11-02-2012 09:37 AM
Dear all,
I have configured a site-to-site VPN between two ASA 5520s.
Site A (192.168.56.0/24)------ASA5520------Internet--------- ASA5520-------Site B (192.168.255.0/24)
The VPN tunnel is up, but I can't access the LAN on either side.
Config Site A:
hostname CCASA
name 192.168.255.0 CCNetwork
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 41.41.38.156 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.56.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 41.41.32.3
name-server 41.41.32.4
access-list inside_nat0_outbound extended permit ip 192.168.56.0 255.255.255.0 CCNetwork 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.56.0 255.255.255.0 CCNetwork 255.255.255.0
access-list from_outside extended permit icmp any any echo
access-list from_inside extended permit icmp any any echo
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit 192.168.56.0 255.255.255.0 inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 41.41.38.158 1
route outside CCNetwork 255.255.255.0 41.41.38.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.56.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 41.41.38.153
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet CCNetwork 255.255.255.0 outside
telnet 41.41.48.6 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
tunnel-group 41.41.38.153 type ipsec-l2l
tunnel-group 41.41.38.153 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
Config Site B:
name 192.168.1.0 ReddotKE
name 192.168.255.92 Kaseya
name 192.168.255.17 BGTZSRV27
name 192.168.56.0 NOC_Servers
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 41.41.37.214 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.248
!
interface Ethernet0/2
nameif Trusted
security-level 90
ip address 192.168.255.83 255.255.255.0
!
interface Ethernet0/3
nameif outside1
security-level 0
ip address 41.41.38.153 255.255.255.248
!
interface Management0/0
nameif management
security-level 0
no ip address
management-only
!
passwd Gbj/iT2lN65K00Cr encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EAT 3
dns domain-lookup Trusted
dns server-group DefaultDNS
dns server-group Dnss
name-server 192.168.255.6
name-server 8.8.8.8
same-security-traffic permit intra-interface
object-group service Edge_services
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq 3389
service-object tcp eq 5721
service-object tcp-udp eq 5721
service-object udp eq 5721
service-object tcp eq 17988
service-object tcp eq telnet
service-object tcp eq ssh
access-list inside_nat0_outbound_1 extended permit ip 192.168.255.0 255.255.255.0 NOC_Servers 255.255.255.0
access-list outside1_1_cryptomap extended permit ip 192.168.255.0 255.255.255.0 NOC_Servers 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu Trusted 1500
mtu outside1 1500
mtu management 1500
ip local pool MYPOOL 192.168.255.190-192.168.255.200
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (Trusted) 0 access-list inside_nat0_outbound
nat (Trusted) 10 access-list EXCHANGEOUT
nat (Trusted) 10 BGTZSRV27 255.255.255.255
static (Trusted,outside) interface 192.168.255.2 netmask 255.255.255.255
static (Trusted,outside) 41.41.37.210 Kaseya netmask 255.255.255.255
access-group outside_in_OWA in interface outside
route outside 0.0.0.0 0.0.0.0 41.41.37.209 1
route outside1 41.215.33.50 255.255.255.255 41.41.38.158 1
route Trusted 172.16.155.0 255.255.255.0 192.168.155.81 1
route Trusted 172.16.255.0 255.255.255.0 192.168.255.81 1
route Trusted 192.168.0.0 255.255.255.0 192.168.255.81 1
route outside1 ReddotKE 255.255.255.0 41.41.38.153 1
route Trusted 192.168.11.0 255.255.255.0 192.168.255.80 1
route outside1 192.168.20.0 255.255.255.0 213.42.68.162 1
route outside1 NOC_Servers 255.255.255.0 41.41.38.156 1
route Trusted 192.168.100.0 255.255.255.0 192.168.255.81 1
route Trusted 192.168.100.0 255.255.255.0 192.168.100.1 1
route Trusted 192.168.155.0 255.255.255.0 192.168.255.81 1
route outside1 192.168.172.0 255.255.255.0 ReddotKE 1
route outside1 192.168.250.0 255.255.255.0 41.41.38.153 1
route outside1 41.41.38.84 255.255.255.255 41.41.38.153 1
route outside1 213.42.68.162 255.255.255.255 41.41.38.158 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou allow none
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.10.10.0 255.255.255.248 inside
http 192.168.255.0 255.255.255.0 Trusted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside1_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 41.41.38.156
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map outside_map interface outside1
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable outside1
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
console timeout 0
management-access Trusted
threat-detection basic-threat
threat-detection statistics
webvpn
enable outside
svc image disk0:/anyconnect_win_2.2.0140_k9.pkg 1
tunnel-group 41.41.38.156 type ipsec-l2l
tunnel-group 41.41.38.156 ipsec-attributes
pre-shared-key cisco123456
Please help
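A consistency check for the two configs as pasted, added here as an example (it is not code from the thread or from Cisco). It finds config lines that reference an access-list by name that no "access-list NAME ..." line defines, and crypto-ACL flows that no "nat (iface) 0 access-list" entry exempts from NAT. In the Site B text above, "nat (Trusted) 0 access-list inside_nat0_outbound" points at a name that is never defined while the exemption ACL that is defined is called inside_nat0_outbound_1 (EXCHANGEOUT and outside_in_OWA are also referenced without definitions); whether that is a trimmed paste or the live config is something "show run" on the box settles. SAMPLE_SITE_B is a constructed excerpt modelled on that config; the function and pattern names are this example's own.

```python
"""Lint an ASA 8.x-style config for dangling access-list references and
crypto-ACL flows that no 'nat (iface) 0 access-list' entry exempts from NAT.

Added example, not code from the thread or from Cisco. SAMPLE_SITE_B is a
constructed excerpt modelled on the Site B config posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: trimmed lines in the style of the posted Site B config
SAMPLE_SITE_B = """\
name 192.168.56.0 NOC_Servers
access-list inside_nat0_outbound_1 extended permit ip 192.168.255.0 255.255.255.0 NOC_Servers 255.255.255.0
access-list outside1_1_cryptomap extended permit ip 192.168.255.0 255.255.255.0 NOC_Servers 255.255.255.0
nat-control
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
nat (Trusted) 0 access-list inside_nat0_outbound
nat (Trusted) 10 access-list EXCHANGEOUT
access-group outside_in_OWA in interface outside
crypto map outside_map 1 match address outside1_1_cryptomap
"""

# Same excerpt with the nat 0 line pointing at the ACL that is actually defined
SAMPLE_SITE_B_FIXED = SAMPLE_SITE_B.replace(
    "nat (Trusted) 0 access-list inside_nat0_outbound\n",
    "nat (Trusted) 0 access-list inside_nat0_outbound_1\n",
)

# Every place this linter knows of where an ACL is consumed by name
_REF_PATTERNS = (
    re.compile(r"^nat \(\S+\) \d+ access-list (?P<acl>\S+)"),
    re.compile(r"^access-group (?P<acl>\S+) (?:in|out) interface \S+"),
    re.compile(r"^crypto map \S+ \d+ match address (?P<acl>\S+)"),
)
_DEF_PATTERN = re.compile(r"^access-list (\S+) ")
_NAT0_PATTERN = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
_CRYPTO_PATTERN = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


@dataclass(frozen=True)
class DanglingRef:
    line: str  # the config line that makes the reference
    acl: str   # the ACL name it points at


def _lines(config: str) -> list[str]:
    return [raw.strip() for raw in config.splitlines() if raw.strip()]


def defined_acls(config: str) -> set[str]:
    """Names with at least one 'access-list NAME ...' entry."""
    return {m.group(1) for line in _lines(config) if (m := _DEF_PATTERN.match(line))}


def dangling_refs(config: str) -> list[DanglingRef]:
    """References to ACL names that the config never defines, in config order."""
    defined = defined_acls(config)
    found = []
    for line in _lines(config):
        for pat in _REF_PATTERNS:
            m = pat.match(line)
            if m and m.group("acl") not in defined:
                found.append(DanglingRef(line, m.group("acl")))
    return found


def permit_ip_flows(config: str, acl: str) -> set[tuple[str, str, str, str]]:
    """(src, src_mask, dst, dst_mask) of each 'permit ip' entry in ACL.
    Object names such as NOC_Servers are compared literally, which is enough
    as long as both ACLs are written with the same names."""
    pat = re.compile(
        rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    )
    return {m.groups() for line in _lines(config) if (m := pat.match(line))}


def uncovered_crypto_flows(config: str) -> list[tuple[str, str, str, str]]:
    """Crypto-ACL flows that appear in no nat 0 exemption ACL.

    With nat-control, an inside->remote flow that is not exempted is
    translated before the crypto map is consulted; its translated source no
    longer matches the crypto ACL, so it never enters the tunnel."""
    exempt: set[tuple[str, str, str, str]] = set()
    crypto: set[tuple[str, str, str, str]] = set()
    for line in _lines(config):
        if m := _NAT0_PATTERN.match(line):
            exempt |= permit_ip_flows(config, m.group(1))
        elif m := _CRYPTO_PATTERN.match(line):
            crypto |= permit_ip_flows(config, m.group(1))
    return sorted(crypto - exempt)


if __name__ == "__main__":
    for ref in dangling_refs(SAMPLE_SITE_B):
        print(f"dangling ACL reference {ref.acl!r}: {ref.line}")
    for flow in uncovered_crypto_flows(SAMPLE_SITE_B):
        print("crypto flow with no NAT exemption:", " ".join(flow))
    print("after fix:", uncovered_crypto_flows(SAMPLE_SITE_B_FIXED))
```

Run against a full "show run" captured from each ASA, the same two functions answer the two questions that matter for a tunnel that is up but carries no useful traffic: does every nat 0 / access-group / match address line point at an ACL that exists, and is every crypto-ACL flow also NAT-exempt on that side.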
11-02-2012 10:04 AM
Hi Vikas,
Please remove the following line from the ASA CCASA:
no route outside CCNetwork 255.255.255.0 41.41.38.153 1
HTH.
Portu.
Please rate any helpful posts
11-02-2012 10:14 AM
Hi Portu,
Thanks for the reply.
I removed it on both sides:
no route outside1 NOC_Servers 255.255.255.0 41.41.38.156 1
no route outside CCNetwork 255.255.255.0 41.41.38.153 1
but I still cannot access the LAN.
The VPN tunnel is up and running.
Please help.
Regards
11-02-2012 10:20 AM
Thanks!
Please attach: "show crypto ipsec sa" from both sides after trying to access across the tunnel.
Portu.
11-02-2012 10:29 AM
Please provide the following as well:
From ASA CCASA:
show run route
From Site B:
show run route
show arp | inc outside1
Thanks.
11-03-2012 08:00 AM
Hi Portu,
Thanks for the mail.
Please find the output below.
Site A:
sh route
route outside 0.0.0.0 0.0.0.0 41.41.38.158 1
sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 41.41.38.156
access-list outside_1_cryptomap permit ip 192.168.56.0 255.255.255.0 192.168.255.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.56.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
current_peer: 41.41.38.153
#pkts encaps: 1701, #pkts encrypt: 1701, #pkts digest: 1701
#pkts decaps: 3175, #pkts decrypt: 3175, #pkts verify: 3175
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1701, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 41.41.38.156, remote crypto endpt.: 41.41.38.153
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6B1A202D
inbound esp sas:
spi: 0x316B9DAD (829136301)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274854/25007)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x6B1A202D (1796874285)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274909/25006)
IV size: 8 bytes
replay detection support: Y
Site B:
sh run route
route outside 0.0.0.0 0.0.0.0 41.41.37.209 1
route outside1 41.215.33.50 255.255.255.255 41.41.38.158 1
route Trusted 172.16.155.0 255.255.255.0 192.168.155.81 1
route Trusted 172.16.255.0 255.255.255.0 192.168.255.81 1
route Trusted 192.168.0.0 255.255.255.0 192.168.255.81 1
route outside1 ReddotKE 255.255.255.0 41.41.38.153 1
route Trusted 192.168.11.0 255.255.255.0 192.168.255.80 1
route outside1 192.168.20.0 255.255.255.0 213.42.68.162 1
route Trusted 192.168.100.0 255.255.255.0 192.168.255.81 1
route Trusted 192.168.100.0 255.255.255.0 192.168.100.1 1
route Trusted 192.168.155.0 255.255.255.0 192.168.255.81 1
route outside1 192.168.172.0 255.255.255.0 ReddotKE 1
route outside1 192.168.250.0 255.255.255.0 41.41.38.153 1
route outside1 41.41.38.84 255.255.255.255 41.41.38.153 1
route outside1 213.42.68.162 255.255.255.255 41.41.38.158 1
sh arp | in outside1
outside1 196.41.61.251 00b0.0c05.4ecf
outside1 196.41.38.156 44d3.ca8e.1bc4
outside1 196.41.38.84 001f.9e57.c208
outside1 196.41.38.158 000f.8fb9.411c
sh crypto ipsec sa
interface: outside1
Crypto map tag: outside_map, seq num: 22, local addr: 41.41.38.153
access-list outside_22_cryptomap permit ip 192.168.255.0 255.255.255.0 192.168.250.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
current_peer: 41.41.38.84
#pkts encaps: 10421, #pkts encrypt: 10421, #pkts digest: 10421
#pkts decaps: 390933, #pkts decrypt: 390933, #pkts verify: 390933
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10421, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 380489
local crypto endpt.: 41.41.38.153, remote crypto endpt.: 41.41.38.84
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 18EECB15
inbound esp sas:
spi: 0x5F488B16 (1598589718)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4273972/1342)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x18EECB15 (418302741)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4273960/1341)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 41.41.38.153
access-list outside1_1_cryptomap permit ip 192.168.255.0 255.255.255.0 192.168.56.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.56.0/255.255.255.0/0/0)
current_peer: 41.41.38.156
#pkts encaps: 15321, #pkts encrypt: 15319, #pkts digest: 15319
#pkts decaps: 4301, #pkts decrypt: 4301, #pkts verify: 4301
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15516, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 41.41.38.153, remote crypto endpt.: 41.41.38.156
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 316B9DAD
inbound esp sas:
spi: 0x6B1A202D (1796874285)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824804/24545)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x316B9DAD (829136301)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3824313/24545)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 21, local addr: 41.41.38.153
access-list outside_21_cryptomap permit ip 192.168.255.0 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 213.42.68.162
#pkts encaps: 8713, #pkts encrypt: 8713, #pkts digest: 8713
#pkts decaps: 8670, #pkts decrypt: 8670, #pkts verify: 8670
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8713, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 41.41.38.153, remote crypto endpt.: 213.42.68.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8DC06326
inbound esp sas:
spi: 0x3E1A92AC (1041928876)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 57344, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3823305/26841)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8DC06326 (2378195750)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 57344, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3823300/26841)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 20, local addr: 41.41.38.153
access-list outside_20_cryptomap permit ip 192.168.255.0 255.255.255.0 ReddotKE 255.255.255.0
local ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReddotKE/255.255.255.0/0/0)
current_peer: 41.215.33.50
#pkts encaps: 2653, #pkts encrypt: 2653, #pkts digest: 2653
#pkts decaps: 2779, #pkts decrypt: 2779, #pkts verify: 2779
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2653, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 41.41.38.153, remote crypto endpt.: 41.215.33.50
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3FB5157C
inbound esp sas:
spi: 0xE96696AD (3915814573)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 102400, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274830/28734)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3FB5157C (1068832124)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 102400, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274832/28734)
IV size: 8 bytes
replay detection support: Y
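A small parser for the "show crypto ipsec sa" output pasted above, added here as an example (not code from the thread or from Cisco). For each "Crypto map tag" block it pulls the peer, the proxy identities, the encaps/decaps counters and the send/recv error counters, then flags the two symptoms worth chasing when a tunnel is up but the LANs cannot talk: traffic in one direction only, and a non-zero error counter. On the SA between 41.41.38.153 and 41.41.38.156 both encaps and decaps are non-zero on both sides, which says packets are crossing the tunnel in both directions, so what happens before encryption and after decryption (NAT exemption, interface ACLs, routing) is the next place to look. SAMPLE is constructed from the Site B output; the function and class names are this example's own.

```python
"""Summarise ASA 'show crypto ipsec sa' output per crypto-map entry.

Added example, not code from the thread or from Cisco. SAMPLE is a
constructed excerpt of the Site B output pasted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE = """\
interface: outside1
    Crypto map tag: outside_map, seq num: 22, local addr: 41.41.38.153
      access-list outside_22_cryptomap permit ip 192.168.255.0 255.255.255.0 192.168.250.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
      current_peer: 41.41.38.84
      #pkts encaps: 10421, #pkts encrypt: 10421, #pkts digest: 10421
      #pkts decaps: 390933, #pkts decrypt: 390933, #pkts verify: 390933
      #send errors: 0, #recv errors: 380489
    Crypto map tag: outside_map, seq num: 1, local addr: 41.41.38.153
      access-list outside1_1_cryptomap permit ip 192.168.255.0 255.255.255.0 192.168.56.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.56.0/255.255.255.0/0/0)
      current_peer: 41.41.38.156
      #pkts encaps: 15321, #pkts encrypt: 15319, #pkts digest: 15319
      #pkts decaps: 4301, #pkts decrypt: 4301, #pkts verify: 4301
      #send errors: 0, #recv errors: 0
"""

# Header line that starts each per-SA block in the ASA output
_HEAD = re.compile(r"Crypto map tag: (\w+), seq num: (\d+), local addr: (\S+)")


@dataclass
class SaSummary:
    map_name: str
    seq: int
    local_addr: str
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    def findings(self) -> list[str]:
        """Symptoms worth chasing when the tunnel is 'up' but traffic fails."""
        notes = []
        if self.encaps and not self.decaps:
            notes.append("encrypting but nothing comes back: check the peer's "
                         "crypto ACL, NAT exemption and return route")
        if self.decaps and not self.encaps:
            notes.append("receiving but never sending: local NAT exemption or "
                         "routing keeps replies out of the tunnel")
        if self.recv_errors:
            notes.append(f"{self.recv_errors} recv errors: inbound packets failed "
                         "a decapsulation check; compare with the peer's counters")
        if self.send_errors:
            notes.append(f"{self.send_errors} send errors on encapsulation")
        return notes


def _grab(pattern: str, text: str, default: str = "") -> str:
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_ipsec_sa(output: str) -> list[SaSummary]:
    """One SaSummary per 'Crypto map tag' block, in display order."""
    # re.split with three capture groups yields [preamble, tag, seq, addr, body, ...]
    parts = _HEAD.split(output)
    summaries = []
    for i in range(1, len(parts), 4):
        tag, seq, addr, body = parts[i:i + 4]
        summaries.append(SaSummary(
            map_name=tag,
            seq=int(seq),
            local_addr=addr,
            peer=_grab(r"current_peer: (\S+)", body),
            local_ident=_grab(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)", body),
            remote_ident=_grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)", body),
            encaps=int(_grab(r"#pkts encaps: (\d+)", body, "0")),
            decaps=int(_grab(r"#pkts decaps: (\d+)", body, "0")),
            send_errors=int(_grab(r"#send errors: (\d+)", body, "0")),
            recv_errors=int(_grab(r"#recv errors: (\d+)", body, "0")),
        ))
    return summaries


def sa_for_peer(output: str, peer: str) -> SaSummary | None:
    """The SA negotiated with a given peer address, if one is present."""
    return next((s for s in parse_ipsec_sa(output) if s.peer == peer), None)


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(f"seq {sa.seq} peer {sa.peer}: {sa.local_ident} <-> {sa.remote_ident} "
              f"encaps={sa.encaps} decaps={sa.decaps}")
        for note in sa.findings():
            print("   !", note)
```

Feeding the full output from both ASAs through parse_ipsec_sa and pairing each SA with its peer's by address gives a quick cross-check: one side's encaps should roughly track the other side's decaps, and a recv-error counter that climbs while the peer's send errors stay at zero points at the inbound path on the side reporting it.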