Missing a NAT0 command
Not sure I saw outside_map_1 acl defined.
Call me a slacker, but typically I use ASDM to configure the Site-to-Site, then use CLI to check ACLs, phase 1 (show crypto isakmp sa) and phase 2 (show crypto ipsec sa).
Are you trying to do a static NAT translation to the outside world too?
I always run into problems with PSK. Other end doesn't support it typically.
HTH,
JB
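Pulling the three suggestions in this thread together (a NAT exemption, a mirrored host-to-host `ip` crypto ACL without port selectors, and `no sysopt connection permit-vpn` with filtering on the outside interface ACL), here is an added example configuration. It is not Yuri's config and not from any of the replies. It assumes the pre-8.3 ASA syntax implied by the posted `static (inside,outside)` line; the ACL names `nonat` and `outside_access_in` are placeholders chosen for this example; the `crypto map outside_map interface outside` binding is assumed because the posted config does not show it; the addresses and names are the ones from the original post. Which of the two NAT variants applies depends on whether the remote side expects to see 10.15.10.45 or 38.105.120.78 inside the tunnel, which is the question JB raises above.

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax, matching the
! posted "static (inside,outside)" command. The ACL names nonat and
! outside_access_in are placeholders chosen for this example.

! ---------------------------------------------------------------------
! Variant A: the remote side expects the real address 10.15.10.45
! ---------------------------------------------------------------------
! NAT exemption ("NAT0"): the static translation must not rewrite the
! source before the packet is matched against the crypto map ACL.
access-list nonat extended permit ip host SM-internal host 66.94.3.71
nat (inside) 0 access-list nonat

! Crypto (interesting traffic) ACL: protocol ip, host to host, no port
! selectors. The remote peer's crypto ACL must be the exact mirror:
!   permit ip host 66.94.3.71 host 10.15.10.45
access-list outside_SM extended permit ip host SM-internal host 66.94.3.71

! Decrypted traffic is no longer exempt from the outside interface ACL,
! so only TCP/9071 from the remote server to the local server is let in.
! Pre-8.3: the ACL sees the destination as it arrives in the packet,
! which in this variant is the real address.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp host 66.94.3.71 host SM-internal eq 9071
access-group outside_access_in in interface outside

! ---------------------------------------------------------------------
! Variant B: the remote side expects the translated address 38.105.120.78
! (substitute these lines for the three ACL lines above; no nat 0 needed)
! ---------------------------------------------------------------------
! Outbound NAT runs before crypto-map matching on the ASA, so the crypto
! ACL has to name the mapped address, and the remote mirror becomes
!   permit ip host 66.94.3.71 host 38.105.120.78
! access-list outside_SM extended permit ip host SM-external host 66.94.3.71
! access-list outside_access_in extended permit tcp host 66.94.3.71 host SM-external eq 9071

! Crypto map entry, one command per line (the posted version was wrapped
! together by the mail client), plus the interface binding the post omits.
crypto map outside_map 1 match address outside_SM
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside

! Verification: phase 1, phase 2 (encaps/decaps counters should both move),
! and the translation table to confirm the exemption (variant A) or the
! static xlate (variant B) is what the traffic actually hits.
show crypto isakmp sa
show crypto ipsec sa peer 66.94.3.71
show xlate
```

If `show crypto ipsec sa` shows packets encapsulated but none decapsulated, the remote crypto ACL is usually not the mirror of the local one; if neither counter moves, the traffic is not matching `outside_SM` at all, which is where the NAT-before-crypto ordering of variant A versus B typically bites.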
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Marcelo Pinheiro
Sent: Tuesday, October 19, 2010 6:42 PM
To: Ryan West
Cc: Cisco Fanatic; ccielab_at_groupstudy.com
Subject: Re: site-to-site vpn
Hi Yuri,
Make sure that:
- the crypto map ACL is mirrored. This can cause weird behaviors (packet loss, lost VPN connection, etc.).
- psk is OK
- transform-set is OK
If possible, try to debug (ipsec, isakmp).
HTH.
Marcelo Pinheiro
On Tue, Oct 19, 2010 at 8:32 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Probably want to avoid port selectors when configuring a site-to-site
> tunnel; it will affect performance. Your interesting traffic ACL should
> read 'access-list permit ip host <your host> host <their host>'. If you want
> to limit what comes across the tunnel, turn off sysopt permit-vpn and filter
> on your outside ACL.
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Cisco Fanatic
> Sent: Tuesday, October 19, 2010 7:25 PM
> To: ccielab_at_groupstudy.com
> Subject: site-to-site vpn
>
> I am trying to configure site-to-site vpn on an ASA. I don't have access to
> the other side of the equipment so can't really, but the person has been
> generous to share the parameters which I need to configure on my end to make
> it work. I just have a couple of hrs to get it working so that I can checklist
> on my things to do from my CCIE standpoint :(-.
>
> Appreciate any help.
>
> What I am trying to do is that there is a remote server - 66.94.3.71 and I
> have a local server 10.15.10.45 which should be seen by the outside world as
> 38.105.120.78.
>
> [Local] ---38.105.120.66 --- INTERNET --- 97.65.105.5 -- [Remote] ---
> 66.94.3.71
> !
> !
> 38.105.120.78
> !
> [10.15.10.45]
>
> Config
> ++++
>
> name 10.15.10.45 SM-internal
> name 38.105.120.78 SM-external
>
> static (inside,outside) SM-external SM-internal netmask 255.255.255.255
>
> object-group network mob_SM_Networks
> network-object 66.94.3.71 255.255.255.255
>
> object-group service SM tcp
> port-object eq 9071
>
> crypto isakmp enable outside
>
> crypto isakmp policy 1
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
>
>
> access-list outside_SM extended permit tcp host SM-internal host 66.94.3.71
> object-group SM
>
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
>
> crypto map outside_map 1 match address outside_SM
> crypto map outside_map 1 set peer 66.94.3.71
> crypto map outside_map 1 set transform-set ESP-3DES-SHA
> crypto map outside_map 1 set security-association lifetime seconds 3600
>
>
> tunnel-group 66.94.3.71 type ipsec-l2l
> tunnel-group 66.94.3.71 ipsec-attributes pre-shared-key *
>
> Thanks,
> -Yuri
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
Received on Tue Oct 19 2010 - 19:38:26 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART