12-07-2013 04:23 AM
Hello,
I've got trouble getting this to work:
Location A
ASA5505 (10.1.2.0/24)
EasyVPN Server (VPN Pool 172.20.2.0/24)
Location B
878w (192.168.0.0/24)
Between A and B there is a site-to-site VPN (both devices are behind a provider gateway; I've set up static routes on it).
Traffic between A and B works fine!
Now I'd like to allow VPN users (172.20.2.0) access to Location B, and here the problems begin.
My first step was to add the 172 subnet to the access list on Location B.
When I send a ping from Location B to the 172 subnet, the VPN tunnel between A and B goes down....?!
Can anyone give me a tip where to go? Do I need to set up static routes on the 878?
Here are my configs:
LOCATION A (ASA)
: Saved
:
ASA Version 9.1(3)
!
hostname vpn
domain-name home
enable password ENCRYPTED encrypted
names
ip local pool VPN-Pool 172.20.2.1-172.20.2.10 mask 255.255.255.0
ip local pool VPN-Pool2 10.254.254.1-10.254.254.10 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.230 255.255.255.0
!
interface Vlan2
shutdown
nameif outside
security-level 0
ip address dhcp
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.2.250
domain-name home
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN-Firma
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.1.2.0_24
subnet 10.1.2.0 255.255.255.0
object network NETWORK_OBJ_172.20.2.0_28
subnet 172.20.2.0 255.255.255.240
access-list inside_cryptomap extended permit ip 10.1.2.0 255.255.255.0 object LAN-Firma
access-list inside_access_in extended permit ip any any
access-list VPN2LAN_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0
access-list VPNCERT_splitTunnelAcl remark LAN Home
access-list VPNCERT_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24 destination static NETWORK_OBJ_172.20.2.0_28 NETWORK_OBJ_172.20.2.0_28 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 10.1.2.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 1 match address inside_cryptomap
crypto map inside_map 1 set peer 195.248.54.231
crypto map inside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map inside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
crl configure
crypto ca trustpoint Carmen
keypair Carmen
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 4f8689e745b986ab4420b66164e20fe4
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 61198fc3000100000016
quit
crypto ca certificate chain Carmen
certificate 61225231000100000019
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.1.2.1-10.1.2.32 inside
dhcpd dns 10.1.2.250 10.1.2.254 interface inside
dhcpd domain home interface inside
dhcpd option 3 ip 10.1.2.254 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.0.253
group-policy GroupPolicy_195.248.54.231 internal
group-policy GroupPolicy_195.248.54.231 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy VPN2LAN internal
group-policy VPN2LAN attributes
dns-server value 10.1.2.250
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN2LAN_splitTunnelAcl
default-domain value home
group-policy VPNCERT internal
group-policy VPNCERT attributes
dns-server value 10.1.2.250
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCERT_splitTunnelAcl
default-domain value home
username USERNAME password PASSWD encrypted
username USERNAME attributes
password-storage enable
service-type remote-access
username admin password PASSWD encrypted
username USERNAME1 password PASSWD encrypted privilege 15
username USERNAME1 attributes
vpn-idle-timeout none
password-storage enable
tunnel-group PUBLIC-IP Location B type ipsec-l2l
tunnel-group PUBLIC-IP Location B general-attributes
default-group-policy GroupPolicy_PUBLIC-IP Location B
tunnel-group PUBLIC-IP Location B ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group VPN2LAN type remote-access
tunnel-group VPN2LAN general-attributes
address-pool VPN-Pool
default-group-policy VPN2LAN
tunnel-group VPN2LAN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPNCERT type remote-access
tunnel-group VPNCERT general-attributes
address-pool VPN-Pool
default-group-policy VPNCERT
tunnel-group VPNCERT ipsec-attributes
ikev1 trust-point ASDM_TrustPoint1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0f21b500871a9a1e0dc008a34c45ec36
: end
LOCATION B (878w)
Building configuration...
Current configuration : 1783 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
no aaa new-model
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
ip cef
!
!
!
!
username admin privilege 15 password 0 PASSWORD
!
!
controller DSL 0
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key PSK address PUBLIC-IP LOCATION A
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to LOCATION A
set peer PUBLIC-IP LOCATION A
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.0.250 255.255.255.0
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.253
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.20.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input all
!
end
12-07-2013 04:36 AM
Hi,
Why are you only using a single interface on each device? It seems like you have connected the LAN side of each device to your Internet router instead of dedicating one interface to be the WAN interface.
- Jouni
12-07-2013 05:34 AM
Yes, that's right! Both devices are connected to the LAN with one interface. I'm using the devices just for the VPN connection, no routing.
12-07-2013 06:04 AM
Hi,
Can't say I have seen a setup like this before, or at least done in this way.
It seems to me that there are at least problems on the ASA side.
Seems to me that you have 2 VPN Client configurations, so I am not sure which needs the additions since they use the same VPN Pool. You need to add the remote network to the Split Tunnel ACL:
access-list VPN2LAN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list VPNCERT_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
Then it also seems that you have not added the VPN Pool to the Encryption Domain of the L2L VPN connection:
access-list inside_cryptomap extended permit ip 172.20.2.0 255.255.255.240 object LAN-Firma
Because of your setup (using a single interface) I am not sure if you even need a separate NAT0 configuration for this traffic, but if it were needed you could add this:
object network VPN-POOL
subnet 172.20.2.0 255.255.255.240
object network REMOTE-LAN
subnet 192.168.0.0 255.255.255.0
nat (inside,inside) source static VPN-POOL VPN-POOL destination static REMOTE-LAN REMOTE-LAN
I am not sure where the problem with the VPN going down comes from. It might be related to the fact that you are missing configurations on the ASA side and have only added configurations to the Router side, which makes the L2L VPN configurations so that they don't match.
- Jouni
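Jouni's point that the two ends of the L2L tunnel no longer match can be checked mechanically. The Python script below is an added example, not code from this thread or from Cisco: it parses the crypto ACL (encryption domain) on each side and lists every entry that has no exact mirror image on the peer; the config excerpts are constructed from the posted configs (ACL name inside_cryptomap, router ACL 100), and the ASA entry Jouni suggests is included, which makes the /28 versus /24 mask difference against the router's entry visible as well.

```python
import ipaddress
import re

# Constructed excerpts of this thread's crypto ACLs (not the full configs), plus the /28 ASA entry Jouni suggests.
ASA_CFG = """
object network LAN-Firma
 subnet 192.168.0.0 255.255.255.0
access-list inside_cryptomap extended permit ip 10.1.2.0 255.255.255.0 object LAN-Firma
access-list inside_cryptomap extended permit ip 172.20.2.0 255.255.255.240 object LAN-Firma
"""
IOS_CFG = """
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 172.20.2.0 0.0.0.255
"""

def asa_objects(cfg):
    """Map ASA 'object network' names to their subnets."""
    objs, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs

def _asa_net(toks, objs):
    # Consume one ASA address spec ('object NAME' or 'NET MASK'); return (network, rest)
    if toks[0] == "object":
        return objs[toks[1]], toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]

def asa_crypto_acl(cfg, name):
    """(src, dst) networks permitted by the ASA extended ACL a crypto map matches on."""
    objs, pairs = asa_objects(cfg), set()
    pat = re.compile(rf"access-list {re.escape(name)} extended permit ip (.+)$")
    for line in cfg.splitlines():
        m = pat.match(line.strip())
        if m:
            src, rest = _asa_net(m.group(1).split(), objs)
            dst, _ = _asa_net(rest, objs)
            pairs.add((src, dst))
    return pairs

def ios_crypto_acl(cfg, number):
    """(src, dst) networks of an IOS numbered ACL; wildcard masks are inverted to netmasks."""
    def net(addr, wild):  # e.g. 0.0.0.255 -> 255.255.255.0
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
        return ipaddress.ip_network(f"{addr}/{mask}")
    pairs = set()
    pat = re.compile(rf"access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)$")
    for line in cfg.splitlines():
        m = pat.match(line.strip())
        if m:
            pairs.add((net(m.group(1), m.group(2)), net(m.group(3), m.group(4))))
    return pairs

def mirror_mismatches(asa_pairs, ios_pairs):
    """Entries lacking an exact mirror image on the peer: (asa_only, ios_only_mirrored)."""
    mirrored = {(dst, src) for (src, dst) in ios_pairs}
    return asa_pairs - mirrored, mirrored - asa_pairs

def report(asa_cfg=ASA_CFG, ios_cfg=IOS_CFG):
    asa_only, ios_only = mirror_mismatches(
        asa_crypto_acl(asa_cfg, "inside_cryptomap"), ios_crypto_acl(ios_cfg, 100))
    return ([f"ASA {s} -> {d}: no mirror on router" for s, d in sorted(asa_only, key=str)]
            + [f"Router {d} -> {s}: no mirror on ASA" for s, d in sorted(ios_only, key=str)])
```

With the excerpts as posted, report() flags the ASA's 172.20.2.0/28 entry and the router's 172.20.2.0/24 entry as having no mirror image of each other; once both sides use the same mask the list is empty.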
12-08-2013 01:39 AM
I did it as you described, but the tunnel always goes down when I send traffic to the 172 subnet...
12-11-2013 06:53 AM
It looks like the 172 net is routed via the default route 0.0.0.0 0.0.0.0 192.168.0.253. Is there a way to exclude the 172 net from the default route?