Hi Jouni

Here is the log files

Some how I am not able to connect from Site B to Site A.  (I have no control on the Site A, the other Network Engineer is the one who control it)  He keeps saying that I config it wrong, he keeps saying One to One Crypto map

I am able to connect with Site B to Site Site C. 

ASA Version 8.2(5)
!
hostname ciscoasa
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXX encrypted
names

name 172.65.2.3  A Server

name 172.65.2.4  B Server
name 172.65.2.5  C Server

name 172.65.5.3  D server

name 171.50.1.1 outside (Site B)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address outside 255.255.255.248
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network Site A
network-object host A Server
network-object host B Server
network-object host C Server
network-object host D Server
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0 (Site C)
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0 (Site C)
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group Site A
access-list outside_2_cryptomap extended permit ip host outside object-group Site A
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 171.50.1.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 171.50.80.1   (Site C)
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 171.65.1.1  (Site A)
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 171.50.80.1 (Site C) type ipsec-l2l
tunnel-group 171.50.80.1 (Site C) ipsec-attributes
pre-shared-key *****
tunnel-group 171.65.1.1  (Site A)

type ipsec-l2l
tunnel-group 171.65.1.1  (Site A)

ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:4343b9249a78e314434309cb54d5e752f42
: end

Thanks

Lionel

Hi,

The information you mention in your original post and the configuration above dont really match

You first mention that Site B is

Site B

Outside IP addresses: 171.50.1.1

Inside IP: 192.168.40.0/24

Yet the configuration above says (to me atleast) that Site C would have the network 192.168.40.0/24

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0 (Site C)

Where are these hosts located? According to the configuration atleast not on the above device

Inside IP: 172.65.2.3   (A server)

Inside IP: 172.65.2.4  (B server)

Inside IP: 172.65.2.5  (C Server)

Inside IP: 172.65.5.3  (D server)

- Jouni

Hi Jouni

Sorry about the confusion.

On Site B

I have change the internal IP  to

Outside IP addresses: 171.50.1.1

Inside IP: 192.168.1.0/24

On Site C

Outside IP addresses: 171.50.80.1

Inside IP: 192.168.40.0/24

The site A is locate at other company.

names

name 172.65.2.3  A Server

name 172.65.2.4  B Server
name 172.65.2.5  C Server

name 172.65.5.3  D server

Thanks

Lionel

Hi,

Could provide me the output for the below,

SiteB-ASA#show crypto isakmp sa details

Note : Before you execute the above kindly initiate the traffic by keeping a ping to SiteA host from any of your host.

Example : from host 192.168.1.5

C:\>ping 172.65.2.3 -t

Regards

Mohammed

Hi,

So from the previous configuration this is the connection that is having problems

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 171.65.1.1  (Site A)

crypto map outside_map 2 set transform-set ESP-AES-256-SHA

Lets look at the ACL

access-list outside_2_cryptomap extended permit ip host outside object-group Site A

I am not exactly sure if you have changed something in the configuration since I dont think the "object-group" name above is valid as it has a space. Maybe you have changed something.

But the actual problem to me seems to be the fact that you have configured the source address as your external interfaces IP address.

To my understanding in this case you should configure the internal LAN as the source

object-group network SITE-A-NET

network-object 172.65.2.3

network-object 172.65.2.4

network-object 172.65.2.5

network-object 172.65.5.3

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group SITE-A-NET

In the same way the NAT0 ACL also has to match the IP addresses configured for the L2L VPN

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group SITE-A-NET

So if your Site B with network 192.168.1.0/24 is supposed to connect to Site A with its original IP addresses then the above configurations should be whats needed. It might be possible that the only thing not matching in your current configuration is actually the L2L VPN ACL that uses the "outside" interface IP address rather then the LAN network of 192.168.1.0/24

Hope this helps

- Jouni