09-19-2013 07:51 AM
OK, after we had this working my remote site changed hardware and IP address. We have gotten the tunnel back up, but site B cannot ping the inside of site A. Am I missing something?
09-23-2013 05:19 PM
This was poorly posted.
More details and maybe someone could help.
I have established a Site to Site connection between two 5520 ASAs. We got the tunnel up, but we cannot ping from either side to the other.
The purpose of this link is for all traffic from site B to go through to site A. I have been stumped and was hoping someone could give me a bit of help on this.
We had the site working, but my remote site changed the hardware they had and now it's not working again. The part that drives me the most batty is that it was working before the hardware change and now I can't seem to see what is broken.
Thanks
09-24-2013 12:27 AM
Hello Shaun,
I was just going through the config of site A and site B and found out that there are a lot of things which you have to work on.
1) The transform sets on both the sites are showing different; they are not matching. Try to change both to the same transform set.
In site A you have used:
crypto ipsec transform-set sA2sB esp-aes-256 esp-sha-hmac
crypto map vpn-map 35 match address A2B
crypto map vpn-map 35 set peer 84.194.24.89
crypto map vpn-map 35 set transform-set sA2sB
In site B you have used:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map2 1 match address sA2sB
crypto map Outside_map2 1 set peer 182.166.60.6
crypto map Outside_map2 1 set transform-set ESP-AES-256-SHA
-----------------------------------------------------------------------------------------------------
Check site A inside interface IP address:
10.4.253.66 255.255.255.252
09-24-2013 02:40 AM
Otherwise, what we can suggest is that you create a new site-to-site tunnel between the firewalls. Please follow the checklist below:
crypto map outside_map (Order number) match address outside_cryptomap_20
crypto map outside_map (Order number) set peer x.x.x.x
crypto map outside_map (Order number) set transform-set (Eg:ESP-3DES-MD5)
Use the transform set correctly on both the firewalls.
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *************
access-list outside_cryptomap_20 extended permit ip (Inside IP) X.X.X.X (outside ip) X.X.X.X
access-list inside_nat0_outbound extended permit ip (Inside IP) X.X.X.X (outside ip) X.X.X.X
nat (inside) 0 access-list inside_nat0_outbound (this statement would already be there in the firewall: the no-NAT statement)
And now your tunnel should be working.
Checking commands:
sh cry isa sa
sh cry ipsec sa
Please let us know if this is working for you.
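An added consistency check (not from this thread or from Cisco) that applies the checklist above: it parses the Phase 2 settings from both sides' ASA configs and flags a transform-set algorithm mismatch or crypto ACLs that are not mirror images. The sample configs are constructed from the lines quoted in this thread; the access-list subnets are assumptions, since the thread does not show them.

```python
# Constructed sample configs, modelled on the lines quoted in this thread (ACL subnets assumed).
SITE_A = """
crypto ipsec transform-set sA2sB esp-aes-256 esp-sha-hmac
access-list A2B extended permit ip 10.4.253.64 255.255.255.252 192.168.10.0 255.255.255.0
crypto map vpn-map 35 match address A2B
crypto map vpn-map 35 set peer 84.194.24.89
crypto map vpn-map 35 set transform-set sA2sB
"""
SITE_B = """
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list sA2sB extended permit ip 192.168.10.0 255.255.255.0 10.4.253.64 255.255.255.252
crypto map Outside_map2 1 match address sA2sB
crypto map Outside_map2 1 set peer 182.166.60.6
crypto map Outside_map2 1 set transform-set ESP-AES-256-SHA
"""

def parse(config):
    """Collect transform sets, crypto map entries and ACL entries from ASA config text."""
    tsets, maps, acls = {}, {}, {}
    for line in config.splitlines():
        p = line.split()
        if p[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[p[3]] = tuple(p[4:])                   # name -> (esp cipher, esp auth)
        elif p[:2] == ["crypto", "map"] and len(p) >= 7:
            entry = maps.setdefault((p[2], p[3]), {})    # keyed by (map name, sequence)
            if p[4] == "match":
                entry["acl"] = p[6]
            elif p[4] == "set":
                entry[p[5]] = p[6]                       # "peer" or "transform-set"
        elif p[:1] == ["access-list"] and "permit" in p:
            i = p.index("permit") + 2                    # skip the protocol keyword
            acls.setdefault(p[1], set()).add(tuple(p[i:i + 4]))  # (src, mask, dst, mask)
    return tsets, maps, acls

def check_pair(cfg_a, cfg_b):
    """Return mismatch descriptions for the one tunnel entry on each side ([] if consistent)."""
    ts_a, maps_a, acl_a = parse(cfg_a)
    ts_b, maps_b, acl_b = parse(cfg_b)
    ea, eb = next(iter(maps_a.values())), next(iter(maps_b.values()))
    problems = []
    # Transform-set names are local to each box; only the algorithms have to agree.
    if ts_a[ea["transform-set"]] != ts_b[eb["transform-set"]]:
        problems.append("transform-set algorithms differ: %s vs %s" % (ts_a[ea["transform-set"]], ts_b[eb["transform-set"]]))
    # The crypto ACLs must be exact mirror images or the two sides negotiate different proxy IDs.
    mirror_b = {(d, dm, s, sm) for (s, sm, d, dm) in acl_b[eb["acl"]]}
    if acl_a[ea["acl"]] != mirror_b:
        problems.append("crypto ACLs %s and %s are not mirror images" % (ea["acl"], eb["acl"]))
    return problems
```

`check_pair(SITE_A, SITE_B)` returns an empty list for the sample, confirming the two differently named transform sets are equivalent; paste each side's `show running-config` into the two strings to check a real pair.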
09-25-2013 08:33 PM
Please give the output of the two commands below:
sh cry ipsec sa
sh cry isa sa
09-25-2013 01:33 PM
Please correct me if I am wrong, but these match:
crypto ipsec transform-set sA2sB esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Isn't the basic format:
crypto ipsec transform-set NAME types
Do the names really have to match or aren't they names that are unique to each router?
09-25-2013 08:32 PM
Yes, you are right, the transform set is matching. I checked the config once again. It was confusing because it had lots of transform sets.
The transform set name can be anything; it need not be the same on both devices.