10-25-2006 01:57 PM - edited 02-21-2020 02:41 PM
Scenario: I have 2 PIXes (PIX1 and PIX2) at remote sites each connected with a site-to-site VPN to the
central ASA (ASA1). I can ping to and from the ASA1 from either site but I can't ping from one remote
site to the other remote site (PIX1 to PIX2).
PIX1 Internet traffic goes through ASA1 through the VPN to PIX1.
Internet traffic for PIX2 is through its gateway.
I'm using the "Enhanced Spoke-to-Spoke config" example to assist me but I still can't get it to work:
l
In reference to the above document:
I'm using site-to-site VPNs between the Hub (ASA1) and spokes (PIX1 and PIX2).
ASA1 = PIX1 in the config example (internal network of 172.17.16.0)
PIX2 = PIX2 in the config example (internal network of 10.100.101.0)
PIX3 = PIX3 in the config example (internal network of 10.100.102.0)
[Please see attached file as I am unable to post it directly here]
I would prefer to do this method, but if not possible, should I be creating a 3rd VPN connection between PIX2 and PIX3 instead?
10-26-2006 12:15 AM
the link above was cutoff, see below:
in the example above, do you have to use a dynamic L2L? or can you use Static L2Ls for both tunnels?
10-28-2006 04:55 PM
Hello,
Spent a bit going over your configuration - I hope what I've found fixes you.
Basically from your symptoms, it sounds like the VPN tunnels are up and running (so we're not troubleshooting keys and all that), so let me break down what I was looking for in each configuration:
1) NAT
2) same security (on the ASA)
3) interesting traffic matching (match-address)
4) routing
So here's what I found:
ASA1
Had same-security-traffic intra interface :GOOD
Had no nat statements for all networks it was trying to reach over VPN. : GOOD
Interesting Traffic:
map20 --> 172.x to 10.100.102.x peer XXX.XX: needs change
map40 --> any to 10.100.101.x peer XXX.YY : GOOD
map 60 --> ANY to 10.100.103.0 peer XXX.ZZ: don't know - peer not in file
Crypto map 20 needs to say from the hub to the spoke *and* the spoke to the other spoke is marked for encryption. You currently have:
access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0
You also need
access-list Outside_cryptomap_20_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
PIX 2
Everything looked good here:
NAT: everything is not natted
Interesting traffic: everything is sent over VPN and matches crypto map at hub.
Route: routing exists
PIX 3
Has a few issues:
NAT: only has no nat to hub - you need no nat to other spoke as well. You currently have:
access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 Volvo 255.255.255.0
You also need this command:
access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
Interesting traffic: only has traffic to hub - you need traffic to other spoke as well. You currently have:
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 Volvo 255.255.255.0
you also need this command:
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
Routing looked good.
I think where you got in trouble is that example has dynamic VPNs for one of the spokes and didn't give you the L2L configuration you'd need for that portion.
You'll have to clear the SAs on the ASA and Pix3 once you've made the changes on both ends:
Perform PIX commands in config mode:
clear crypto isakmp sa
!--Clears the Phase 1 SAs
clear crypto ipsec sa
!--Clears the Phase 2 SAs
I hope this helps, don't forget to rate!
--Jason
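The four-point check Jason walks through above (NAT exemption, hairpinning, crypto-ACL coverage, routing) can be mechanised for the two ACL-driven parts. The script below is an added example, not anything from the thread or from Cisco: it parses constructed PIX/ASA `access-list ... permit ip` fragments that mirror the thread's addressing (172.17.16.0/24 at the hub, 10.100.101.0/24 behind PIX2, 10.100.102.0/24 behind PIX3, the `name` object `Volvo` standing for the hub network), then reports, for every ordered spoke pair, whether the hub's crypto map toward the destination spoke, and the source spoke's crypto and nat0 ACLs, all match that pair. The ACL names on the spokes, the `HUB_PEER_ACL` mapping and the fragments themselves are assumptions for the demo; routing and Phase 1/2 state are not checked.

```python
"""Spoke-to-spoke coverage check for a hub-and-spoke IPsec design (added example).
Config fragments below are constructed to mirror the thread; they are not the
poster's configuration. Checks crypto ACLs, nat0 ACLs and hairpinning only."""
import ipaddress

Net = ipaddress.IPv4Network


def _addr(tokens, i, names):
    """Parse one PIX/ASA address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    addr = names.get(tok, tok)  # resolve `name <ip> <label>` objects such as Volvo
    return Net(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return {acl_name: [(src, dst), ...]} for every 'permit ip' ACE in the fragment."""
    names, acls = {}, {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "name":
            names[tokens[2]] = tokens[1]
            continue
        if not tokens or tokens[0] != "access-list":
            continue
        body = tokens[2:]
        if body and body[0] == "extended":  # ASA syntax; PIX 6.x omits the keyword
            body = body[1:]
        if body[:2] != ["permit", "ip"]:
            continue  # deny ACEs and other protocols do not select VPN traffic here
        src, i = _addr(body, 2, names)
        dst, _ = _addr(body, i, names)
        acls.setdefault(tokens[1], []).append((src, dst))
    return acls


def covers(entries, src, dst):
    """True if some ACE in `entries` matches all src -> dst traffic."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_spoke_to_spoke(hub_cfg, hub_peer_acl, spokes):
    """Return findings for every ordered spoke pair; an empty list means fully covered.
    hub_peer_acl: {spoke: crypto ACL the hub's crypto map uses toward that spoke}
    spokes: {spoke: {"net": cidr, "cfg": text, "crypto": acl, "nat0": acl}}"""
    findings = []
    if "same-security-traffic permit intra-interface" not in hub_cfg:
        findings.append("hub: hairpinning disabled (no same-security-traffic permit intra-interface)")
    hub_acls = parse_config(hub_cfg)
    spoke_acls = {n: parse_config(s["cfg"]) for n, s in spokes.items()}
    for a, sa in spokes.items():
        for b, sb in spokes.items():
            if a == b:
                continue
            src, dst = Net(sa["net"]), Net(sb["net"])
            # The hub must re-encrypt a's traffic in the crypto map entry that selects peer b.
            if not covers(hub_acls.get(hub_peer_acl[b], []), src, dst):
                findings.append(f"hub: {hub_peer_acl[b]} (peer {b}) lacks {src} -> {dst}")
            # Spoke a must both NAT-exempt and mark for encryption its traffic toward b.
            for kind in ("nat0", "crypto"):
                if not covers(spoke_acls[a].get(sa[kind], []), src, dst):
                    findings.append(f"{a}: {kind} ACL {sa[kind]} lacks {src} -> {dst}")
    return findings


# Constructed fragments (assumed ACL names on the spokes) reproducing the thread's state.
HUB_CFG = """
same-security-traffic permit intra-interface
access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_40 extended permit ip any 10.100.101.0 255.255.255.0
"""
PIX2_CFG = """
access-list inside_outbound_nat0_acl permit ip 10.100.101.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
"""
PIX3_CFG = """
name 172.17.16.0 Volvo
access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 Volvo 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 Volvo 255.255.255.0
"""
HUB_FIX = "access-list Outside_cryptomap_20_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0\n"
PIX3_FIX = """
access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
"""
HUB_PEER_ACL = {"PIX2": "Outside_cryptomap_40", "PIX3": "Outside_cryptomap_20_1"}


def audit(hub_cfg, pix2_cfg, pix3_cfg):
    spokes = {
        "PIX2": {"net": "10.100.101.0/24", "cfg": pix2_cfg,
                 "crypto": "outside_cryptomap_20", "nat0": "inside_outbound_nat0_acl"},
        "PIX3": {"net": "10.100.102.0/24", "cfg": pix3_cfg,
                 "crypto": "outside_cryptomap_20", "nat0": "inside_outbound_nat0_acl"},
    }
    return check_spoke_to_spoke(hub_cfg, HUB_PEER_ACL, spokes)


if __name__ == "__main__":
    for f in audit(HUB_CFG, PIX2_CFG, PIX3_CFG):
        print(f)
    print("after fix:", audit(HUB_CFG + HUB_FIX, PIX2_CFG, PIX3_CFG + PIX3_FIX) or "all pairs covered")
```

Run as-is, the audit reports exactly the three gaps the answer above identifies (the hub's map-20 ACL and PIX3's nat0 and crypto ACLs all lack the 10.100.102.0/24 and 10.100.101.0/24 pair); appending the fix lines clears them. Note that the hub's `any`-source ACE toward PIX2 is why nothing was missing in that direction, and that remote SAs built from the old ACLs still have to be cleared after the change, as the answer says.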