From: operator sid (ccie1@live.co.uk)
Date: Thu Feb 19 2009 - 19:26:46 ARST
Hi All
I am having problems with an L2L IPsec VPN, as the tunnel is not initiating at
all... I have an ASA on the A-end and a PIX on the B-end. The ASA on the A-end is also
doing NAT of both source and destination, and it is also the tunnel endpoint.
The topology is like this. Note the LAN addresses specified are not directly
connected but behind the ASA and PIX.
(10.1.1.0/24) ----- A-end (ASA) ------------------ INTERNET ------------------ B-end (PIX) ----- (10.20.20.0/24)
NAT ON ASA:
10.1.1.1/32 (server) NAT'ed to 80.2.2.2/32 - so the B-end sees this server as 80.2.2.2
10.2.2.0/24 NAT to 10.20.20.0/24 - so the A-end sees the B-end subnet as 10.2.2.0/24
The problem is that the tunnel is not even initiating... I have attached the
config...
A-end ASA
ASA Version 7.2(3)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 90.1.1.1 255.255.255.128 standby 90.1.1.2
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 80.1.1.1 255.255.255.128 standby 80.1.1.2
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.10.32 10.20.20.0 255.255.255.0
access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255
access-list outside extended permit icmp any any
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list inside extended permit ip any any
access-list policy-nat-1 extended permit ip 10.0.0.0 255.0.0.0 any
access-list policy-nat-1 extended permit ip 172.16.0.0 255.240.0.0 any
global (outside) 1 100.1.1.1
nat (inside) 1 access-list policy-nat-1
static (inside,outside) 80.2.2.2 10.1.1.1 netmask 255.255.255.255
static (outside,inside) 10.2.2.0 10.20.20.0 netmask 255.255.255.0
access-group inside in interface inside
access-group outside in interface outside
route inside 172.16.0.0 255.240.0.0 90.1.1.5
route inside 10.0.0.0 255.0.0.0 90.1.1.5
route outside 0.0.0.0 0.0.0.0 80.1.1.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CRY-MAP 10 match address proxy_acl
crypto map CRY-MAP 10 set peer 60.1.1.1
crypto map CRY-MAP 10 set transform-set ESP-3DES-SHA
crypto map CRY-MAP 10 set security-association lifetime seconds 28800
crypto map CRY-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
!
tunnel-group 60.1.1.1 type ipsec-l2l
tunnel-group 60.1.1.1 ipsec-attributes
pre-shared-key *
B-end PIX
access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
access-list no_nat permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
nat (data) 0 access-list no_nat
crypto ipsec transform-set 3dessha1 esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address proxy-acl
crypto map vpn 10 set peer 80.1.1.1
crypto map vpn 10 set transform-set 3dessha1
crypto map vpn interface outside
isakmp key ******** address 80.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
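Added example (Python, written for this page; it is not part of the post above and not a Cisco tool). Because an L2L tunnel's phase-2 proxy identities are taken from the crypto ACLs, a first check on a tunnel that never comes up is whether every entry of one peer's proxy ACL appears with source and destination swapped in the other peer's, using the addresses as they look after NAT. The script parses the ASA (`extended`) and PIX `access-list ... permit ip` forms, reports entries it cannot parse instead of guessing, and compares the two proxy ACLs from the post, embedded here as constructed sample input; the first A-end entry is reproduced with the extra token it carries in the archived mail, so the parser flags it. A second, constructed pair that does mirror is included for contrast. `parse_crypto_acl`, `mirror_check`, `check_post_acls`, `check_symmetric_pair` and the ACL string constants are this example's own names.

```python
import ipaddress
import re

# Matches both the ASA form ("access-list NAME extended permit ip ...") and
# the PIX form ("access-list NAME permit ip ..."). Only protocol 'ip' and the
# address forms 'host A', 'A MASK' and 'any' are handled, which is what a
# crypto (proxy) ACL for an L2L tunnel normally contains.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+ip\s+(?P<rest>.+)$"
)


def _take_addr(tokens):
    """Consume one address spec from the front of tokens; return (network, rest)."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("'host' without an address")
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError("address without a mask")
    # ipaddress accepts a dotted mask after the slash; a non-contiguous mask or
    # host bits set in the network part raise ValueError, caught by the caller.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acl(text):
    """Return ([(src_net, dst_net), ...] for permit entries, [problem strings])."""
    entries, problems = [], []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace from wrapped mail
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            problems.append(f"unrecognised entry: {line}")
            continue
        if m.group("action") != "permit":
            continue  # deny entries never select traffic for the tunnel
        try:
            src, rest = _take_addr(m.group("rest").split())
            dst, rest = _take_addr(rest)
        except ValueError as exc:
            problems.append(f"{exc}: {line}")
            continue
        if rest:
            problems.append(f"trailing tokens {rest}: {line}")
            continue
        entries.append((src, dst))
    return entries, problems


def mirror_check(local_entries, remote_entries):
    """A proxy ACE (src -> dst) on one peer must appear as (dst -> src) on the other.

    Returns, per side, the entries that have no mirror image on the other side,
    rendered as 'src -> dst' strings in that side's own orientation.
    """
    local, remote = set(local_entries), set(remote_entries)
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return {
        "local_without_mirror": sorted(fmt(p) for p in local if (p[1], p[0]) not in remote),
        "remote_without_mirror": sorted(fmt(p) for p in remote if (p[1], p[0]) not in local),
    }


# Constructed sample input: the two proxy ACLs as they appear in the post. The
# first A-end entry keeps the stray token from the archived mail on purpose.
A_END_PROXY_ACL = """
access-list proxy_acl extended permit ip host 80.2.2.2 10.20.10.32 10.20.20.0 255.255.255.0
access-list proxy_acl extended permit ip 10.20.20.0 255.255.255.0 80.2.2.2 255.255.255.255
"""
B_END_PROXY_ACL = """
access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 8.2.2.2 255.255.255.255
"""


def check_post_acls():
    """Run the mirror check on the ACLs from the post (A-end is 'local')."""
    a_entries, a_problems = parse_crypto_acl(A_END_PROXY_ACL)
    b_entries, b_problems = parse_crypto_acl(B_END_PROXY_ACL)
    result = mirror_check(a_entries, b_entries)
    result["parse_problems"] = a_problems + b_problems
    return result


# Constructed contrast case (not from the post): a pair that does mirror.
SYMMETRIC_LOCAL = "access-list proxy_acl extended permit ip host 80.2.2.2 10.20.20.0 255.255.255.0"
SYMMETRIC_REMOTE = "access-list proxy-acl permit ip 10.20.20.0 255.255.255.0 host 80.2.2.2"


def check_symmetric_pair():
    local, _ = parse_crypto_acl(SYMMETRIC_LOCAL)
    remote, _ = parse_crypto_acl(SYMMETRIC_REMOTE)
    return mirror_check(local, remote)


if __name__ == "__main__":
    for title, res in (("post", check_post_acls()), ("constructed symmetric pair", check_symmetric_pair())):
        print(title)
        for key, value in res.items():
            print(f"  {key}: {value}")
```

Run as-is, the post's ACLs yield one A-end entry and one B-end entry with no mirror on the other side, plus one parse problem for the garbled A-end line, while the contrast pair reports nothing. The ASA and PIX imply the reverse direction of each proxy ACE themselves, so a crypto ACL is normally written once, local network to remote network, and each entry should reappear reversed on the peer; an entry that exists on one side only, or differs in host, mask or direction, is one of the usual reasons a tunnel either never sees interesting traffic or fails to agree on a phase-2 SA.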
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:12 ARST