Question: Cisco ASA LAN-to-LAN VPN configuration problem

I have two remote sites, one with an ASA 5510, call it site A, and one with an ASA 5505, call it site B.

I have been trying like crazy to create a VPN between these two locations, initially with the Site-to-Site VPN wizard, but lately I have been trying to use the CLI. I followed numerous Cisco guides to help with the commands, but I cannot seem to get the VPN to come up at all.

The results of "show crypto isakmp sa" and "show crypto ipsec sa" are both "There are no isakmp/ipsec sas", so I don't think the VPN is coming up at all. Any pings from one LAN to the other fail.

There is one unique part about my setup. I am trying to link the DMZ subnet (10.7.20.0) of my site A with the inside subnet (10.10.20.0) of my site B. Also, I have a few public IPs at each location, so I have NAT set up between some of the DMZ hosts (site A) and inside hosts (site B). Does this call for something extra in the VPN configuration? I know that most L2L VPNs are set up between both inside interfaces, but that isn't what I need here. I need the DMZ segment at site A to be able to communicate with the inside segment at site B.

I have tried troubleshooting this configuration but have been unable to get any type of communication to go through, so I must be missing something. Please help if possible.

Here are the applicable sections of the config:

Site A:

...
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/1
 shutdown
 nameif Inside2
 security-level 100
 ip address 192.168.4.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.7.20.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address 66.20.20.162 255.255.255.224
 ospf cost 10
!
...
...
access-list outside_access_in extended permit tcp any host 66.20.20.170 eq www
access-list lan2lan_list extended permit ip 10.7.20.0 255.255.255.0 10.10.20.0 255.255.255.0
...
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (Inside2) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
static (DMZ,outside) 66.20.20.170 10.7.11.50 netmask 255.255.255.255
static (DMZ,inside) 66.20.20.170 10.7.11.50 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.20.20.161 1
route DMZ 10.10.20.0 255.255.255.0 72.20.20.34 1
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2lmap 1 match address lan2lan_list
crypto map l2lmap 1 set peer 72.20.20.34
crypto map l2lmap 1 set transform-set FirstSet
crypto map l2lmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
...
...
tunnel-group 72.20.20.34 type ipsec-l2l
tunnel-group 72.20.20.34 ipsec-attributes
 pre-shared-key *****
...
...



Site B:

...
!
interface Vlan1
 nameif inside
 security-level 99
 ip address 10.10.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.20.20.34 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 10.20.20.1 255.255.255.0
!
...
...
access-list outside_access_in extended permit tcp any host 72.20.20.36 eq 13500
access-list lan2lan_list extended permit ip 10.10.20.0 255.255.255.0 10.7.20.0 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
...
static (inside,outside) 72.20.20.36 10.10.20.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.20.20.33 1
route outside 10.7.20.0 255.255.255.0 66.20.20.162 1
...
...
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map l2lmap 1 match address lan2lan_list
crypto map l2lmap 1 set peer 66.20.20.162
crypto map l2lmap 1 set transform-set FirstSet
crypto map l2lmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp reload-wait
...
tunnel-group 66.20.20.162 type ipsec-l2l
tunnel-group 66.20.20.162 ipsec-attributes
 pre-shared-key *****



Any help would be greatly appreciated. Thanks.
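Editor's note, added here and not part of the original post or of the answer below: on ASA 7.x/8.0-8.2 (the pre-8.3 NAT syntax the posted config uses), the crypto map's match ACL is evaluated after NAT, so the catch-all `nat (DMZ) 101 0.0.0.0 0.0.0.0` with `global (outside) 101 interface` at site A, and `nat (inside) 1 0.0.0.0 0.0.0.0` at site B, PAT the traffic to the outside interface address before `lan2lan_list` sees it; 66.20.20.162 -> 10.10.20.0/24 never matches, so neither side ever initiates IKE, which is exactly what "There are no isakmp sas" on both ends looks like. A second, independent problem at site A is `route DMZ 10.10.20.0 255.255.255.0 72.20.20.34 1`: it sends the remote LAN out the DMZ interface, where no crypto map is applied, instead of out `outside`. The fragments below show the standard fix for that generation of ASA, a NAT exemption (`nat 0 access-list`) on the interface that sources the interesting traffic, plus removal of the misrouting statements, and the checks to run afterwards. The ACL names `nonat_dmz` and `nonat_inside` and the DMZ test host 10.7.20.10 are assumptions of this example; every other address and interface name comes from the posted config. Separately, 3DES, MD5 and DH group 2 are legacy choices; once the tunnel is up, AES and SHA with a stronger group are preferable where both platforms support them.

```cisco
! Added example (technical editor), not the original poster's config.
! Assumes pre-8.3 ASA syntax, consistent with the nat-control / global /
! static commands in the post. ACL names nonat_dmz and nonat_inside and
! the DMZ test host 10.7.20.10 are invented for this example.
!
! ---------------- Site A (ASA 5510) ----------------
! Exempt DMZ -> remote-inside traffic from the "nat (DMZ) 101" PAT so it
! reaches the crypto map with its real 10.7.20.x source and matches
! lan2lan_list. nat 0 is evaluated before the numbered nat statements.
access-list nonat_dmz extended permit ip 10.7.20.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (DMZ) 0 access-list nonat_dmz
!
! The remote LAN must leave via "outside", where l2lmap is applied. The
! default route (66.20.20.161 on outside) already covers it, so the DMZ
! route is simply removed rather than replaced.
no route DMZ 10.10.20.0 255.255.255.0 72.20.20.34 1
!
! ---------------- Site B (ASA 5505) ----------------
! Mirror image: exempt inside -> remote-DMZ traffic from "nat (inside) 1".
access-list nonat_inside extended permit ip 10.10.20.0 255.255.255.0 10.7.20.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
!
! Harmless but unnecessary: the default route via 72.20.20.33 already
! reaches the peer and the remote network through the tunnel.
no route outside 10.7.20.0 255.255.255.0 66.20.20.162 1
!
! ---------------- Verification (shown from Site A) ----------------
! packet-tracer (ASA 7.2 and later) walks a synthetic packet through the
! route lookup, NAT and VPN phases and names the phase that drops it.
! Before the fix the flow is PATed (or misrouted) and never reaches a
! VPN phase; after the fix the trace ends in a VPN phase with ENCRYPT.
packet-tracer input DMZ icmp 10.7.20.10 8 0 10.10.20.10 detailed
!
! Then generate real traffic from a host on the DMZ (ping 10.10.20.10)
! while watching phase 1 negotiate; level 127 shows the IKE exchange
! and any mismatch (PSK, policy, identity) in clear text.
clear crypto isakmp sa
debug crypto isakmp 127
!
! Both of these should now list an SA instead of "There are no ... sas".
show crypto isakmp sa
show crypto ipsec sa
undebug all
```

Apply both halves: a NAT exemption on only one side leaves that side able to initiate but the other side still translating its replies, which shows up as phase 2 completing with encaps counters rising on one peer and decaps staying at zero on the other in `show crypto ipsec sa`.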

Answer: Cisco ASA LAN-to-LAN VPN configuration problem

Hi,

Yes, because it is trying to load one of the broken .mov files (AntrimIntro.mov).

If you can get all the .mov files to play it will work ok.

Chris.