01-21-2009 05:02 PM
I have a LAN-to-LAN using 2 ASAs. From site B I cannot ping anything on the site A network. From site A I can ping site B, and then site B is able to ping that IP at site A for a while, and then it will time out after some inactivity. I will attach the relevant part of my configs. One question I have is that site A specifies a few servers on its side, but on site B it specifies the whole subnet. Do these access-lists have to match up perfectly? I only want site B to have access to certain servers at site A. If there is a better way to limit the traffic, let me know.
Site A
OBJECT GROUPS
object-group network vpn
network-object 10.23.16.0 255.255.240.0
network-object 172.16.200.0 255.255.252.0
object-group network vpn.resources
network-object 192.168.1.10 255.255.255.255
network-object 192.168.1.5 255.255.255.255
network-object 192.168.1.8 255.255.255.255
network-object 192.168.1.68 255.255.255.255
network-object 192.168.1.121 255.255.255.255
network-object 192.168.1.176 255.255.255.255
network-object 192.168.1.144 255.255.255.255
network-object 192.168.1.156 255.255.255.255
No NAT Access List
access-list inside.nat0.outbound extended permit ip object-group vpn.resources object-group vpn log
access-list inside.nat0.outbound extended permit ip object-group vpn object-group vpn.resources log
Crypto Access List
access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log
!--- PHASE 1 CONFIGURATION ---!
crypto ipsec transform-set MDSet esp-3des esp-md5-hmac
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
!--- PHASE 2 CONFIGURATION ---!
crypto map myDCP 150 match address MD_VPN
crypto map myDCP 150 set peer xx.xx.xx.66
crypto map myDCP 150 set transform-set MDSet
crypto map myDCP 150 set security-association lifetime seconds 86400
tunnel-group xx.xx.xx.66 type ipsec-l2l
tunnel-group xx.xx.xx.66 ipsec-attributes
pre-shared-key *
Site B
!--- PHASE 1 CONFIGURATION ---!
isakmp key * address xx.xx.xx.130 netmask 255.255.255.255
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
No NAT Access List
access-list nonat permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
Crypto Access List
access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
!--- PHASE 2 CONFIGURATION ---!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map ahmd1 45 match address dcp
crypto map ahmd1 45 set peer xx.xx.xx.130
crypto map ahmd1 45 set transform-set 3des
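A way to check the two crypto ACLs posted above for the mirror-image relationship that Cisco requires between L2L peers, written as an added example for this thread (it is not the poster's code and not a Cisco tool). It expands site A's object-groups, collects every (source, destination) pair from both crypto ACLs, and reports each pair that has no exact mirror on the other side, saying whether the other side only has narrower entries, a broader entry, or nothing at all. Function names and the verdict labels are my own; the ACL and object-group text is copied from the thread.

```python
"""Mirror-image check for the two crypto ACLs posted in this thread.

Added example, not part of the thread. Site A uses object-groups, so the
checker expands them; site B uses plain subnet/mask entries. For every
(local, remote) pair on one side it looks for the exact (remote, local)
twin on the other side and classifies what it finds instead.
"""
import ipaddress

# Object-groups and crypto ACL copied from the thread (site A).
SITE_A = """
object-group network vpn
 network-object 10.23.16.0 255.255.240.0
 network-object 172.16.200.0 255.255.252.0
object-group network vpn.resources
 network-object 192.168.1.10 255.255.255.255
 network-object 192.168.1.5 255.255.255.255
 network-object 192.168.1.8 255.255.255.255
 network-object 192.168.1.68 255.255.255.255
 network-object 192.168.1.121 255.255.255.255
 network-object 192.168.1.176 255.255.255.255
 network-object 192.168.1.144 255.255.255.255
 network-object 192.168.1.156 255.255.255.255
access-list MD_VPN extended permit ip object-group vpn.resources object-group vpn log
access-list MD_VPN extended permit ip object-group vpn object-group vpn.resources log
"""

# Crypto ACL copied from the thread (site B).
SITE_B = """
access-list dcp permit ip 10.23.16.0 255.255.240.0 192.168.1.0 255.255.255.0
"""


def parse_groups(config):
    """Map each 'object-group network' name to its list of networks."""
    groups, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["object-group", "network"]:
            current = tokens[2]
            groups[current] = []
        elif tokens[:1] == ["network-object"] and current:
            if tokens[1] == "host":
                groups[current].append(ipaddress.ip_network(tokens[2]))
            else:
                groups[current].append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}"))
    return groups


def parse_acl(config, name, groups):
    """Return the set of (src, dst) network pairs permitted by crypto ACL `name`."""
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or "permit" not in tokens:
            continue
        rest = tokens[tokens.index("ip") + 1:]  # everything after 'permit ip'
        ends = []
        while len(ends) < 2:  # first the source spec, then the destination spec
            if rest[0] == "object-group":
                ends.append(groups[rest[1]]); rest = rest[2:]
            elif rest[0] == "host":
                ends.append([ipaddress.ip_network(rest[1])]); rest = rest[2:]
            elif rest[0] == "any":
                ends.append([ipaddress.ip_network("0.0.0.0/0")]); rest = rest[1:]
            else:  # plain 'address mask'
                ends.append([ipaddress.ip_network(f"{rest[0]}/{rest[1]}")]); rest = rest[2:]
        for s in ends[0]:
            for d in ends[1]:
                pairs.add((s, d))
    return pairs


def mirror_report(a_pairs, b_pairs):
    """List (side, src, dst, verdict) for every pair lacking an exact mirror.

    verdict: 'covered-by-broader' if the other side has a wider entry that
    contains the mirror, 'only-narrower' if it has only entries contained in
    the mirror, 'absent' if nothing on the other side overlaps it.
    """
    findings = []
    for side, mine, theirs in (("A", a_pairs, b_pairs), ("B", b_pairs, a_pairs)):
        for s, d in sorted(mine, key=str):
            if (d, s) in theirs:
                continue
            if any(d.subnet_of(ts) and s.subnet_of(td) for ts, td in theirs):
                verdict = "covered-by-broader"
            elif any(ts.subnet_of(d) and td.subnet_of(s) for ts, td in theirs):
                verdict = "only-narrower"
            else:
                verdict = "absent"
            findings.append((side, str(s), str(d), verdict))
    return findings


def check_thread_configs():
    """Run the mirror check on the two ACLs posted in the thread."""
    a_pairs = parse_acl(SITE_A, "MD_VPN", parse_groups(SITE_A))
    b_pairs = parse_acl(SITE_B, "dcp", {})
    return mirror_report(a_pairs, b_pairs)


if __name__ == "__main__":
    for side, src, dst, verdict in check_thread_configs():
        print(f"site {side}: {src} -> {dst}: {verdict}")
```

On the configs as posted, the checker reports that site B's single entry (10.23.16.0/20 to 192.168.1.0/24) has only narrower counterparts at site A (the individual host entries), that site A's entries involving 172.16.200.0/22 have nothing at site B, and that site A's lines whose source is 10.23.16.0/20 or 172.16.200.0/22 have no mirror at all. A crypto ACL is written from the local side (local source, remote destination) and the ASA evaluates inbound traffic against its mirror, so the reverse-direction lines at site A add proxy identities that site B never offers.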
01-21-2009 06:13 PM
It looks like the 192 network is at site A and the 10.23.16.0 and 172 networks are at site B?
At site B only a packet sourced from the 10.23.16.0 network should be able to bring up the tunnel according to this, but your access lists at site A are a bit confusing. Can you post the whole config from both sites?