Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
561
Views
0
Helpful
1
Replies

Site-2-Site VPN odd config

rashev_kamen
Level 1
Level 1

‎05-08-2009 11:25 AM

Today I had to troubleshoot a VPN configuration and I've never seen VPN configured this way. I'll need someones help.

whit this config i see vpn tunnel established but i am not sure the interestin traffic is going trought the tunnel or is routed to default gateway to internet

This is the config:

interface Ethernet0

description Internet Faceing Address

nameif outside

security-level 0

ip address aaa.bbb.173.242 255.255.255.0

ospf cost 10

!

interface Ethernet1

description LAN Faceing Address

nameif inside

security-level 100

ip address 172.25.110.42 255.255.254.0 standby 172.25.110.40

ospf cost 10

!

same-security-traffic permit inter-interface

object-group network ABC

description Systems With Access to VPN

network-object host 172.25.100.93

network-object host 172.25.101.93

access-list outside_access_out remark To ABC

access-list outside_access_out extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.50 log

access-list outside_access_out extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.12 log

access-list outside_access_in extended permit ip host 216.229.154.50 aaa.bbb.173.160 255.255.255.240 log

access-list outside_access_in extended permit ip host 216.229.154.12 aaa.bbb.173.160 255.255.255.240 log

access-list inside_access_out extended permit ip object-group ABC host 216.229.154.12 log

access-list inside_access_out extended permit ip object-group ABC host 216.229.154.50 log

access-list outside_cryptomap_iron extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.50

access-list outside_cryptomap_iron extended permit ip aaa.bbb.173.160 255.255.255.240 host 216.229.154.12

static (inside,outside) aaa.bbb.173.166 172.25.100.93 netmask 255.255.255.255

static (inside,outside) aaa.bbb.173.167 172.25.101.93 netmask 255.255.255.255

static (outside,inside) 172.25.100.93 aaa.bbb.173.166 netmask 255.255.255.255

static (outside,inside) 172.25.101.93 aaa.bbb.173.167 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 aaa.bbb.173.254 1

route inside 172.25.100.0 255.255.254.0 172.25.111.254 1

crypto map IronRules 10 match address outside_cryptomap_iron

crypto map IronRules 10 set peer 216.229.152.17

crypto map IronRules 10 set transform-set Iron

crypto map IronRules 10 set security-association lifetime seconds 28800

crypto map IronRules 10 set security-association lifetime kilobytes 4608000

Labels:
0 Helpful
1 Reply 1

bamnocadmin
Level 1
Level 1

‎05-11-2009 05:18 AM

Hello,

I think you need to post full config (with NAT and group-policy). Also, you can see if traffic goes through tunnel with "sh cry ip sa".

Thanks.

0 Helpful
Customers Also Viewed These Support Documents