Hi,
Can you tell me how you are verifying it? Is it ICMP traffic between the servers
or what?
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/10/1 Solomon Awosina <solomonawosina_at_gmail.com>

> > Dear Expert,
> >
> > I have an issue on my network that I require your help with.
> >
> > I have a server (192.168.1.29) that needs to connect to another host
> > (10.13.2.19) over the internet thru a VPN but it is not connecting.
> >
> > My Architecture
> >
> > My Server is connected behind a Cisco ASA which is connected to a Cisco
> > Router. It is on the router that the VPN is set up.
> >
> > My_Server(192.168.1.29) ==> Cisco ASA(192.168.1.17) ==> Cisco Router(192.168.1.46) <=====> Cisco ASA(196.200.119.100) ==> Other_host(10.13.2.19)
> >                                                                          internet
> >
> > If I put my server behind the Cisco Router, I connect successfully. Like
> > this:
> >
> > My_Server(192.168.1.40) ==> Cisco Router(192.168.1.46) <=====> Cisco ASA(196.200.119.100) ==> Other_host(10.13.2.19)
> >                                                        internet
> >
> > Below are my configs,
> >
> > *Cisco ASA*
> >
> > ASA Version 7.0(7)
> > !
> > !
> > interface Ethernet0/0
> >  nameif outside
> >  security-level 0
> >  ip address 192.168.1.33 255.255.255.240
> > !
> > interface Ethernet0/1
> >  nameif inside
> >  security-level 100
> >  ip address 172.16.1.1 255.255.255.0
> > !
> > interface Ethernet0/2
> >  nameif dmz1
> >  security-level 60
> >  ip address 192.168.1.17 255.255.255.240
> >
> > access-list outside_in extended permit icmp any any echo-reply
> > access-list outside_in extended permit ip host 10.13.2.19 host 192.168.1.40
> > access-list dmz1_in extended permit ip host 192.168.1.29 any
> >
> > static (dmz1,outside) 192.168.1.40 192.168.1.29 netmask 255.255.255.255
> > access-group outside_in in interface outside
> > access-group dmz1_in in interface dmz1
> > route outside 0.0.0.0 0.0.0.0 192.168.1.46
> >
> > *Cisco ROUTER*
> >
> > crypto isakmp policy 9
> >  encr aes 256
> >  authentication pre-share
> >  group 2
> >
> > crypto isakmp key XXXXXXXXXXXXX address 196.200.119.100
> > !
> > crypto ipsec security-association lifetime seconds 86400
> > !
> > crypto ipsec transform-set CLICKATELL esp-aes 256 esp-sha-hmac
> > !
> > crypto map CLICK 9 ipsec-isakmp
> >  set peer 196.200.119.100
> >  set transform-set CLICKATELL
> >  match address 198
> > !
> > interface GigabitEthernet0/0
> >  description VGC Internet WAN link
> >  ip address 41.220.72.126 255.255.255.248
> >  ip nbar protocol-discovery
> >  ip nat outside
> >  ip virtual-reassembly
> >  duplex auto
> >  speed auto
> >  crypto map CLICK
> > !
> > interface GigabitEthernet0/1
> >  description 21CTL Internet WAN link
> >  ip address 80.248.9.142 255.255.255.128
> >  ip nat outside
> >  ip virtual-reassembly
> >  duplex auto
> >  speed auto
> > !
> > interface FastEthernet0/0/0
> >  description LAN Interface
> >  switchport access vlan 10
> > !
> > interface Vlan10
> >  description LAN
> >  ip address 192.168.1.46 255.255.255.240
> >  ip verify unicast source reachable-via rx
> >  ip nat inside
> >  ip virtual-reassembly
> > !
> > ip route 10.13.2.19 255.255.255.255 41.220.72.121
> > ip route 196.200.119.100 255.255.255.255 41.220.72.121
> > !
> > access-list 110 deny ip host 192.168.1.40 host 10.13.2.19
> > access-list 110 permit ip host 192.168.1.40 any
> > access-list 198 permit ip host 192.168.1.40 host 10.13.2.19
> >
> > WHAT AM I MISSING?
> >
> > Kindly assist.
>
> Blogs and organic groups at http://www.ccie.net
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Oct 01 2011 - 22:31:35 ART
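The thread turns on which router ACL a packet from the server matches once it leaves the ASA: ACL 198 selects traffic for the crypto map, and ACL 110 (by its deny-then-permit shape) looks like a NAT source list that exempts the VPN-bound flow from translation. The following is an added example, not code from the thread or from Cisco: a toy first-match ACL evaluator, loaded with the two router ACLs exactly as quoted above, that reports whether a given source/destination pair would be translated and whether it would be sent into the tunnel. It assumes that ACL 110 is referenced by an `ip nat inside source` command (the thread does not show that line), supports only the `ip` protocol keyword with `host`, `any` and address/wildcard operands, and uses the TEST-NET address 203.0.113.5 as a constructed non-VPN destination.

```python
"""Toy first-match evaluator for the router ACLs quoted in the thread.

Added example, not from the original thread or from Cisco. Simplified
semantics: protocol keyword 'ip' only; operands 'any', 'host A.B.C.D'
or 'A.B.C.D WILDCARD'; first matching entry wins; implicit deny at end.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one operand (any | host A.B.C.D | A.B.C.D WILDCARD)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Cisco wildcard edge cases that ipaddress would read the other way round.
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    if wildcard == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[2:]
    # Contiguous wildcard: ipaddress accepts it as a hostmask.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' into an Ace."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in: {line}")
    return Ace(tokens[2], src, dst)


def evaluate(acl, src_ip, dst_ip):
    """Return the action of the first matching entry, or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# The two router ACLs exactly as quoted in the thread.
ACL_110 = [parse_ace(line) for line in (
    "access-list 110 deny ip host 192.168.1.40 host 10.13.2.19",
    "access-list 110 permit ip host 192.168.1.40 any",
)]
ACL_198 = [parse_ace(line) for line in (
    "access-list 198 permit ip host 192.168.1.40 host 10.13.2.19",
)]


def router_treatment(src_ip, dst_ip):
    """Return (translated_by_nat, sent_through_tunnel) for a packet entering
    Vlan10.  Assumption: ACL 110 is the NAT source list (the 'ip nat inside
    source' line is not shown in the thread); ACL 198 is the crypto map's
    'match address' list, which the quoted config does show."""
    translated = evaluate(ACL_110, src_ip, dst_ip) == "permit"
    tunnelled = evaluate(ACL_198, src_ip, dst_ip) == "permit"
    return translated, tunnelled


if __name__ == "__main__":
    # 192.168.1.40 is the ASA's static mapping; 192.168.1.29 is the real
    # server address, i.e. what the router would see if the static did not apply.
    for src in ("192.168.1.40", "192.168.1.29"):
        print(src, "-> 10.13.2.19:", router_treatment(src, "10.13.2.19"))
```

Run it and the two cases fall out: a packet that reaches the router already translated to 192.168.1.40 is exempt from NAT (the deny entry in ACL 110 fires first) and matches the crypto ACL, while a packet still carrying 192.168.1.29 matches neither list, so the router would forward it unencrypted. That is the kind of check to make at the router (for instance with the ASA `static` and the router's crypto and NAT counters) before looking at the IPsec peer.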
This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART