cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1195
Views
0
Helpful
4
Replies

Site to site VPN with 2 local ip addresses on both ends

Dear All,

i have site A which contains two local servers as well as site B but after the configurations i can only ping one local server i need help 

1 Accepted Solution

Accepted Solutions

Dennis Mink
VIP Alumni
VIP Alumni
I can help Chris¹111111111111111111111111.Cplz add co figs and ip addresses to the post
Please remember to rate useful posts, by clicking on the stars below.

View solution in original post

4 Replies 4

Dennis Mink
VIP Alumni
VIP Alumni
I can help Chris¹111111111111111111111111.Cplz add co figs and ip addresses to the post
Please remember to rate useful posts, by clicking on the stars below.

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 154.72.197.238 255.255.255.252
!
interface GigabitEthernet0/1
nameif INSIDE-DMZ
security-level 50
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif GUEST-INTERNET
security-level 25
ip address 192.168.100.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa983-29-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name fia.go.ug
object network WebServer-Mapped
host 154.72.198.17
description Mapped Public IP for Web server
object network Webserver-Private
host 192.168.30.10
description Private Web server IP
object network DNS-SERVER
host 8.8.8.8
description DNS Server for DMZ
object network EXT-DNS-SERVER
host 154.72.192.21
description DNS Server for outside
object network WEBMAIL
host 192.168.30.12
description Webmail Server
object network DMZ-NETWORK
subnet 192.168.30.0 255.255.255.240
description DMZ networks
object network GUEST-NETWORK
subnet 192.168.100.0 255.255.255.0
description guest internet networks
object service GoAML
service tcp source eq 1433 destination eq 1433
object network remote-net
subnet 192.168.53.3 255.255.255.255
object network net
subnet 192.168.53.2 255.255.255.255
object-group service outside-to-dmzservices
description services allowed from outside to dmz
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group icmp-type ICMP_SERVICES
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo
icmp-object traceroute
object-group network local-net
network-object 192.168.30.10 255.255.255.255
network-object 10.10.1.101 255.255.255.255
object-group network remote
network-object 192.168.53.2 255.255.255.255
network-object 192.168.53.3 255.255.255.255
object-group network remotes
network-object host 192.168.53.3
network-object host 192.168.53.2
access-list GUEST_access extended permit udp object GUEST-NETWORK object DNS-SERVER eq domain
access-list GUEST_access extended deny ip any object DMZ-NETWORK
access-list GUEST_access extended permit ip any any
access-list Outside_access extended permit object-group outside-to-dmzservices any4 object DMZ-NETWORK
access-list 100 extended permit ip object-group local-net object remote-net
access-list 100 extended permit ip object-group local-net object-group remote
access-list 100 extended permit ip object-group local-net object net
access-list 100 extended permit ip object-group local-net object-group remotes
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE-DMZ 1500
mtu GUEST-INTERNET 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.20.16 255.255.255.240 INSIDE-DMZ
icmp permit 192.168.20.0 255.255.255.240 INSIDE-DMZ
icmp permit host 192.168.30.10 INSIDE-DMZ
asdm image disk0:/asdm-openjre-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-DMZ,OUTSIDE) source static local-net local-net destination static remotes remotes no-proxy-arp route-lookup
!
object network Webserver-Private
nat (INSIDE-DMZ,OUTSIDE) static WebServer-Mapped
!
nat (INSIDE-DMZ,OUTSIDE) after-auto source dynamic any interface
nat (GUEST-INTERNET,OUTSIDE) after-auto source dynamic any interface
access-group Outside_access in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 154.72.197.237 1
route INSIDE-DMZ 10.10.1.0 255.255.255.248 192.168.30.30 1
route INSIDE-DMZ 192.168.20.0 255.255.255.0 192.168.30.30 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
url-server (OUTSIDE) vendor websense host 185.60.219.53 timeout 30 protocol TCP version 1 connections 5
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.20.180 255.255.255.255 INSIDE-DMZ
http 192.168.20.26 255.255.255.255 INSIDE-DMZ
http 192.168.20.26 255.255.255.255 OUTSIDE
http 192.168.30.10 255.255.255.255 INSIDE-DMZ
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set phase2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map GUEST-INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map GUEST-INTERNET_map interface GUEST-INTERNET
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 154.72.194.50
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.20.16 255.255.255.240 INSIDE-DMZ
ssh 192.168.30.16 255.255.255.240 INSIDE-DMZ
ssh 192.168.30.0 255.255.255.0 INSIDE-DMZ
ssh 192.168.30.10 255.255.255.255 INSIDE-DMZ
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable OUTSIDE
anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
anyconnect enable
keepout "Service out temporarily."
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dns-server value 192.168.20.23
vpn-tunnel-protocol ssl-client
default-domain value fia.local
dynamic-access-policy-record DfltAccessPolicy
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username admin password 4x8jGw9qYb.SU5M4 encrypted
username chris password $sha512$5000$OXWgEivHGF1zNpRLe75sVw==$i/bi8Sa1376lgFhZYZQ0aA== pbkdf2
tunnel-group TestVpn type remote-access
tunnel-group TestVpn general-attributes
default-group-policy GroupPolicy1
dhcp-server 192.168.100.10
tunnel-group 154.72.194.50 type ipsec-l2l
tunnel-group 154.72.194.50 ipsec-attributes
ikev1 pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 14
subscribe-to-alert-group configuration periodic monthly 14
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b1325077afc1c2342fdb5054a3f8773d
: end

not yet solved i clicked on solution by mistake

Hello Dennis,

kindly look into the configs