05-12-2014 06:56 AM
Hello Guys,
I need help with this scenario.
Branch --> HQ --> Site Remote, where:
Branch: Internal = 192.168.50.0/24
HQ: Internal = 192.168.40.0/24
Site Remote = 10.175.26.0/24
Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range as the encryption domain.)
HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Remote Site 10.175.26.0/24 we are NATing our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24.)
Now, we need the Branch to reach the Remote Site over the VPN, Branch to HQ and HQ to Remote Site.
My actions:
Branch Firewall:
- In the VPN Site to Site configuration, I added 10.175.26.0/24 to the Remote Network for the tunnel between Branch and HQ.
- I added the EXEMPT for 10.175.26.0/24 on the inside.
HQ Firewall:
- In the VPN Site to Site configuration, I added 10.175.26.0/24 to the Remote Network for the tunnel between Branch and HQ.
- I created a Dynamic Policy on the outside from source = Branch IP range, to = Remote Site IP range, translated to 172.18.0.10.
I already have it working for another Remote Site, but that one has the IPsec proposal ESP-3DES-MD5 (the same as the Branch). I do not know if that is the problem, but I tried using both proposals together, 3DES-MD5 and AES-256-SHA.
Firewall rules are ok too.
Where is the mistake in that configuration?
Thanks,
Diego
05-12-2014 12:11 PM
hi
post your config
05-13-2014 09:35 AM
05-13-2014 10:33 AM
hi seg
I looked very quickly at the HQ config
and I saw that your peer (vpn_client) doesn't match any crypto map,
and this doesn't allow phase 2.
I have not seen anything else.
Double-check the config on both sides first.
05-13-2014 11:30 AM
My bad. I forgot to change it. The crypto map is number 4
05-13-2014 12:35 PM
Diego, your config is also wrong in the branch config.
You have only a tunnel group with IP 177.7.7.7, but the crypto map is bound to 177.135.122.70 FWL_Matriz.
05-13-2014 01:24 PM
In the HQ log I can see this:
3 | May 13 2014 | 17:23:08 | 713061 | Group = 189.7.7.7, IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside |
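The 713061 message above is the ASA reporting that the proxy identities in the peer's phase 2 proposal (the network each side says it will protect, printed as address/mask/protocol/port) are not both covered by any crypto map ACL line for that peer; here the remote proxy 192.168.90.0/24 is not one of the networks the thread lists for the Branch. As an added example, not taken from this thread or from any poster's configuration, the Python below parses such a message and checks its proxies against a model of the HQ crypto ACL. The ACL contents (sequence 4 for peer 189.7.7.7, covering 192.168.40.0/24 and 10.175.26.0/24 towards 192.168.50.0/24), the peer address, and the sample log line are constructed from the networks named in the thread and are assumptions, not the real configuration.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample, modelled on the %ASA-3-713061 line quoted in the thread.
SAMPLE_LOG = (
    "3 | May 13 2014 | 17:23:08 | 713061 | Group = 189.7.7.7, IP = 189.7.7.7, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 "
    "on interface outside |"
)


class Proxy(NamedTuple):
    """One proxy identity as the ASA prints it: network, IP protocol, port."""
    network: ipaddress.IPv4Network
    protocol: int
    port: int


class CryptoAclEntry(NamedTuple):
    """One 'permit ip <local> <remote>' line of a crypto map ACL, tied to its peer."""
    seq: int
    peer: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# Assumed HQ crypto ACL for the Branch peer (constructed from the networks named in the
# thread): 'local' is what HQ protects on this tunnel, 'remote' is what Branch protects.
HQ_CRYPTO_ACL = [
    CryptoAclEntry(4, "189.7.7.7", ipaddress.ip_network("192.168.40.0/24"),
                   ipaddress.ip_network("192.168.50.0/24")),
    CryptoAclEntry(4, "189.7.7.7", ipaddress.ip_network("10.175.26.0/24"),
                   ipaddress.ip_network("192.168.50.0/24")),
]

LOG_713061 = re.compile(
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), Rejecting IPSec tunnel: "
    r"no matching crypto map entry for remote proxy (?P<rp>\S+) "
    r"local proxy (?P<lp>\S+) on interface (?P<iface>\w+)"
)


def parse_proxy(text: str) -> Proxy:
    """Turn 'addr/mask/proto/port' into a Proxy (dotted mask, as the ASA logs it)."""
    addr, mask, proto, port = text.split("/")
    return Proxy(ipaddress.ip_network(f"{addr}/{mask}", strict=False), int(proto), int(port))


def parse_713061(line: str) -> Optional[dict]:
    """Extract peer, interface and both proxies from a 713061 message; None for other lines."""
    m = LOG_713061.search(line)
    if not m:
        return None
    return {
        "peer": m.group("ip").strip(),
        "interface": m.group("iface"),
        "remote_proxy": parse_proxy(m.group("rp")),
        "local_proxy": parse_proxy(m.group("lp")),
    }


def find_matching_entry(acl, peer, local_proxy, remote_proxy) -> Optional[CryptoAclEntry]:
    """Simplified model of the ASA check: one entry for this peer must cover both proxies."""
    for entry in acl:
        if (entry.peer == peer
                and local_proxy.network.subnet_of(entry.local)
                and remote_proxy.network.subnet_of(entry.remote)):
            return entry
    return None


def explain_rejection(acl, event) -> str:
    """Name the side of the proxy pair that no crypto ACL line for this peer covers."""
    peer_entries = [e for e in acl if e.peer == event["peer"]]
    if not peer_entries:
        return f"no crypto map entry points at peer {event['peer']}"
    lp, rp = event["local_proxy"].network, event["remote_proxy"].network
    local_ok = {e for e in peer_entries if lp.subnet_of(e.local)}
    remote_ok = {e for e in peer_entries if rp.subnet_of(e.remote)}
    if local_ok & remote_ok:
        return "proxies match; the ASA would not log 713061 against this ACL"
    problems = []
    if not local_ok:
        problems.append(f"local proxy {lp} is not covered by any local (source) network for this peer")
    if not remote_ok:
        problems.append(f"remote proxy {rp} is not covered by any remote (destination) network for this peer")
    if local_ok and remote_ok:
        problems.append("each proxy is covered only by a different ACL line; one line must cover both")
    return "; ".join(problems)


if __name__ == "__main__":
    event = parse_713061(SAMPLE_LOG)
    print(event)
    print(explain_rejection(HQ_CRYPTO_ACL, event))
```

Run against the sample, the checker reports that the local proxy 10.175.26.23/32 is fine (it sits inside 10.175.26.0/24) but the remote proxy 192.168.90.0/24 is covered by no line for peer 189.7.7.7, which is the side to fix: either the Branch is proposing a network that is not in its VPN remote/local network list, or HQ's crypto ACL for that peer lacks it. Note the model only checks proxy coverage per peer; the real ASA also requires the peer address in the crypto map to match, which is the separate point raised about the tunnel group and crypto map peer addresses earlier in the thread.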
05-14-2014 01:28 AM
What do you want me to say?
You have posted a different conf than your debug.
05-14-2014 07:50 AM
Yeah, probably because I changed it before sending...
Well... I recreated the tunnels and now it is working fine....
I think when we changed the outside IP and recreated the tunnels, maybe some dirt was kept in the config... so I removed everything and created it again..
thanks!!!
05-14-2014 08:31 AM
good
put solved in this post