Dear Expert,
>
> I have an issue on my network that I require your help with.
>
> I have a server (192.168.1.29) that needs to connect to another host
> (10.13.2.19) over the internet through a VPN, but it is not connecting.
>
> My Architecture
>
> My Server is connected behind a Cisco ASA which is connected to a Cisco
> Router. It is on the router that the VPN is set up.
>
> My_Server(192.168.1.29) ==> Cisco ASA(192.168.1.17) ==> Cisco Router(192.168.1.46) <=====> Cisco ASA(196.200.119.100) ==> Other_host(10.13.2.19)
>
> internet
>
> If I put my server behind the Cisco Router, I connect successfully, like
> this:
> My_Server(192.168.1.40) ==> Cisco Router(192.168.1.46) <=====> Cisco ASA(196.200.119.100) ==> Other_host(10.13.2.19)
>
> internet
>
> Below are my configs:
>
> *Cisco ASA*
>
>
> ASA Version 7.0(7)
> !
>
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 192.168.1.33 255.255.255.240
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 172.16.1.1 255.255.255.0
> !
> interface Ethernet0/2
> nameif dmz1
> security-level 60
> ip address 192.168.1.17 255.255.255.240
>
>
> access-list outside_in extended permit icmp any any echo-reply
> access-list outside_in extended permit ip host 10.13.2.19 host 192.168.1.40
> access-list dmz1_in extended permit ip host 192.168.1.29 any
>
> static (dmz1,outside) 192.168.1.40 192.168.1.29 netmask 255.255.255.255
> access-group outside_in in interface outside
> access-group dmz1_in in interface dmz1
> route outside 0.0.0.0 0.0.0.0 192.168.1.46
>
>
> *Cisco ROUTER*
>
>
> crypto isakmp policy 9
> encr aes 256
> authentication pre-share
> group 2
>
> crypto isakmp key XXXXXXXXXXXXX address 196.200.119.100
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set CLICKATELL esp-aes 256 esp-sha-hmac
> !
> crypto map CLICK 9 ipsec-isakmp
> set peer 196.200.119.100
> set transform-set CLICKATELL
> match address 198
> !
> interface GigabitEthernet0/0
> description VGC Internet WAN link
> ip address 41.220.72.126 255.255.255.248
> ip nbar protocol-discovery
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map CLICK
> !
> interface GigabitEthernet0/1
> description 21CTL Internet WAN link
> ip address 80.248.9.142 255.255.255.128
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> !
> interface FastEthernet0/0/0
> description LAN Interface
> switchport access vlan 10
> !
> interface Vlan10
> description LAN
> ip address 192.168.1.46 255.255.255.240
> ip verify unicast source reachable-via rx
> ip nat inside
> ip virtual-reassembly
> !
> ip route 10.13.2.19 255.255.255.255 41.220.72.121
> ip route 196.200.119.100 255.255.255.255 41.220.72.121
> !
> access-list 110 deny ip host 192.168.1.40 host 10.13.2.19
> access-list 110 permit ip host 192.168.1.40 any
> access-list 198 permit ip host 192.168.1.40 host 10.13.2.19
>
>
>
> WHAT AM I MISSING?
>
> Kindly assist.
Received on Sat Oct 01 2011 - 20:52:18 ART