3634 Views, 0 Helpful, 28 Replies

VPN site to site & VPN client on ASA 5520 on same outside

Hi, I am Jonathan Rivero.

I have an ASA 5520, version 8.0(2). I configured the VPN site to site and it works fine; on the other appliance I configured the VPN client for remote users, and it works fine. But I try to configure the two VPNs on the ASA 5520 on the same outside interface and I have the line "crypto map outside_map interface outside" (for the VPN client), but when I configure "crypto map VPNL2L interface outside", it overwrites the command, and therefore I can only have one connection.

The show run:

ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 7esAUjZmKQSFDCZX encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.3.2 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 200.20.20.1 255.255.255.0
!
interface Ethernet0/1.1
 vlan 1
 nameif outside1
 security-level 0
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network net-local
 network-object 172.16.0.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
object-group network net-remote
 network-object 172.16.100.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
 network-object 172.16.102.0 255.255.255.0
 network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
 network-object 192.168.11.0 255.255.255.0
access-list nat-outside extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn
pager lines 24
mtu inside 1500
mtu outside 1500
mtu outside1 1500
ip local pool ippool 192.168.11.1-192.168.11.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 100 burst-size 10
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat-outside
route outside 0.0.0.0 0.0.0.0 200.20.20.1 1
route inside 172.16.0.0 255.255.255.0 172.16.3.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.2 1
route inside 172.16.2.0 255.255.255.0 172.16.3.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy vpngroup1 internal
group-policy vpngroup1 attributes
 banner value ++++Welcome to Cisco Systems 7.0.+++++
 dns-server value 192.168.0.1 192.168.1.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittun-vpngroup1
 default-domain value ad-domain.local
 split-dns value ad-domain.local
 address-pools value ippool
username asa1 password VRTlLlJ48/PoDKjS encrypted privilege 15
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
 pre-shared-key *
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
 address-pool ippool
 default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end

ASA2(config)#sh run

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map VPNL2L interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
pre-shared-key cisco

My topology:

[topology ASA_VPN.PNG]

I tried the following links, but they didn't work:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080912cfd.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Best Regards...
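As an added illustration (not code from this thread or from Cisco), the following Python script parses the crypto map lines of an ASA configuration and flags the layout problem described in the post: a second "crypto map ... interface outside" silently replaces the first, a map that ends up unbound never negotiates, and dynamic entries must carry the highest sequence numbers. The two embedded configs are constructed from the crypto sections posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample (crypto section of the ASA1 config posted above): the L2L
# entries live in VPNL2L, but only outside_map is bound to the outside interface.
BROKEN_CFG = """
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map VPNL2L 1 match address nonat
crypto map VPNL2L 1 set peer 200.30.30.1
crypto map VPNL2L 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# What happens when the second binding from the post is typed in: the ASA keeps
# only the last "crypto map ... interface outside" line (constructed sample).
OVERWRITE_CFG = BROKEN_CFG + "crypto map VPNL2L interface outside\n"

# Constructed sample of the merged layout the thread ends up with: one map (vpns),
# static entry 1 for the peer, dynamic entry 65535 sorted last.
MERGED_CFG = """
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_crypto_maps(cfg):
    """Collect crypto map entries and interface bindings from an ASA config.

    Returns (maps, bound, overwritten):
      maps[name][seq] -> attribute strings of that entry
      bound[iface]    -> the map that ends up on the interface (last one wins,
                         which is the behaviour the original post ran into)
      overwritten     -> list of (iface, old_map, new_map) replacements
    """
    maps = defaultdict(lambda: defaultdict(list))
    bound, overwritten = {}, []
    for raw in cfg.splitlines():
        line = raw.strip()
        m = BIND_RE.match(line)
        if m:
            name, iface = m.groups()
            if iface in bound and bound[iface] != name:
                overwritten.append((iface, bound[iface], name))
            bound[iface] = name
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, seq, attrs = m.groups()
            maps[name][int(seq)].append(attrs)
    return maps, bound, overwritten


def audit(cfg):
    """Return a list of findings; an empty list means the crypto map layout is sound."""
    maps, bound, overwritten = parse_crypto_maps(cfg)
    findings = [f"{iface}: binding {new} replaced {old}; {old} is no longer active"
                for iface, old, new in overwritten]
    active = set(bound.values())
    for name, entries in maps.items():
        if name not in active:
            findings.append(f"{name}: defined but not bound to any interface; its entries never match")
            continue
        static = [s for s, a in entries.items() if any(x.startswith("set peer ") for x in a)]
        dynamic = [s for s, a in entries.items() if any(x.startswith("ipsec-isakmp dynamic ") for x in a)]
        # Dynamic entries are wildcards: they must sort after every static peer entry,
        # otherwise the L2L peer would be matched by the dynamic template first.
        if static and dynamic and min(dynamic) < max(static):
            findings.append(f"{name}: dynamic entry {min(dynamic)} sorts before static entry "
                            f"{max(static)}; give dynamic entries the highest sequence numbers")
        for seq in static:
            for needed in ("match address ", "set transform-set "):
                if not any(x.startswith(needed) for x in entries[seq]):
                    findings.append(f"{name} {seq}: static entry lacks '{needed.strip()}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("overwrite", OVERWRITE_CFG), ("merged", MERGED_CFG)):
        print(label, audit(cfg) or ["OK"])
```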

28 Replies

Hi Karsten/riswanr74,

Yes, yesterday I tried from LAN to LAN, but now I re-configured the 2 ASAs (same configuration, copy and paste) and now tested the tunnel; on TresASA1 both tunnels are up (site to site and remote), but on TresASA2 traffic doesn't pass across the tunnel. I entered the show crypto ipsec sa command and saw that the numbers (#pkts encaps: #pkts encrypt: , #pkts digest: 99) mismatch....

The access-list configuration is:

TresASA1(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

TresASA1(config)# sh run crypto
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto dynamic-map dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn_map 65535 set transform-set ESP-3DES-SHA
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.30.30.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns 65535 ipsec-isakmp dynamic dyn_map
crypto map vpns interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

TresASA1(config)# sh run tunnel
tunnel-group 200.30.30.1 type ipsec-l2l
tunnel-group 200.30.30.1 ipsec-attributes
 pre-shared-key *****
tunnel-group vpngroup1 type remote-access
tunnel-group vpngroup1 general-attributes
 address-pool ippool
 default-group-policy vpngroup1
tunnel-group vpngroup1 ipsec-attributes
 pre-shared-key *****

TresASA1(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat

TresASA1(config)# sh run global
global (outside) 1 interface
TresASA1(config)#

---------------------------------------

TresASA2(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat1 extended permit ip object-group net-local object-group net-remote

TresASA2(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 access-list nat

TresASA2(config)# sh run cryt
TresASA2(config)# sh run cryptoi
TresASA2(config)# sh run cryptto
TresASA2(config)# sh run crypto
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 400000
crypto map vpns 1 match address nonat1
crypto map vpns 1 set peer 200.20.20.1
crypto map vpns 1 set transform-set ESP-3DES-MD5
crypto map vpns interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

TresASA2(config)# sh run globa
global (outside) 1 interface
TresASA2(config)#

Thanks!!!

So you have packets flowing from ASA2 to ASA1 but nothing comes back. Are there any relevant log messages on ASA1 while testing?

While testing you could do a packet capture on ASA1 to see if the test packets come back to the ASA (in the following form, not during peak hours):

ASA# capture CAP1 interface inside real-time


OK, this is the output:

TresASA1(config)# capture CAP1 interface inside real-time
Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.
Use ctrl-c to terminate real-time capture
   1: 16:50:50.959239 172.16.103.1 > 172.16.3.1: icmp: echo request
   2: 16:50:52.959316 172.16.103.1 > 172.16.3.1: icmp: echo request
   3: 16:50:54.959667 172.16.103.1 > 172.16.3.1: icmp: echo request
   4: 16:50:56.959972 172.16.103.1 > 172.16.3.1: icmp: echo request
   5: 16:50:58.959911 172.16.103.1 > 172.16.3.1: icmp: echo request
   6: 16:51:00.960323 172.16.103.1 > 172.16.3.1: icmp: echo request
   7: 16:51:02.960353 172.16.103.1 > 172.16.3.1: icmp: echo request
   8: 16:51:04.960613 172.16.103.1 > 172.16.3.1: icmp: echo request
   9: 16:51:06.960948 172.16.103.1 > 172.16.3.1: icmp: echo request
  10: 16:51:08.960994 172.16.103.1 > 172.16.3.1: icmp: echo request
  11: 16:51:10.961376 172.16.103.1 > 172.16.3.1: icmp: echo request
  12: 16:51:12.961421 172.16.103.1 > 172.16.3.1: icmp: echo request
  13: 16:51:14.961650 172.16.103.1 > 172.16.3.1: icmp: echo request
  14: 16:51:16.962001 172.16.103.1 > 172.16.3.1: icmp: echo request
  15: 16:51:18.962062 172.16.103.1 > 172.16.3.1: icmp: echo request
  16: 16:51:20.962413 172.16.103.1 > 172.16.3.1: icmp: echo request
  17: 16:51:22.962505 172.16.103.1 > 172.16.3.1: icmp: echo request
  18: 16:51:24.962734 172.16.103.1 > 172.16.3.1: icmp: echo request
  19: 16:51:26.963054 172.16.103.1 > 172.16.3.1: icmp: echo request
  20: 16:51:28.963115 172.16.103.1 > 172.16.3.1: icmp: echo request
  21: 16:51:30.963527 172.16.103.1 > 172.16.3.1: icmp: echo request
  22: 16:51:32.963527 172.16.103.1 > 172.16.3.1: icmp: echo request
  23: 16:51:34.963756 172.16.103.1 > 172.16.3.1: icmp: echo request
  24: 16:51:36.964122 172.16.103.1 > 172.16.3.1: icmp: echo request
  25: 16:51:38.964183 172.16.103.1 > 172.16.3.1: icmp: echo request
  26: 16:51:40.964564 172.16.103.1 > 172.16.3.1: icmp: echo request
  27: 16:51:42.964610 172.16.103.1 > 172.16.3.1: icmp: echo request
  28: 16:51:44.964809 172.16.103.1 > 172.16.3.1: icmp: echo request
  29: 16:51:46.965190 172.16.103.1 > 172.16.3.1: icmp: echo request
  30: 16:51:48.965221 172.16.103.1 > 172.16.3.1: icmp: echo request
  31: 16:51:50.965602 172.16.103.1 > 172.16.3.1: icmp: echo request
  32: 16:51:52.965678 172.16.103.1 > 172.16.3.1: icmp: echo request
  33: 16:51:54.965892 172.16.103.1 > 172.16.3.1: icmp: echo request
  34: 16:51:56.966273 172.16.103.1 > 172.16.3.1: icmp: echo request
  35: 16:51:58.966273 172.16.103.1 > 172.16.3.1: icmp: echo request
  36: 16:52:00.966640 172.16.103.1 > 172.16.3.1: icmp: echo request
  37: 16:52:02.966716 172.16.103.1 > 172.16.3.1: icmp: echo request
  38: 16:52:04.966929 172.16.103.1 > 172.16.3.1: icmp: echo request
  39: 16:52:06.967326 172.16.103.1 > 172.16.3.1: icmp: echo request
  40: 16:52:08.967357 172.16.103.1 > 172.16.3.1: icmp: echo request
  41: 16:52:10.967723 172.16.103.1 > 172.16.3.1: icmp: echo request
  42: 16:52:12.967784 172.16.103.1 > 172.16.3.1: icmp: echo request
  43: 16:52:14.967982 172.16.103.1 > 172.16.3.1: icmp: echo request
  44: 16:52:16.968348 172.16.103.1 > 172.16.3.1: icmp: echo request
  45: 16:52:18.968410 172.16.103.1 > 172.16.3.1: icmp: echo request
  46: 16:52:20.968776 172.16.103.1 > 172.16.3.1: icmp: echo request
  47: 16:52:22.968852 172.16.103.1 > 172.16.3.1: icmp: echo request
  48: 16:52:24.969111 172.16.103.1 > 172.16.3.1: icmp: echo request
  49: 16:52:26.969432 172.16.103.1 > 172.16.3.1: icmp: echo request
  50: 16:52:28.969462 172.16.103.1 > 172.16.3.1: icmp: echo request
  51: 16:52:30.969874 172.16.103.1 > 172.16.3.1: icmp: echo request
  52: 16:52:32.969951 172.16.103.1 > 172.16.3.1: icmp: echo request
  53: 16:52:34.970118 172.16.103.1 > 172.16.3.1: icmp: echo request
  54: 16:52:36.970469 172.16.103.1 > 172.16.3.1: icmp: echo request
  55: 16:52:38.970546 172.16.103.1 > 172.16.3.1: icmp: echo request
  56: 16:52:40.970912 172.16.103.1 > 172.16.3.1: icmp: echo request
  57: 16:52:42.970973 172.16.103.1 > 172.16.3.1: icmp: echo request
  58: 16:52:44.971171 172.16.103.1 > 172.16.3.1: icmp: echo request
  59: 16:52:46.971522 172.16.103.1 > 172.16.3.1: icmp: echo request
  60: 16:52:48.971583 172.16.103.1 > 172.16.3.1: icmp: echo request
  61: 16:52:50.971949 172.16.103.1 > 172.16.3.1: icmp: echo request
  62: 16:52:52.972117 172.16.103.1 > 172.16.3.1: icmp: echo request
  63: 16:52:54.972239 172.16.103.1 > 172.16.3.1: icmp: echo request
  64: 16:52:56.972651 172.16.103.1 > 172.16.3.1: icmp: echo request
  65: 16:52:57.772939 arp who-has 172.16.3.4 tell 172.16.3.8
  66: 16:52:58.972651 172.16.103.1 > 172.16.3.1: icmp: echo request
  67: 16:53:00.973017 172.16.103.1 > 172.16.3.1: icmp: echo request
  68: 16:53:02.973109 172.16.103.1 > 172.16.3.1: icmp: echo request
  69: 16:53:04.973292 172.16.103.1 > 172.16.3.1: icmp: echo request
  70: 16:53:07.001678 172.16.103.1 > 172.16.3.1: icmp: echo request
  71: 16:53:09.001754 172.16.103.1 > 172.16.3.1: icmp: echo request
  72: 16:53:11.002197 172.16.103.1 > 172.16.3.1: icmp: echo request
  73: 16:53:13.002197 172.16.103.1 > 172.16.3.1: icmp: echo request
  74: 16:53:15.002456 172.16.103.1 > 172.16.3.1: icmp: echo request
  75: 16:53:17.002761 172.16.103.1 > 172.16.3.1: icmp: echo request
  76: 16:53:19.002822 172.16.103.1 > 172.16.3.1: icmp: echo request
  77: 16:53:21.003173 172.16.103.1 > 172.16.3.1: icmp: echo request
  78: 16:53:23.003372 172.16.103.1 > 172.16.3.1: icmp: echo request
  79: 16:53:25.003494 172.16.103.1 > 172.16.3.1: icmp: echo request
  80: 16:53:27.003829 172.16.103.1 > 172.16.3.1: icmp: echo request
  81: 16:53:29.003890 172.16.103.1 > 172.16.3.1: icmp: echo request
  82: 16:53:31.004424 172.16.103.1 > 172.16.3.1: icmp: echo request
  83: 16:53:33.004333 172.16.103.1 > 172.16.3.1: icmp: echo request
  84: 16:53:35.004592 172.16.103.1 > 172.16.3.1: icmp: echo request
  85: 16:53:37.004867 172.16.103.1 > 172.16.3.1: icmp: echo request
  86: 16:53:39.004913 172.16.103.1 > 172.16.3.1: icmp: echo request
  87: 16:54:19.243410 arp who-has 172.16.3.5 tell 172.16.3.4
  88: 16:57:58.513767 arp who-has 172.16.3.8 tell 172.16.3.4
  89: 16:58:11.834841 arp who-has 172.16.3.1 tell 172.16.3.5
89 packets shown.
0 packets not shown due to performance limitations.
TresASA1(config)#

Let me tell you that when I ping from 172.16.103.1 to 172.16.3.1 the ping is unsuccessful, but when I ping from 172.16.3.1 to 172.16.103.1 the ping is successful.

CORE_Tres(config)#do sh ip interface br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    up
Vlan2                  172.16.2.1      YES manual up                    up
Vlan4                  172.16.4.1      YES manual up                    up
Vlan5                  172.16.5.1      YES manual up                    up
Vlan7                  172.16.7.1      YES manual up                    up
Vlan8                  172.16.8.1      YES manual up                    up
Vlan9                  172.16.9.1      YES manual up                    up
Vlan10                 172.16.10.1     YES manual up                    up
Vlan11                 172.16.11.1     YES manual up                    up
Vlan99                 172.16.99.1     YES manual up                    up
Vlan101                unassigned      YES NVRAM  administratively down down
Vlan152                172.16.3.1      YES NVRAM  up                    up
Vlan153                unassigned      YES manual up                    up
FastEthernet2/0/1      unassigned      YES manual down                  down
FastEthernet2/0/2      unassigned      YES manual down                  down
FastEthernet2/0/3      unassigned      YES unset  down                  down
FastEthernet2/0/4      unassigned      YES unset  down                  down
FastEthernet2/0/5      unassigned      YES unset  up                    up
FastEthernet2/0/6      unassigned      YES unset  down                  down
FastEthernet2/0/7      unassigned      YES unset  down                  down
FastEthernet2/0/8      unassigned      YES unset  down                  down
FastEthernet2/0/9      unassigned      YES unset  up                    up

CORE_Tres(config)#do ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

CORE_Tres(config)#do telnet 172.16.103.1
Trying 172.16.103.1 ... Open
User Access Verification
Username: tresland
Password:
TresLAND#

So I think the packets do not come back to TresASA2....

What do you think?

Could it be that 172.16.3.1 is filtering the incoming ICMP packets?

Mmm, no, this is the access-list configured on TresASA1:

TresASA1(config)# sh run access-list
access-list nat extended permit ip object-group net-local any
access-list nonat extended permit ip object-group net-local object-group net-remote
access-list nonat extended permit ip object-group net-local object-group net-poolvpn
access-list nonat1 extended permit ip object-group net-local object-group net-remote
access-list splittun-vpngroup1 extended permit ip object-group net-local object-group net-poolvpn

Not the ASA, the router that you try to ping.

Hi there,

Please make sure your internal switch has a static route in place to push all remote network segments (which are going over the IPSec tunnel) to its local firewall inside address. This static route must exist on the internal switch at both ends.

Thanks

Yes...

TresASA2(config)# sh run object-group
object-group network net-local
 network-object 172.16.100.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
 network-object 172.16.102.0 255.255.255.0
 network-object 172.16.103.0 255.255.255.0
object-group network net-remote
 network-object 172.16.0.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
 network-object 172.16.6.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
 network-object 172.16.8.0 255.255.255.0
 network-object 172.16.9.0 255.255.255.0
 network-object 172.16.11.0 255.255.255.0

TresASA2(config)# sh run route
route outside 0.0.0.0 0.0.0.0 200.30.30.2 1
route inside 172.16.100.0 255.255.255.0 172.16.103.2 1
route inside 172.16.101.0 255.255.255.0 172.16.103.2 1
route inside 172.16.102.0 255.255.255.0 172.16.103.2 1
route inside 172.16.103.0 255.255.255.0 172.16.103.2 1

TresASA2(config)# ping 172.16.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

TresASA2(config)# ping 172.16.101.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.101.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA2(config)# ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TresASA2(config)# ping 172.16.102.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.102.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA2(config)#

TresLAND(config-if)#exit
TresLAND(config)#do sh run | inc ip route
ip route 0.0.0.0 0.0.0.0 172.16.103.2

TresLAND(config)#ping 172.16.103.1
                  ^
% Invalid input detected at '^' marker.

TresLAND(config)#do ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
TresLAND(config)#

-----------------------------------------------------------------------------------------------------

TresASA1(config)# sh run object-group
object-group network net-local
 network-object 172.16.0.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
 network-object 172.16.6.0 255.255.255.0
 network-object 172.16.7.0 255.255.255.0
 network-object 172.16.8.0 255.255.255.0
 network-object 172.16.9.0 255.255.255.0
 network-object 172.16.11.0 255.255.255.0
object-group network net-remote
 network-object 172.16.100.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
 network-object 172.16.102.0 255.255.255.0
 network-object 172.16.103.0 255.255.255.0
object-group network net-poolvpn
 network-object 192.168.11.0 255.255.255.0

TresASA1(config)# sh run route
route outside 0.0.0.0 0.0.0.0 200.20.20.2 1
route inside 172.16.1.0 255.255.255.0 172.16.3.1 1
route inside 172.16.2.0 255.255.255.0 172.16.3.1 1
route inside 172.16.4.0 255.255.255.0 172.16.3.1 1
route inside 172.16.5.0 255.255.255.0 172.16.3.1 1
route inside 172.16.6.0 255.255.255.0 172.16.3.1 1
route inside 172.16.7.0 255.255.255.0 172.16.3.1 1
route inside 172.16.8.0 255.255.255.0 172.16.3.1 1
route inside 172.16.9.0 255.255.255.0 172.16.3.1 1
route inside 172.16.10.0 255.255.255.0 172.16.3.1 1
route inside 172.16.11.0 255.255.255.0 172.16.3.1 1

TresASA1(config)# ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

TresASA1(config)# ping 172.16.11.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.11.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
TresASA1(config)#

CORE_Tres>en
Password:
CORE_Tres#sh run | inc ip route
ip route 0.0.0.0 0.0.0.0 172.16.3.2

CORE_Tres#sh ip interface br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  up                    up
Vlan2                  172.16.2.1      YES manual up                    up
Vlan4                  172.16.4.1      YES manual up                    up
Vlan5                  172.16.5.1      YES manual up                    up
Vlan7                  172.16.7.1      YES manual up                    up
Vlan8                  172.16.8.1      YES manual up                    up
Vlan9                  172.16.9.1      YES manual up                    up
Vlan10                 172.16.10.1     YES manual up                    up
Vlan11                 172.16.11.1     YES manual up                    up
Vlan99                 172.16.99.1     YES manual up                    up
Vlan101                unassigned      YES NVRAM  administratively down down
Vlan152                172.16.3.1      YES NVRAM  up                    up
Vlan153                unassigned      YES manual up                    up
FastEthernet2/0/1      unassigned      YES manual down                  down
FastEthernet2/0/2      unassigned      YES manual down                  down
FastEthernet2/0/3      unassigned      YES unset  down                  down
FastEthernet2/0/4      unassigned      YES unset  down                  down
FastEthernet2/0/5      unassigned      YES unset  up                    up
FastEthernet2/0/6      unassigned      YES unset  down                  down
FastEthernet2/0/7      unassigned      YES unset  down                  down
FastEthernet2/0/8      unassigned      YES unset  down                  down
FastEthernet2/0/9      unassigned      YES unset  up                    up
CORE_Tres#

Please post your current config from both firewalls as an attachment.

Thanks

OK, the configuration is attached in Notepad.

Can you please add this static route on both devices?

Please add this static route on ASA2

route outside 172.16.0.0 255.255.0.0 200.30.30.2

Please add this static route on ASA1, as well.

route outside 172.16.0.0 255.255.0.0 200.20.20.2

Please remove this line from ASA2.

crypto isakmp identity address

Please update.

thanks

Hi rizwanr74,

After creating the route, the VPN site to site pings successfully (LAN to LAN) and at the same time the VPN remote is successful.

TresLAND#sh ip interface br
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  administratively down down
GigabitEthernet0/1         172.16.103.1    YES manual up                    up
Serial0/2/0                unassigned      YES unset  administratively down down
Serial0/2/1                unassigned      YES unset  administratively down down
Loopback0                  172.16.100.1    YES manual up                    up
Loopback1                  172.16.101.1    YES manual up                    up
Loopback2                  172.16.102.1    YES manual up                    up
Loopback4                  unassigned      YES unset  up                    up

TresLAND#ping 172.16.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CORE_Tres#ping 172.16.103.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.103.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
CORE_Tres#

Now the most complicated thing is the explanation... I think it is about forcing the ASA with the new route outside; why this, if I have the default route outside (route 0.0.0.0 0.0.0.0)?

"I think it is about forcing the ASA with the new route outside; why this?"

Without the route, the ASA pushes traffic to inside by default.

Anyway, this must have been a learning experience.

I hope this has been of any help.

Please rate all helpful posts.

Thanks

Rizwan Rafeek.

I understand. I tried with GNS3 in version 8.0.2 and I didn't have trouble, but as you tell me, "experience".

Thanks for all, and this is my MSN: a24042004@hotmail.com
