Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
608
Views
0
Helpful
0
Replies

CONFIGURING SITE TO SITE IPSEC VPN BETWEEN TWO REMOTE OFFICES

mmoore1
Level 1
Level 1

‎08-22-2018 05:13 PM - edited ‎02-21-2020 09:26 PM

I'm trying to create a VPN between two remote sites.  The site-to-site VPN between the Datacenter and Corporate office work.  The site-to-site VPN between the Corporate and Remote 1 work.  Now i need to connect the Datacenter and the Remote 1 office through the Corporate office.  These are all CIsco ASA5506's IOS 9.9(2).  I added an nat (outside,outside) source static obj-DatacenterLAN obj-DatacenterLAN destination static Remote1LAN Remote1LAN no-proxy-arp and i have the same-security-traffic permit intra-interface input in the configuration.  I can connect from the datacenter to the Remote 1, but as soon as the connects, it drops the connection between the Corporate and Remote 1 LANs.  If i stop pinging from the datacenter, it will start working from the corporate to remote 1, but i can't get both sites online at the same time.  I assume the issue is with the corporate office firewall, so that configuration is below.

ASA Version 9.9(2)
!
hostname Corporate-FW01
domain-name cccc.kds
enable password xxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd nnnnnnnnn encrypted
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.252
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.200.0.1 255.255.0.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7

 shutdown
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network obj-any
 subnet 0.0.0.0 0.0.0.0
object-group network obj-CorpLAN
 network-object 10.200.0.0 255.255.0.0
object-group network obj-DatacenterLAN
 network-object 10.100.0.0 255.255.0.0
object-group network Remote1LAN
 network-object 10.30.0.0 255.255.0.0
object-group network NAT-REMOTE2
 group-object obj-CorpLAN
 group-object Remote1LAN
object-group network NAT-REMOTE1
 group-object obj-DatacenterLAN
 group-object obj-CorpLAN
access-list outside_access_in extended permit ip object-group obj-DatacenterLAN object-group obj-CorpLAN
access-list outside_access_in extended permit ip object-group Remote1LAN object-group obj-CorpLAN
access-list outside_10_cryptomap extended permit ip object-group NAT-REMOTE2 object-group obj-DatacenterLAN
access-list outside_30_cryptomap extended permit ip object-group NAT-REMOTE1 object-group Remote1LAN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,outside) source static obj-DatacenterLAN obj-DatacenterLAN destination static Remote1LAN Remote1LAN no-proxy-arp
nat (inside,outside) source static obj-CorpLAN obj-CorpLAN destination static obj-DatacenterLAN obj-DatacenterLAN
nat (inside,outside) source static obj-CorpLAN obj-CorpLAN destination static Remote1LAN Remote1LAN no-proxy-arp route-lookup
!
object network obj-any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 3.3.3.3
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA ESP-AES-128-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 608000
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 1.1.1.1
crypto map outside_map 30 set ikev1 transform-set ESP-3DES-SHA ESP-AES-128-SHA
crypto map outside_map 30 set security-association lifetime seconds 3600
crypto map outside_map 30 set security-association lifetime kilobytes 608000
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh xxxxxxxxxxxxxxxxxxxxxxxx
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username ME password ccccccccccc encrypted privilege 15
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key
 peer-id-validate nocheck
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
  inspect icmp
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

end

Please help!

cisco topology.PNG

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents