site to site not working

    My site-to-site is not working from A to B. Can anyone help? It is stuck at phase 1.

    Site A:

    crypto keyring KP-keyring vrf KP
    pre-shared-key address 60.51.196.53 key 215GMaP1

    crypto isakmp profile KP-ike-prfl
    match identity address 60.51.196.53 255.255.255.255 KP
    crypto map KP-MAP 11 ipsec-isakmp
    description KP:KPMMF
    set peer 60.51.196.53
    set transform-set AES-SHA
    set isakmp-profile KP-ike-prfl
    match address KP-KPMMF-ACL
    reverse-route

    ip access-list extended KP-KPMMF-ACL
    permit ip 10.210.0.0 0.0.0.255 10.215.10.0 0.0.0.255
    permit ip 10.210.0.0 0.0.0.255 10.215.11.0 0.0.0.255
    permit ip 10.255.255.0 0.0.0.255 host 192.168.0.150

    Site B:

    ASA Version 8.0(3)
    !
    hostname kewpie-MLK-ASA
    domain-name default.domain.invalid
    enable password ym1CwmrLnc/fndsu encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 60.51.196.54 255.255.255.252
    !
    interface Ethernet0/1
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/1.1
    vlan 10
    nameif Inside
    security-level 80
    ip address 192.168.0.1 255.255.255.0
    !
    interface Ethernet0/1.2
    vlan 20
    nameif visitor
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    access-list 100 extended permit icmp any any
    access-list 100 extended permit tcp any any
    access-list 100 extended permit ip any any
    access-list 101 extended permit icmp any any
    access-list 101 extended permit tcp any any eq 2828
    access-list 101 extended permit tcp any host 192.168.0.254 eq 2255
    access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    access-list SG_cryptomap extended permit ip 10.215.10.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 10.215.11.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.210.0.0 255.255.0.0
    access-list policy-nat-v extended permit ip 192.168.1.0 255.255.255.0 10.210.0.0 255.255.0.0
    global (outside) 1 interface
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 1 192.168.0.0 255.255.255.0
    nat (visitor) 1 192.168.1.0 255.255.255.0
    static (Inside,outside) tcp interface 2828 192.168.0.254 telnet netmask 255.255.255.255
    static (Inside,outside) 10.215.10.0 access-list policy-nat
    static (visitor,outside) 10.215.11.0 access-list policy-nat-v
    access-group 101 in interface outside
    access-group 100 in interface Inside
    access-group 100 in interface visitor
    route outside 0.0.0.0 0.0.0.0 60.51.196.53 1
    timeout xlate 3:00:00
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map VPN_map 10 match address VPN_cryptomap
    crypto map VPN_map 10 set peer 218.111.42.234
    crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
    crypto map VPN_map 20 match address SG_cryptomap
    crypto map VPN_map 20 set peer 202.68.211.20
    crypto map VPN_map 20 set transform-set ESP-AES-256-SHA
    crypto map VPN_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400

    tunnel-group 218.111.42.234 type ipsec-l2l
    tunnel-group 218.111.42.234 ipsec-attributes
    pre-shared-key *
    tunnel-group 202.68.211.20 type ipsec-l2l
    tunnel-group 202.68.211.20 ipsec-attributes
    pre-shared-key *

#2 Re: site to site not working

    It can't create Phase 2 SAs because the access lists defining the SAs don't match.

    The router at Site A uses these Phase 2 definitions:
    Originally posted by necro:
    ip access-list extended KP-KPMMF-ACL
    permit ip 10.210.0.0 0.0.0.255 10.215.10.0 0.0.0.255
    permit ip 10.210.0.0 0.0.0.255 10.215.11.0 0.0.0.255
    permit ip 10.255.255.0 0.0.0.255 host 192.168.0.150
    While the ASA at Site B uses the following definitions:
    Originally posted by necro:
    access-list SG_cryptomap extended permit ip 10.215.10.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 10.215.11.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.210.0.0 255.255.255.0
    For IPsec to work, these access lists must be exact mirror images of one another.

    Also, you have a NAT issue on the ASA, as the "Inside_nat0_outbound" access list does not match the Phase 2 definitions for the IPsec tunnel, which means the ASA will be NATing at least some of the traffic originating from Site B.
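To make the mirror-image rule and the NAT-exemption point above checkable, here is an added example (not from the thread or either poster) that parses the two crypto ACLs quoted above, normalises IOS wildcard masks and ASA subnet masks to networks, lists the entries with no (dst, src) mirror on the other side, and lists the ASA crypto entries that the Inside_nat0_outbound exemption does not cover. The ACL text is copied from the thread; the function names are my own.

```python
import ipaddress
# Constructed copies of the crypto ACLs quoted in the thread (Site A router, Site B ASA)
SITE_A_CRYPTO = """
permit ip 10.210.0.0 0.0.0.255 10.215.10.0 0.0.0.255
permit ip 10.210.0.0 0.0.0.255 10.215.11.0 0.0.0.255
permit ip 10.255.255.0 0.0.0.255 host 192.168.0.150
"""
SITE_B_CRYPTO = """
access-list SG_cryptomap extended permit ip 10.215.10.0 255.255.255.0 10.210.0.0 255.255.255.0
access-list SG_cryptomap extended permit ip 10.215.11.0 255.255.255.0 10.210.0.0 255.255.255.0
access-list SG_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.210.0.0 255.255.255.0
access-list SG_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.210.0.0 255.255.255.0
"""
SITE_B_NAT0 = "access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0"

def _network(addr, mask, wildcard):
    """IOS ACLs carry a wildcard (inverted) mask; ASA ACLs carry a normal subnet mask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(text, wildcard):
    """Return the set of (src, dst) networks from 'permit ip' entries; handles host/any."""
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok: continue
        tok = tok[tok.index("permit") + 1:]       # drop any 'access-list NAME extended' prefix
        if tok[:1] != ["ip"]: continue             # only plain 'permit ip' entries define SAs
        tok, ends = tok[1:], []
        while tok:
            if tok[0] == "host":
                ends.append(ipaddress.IPv4Network(tok[1] + "/32")); tok = tok[2:]
            elif tok[0] == "any":
                ends.append(ipaddress.IPv4Network("0.0.0.0/0")); tok = tok[1:]
            else:
                ends.append(_network(tok[0], tok[1], wildcard)); tok = tok[2:]
        pairs.add((ends[0], ends[1]))
    return pairs

def mirror_mismatches(local, remote):
    """Entries on each side with no exact (dst, src) counterpart on the other side."""
    return (sorted(local - {(d, s) for s, d in remote}),
            sorted(remote - {(d, s) for s, d in local}))

def nat_exempt_gaps(crypto, nat0):
    """Crypto ACL entries not covered by a NAT-exemption entry: that traffic gets NATed."""
    return sorted((s, d) for s, d in crypto
                  if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0))
```

Calling `mirror_mismatches(parse_acl(SITE_A_CRYPTO, True), parse_acl(SITE_B_CRYPTO, False))` reports the one Site A entry and the two Site B entries that have no mirror; `nat_exempt_gaps` against the nat0 ACL reports all four SG_cryptomap entries as uncovered.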
