This is the final config. Phase I is up, but Phase II is not coming up.
name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
object-group network Tmobile_SMPP_Networks
network-object 66.94.3.71 255.255.255.255
object-group service SMPP tcp
port-object eq 9071
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
access-list outside_SMPP extended permit tcp host SMPP-internal host 66.94.3.71 object-group SMPP
nat (inside) 0 access-list outside_SMPP
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_SMPP
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
tunnel-group 66.94.3.71 type ipsec-l2l
tunnel-group 66.94.3.71 ipsec-attributes
pre-shared-key *
> From: jpoplawski_at_starkinvestments.com
> To: marcelo_at_academiacisco.com.br; rwest_at_zyedge.com
> CC: ebay_products_at_hotmail.com; ccielab_at_groupstudy.com
> Date: Tue, 19 Oct 2010 19:38:26 -0500
> Subject: RE: site-to-site vpn
>
> Missing a NAT0 command
> Not sure I saw outside_map_1 acl defined.
>
> Call me a slacker, but typically I use ASDM to configure the site-to-site,
> then use the CLI to check the ACLs, phase 1 (show crypto isakmp sa) and
> phase 2 (show crypto ipsec sa).
>
> Are you trying to do a static NAT translation to the outside world too?
>
> I always run into problems with PSK. The other end doesn't support it,
> typically.
>
> HTH,
> JB
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Marcelo Pinheiro
> Sent: Tuesday, October 19, 2010 6:42 PM
> To: Ryan West
> Cc: Cisco Fanatic; ccielab_at_groupstudy.com
> Subject: Re: site-to-site vpn
>
> Hi Yuri,
>
> Make sure that:
> - the crypto map ACL is mirrored. This can cause weird behaviors (packet
> loss, lose vpn connection, etc).
> - psk is OK
> - transform-set is OK
>
> If possible, try to debug (ipsec, isakmp).
>
> HTH.
> Marcelo Pinheiro
>
> On Tue, Oct 19, 2010 at 8:32 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> > Probably want to avoid port selectors when configuring a site-to-site
> > tunnel; it will affect performance. Your interesting-traffic ACL should
> > read 'access-list permit ip host <your host> host <their host>'. If you
> > want to limit what comes across the tunnel, turn off sysopt permit-vpn and
> > filter on your outside ACL.
> >
> > -ryan
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Cisco Fanatic
> > Sent: Tuesday, October 19, 2010 7:25 PM
> > To: ccielab_at_groupstudy.com
> > Subject: site-to-site vpn
> >
> > I am trying to configure a site-to-site VPN on an ASA. I don't have access
> > to the other side of the equipment so can't really, but the person has been
> > generous enough to share the parameters which I need to configure on my end
> > to make it work. I just have a couple of hrs to get it working so that I can
> > check it off my to-do list from a CCIE standpoint :(-.
> >
> > Appreciate any help.
> >
> > What I am trying to do is that there is a remote server - 66.94.3.71 - and
> > I have a local server 10.15.10.45 which should be seen by the outside world
> > as 38.105.120.78.
> >
> > [Local] ---38.105.120.66 --- INTERNET --- 97.65.105.5 -- [Remote] ---
> > 66.94.3.71
> > !
> > !
> > 38.105.120.78
> > !
> > [10.15.10.45]
> >
> > Config
> > ++++
> >
> > name 10.15.10.45 SM-internal
> > name 38.105.120.78 SM-external
> >
> > static (inside,outside) SM-external SM-internal netmask 255.255.255.255
> >
> > object-group network mob_SM_Networks
> > network-object 66.94.3.71 255.255.255.255
> >
> > object-group service SM tcp
> > port-object eq 9071
> >
> > crypto isakmp enable outside
> >
> > crypto isakmp policy 1
> > authentication pre-share
> > encryption 3des
> > hash sha
> > group 2
> > lifetime 86400
> >
> >
> > access-list outside_SM extended permit tcp host SM-internal host 66.94.3.71 object-group SM
> >
> >
> > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> >
> > crypto map outside_map 1 match address outside_SM
> > crypto map outside_map 1 set peer 66.94.3.71
> > crypto map outside_map 1 set transform-set ESP-3DES-SHA
> > crypto map outside_map 1 set security-association lifetime seconds 3600
> >
> >
> > tunnel-group 66.94.3.71 type ipsec-l2l
> > tunnel-group 66.94.3.71 ipsec-attributes
> > pre-shared-key *
> >
> > Thanks,
> > -Yuri
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
Received on Tue Oct 19 2010 - 17:49:10 ART
This archive was generated by hypermail 2.2.0 : Mon Nov 01 2010 - 06:42:06 ART
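Editor's added example, not a config from anyone in the thread: the same tunnel written the way the replies suggest (IP-only interesting-traffic ACL with no port selectors, NAT exemption for the tunnelled flow, port filtering moved to the outside interface ACL with sysopt permit-vpn off), in the ASA 8.2-style syntax the posted config uses. The thread never shows the remote peer's selectors, so two variants are given: the crypto ACL must name the address the peer actually expects, and on an ASA the crypto ACL is matched against the address as it leaves the outside interface, i.e. after NAT. With the posted `nat (inside) 0 access-list` in place the tunnel carries 10.15.10.45; if the peer was told 38.105.120.78, drop the exemption for this flow and match the crypto ACL on the translated address instead. The ACL name `outside_in` and the assumption that the peer mirrors our selectors are mine; 3DES/SHA-1/group 2 is kept only because the peer dictated it, and a practitioner should ask for AES and a stronger DH group where the other side supports them.

```cisco
! Added example (not from the thread). ASA 8.2-style syntax, matching the posted config.
! Assumes the remote peer's crypto ACL mirrors ours (host 66.94.3.71 <-> our host).
name 10.15.10.45 SMPP-internal
name 38.105.120.78 SMPP-external
!
! Static so 10.15.10.45 is seen as 38.105.120.78 by the Internet at large.
static (inside,outside) SMPP-external SMPP-internal netmask 255.255.255.255
!
! Phase 1 exactly as the peer specified (weak by today's standards; peer-dictated).
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Variant A (peer expects 10.15.10.45 on the tunnel): IP-only crypto ACL, and the same
! ACL used for NAT exemption, so the static above is bypassed for this flow only
! (nat 0 access-list takes precedence over the static). Remote proxy ID must be
! host 66.94.3.71 <-> host 10.15.10.45.
access-list outside_SMPP extended permit ip host SMPP-internal host 66.94.3.71
nat (inside) 0 access-list outside_SMPP
!
! Variant B (peer expects 38.105.120.78 on the tunnel): no nat 0 for this flow, let the
! static translate, and match the crypto ACL on the translated address. Use A or B, not both.
! access-list outside_SMPP extended permit ip host SMPP-external host 66.94.3.71
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_SMPP
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
tunnel-group 66.94.3.71 type ipsec-l2l
tunnel-group 66.94.3.71 ipsec-attributes
 pre-shared-key *
!
! Port restriction belongs on the outside ACL, not in the crypto ACL. With
! sysopt permit-vpn off, decrypted traffic is checked against the outside interface ACL.
! Destination is the address as it arrives on the outside interface:
! SMPP-internal for Variant A, SMPP-external for Variant B.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp host 66.94.3.71 host SMPP-internal eq 9071
access-group outside_in in interface outside
!
! Checks (per JB's reply): phase 1, then phase 2.
! show crypto isakmp sa                  -> an SA for 66.94.3.71 in an active state
! show crypto ipsec sa peer 66.94.3.71   -> the "local ident"/"remote ident" lines must be
!                                           the exact mirror of what the peer configured;
!                                           #pkts encaps and #pkts decaps should both climb
! debug crypto isakmp 127 / debug crypto ipsec 127 while generating traffic to tcp/9071
```

When phase 1 is up and phase 2 is not, the first thing to compare is the ident pair in `show crypto ipsec sa` against the peer's selectors: a selector that includes a protocol or port, or that names the private address where the peer expects the public one (or the reverse), will not match the peer's proposal and the Quick Mode exchange fails even though the PSK and transform set are correct.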