crypto map outside_map 2 set ikev2 ipsec-proposal AES-256
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 3 match address outside_cryptomap_7
crypto map outside_map 3 set peer 5.2.71.222
crypto map outside_map 3 set ikev1 transform-set AES-256 ESP-AES-256-SHA-TRANS ESP-AES-256-SHA
crypto map outside_map 4 match address outside_cryptomap_9
crypto map outside_map 4 set peer 5.2.31.194
crypto map outside_map 4 set ikev1 transform-set AES-256
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 2.7.238.227
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 5.2.231.222
crypto map outside_map 6 set ikev1 transform-set AES-256 ESP-AES-256-SHA
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set peer 5.2.24.34
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map outside_map 8 match address outside_cryptomap_3
crypto map outside_map 8 set peer 5.2.232.163
crypto map outside_map 8 set ikev1 transform-set AES-256
crypto map outside_map 9 match address outside_cryptomap_9
crypto map outside_map 9 set peer 5.2.174.67
crypto map outside_map 9 set ikev1 transform-set AES-256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1

group-policy GroupPolicy_2.7.238.227 internal
group-policy GroupPolicy_2.7.238.227 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.174.67 internal
group-policy GroupPolicy_5.2.174.67 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.24.34 internal
group-policy GroupPolicy_5.2.24.34 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.31.194 internal
group-policy GroupPolicy_5.2.31.194 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_7.8.141.133 internal
group-policy GroupPolicy_7.8.141.133 attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_5.2.232.163 internal
group-policy GroupPolicy_5.2.232.163 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.231.222 internal
group-policy GroupPolicy_5.2.231.222 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.71.222 internal
group-policy GroupPolicy_5.2.71.222 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_2.8.141.130 internal
group-policy GroupPolicy_2.8.141.130 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username lodgeworks password ***** encrypted privilege 15
tunnel-group 2.8.141.130 type ipsec-l2l
tunnel-group 2.8.141.130 general-attributes
default-group-policy GroupPolicy_172.87.141.130
tunnel-group 2.8.141.130 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 2.8.141.133 type ipsec-l2l
tunnel-group 2.8.141.133 general-attributes
default-group-policy GroupPolicy_2.8.141.133
tunnel-group 2.8.141.133 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.71.222 type ipsec-l2l
tunnel-group 5.2.71.222 general-attributes
default-group-policy GroupPolicy_5.2.71.222
tunnel-group 5.2.71.222 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 5.5.31.194 type ipsec-l2l
tunnel-group 5.5.31.194 general-attributes
default-group-policy GroupPolicy_5.2.31.194
tunnel-group 5.5.31.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 2.71.238.227 type ipsec-l2l
tunnel-group 2.71.238.227 general-attributes
default-group-policy GroupPolicy_2.71.238.227
tunnel-group 2.71.238.227 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.231.222 type ipsec-l2l
tunnel-group 5.2.231.222 general-attributes
default-group-policy GroupPolicy_5.2.231.222
tunnel-group 5.2.231.222 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.24.34 type ipsec-l2l
tunnel-group 5.4.24.34 general-attributes
default-group-policy GroupPolicy_5.2.24.34
tunnel-group 5.2.24.34 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.232.163 type ipsec-l2l
tunnel-group 5.2.232.163 general-attributes
default-group-policy GroupPolicy_5.2.232.163
tunnel-group 5.2.232.163 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.3.174.67 type ipsec-l2l
tunnel-group 5.3.174.67 general-attributes
default-group-policy GroupPolicy_5.3.174.67
tunnel-group 5.2.174.67 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
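
The check below is an added example, not part of the original post and not Cisco tooling: it parses a constructed excerpt adapted from the config above and reports crypto-ACL source subnets that have no identity (exemption) twice-NAT rule on the interface they are actually connected to. The function names, the `FIXED` variant with its extra `nat (Interfaces,outside)` line, and the restriction to directly connected subnets are assumptions of this example.

```python
import ipaddress
import re
# Constructed excerpt adapted from the config posted above: one tunnel, two subnets.
SAMPLE = """\
interface Port-channel16.16
nameif inside
ip address 10.16.1.251 255.255.255.0 standby 10.16.1.252
interface Port-channel16.18
nameif Interfaces
ip address 10.18.1.251 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_24
subnet 10.16.1.0 255.255.255.0
object network NETWORK_OBJ_10.18.1.0_24
subnet 10.18.1.0 255.255.255.0
object network City_Bellevue
subnet 10.211.41.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object object NETWORK_OBJ_10.16.1.0_24
network-object object NETWORK_OBJ_10.18.1.0_24
access-list outside_cryptomap_9 extended permit ip object-group DM_INLINE_NETWORK_6 object City_Bellevue
nat (inside,outside) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup
crypto map outside_map 4 match address outside_cryptomap_9
"""
# Assumed fix (not from the thread): an exemption on the subnet's real ingress interface.
FIXED = SAMPLE + ("nat (Interfaces,outside) source static NETWORK_OBJ_10.18.1.0_24 "
                  "NETWORK_OBJ_10.18.1.0_24 destination static City_Bellevue "
                  "City_Bellevue no-proxy-arp route-lookup\n")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")

def parse(config):
    """Collect interfaces, objects, groups, ACLs, identity NAT rules and crypto ACLs."""
    cfg = {"ifaces": {}, "objects": {}, "groups": {}, "acls": {}, "nats": [],
           "crypto_acls": set()}
    kind = name = None  # config section the current line belongs to
    for line in filter(str.strip, config.splitlines()):
        t = line.split()
        m = NAT_RE.match(line.strip())
        if t[0] == "interface":
            kind, name = "iface", None
        elif t[:2] == ["object", "network"]:
            kind, name = "obj", t[2]
        elif t[:2] == ["object-group", "network"]:
            kind, name = "grp", t[2]
            cfg["groups"][name] = []
        elif kind == "iface" and t[0] == "nameif":
            name = t[1]
        elif kind == "iface" and name and t[:2] == ["ip", "address"]:
            cfg["ifaces"][name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif kind == "obj" and t[0] in ("subnet", "host"):
            cfg["objects"][name] = ipaddress.ip_network("/".join(t[1:3]))
        elif kind == "grp" and t[0] == "network-object":
            cfg["groups"][name].append(t[1:])
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            cfg["acls"].setdefault(t[1], []).append(t[4:])
        elif m and m[3] == m[4] and m[5] == m[6]:  # real == mapped: NAT exemption
            cfg["nats"].append((m[1], m[2], m[3], m[5]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto_acls"].add(t[6])
    return cfg

def expand(name, cfg):
    """Resolve an object or object-group name to a list of networks."""
    if name in cfg["objects"]:
        return [cfg["objects"][name]]
    nets = []
    for member in cfg["groups"].get(name, []):
        if member[0] == "object":
            nets += expand(member[1], cfg)
        else:  # inline "A.B.C.D MASK" or "host A.B.C.D"
            nets.append(ipaddress.ip_network("/".join(x for x in member if x != "host")))
    return nets

def take_addr(t, i, cfg):
    """Read one ACL address spec at t[i]; return (networks, next index)."""
    if t[i] in ("object", "object-group"):
        return expand(t[i + 1], cfg), i + 2
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network("/".join(x for x in t[i:i + 2] if x != "host"))], i + 2

def audit(config, egress="outside"):
    """Return (acl, ingress_if, src, dst) for crypto-ACL flows with no NAT exemption."""
    cfg, gaps = parse(config), []
    for acl in sorted(cfg["crypto_acls"]):
        for t in cfg["acls"].get(acl, []):
            start = 2 if t[0] in ("object", "object-group") else 1  # skip protocol spec
            srcs, nxt = take_addr(t, start, cfg)
            dsts, _ = take_addr(t, nxt, cfg)
            for s, d in ((s, d) for s in srcs for d in dsts):
                ingress = next((n for n, net in cfg["ifaces"].items() if s.subnet_of(net)), None)
                exempt = any(
                    i == ingress and o == egress
                    and any(s.subnet_of(x) for x in expand(rs, cfg))
                    and any(d.subnet_of(x) for x in expand(rd, cfg))
                    for i, o, rs, rd in cfg["nats"])
                if ingress and not exempt:
                    gaps.append((acl, ingress, str(s), str(d)))
    return gaps
```

`audit(SAMPLE)` flags 10.18.1.0/24, which sits behind `Interfaces` while the only exemption rule is written for `(inside,outside)`; `audit(FIXED)` returns no gaps.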

Participant

Re: second vpn subnet between asa 5515 and meraki mx64

So I made the changes and I still had to manually add the VPN in ASDM as it didn't show up. The 10.16.1.0/24 network still goes through but not the 10.18.1.0/24.

Here is my current config:


object network 10.15.2.0_24
subnet 10.15.2.0 255.255.255.0
description Corp Vlan2
object network Inside_10.16.1.0
subnet 10.16.1.0 255.255.255.0
description inside network
object network inside
subnet 10.16.1.0 255.255.255.0
description Inside network 10.16.1.0
object network ICTDC01
host 10.15.2.1
description ICTDC01
object network ICTDC03
host 10.15.2.3
description ICTDC03
object network ICTDC06
host 10.15.2.6
description ICTDC06
object network John_PC
host 10.15.2.50
description John's Computer
object network Matt_Mac
host 10.15.2.93
description Matt's Mac Laptop
object network Lukes_MacBook
host 10.15.2.80
description Luke's Mac Book Pro
object network NETWORK_OBJ_10.30.97.0_24
subnet 10.30.97.0 255.255.255.0
object network NETWORK_OBJ_10.16.1.0_24
subnet 10.16.1.0 255.255.255.0
object network Austin_city1
subnet 10.30.97.0 255.255.255.0
description Austin city1 Admin LAN
object network NETWORK_OBJ_10.10.1.0_24
subnet 10.10.1.0 255.255.255.0
object network Test_(delete)
host 10.15.2.95
description Dell Wyse Test
object network Test_2_Wyse
host 10.15.2.131
description Wyse ThinOS
object network Dell_5070_1
host 10.15.2.130
description 8Y6Q0T2
object network Wyse3040test
host 10.15.2.84
object network city1_Redmond
subnet 10.47.122.0 255.255.255.0
description city1 Redmond
object network Austin_city1_Failover
subnet 192.168.93.0 255.255.255.0
description Fail Over network in Austin city1
object network city1_Manhattan
subnet 10.17.1.0 255.255.255.0
description city1 Manhattan BOH
object network Cacti
host 10.15.2.73
description Cacti_VM
object network Obersvium
host 10.15.2.22
description Observium VM
object network Test
host 10.15.2.83
description test
object network VPN
subnet 10.245.245.0 255.255.255.0
description VPN range
object network NETWORK_OBJ_192.168.93.0_24
subnet 192.168.93.0 255.255.255.0
object network City_Bellevue
subnet 10.211.41.0 255.255.255.0
description City House Bellevue BOH
object network RDSHostA01
host 10.16.1.3
object network RDSHostA02
host 10.16.1.6
object network RDSHostA03
host 10.16.1.7
object network RDSNAS
host 10.16.1.55
object network ICTRDS01
host 10.16.1.1
object network RDS-Storage01
host 10.16.1.100
object network VPN_RDS
subnet 10.45.46.0 255.255.255.192
description RDS VPN
object network City_KOP
subnet 10.211.67.0 255.255.255.0
description City House KOP
object network City_Redmond
subnet 10.211.51.0 255.255.255.0
description City House Redmond
object network Interfaces
subnet 10.18.1.0 255.255.255.0
description Interfaces VLAN
object network Interface_Public_IP
host 12.12.2.67
description Interface Public IP
object network IT_Printer
host 10.15.33.75
object network city1_Napa
subnet 10.38.122.0 255.255.255.0
description city1 Napa
object network city1_Burlington
subnet 10.1.10.0 255.255.255.0
description city1 Burlington
object network NETWORK_OBJ_10.18.1.0_24
subnet 10.18.1.0 255.255.255.0
object-group network LW_Domain_Controllers
description LW corp domain controllers
network-object object ICTDC01
network-object object ICTDC03
network-object object ICTDC06
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp destination eq netbios-ns
service-object tcp destination eq netbios-ssn
object-group service SMB tcp
description SMB 445
port-object eq 445
object-group service RDP tcp-udp
description RDP
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
group-object SMB
port-object eq cifs
port-object eq ftp
port-object eq ssh
port-object eq www
port-object eq https
group-object RDP
object-group network IT_computers
description IT dept PCs
network-object object John_PC
network-object object Lukes_MacBook
network-object object Dell_5070_1
network-object object Test_(delete)
network-object object Test_2_Wyse
network-object object Matt_Mac
network-object object Test
network-object object IT_Printer
network-object object Wyse3040test
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp destination eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object tcp-udp destination eq domain
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network SNMP_Collectors
description SNMP Collectors
network-object object Cacti
network-object object Obersvium
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp destination eq snmp
object-group service DM_INLINE_TCP_2 tcp
group-object RDP
group-object SMB
object-group protocol DM_INLINE_PROTOCOL_8
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_TCP_3 tcp
group-object RDP
group-object SMB
object-group network RDS_Servers
description RDS Servers
network-object object RDSHostA01
network-object object RDSHostA02
network-object object RDSHostA03
network-object object RDSNAS
network-object object ICTRDS01
network-object object RDS-Storage01
object-group network DM_INLINE_NETWORK_1
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_2
network-object object VPN
network-object object VPN_RDS
object-group network DM_INLINE_NETWORK_3
network-object object Inside_10.16.1.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_4
network-object 10.16.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 10.16.1.0 255.255.255.0
network-object object Interfaces
object-group network DM_INLINE_NETWORK_7
network-object object NETWORK_OBJ_10.16.1.0_24
network-object object NETWORK_OBJ_10.18.1.0_24
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group IT_computers object-group DM_INLINE_NETWORK_3
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group LW_Domain_Controllers any
access-list To_5516_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group SNMP_Collectors any
access-list To_5516_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group RDS_Servers object-group DM_INLINE_TCP_3
access-list To_5516_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_2 object-group RDS_Servers eq domain
access-list To_5516_access_in extended deny tcp any any object-group DM_INLINE_TCP_1
access-list To_5516_access_in extended deny object-group DM_INLINE_PROTOCOL_5 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_cryptomap extended permit object-group DM_INLINE_SERVICE_1 10.16.1.0 255.255.255.0 object Austin_city1
access-list outside_cryptomap_2 extended permit ip 10.16.1.0 255.255.255.0 object Austin_city1_Failover
access-list outside_cryptomap_7 extended permit ip 10.16.1.0 255.255.255.0 object city1_Redmond
access-list outside_cryptomap_4 extended permit ip 10.16.1.0 255.255.255.0 object city1_Manhattan
access-list outside_cryptomap_5 extended permit ip 10.16.1.0 255.255.255.0 object City_KOP
access-list outside_cryptomap_6 extended permit ip 10.16.1.0 255.255.255.0 object City_Redmond
access-list Interfaces_access_in extended permit ip any any
access-list outside_cryptomap_3 extended permit ip 10.16.1.0 255.255.255.0 object city1_Napa
access-list outside_cryptomap_8 extended permit ip 10.16.1.0 255.255.255.0 object city1_Burlington
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_7 object City_Bellevue
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu To_5516 1500
mtu inside 1500
mtu Interfaces 1500
failover
failover lan unit primary
failover lan interface Failover_LAN GigabitEthernet0/3
failover polltime unit 1 holdtime 3
failover key *****
failover link Failover_State Management0/0
failover interface ip Failover_LAN 192.168.43.1 255.255.255.252 standby 192.168.43.2
failover interface ip Failover_State 192.168.42.1 255.255.255.252 standby 192.168.42.2
no monitor-interface inside
no monitor-interface Interfaces
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7121.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static Austin_city1 Austin_city1 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static city1_Manhattan city1_Manhattan no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static NETWORK_OBJ_192.168.93.0_24 NETWORK_OBJ_192.168.93.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static Austin_city1_Failover Austin_city1_Failover no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_KOP City_KOP no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static City_Redmond City_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static city1_Napa city1_Napa no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.16.1.0_24 NETWORK_OBJ_10.16.1.0_24 destination static city1_Redmond city1_Redmond no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 destination static City_Bellevue City_Bellevue no-proxy-arp route-lookup
!
object network inside
nat (inside,outside) dynamic interface
object network Interfaces
nat (Interfaces,outside) dynamic Interface_Public_IP
access-group outside_access_in in interface outside
access-group To_5516_access_in in interface To_5516
access-group inside_access_in in interface inside
access-group Interfaces_access_in in interface Interfaces
route outside 0.0.0.0 0.0.0.0 12.12.2.94 1
route To_5516 10.15.2.0 255.255.255.0 192.168.95.2 1
route To_5516 10.15.33.0 255.255.255.0 192.168.95.2 1
route To_5516 10.45.46.0 255.255.255.192 192.168.95.2 1
route To_5516 10.245.245.0 255.255.255.0 192.168.95.2 1
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-256 aes-192 aes
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 12.7.11.130
crypto map outside_map 1 set ikev1 transform-set AES-256
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 12.7.11.133
crypto map outside_map 2 set ikev2 ipsec-proposal AES-256
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 3 match address outside_cryptomap_7
crypto map outside_map 3 set peer 5.2.71.222
crypto map outside_map 3 set ikev1 transform-set AES-256 ESP-AES-256-SHA-TRANS ESP-AES-256-SHA
crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set peer 5.2.31.194
crypto map outside_map 4 set ikev1 transform-set AES-256
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 2.7.238.227
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 5.2.231.222
crypto map outside_map 6 set ikev1 transform-set AES-256 ESP-AES-256-SHA
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set peer 5.2.24.34
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA
crypto map outside_map 8 match address outside_cryptomap_3
crypto map outside_map 8 set peer 5.2.232.163
crypto map outside_map 8 set ikev1 transform-set AES-256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256
group 19 14 5
prf sha512 sha384 sha256
lifetime seconds 28800
crypto ikev2 enable outside
crypto ikev1 enable outside

group-policy GroupPolicy_2.7.238.227 internal
group-policy GroupPolicy_2.7.238.227 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.24.34 internal
group-policy GroupPolicy_5.2.24.34 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.31.194 internal
group-policy GroupPolicy_5.2.31.194 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_2.7.141.133 internal
group-policy GroupPolicy_2.7.141.133 attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_5.2.232.163 internal
group-policy GroupPolicy_5.2.232.163 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.231.222 internal
group-policy GroupPolicy_5.2.231.222 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_5.2.71.222 internal
group-policy GroupPolicy_5.2.71.222 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_12.7.141.130 internal
group-policy GroupPolicy_12.8.141.130 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username Company password ***** encrypted privilege 15
tunnel-group 12.7.141.130 type ipsec-l2l
tunnel-group 12.7.141.130 general-attributes
default-group-policy GroupPolicy_12.7.141.130
tunnel-group 12.7.141.130 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 12.7.141.133 type ipsec-l2l
tunnel-group 12.7.141.133 general-attributes
default-group-policy GroupPolicy_12.7.141.133
tunnel-group 12.7.141.133 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.71.222 type ipsec-l2l
tunnel-group 5.2.71.222 general-attributes
default-group-policy GroupPolicy_5.2.71.222
tunnel-group 5.2.71.222 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group City_Bellevue type ipsec-l2l
tunnel-group City_Bellevue general-attributes
default-group-policy GroupPolicy1
tunnel-group City_Bellevue ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 2.1.238.227 type ipsec-l2l
tunnel-group 2.1.238.227 general-attributes
default-group-policy GroupPolicy_2.1.238.227
tunnel-group 2.1.238.227 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.231.222 type ipsec-l2l
tunnel-group 5.2.231.222 general-attributes
default-group-policy GroupPolicy_5.2.231.222
tunnel-group 5.2.231.222 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.24.34 type ipsec-l2l
tunnel-group 5.2.24.34 general-attributes
default-group-policy GroupPolicy_5.2.24.34
tunnel-group 5.2.24.34 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.232.163 type ipsec-l2l
tunnel-group 5.2.232.163 general-attributes
default-group-policy GroupPolicy_5.2.232.163
tunnel-group 5.2.232.163 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 5.2.31.194 type ipsec-l2l
tunnel-group 5.2.31.194 general-attributes
default-group-policy GroupPolicy_5.2.31.194
tunnel-group 5.2.31.194 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

 

I appreciate all your help

VIP Mentor

Re: second vpn subnet between asa 5515 and meraki mx64

From what I can tell, you have now forgotten a digit in the peer address:

 

crypto map outside_map 4 match address outside_cryptomap_1
crypto map outside_map 4 set peer 5.2.31.194 --> this should be 5.23.31.194
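
The cross-check made by eye in this reply (crypto map peer against tunnel-group address) can be scripted, along with the matching check between `default-group-policy` references and defined group-policies. The following is an added example, not part of the original thread or any Cisco tooling; the function name `audit_l2l` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample in ASA syntax (documentation addresses, not the poster's config).
SAMPLE = """\
crypto map outside_map 4 set peer 198.51.100.94
crypto map outside_map 7 set peer 203.0.113.34
group-policy GroupPolicy_203.0.113.34 internal
group-policy GroupPolicy_203.0.113.34 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_198.51.100.194 internal
group-policy GroupPolicy_198.51.101.194 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.34 type ipsec-l2l
tunnel-group 203.0.113.34 general-attributes
 default-group-policy GroupPolicy_203.0.113.34
tunnel-group 198.51.100.194 type ipsec-l2l
tunnel-group 198.51.100.194 general-attributes
 default-group-policy GroupPolicy_198.51.101.194
"""

def audit_l2l(config):
    """Cross-check crypto map peers, L2L tunnel-groups and group-policies."""
    peers, tunnels, internal, attrs, refs = set(), set(), set(), set(), {}
    current = None  # tunnel-group whose general-attributes are being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map \S+ \d+ set peer (.+)", line):
            peers.update(m.group(1).split())  # an entry may list several peers
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tunnels.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = m.group(1)
        elif m := re.match(r"default-group-policy (\S+)", line):
            if current:
                refs[current] = m.group(1)
        elif m := re.match(r"group-policy (\S+) (internal|attributes)", line):
            (internal if m.group(2) == "internal" else attrs).add(m.group(1))
    is_ip = re.compile(r"\d+(\.\d+){3}$").match  # skip named tunnel-groups
    return {
        "peer_without_tunnel_group": sorted(peers - tunnels),
        "tunnel_group_without_peer": sorted(t for t in tunnels - peers if is_ip(t)),
        "undefined_default_policy": sorted(
            (t, p) for t, p in refs.items() if p not in internal),
        "attributes_without_internal": sorted(attrs - internal),
    }

if __name__ == "__main__":
    for check, hits in audit_l2l(SAMPLE).items():
        print(check, hits)
```

On a configuration whose addresses were altered before posting, each finding is a lead to compare against the running config rather than proof of a fault.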

Participant

Re: second vpn subnet between asa 5515 and meraki mx64

I checked it on my config and it's correct; when I copied the config I changed the IPs to hide the real ones.

 

Thanks

 

VIP Mentor

Re: second vpn subnet between asa 5515 and meraki mx64

Hello,

 

The ASA side looks fine then. The problem might as well be with the Meraki; can you post that config as well?
