Question : Cisco ASA Lan to Lan VPN configuration problem
I have two remote sites, one with an ASA 5510, call it site A, and one with an ASA 5505, call it site B.
I have been trying like crazy to create a VPN between these two locations, initially with the Site-to-Site VPN wizard, but lately I have been trying to use the CLI. I followed numerous Cisco guides to help with the commands, but I cannot seem to get the VPN to come up at all.
The results of "show crypto isakmp sa" and "show crypto ipsec sa" are both "There are no isakmp/ipsec sas", so I don't think the VPN is coming up at all. Any pings from one LAN to the other fail.
There is one unique part about my setup. I am trying to link the DMZ subnet (10.7.20.0) of my site A with the Inside subnet (10.10.20.0) of my site B. Also, I have a few public IPs at each location, and so I have NAT set up between some of the DMZ hosts (site A) and Inside hosts (site B). Does this prompt for something extra in the VPN configuration? I know that most L2L VPNs are set up between both Inside interfaces, but that isn't what I need here. I need the DMZ segment at site A to be able to communicate with the Inside segment at site B.
I have tried troubleshooting this configuration but have been unable to get any type of communication to go through, so I must be missing something. Please help if possible.
Here are the applicable sections of the config:
Site A:
...
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
shutdown
nameif Inside2
security-level 100
ip address 192.168.4.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.7.20.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 66.20.20.162 255.255.255.224
ospf cost 10
!
...
...
access-list outside_access_in extended permit tcp any host 66.20.20.170 eq www
access-list lan2lan_list extended permit ip 10.7.20.0 255.255.255.0 10.10.20.0 255.255.255.0
...
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Inside2) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
static (DMZ,outside) 66.20.20.170 10.7.11.50 netmask 255.255.255.255
static (DMZ,inside) 66.20.20.170 10.7.11.50 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.20.20.161 1
route DMZ 10.10.20.0 255.255.255.0 72.20.20.34 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2lmap 1 match address lan2lan_list
crypto map l2lmap 1 set peer 72.20.20.34
crypto map l2lmap 1 set transform-set FirstSet
crypto map l2lmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
...
...
tunnel-group 72.20.20.34 type ipsec-l2l
tunnel-group 72.20.20.34 ipsec-attributes
pre-shared-key *****
...
...
Site B:
...
!
interface Vlan1
nameif inside
security-level 99
ip address 10.10.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.20.20.34 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.20.20.1 255.255.255.0
!
...
...
access-list outside_access_in extended permit tcp any host 72.20.20.36 eq 13500
access-list lan2lan_list extended permit ip 10.10.20.0 255.255.255.0 10.7.20.0 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
...
static (inside,outside) 72.20.20.36 10.10.20.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.20.20.33 1
route outside 10.7.20.0 255.255.255.0 66.20.20.162 1
...
...
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2lmap 1 match address lan2lan_list
crypto map l2lmap 1 set peer 66.20.20.162
crypto map l2lmap 1 set transform-set FirstSet
crypto map l2lmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp reload-wait
...
tunnel-group 66.20.20.162 type ipsec-l2l
tunnel-group 66.20.20.162 ipsec-attributes
pre-shared-key *****
Any help would be greatly appreciated. Thanks.
Answer : Cisco ASA Lan to Lan VPN configuration problem
Hi,
Yes, because it is trying to load one of the broken .mov files (AntrimIntro.mov).
If you can get all the .mov files to play it will work ok.
Chris.