Spoke-to-spoke communication over site-to-site VPN

salman abid
Level 1

Hi guys,

Kindly find the attached diagram, which can help you to understand what I'm looking for.

Recently I have put Cisco IP phones on site-A and site-B, giving them static IPs. The purpose is to make them communicate with HO. Now they are able to communicate with HO, but somehow they are not able to make calls between spokes.

I want to make them able to call between both sites.

Site-A and site-B are connected through site-to-site VPN. I tried to ping from site-A to the subnet of site-B but was not able to. So in this case I need to do the needful configuration, but keeping in mind I don't want to allow complete subnets; I just want to allow the Cisco IP phones to call, meaning only IP phone traffic should be allowed.

I'm also going to attach the configurations of the following:

1- Site-A router
2- Site-B router
3- HO-ASA

Kindly look into it and let me know what additional config is required to fulfill my need.

ASA5520:-

VPN config on ASA5520 for site-A

object-group network site-A
 network-object 10.3.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_104
 network-object 10.1.0.0 255.255.0.0
 network-object 192.6.14.0 255.255.255.0
access-list Outside_7_cryptomap extended permit ip object-group DM_INLINE_NETWORK_104 object-group site-A
crypto map Outside_map 7 match address Outside_7_cryptomap
crypto map Outside_map 7 set pfs
crypto map Outside_map 7 set peer 62.xx.xx.xx
crypto map Outside_map 7 set transform-set ESP-3DES
crypto map Outside_map 7 set transform-set ESP-3DES-SHA
crypto map Outside_map 7 set phase1-mode aggressive
group-policy siteA_HO internal
group-policy siteA_HO attributes
 vpn-tunnel-protocol IPSec
tunnel-group 62.xx.xx.xx type ipsec-l2l
tunnel-group 62.xx.xx.xx general-attributes
 default-group-policy siteA_HO
tunnel-group 62.xx.xx.xx ipsec-attributes
 pre-shared-key ******
 peer-id-validate nocheck
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_104 object-group site-A
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_104 object-group site-A

=========================================================================================================================================================

VPN config on ASA5520 for site-B:-

object-group network DM_INLINE_NETWORK_4
 network-object 182.72.41.32 255.255.255.248
 network-object 192.168.124.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 192.6.14.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list Outside_3_cryptomap extended permit ip 10.1.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_4
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer 182.xx.xx.xx
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 set phase1-mode aggressive
group-policy site-B internal
group-policy site-B attributes
 vpn-tunnel-protocol IPSec
tunnel-group 182.xx.xx.xx type ipsec-l2l
tunnel-group 182.xx.xx.xx general-attributes
 default-group-policy site-B
tunnel-group 182.xx.xx.xx ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
access-list Outside_nat0_outbound extended permit ip 192.168.124.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list Outside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.124.0 255.255.255.0
access-list Outside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.124.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 192.168.124.0 255.255.255.0
access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 192.168.124.0 255.255.255.0

=============================================================================================================

Site-A router config:-

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ***** address 83.xx.xx.xx
crypto ipsec transform-set ASA-IPSEC esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to83.xx.xx.xx
 set peer 83.xx.xx.xx
 set security-association lifetime seconds 28800
 set transform-set ASA-IPSEC
 set pfs group2
 match address 100
interface FastEthernet4.1
 encapsulation dot1Q 113
 ip address 172.16.7.69 255.255.255.252 secondary
 ip address 62.xx.xx.xx 255.255.255.252
 ip virtual-reassembly in
 crypto map SDM_CMAP_1
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.3.0.0 0.0.255.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 10.3.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 192.168.147.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.147.0 0.0.0.255 10.1.0.0 0.0.255.255
ip route 0.0.0.0 0.0.0.0 172.16.7.69

=============================================================================================================

Site-B router config:-

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******* address 83.xx.xx.xx
!
crypto ipsec transform-set ASA-IPSEC esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to83.xx.xx.xxx
 set peer 83.xx.xx.xx
 set transform-set ASA-IPSEC
 set pfs group2
 match address 100
interface GigabitEthernet0/0
 description "Connected to Internet"
 ip address 182.xx.xx.xx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map SDM_CMAP_1
access-list 100 permit ip 192.168.124.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.124.0 0.0.0.255 10.1.0.0 0.0.255.255
route-map nonat permit 10
 match ip address 110
access-list 110 deny   ip 192.168.124.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 192.168.124.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 192.168.124.0 0.0.0.255 any
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 182.xx.xx.xx
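The question above boils down to whether a packet from a site-A phone to a site-B phone is "interesting traffic" for every crypto map it meets on the way through the hub. The script below is an added example, not part of the post or of any Cisco tool: it parses the crypto ACLs and object-groups exactly as quoted in the configs above (IOS wildcard form on the routers, mask and object-group form on the ASA) and reports, hop by hop, which ACL would select a given flow. The two phone addresses 192.168.0.50 and 192.168.124.50 are hypothetical hosts chosen inside the posted subnets, and the function and dictionary-key names are the example's own.

```python
"""Crypto-ACL coverage check for the hub-and-spoke IPsec topology in the post.

Added example, not part of the original post: the ACL and object-group lines
below are copied from the posted configs; the phone addresses used in the
report are hypothetical hosts chosen inside the posted subnets.
"""
from ipaddress import IPv4Address, IPv4Network

# Crypto ACL of the site-A router (IOS wildcard form), copied from the post.
SITE_A_ROUTER = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.3.0.0 0.0.255.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 10.3.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 192.168.147.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.147.0 0.0.0.255 10.1.0.0 0.0.255.255
"""

# Crypto ACL of the site-B router, copied from the post.
SITE_B_ROUTER = """
access-list 100 permit ip 192.168.124.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 100 permit ip 192.168.124.0 0.0.0.255 10.1.0.0 0.0.255.255
"""

# Object groups and crypto ACLs of the HO ASA (mask form), copied from the post.
HUB_ASA = """
object-group network site-A
 network-object 10.3.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_104
 network-object 10.1.0.0 255.255.0.0
 network-object 192.6.14.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 182.72.41.32 255.255.255.248
 network-object 192.168.124.0 255.255.255.0
access-list Outside_7_cryptomap extended permit ip object-group DM_INLINE_NETWORK_104 object-group site-A
access-list Outside_3_cryptomap extended permit ip 192.6.14.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list Outside_3_cryptomap extended permit ip 10.1.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_4
"""


def _take_spec(specs, groups, wildcard):
    """Consume one address spec from an ACL entry; return (networks, remaining tokens)."""
    if specs[0] == "object-group":
        return groups[specs[1]], specs[2:]
    if specs[0] == "any":
        return [IPv4Network("0.0.0.0/0")], specs[1:]
    if specs[0] == "host":
        return [IPv4Network(specs[1])], specs[2:]
    addr, mask = specs[0], specs[1]
    if wildcard:  # IOS numbered ACL: invert the wildcard bits to get a netmask
        mask = str(IPv4Address(~int(IPv4Address(mask)) & 0xFFFFFFFF))
    return [IPv4Network((addr, mask))], specs[2:]


def parse_config(text):
    """Return {acl_name: [(src_networks, dst_networks), ...]} for 'permit ip' entries."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and current is not None:
            current.append(IPv4Network((tok[1], tok[2])))
        elif tok[0] == "access-list":
            name, rest = tok[1], tok[2:]
            if rest and rest[0] == "extended":  # ASA keyword, absent on IOS
                rest = rest[1:]
            if rest[:2] != ["permit", "ip"]:
                continue  # deny entries and non-IP protocols are not modelled here
            src, rest = _take_spec(rest[2:], groups, wildcard=name.isdigit())
            dst, _ = _take_spec(rest, groups, wildcard=name.isdigit())
            acls.setdefault(name, []).append((src, dst))
    return acls


def selected(acl, src, dst):
    """True if some entry of the crypto ACL matches src -> dst (the flow is 'interesting')."""
    return any(any(src in n for n in s) and any(dst in n for n in d) for s, d in acl)


def path_report(src, dst, a_cfg=SITE_A_ROUTER, b_cfg=SITE_B_ROUTER, hub_cfg=HUB_ASA):
    """Check each crypto ACL a site-A -> site-B packet meets on its way through the hub.

    The originating spoke and the hub's ACL toward the far spoke are checked in
    the packet's own direction; the hub's ACL toward the near spoke and the far
    spoke's ACL are checked mirrored (dst -> src), since that is what the
    receiving peer must permit on decapsulation and use to encrypt the reply.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    hub = parse_config(hub_cfg)
    return {
        "site_a_router": selected(parse_config(a_cfg)["100"], src, dst),
        "hub_to_site_a": selected(hub["Outside_7_cryptomap"], dst, src),
        "hub_to_site_b": selected(hub["Outside_3_cryptomap"], src, dst),
        "site_b_router": selected(parse_config(b_cfg)["100"], dst, src),
    }


if __name__ == "__main__":
    # Hypothetical phone at site-A calling a hypothetical phone at site-B, then HO.
    for flow in (("192.168.0.50", "192.168.124.50"), ("192.168.0.50", "10.1.0.10")):
        print(flow, path_report(*flow))
```

For the spoke-to-spoke flow every entry in the report is False: none of the four crypto ACLs names the other spoke's addresses, so the packet never enters a tunnel, while the same phone's flow to HO passes the site-A router and the hub's site-A map as expected. Passing a modified config into `path_report` (for instance the site-A ACL with one host-to-host entry appended) shows how the check changes, which is a convenient way to confirm that an addition is scoped to the phone addresses rather than to whole subnets. The script models crypto ACLs only; the NAT exemption lists shown in the post (ACL 110 on the site-B router, the nat0 ACLs on the ASA) and the ASA's handling of traffic that enters and leaves the same outside interface (`same-security-traffic permit intra-interface`) are separate conditions that the report does not evaluate.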


salman abid
Level 1

Hi,

Can I get an expert's opinion on the same?
