Site to site VPN with 2 local IP addresses

Dear All,

I have site A, which contains two local servers, as well as site B, but after the configurations I can only ping one local server. I need help.

object network remote-net
subnet 192.168.53.3 255.255.255.255
object network net
subnet 192.168.53.2 255.255.255.255
object-group service outside-to-dmzservices
description services allowed from outside to dmz
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group icmp-type ICMP_SERVICES
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo
icmp-object traceroute
object-group network local-net
network-object 192.168.30.10 255.255.255.255
network-object 10.10.1.101 255.255.255.255
object-group network remote
network-object 192.168.53.2 255.255.255.255
network-object 192.168.53.3 255.255.255.255
object-group network remotes
network-object host 192.168.53.3
network-object host 192.168.53.2
access-list GUEST_access extended permit udp object GUEST-NETWORK object DNS-SERVER eq domain
access-list GUEST_access extended deny ip any object DMZ-NETWORK
access-list GUEST_access extended permit ip any any
access-list Outside_access extended permit object-group outside-to-dmzservices any4 object DMZ-NETWORK
access-list 100 extended permit ip object-group local-net object remote-net
access-list 100 extended permit ip object-group local-net object-group remote
access-list 100 extended permit ip object-group local-net object net
access-list 100 extended permit ip object-group local-net object-group remotes
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE-DMZ 1500
mtu GUEST-INTERNET 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.20.16 255.255.255.240 INSIDE-DMZ
icmp permit 192.168.20.0 255.255.255.240 INSIDE-DMZ
icmp permit host 192.168.30.10 INSIDE-DMZ
asdm image disk0:/asdm-openjre-7122.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-DMZ,OUTSIDE) source static local-net local-net destination static remotes remotes no-proxy-arp route-lookup
!
object network Webserver-Private
nat (INSIDE-DMZ,OUTSIDE) static WebServer-Mapped
!
nat (INSIDE-DMZ,OUTSIDE) after-auto source dynamic any interface
nat (GUEST-INTERNET,OUTSIDE) after-auto source dynamic any interface
access-group Outside_access in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 154.72.197.237 1
route INSIDE-DMZ 10.10.1.0 255.255.255.248 192.168.30.30 1
route INSIDE-DMZ 192.168.20.0 255.255.255.0 192.168.30.30 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
url-server (OUTSIDE) vendor websense host 185.60.219.53 timeout 30 protocol TCP version 1 connections 5
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.20.180 255.255.255.255 INSIDE-DMZ
http 192.168.20.26 255.255.255.255 INSIDE-DMZ
http 192.168.20.26 255.255.255.255 OUTSIDE
http 192.168.30.10 255.255.255.255 INSIDE-DMZ
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set phase2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map GUEST-INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map GUEST-INTERNET_map interface GUEST-INTERNET
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 154.72.194.50
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.20.16 255.255.255.240 INSIDE-DMZ
ssh 192.168.30.16 255.255.255.240 INSIDE-DMZ
ssh 192.168.30.0 255.255.255.0 INSIDE-DMZ
ssh 192.168.30.10 255.255.255.255 INSIDE-DMZ
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable OUTSIDE
anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
anyconnect enable
keepout "Service out temporarily."
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
dns-server value 192.168.20.23
vpn-tunnel-protocol ssl-client
default-domain value fia.local
dynamic-access-policy-record DfltAccessPolicy
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username admin password 4x8jGw9qYb.SU5M4 encrypted
username chris password $sha512$5000$OXWgEivHGF1zNpRLe75sVw==$i/bi8Sa1376lgFhZYZQ0aA== pbkdf2
tunnel-group TestVpn type remote-access
tunnel-group TestVpn general-attributes
default-group-policy GroupPolicy1
dhcp-server 192.168.100.10
tunnel-group 154.72.194.50 type ipsec-l2l
tunnel-group 154.72.194.50 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp

4 Replies

I have simplified your config for others to help you.

Also, I noted you need to define a route in your ASA for IP address 192.168.53.3. Can you ping this address from the ASA (192.168.53.3)? I think this is the problem you are having. Define a static route.

nat (INSIDE-DMZ,OUTSIDE) source static local-net local-net destination static remotes remotes no-proxy-arp route-lookup
!
object-group network local-net
network-object 192.168.30.10 255.255.255.255
network-object 10.10.1.101 255.255.255.255
!
object-group network remotes
network-object host 192.168.53.3
network-object host 192.168.53.2
!
access-list 100 extended permit ip object-group local-net object remote-net
access-list 100 extended permit ip object-group local-net object-group remote
access-list 100 extended permit ip object-group local-net object net
access-list 100 extended permit ip object-group local-net object-group remotes
!
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 154.72.194.50
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map interface OUTSIDE
!
tunnel-group 154.72.194.50 type ipsec-l2l
tunnel-group 154.72.194.50 ipsec-attributes
ikev1 pre-shared-key *****
!
crypto ipsec ikev1 transform-set phase2 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
!

We need more information. Show us:

!

show crypto ipsec sa

!

Also share your other site config if possible.

Please do not forget to rate.
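As an added example (not code from this thread), a small Python check over the VPN-relevant lines posted above: it expands the network objects and object-groups, then verifies that every (local, remote) host pair in crypto ACL 100 is also covered by the identity NAT rule (so the VPN traffic is exempted from the dynamic PAT) and flags pairs matched by more than one ACE, which the posted ACL has. The config text is trimmed from the thread; no other names or values are assumed.

```python
import ipaddress
import re

# Constructed sample: the VPN-relevant lines of the ASA config posted in this thread,
# trimmed to one object, two object-groups, the crypto ACL and the NAT exemption.
ASA_CONFIG = """\
object network remote-net
subnet 192.168.53.3 255.255.255.255
object-group network local-net
network-object 192.168.30.10 255.255.255.255
network-object 10.10.1.101 255.255.255.255
object-group network remotes
network-object host 192.168.53.3
network-object host 192.168.53.2
access-list 100 extended permit ip object-group local-net object remote-net
access-list 100 extended permit ip object-group local-net object-group remotes
nat (INSIDE-DMZ,OUTSIDE) source static local-net local-net destination static remotes remotes no-proxy-arp route-lookup
"""

ACE = re.compile(r"access-list (\S+) extended permit ip (?:object|object-group) (\S+) (?:object|object-group) (\S+)")
NAT = re.compile(r"nat \(\S+\) source static (\S+) \S+ destination static (\S+) \S+")

def parse_objects(config):
    """Map each network object / object-group name to the set of networks it holds."""
    objects, current = {}, None
    for parts in (line.split() for line in config.splitlines() if line.strip()):
        if parts[0] in ("object", "object-group") and parts[1] == "network":
            current = objects.setdefault(parts[2], set())
        elif parts[0] in ("subnet", "network-object") and current is not None:
            addr, mask = (parts[2], "32") if parts[1] == "host" else parts[-2:]
            current.add(ipaddress.ip_network(f"{addr}/{mask}"))
        else:
            current = None  # any other line ends the object block
    return objects

def expand(objects, src_name, dst_name):
    """All (source, destination) network pairs an ACE or NAT rule covers."""
    return {(s, d) for s in objects[src_name] for d in objects[dst_name]}

def audit(config, acl="100"):
    """Return (ACL pairs with no NAT exemption, ACL pairs matched by more than one ACE)."""
    objects = parse_objects(config)
    acl_pairs = [p for m in ACE.finditer(config) if m.group(1) == acl
                 for p in expand(objects, m.group(2), m.group(3))]
    exempt = set().union(*(expand(objects, *m.groups()) for m in NAT.finditer(config)))
    missing = {p for p in acl_pairs if p not in exempt}
    duplicated = {p for p in acl_pairs if acl_pairs.count(p) > 1}
    as_text = lambda pairs: sorted((str(s), str(d)) for s, d in pairs)
    return as_text(missing), as_text(duplicated)
```

With the posted lines every ACL pair is NAT-exempt, but the pairs to 192.168.53.3 are matched by two ACEs; if the NAT rule named only remote-net, the pairs to 192.168.53.2 would be reported as not exempt.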

Yes, I can ping 192.168.53.3.

Let me try it now.

Can you share both site configurations?

Please do not forget to rate.

Unfortunately, I cannot get the configs from the other side.