cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
312
Views
0
Helpful
9
Replies

Help with VPN site-to-site under other VPN

Hello Guys,

 

I need a help with this scenario.

 

Branch --> HQ --> Site Remote, where:

Branch: Internal = 192.168.50.0/24

HQ: Internal = 192.168.40.0/24

Site Remote = 10.175.26.0/24

 

Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range for encryption domain)

HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Site remote 10.175.26.0/24 we are NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24)

 

Now, we need that Branch reachs the Remote Site, under the VPN with Branch to HQ and HQ to Remote Site.

My actions:

Branch Firewall:

 - In the VPN Site to Site configuration I added the 10.175.26.0/24 for Tunnel between Branch and HQ in the Remote Network.

 - I added the EXEMPT for 10.175.26.0/24 in the inside.

HQ Firewall:

 - In the VPN Site to Site configuration I added the 10.175.26.0/24 for Tunnel between Branch and HQ in the Remote Network.

 - I created a Dynamic Policy in the outside from source = Branch IP range to = Site Remote IP range translated to 172.18.0.10.

 

I already have it working for another Site Remote, but that another has IPsec proposal ESP-3DES-MD5. (the same of Branch) I do not know if it is the problem, but I tried to use both proposal, together, 3DES-MD5 and AES-256-SHA.

 

Firewall rules are ok too.

 

Where are the mistake in that configuration?

 

Thanks,

 

Diego

1 ACCEPTED SOLUTION

Accepted Solutions

good


put solved in this post

View solution in original post

9 REPLIES 9
marziano77
Beginner

hi

post your config

Hello,

Follow attached!

The network that I need to reach from Branch is "name 10.175.26.0 REDE_Client"

The Tunnel group of the Client is 200.200.200.200

The NAT IP from my network to reach client is 172.19.0.5

hi seg

I looked very quick HQ config

and I saw that your peer(vpn_client) dont match any crypto map.

and this dont allow phase2.

I have not seen anything else
you double-check the config on both sides first.

 

My bad. I forgot to change it. The crypto map is number 4

diego, your config is wrong also in branch config.

you have only an tunnel group whit ip 177.7.7.7 but crypto map is blind to 177.135.122.70 FWL_Matriz.

 

In the HQ log I can see it...

3May 13 201417:23:08713061    Group = 189.7.7.7, IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside

What do you want me to say 
 you have posted a different conf,than your debug

yeah, probably because I changed it before send...

well... I recreated the tunnels and now it is working fine....

I think when we changed the outside IP and recreate the tunnels, maybe some dirty kept in the config... so I removed all and created it again..

 

thanks!!!

good


put solved in this post

View solution in original post

Content for Community-Ad