07-06-2012 11:28 AM
Main office has an ASA 5520, new office has an ASA 5510. Problem is no traffic goes out when the 5510 is installed: no internet, no network connection to servers. I had a guy assist me but he cannot figure it out either. I have both config files attached. Any help/input would be great as I am not sure what the next step is.
07-06-2012 10:38 PM
Hi Joe!
On the ASA 5520, traffic destined for the 192.168.200.0 network will be routed to 192.168.2.23, so it doesn't go through the VPN tunnel, and the tunnel will not be established at all.
Type
"no route Inside 192.168.200.0 255.255.255.0 192.168.2.23 1". It must help.
Rate helpful answer
07-07-2012 11:36 AM
Also I do see the access-group for pointing the ACL is missing..... in the ASA 5510... also remove that static route as well..
07-08-2012 12:36 AM
Natarajan, show me where that access group is, please. In the 5510 config a static route for Inside does not exist, and there is nothing to remove, I think.
07-08-2012 03:47 AM
Sorry... nope... I asked you to remove the static route in the 5520...
07-08-2012 04:27 AM
I do see the policies also having the problem..... let me share my own config for these sites.... hope that helps you....
07-08-2012 04:46 AM
Please have the below configurations in the firewalls and have only the default route...... This should work.....
ASA 5510
=========
access-list outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound extended permit
access-list outbound extended deny ip any any
!
access-group outbound in interface inside
!
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 access-list Outside_1_cryptomap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 24.105.190.106
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 24.105.190.106 type ipsec-l2l
tunnel-group 24.105.190.106 ipsec-attributes
 pre-shared-key cisco
!
ASA 5520
=========
access-list outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound extended permit
access-list outbound extended deny ip any any
!
access-group outbound in interface inside
!
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 access-list Outside_1_cryptomap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 24.97.189.34
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 24.97.189.34 type ipsec-l2l
tunnel-group 24.97.189.34 ipsec-attributes
 pre-shared-key cisco
!
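Added example (not part of any poster's reply and not a Cisco tool): a Python check for the two points raised in this thread, a static route that sends a tunnel's remote network out a non-crypto interface, and crypto ACLs that must mirror each other on the two peers. The sample config lines are copied from the posts above; the function names are hypothetical, and treating interface names as case-insensitive is an assumption.

```python
import ipaddress
import re

# Sample lines taken from the thread: the 5520 static route named in the
# first reply, and the crypto ACL / crypto map lines from the posted configs.
ASA_5520 = """\
route Inside 192.168.200.0 255.255.255.0 192.168.2.23 1
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map interface Outside
"""
ASA_5510 = """\
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map interface Outside
"""

NET = r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"  # "address mask" pair

def crypto_pairs(cfg):
    """Return (local, remote) networks of every ACL bound to a crypto map."""
    bound = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M))
    pairs = []
    for name, s, sm, d, dm in re.findall(
            rf"^access-list (\S+) extended permit ip {NET} {NET}", cfg, re.M):
        if name in bound:
            pairs.append((ipaddress.ip_network(f"{s}/{sm}"),
                          ipaddress.ip_network(f"{d}/{dm}")))
    return pairs

def diverting_routes(cfg):
    """Routes covering a tunnel's remote network via a non-crypto interface."""
    # Assumption: interface names are compared case-insensitively.
    crypto_ifs = {i.lower() for i in
                  re.findall(r"^crypto map \S+ interface (\S+)", cfg, re.M)}
    remotes = [remote for _, remote in crypto_pairs(cfg)]
    hits = []
    for ifc, n, m, gw in re.findall(rf"^route (\S+) {NET} (\S+)", cfg, re.M):
        net = ipaddress.ip_network(f"{n}/{m}")
        if ifc.lower() not in crypto_ifs and any(net.overlaps(r) for r in remotes):
            hits.append((ifc, str(net), gw))
    return hits

def acls_mirrored(cfg_a, cfg_b):
    """True when each peer's crypto ACL is the other's with source/dest swapped."""
    return set(crypto_pairs(cfg_a)) == {(r, l) for l, r in crypto_pairs(cfg_b)}

if __name__ == "__main__":
    print("5520 diverting routes:", diverting_routes(ASA_5520))
    print("crypto ACLs mirrored:", acls_mirrored(ASA_5520, ASA_5510))
```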
07-16-2012 07:28 AM
Ok..the remote office can get to the internet now, but no access to any network drives or server. I must be overlooking something or it is another issue? Thanks for the help so far...
07-16-2012 08:47 AM
Hi Joe,
Great, internet works now for you. Site to site is not working for those sites? Please let me know if you seek any help.
Thanks
Please rate if the given info helps
By
Karthik
07-16-2012 08:54 AM
Sure, I will take any help offered. You are correct; site to site, the remote office cannot see or connect to anything on the network. With that, no personal drives are mapped, no public folders, no email through Exchange. I have the server and workstations at the remote office set to use the 5510 as the gateway. But with no network access I had to set the office back the way it was so co-workers could access needed files.