68chicayne
IS-IT--Management
I have a central location with a Cisco ASA-5510 and 6 remote locations using Cisco 501s. I've been able to establish one-way site-to-site VPN connectivity between the remote locations and the central location.
However, I can't seem to initiate a session from the central location to 5 of the remote sites. I can get to one of my remote sites from the central location. All configs are similar.
Any ideas?
Also, any additional thoughts or comments on my configs are welcome, as I'm fairly new at this.
Below are my scrubbed configs.
Thanks!
ASA 5510 Version 7.0(7)
name 64.xxx.xxx.xxx FMP_Server
name 69.xxx.xxx.xxx weybridgeIP
name 208.xxx.xxx.xxx shoreham
name 208.xxx.xxx.xxx cornwall
name 72.xxx.xxx.xxx SalisburyIP
name 64.xxx.xxx.xxx1 RiptonIP
dns-guard
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/0.1
vlan 100
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/0.2
vlan 101
nameif dmz
security-level 10
ip address 192.168.0.1 255.255.252.0
!
interface Ethernet0/1.1
vlan 102
nameif inside
security-level 100
ip address 10.128.0.1 255.255.252.0
!
ftp mode passive
same-security-traffic permit intra-interface
access-list ravpn extended permit ip 10.1.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 10.128.0.0 255.255.252.0 192.168.7.0 255.255.255.0
access-list splitt extended permit ip 10.128.0.0 255.255.252.0 172.18.10.0 255.255.255.0
access-list tocornwall extended permit ip 10.128.0.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list toshoreham extended permit ip 10.128.0.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list toweybridge extended permit ip 10.128.0.0 255.255.252.0 192.168.4.0 255.255.255.0
access-list toripton extended permit ip 10.128.0.0 255.255.252.0 192.168.5.0 255.255.255.0
access-list tobridport extended permit ip 10.128.0.0 255.255.252.0 192.168.7.0 255.255.255.0
access-list tosalisbury extended permit ip 10.128.0.0 255.255.252.0 192.168.1.0 255.255.255.0
mtu outside 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
ip local pool ra_vpn 172.18.10.1-172.18.10.254
no failover
asdm image disk0:/asdm-507.bin
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.0.9-192.168.3.254
nat (dmz) 1 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) fcis 192.168.0.4 netmask 255.255.255.255
static (inside,outside) GPS GPSinside netmask 255.255.255.255
static (inside,dmz) 10.128.0.0 10.128.0.0 netmask 255.255.252.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.252.0
access-group aclout in interface outside
route outside 0.0.0.0 0.0.0.0 64.xxx.xxx.xxx 1
route inside 10.1.0.0 255.255.0.0 10.128.0.2 1
aaa-server Authinbound protocol radius
aaa-server Authinbound host dnsserver
key blister834d
group-policy acsuafp4 internal
group-policy acsuafp4 attributes
dns-server value 10.128.0.102
crypto ipsec transform-set acsuvpn esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set acsuvpn
crypto map myvpn 25 match address tosalisbury
crypto map myvpn 25 set peer SalisburyIP
crypto map myvpn 25 set transform-set acsuvpn
crypto map myvpn 30 match address tobridport
crypto map myvpn 30 set peer 69.xxx.xxx.xxx
crypto map myvpn 30 set transform-set acsuvpn
crypto map myvpn 35 match address toweybridge
crypto map myvpn 35 set peer weybridgeIP
crypto map myvpn 35 set transform-set acsuvpn
crypto map myvpn 40 match address tocornwall
crypto map myvpn 40 set peer cornwall
crypto map myvpn 40 set transform-set acsuvpn
crypto map myvpn 70 ipsec-isakmp dynamic dynmap
crypto map myvpn interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group acsuafp4 type ipsec-ra
tunnel-group acsuafp4 general-attributes
address-pool ra_vpn
authentication-server-group Authinbound
default-group-policy acsuafp4
tunnel-group acsuafp4 ipsec-attributes
pre-shared-key *
tunnel-group 64.xxx.xxx.xxx type ipsec-l2l
tunnel-group 64.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 69.xxx.xxx.xxx type ipsec-l2l
tunnel-group 69.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 208.xxx.xxx.xxx type ipsec-l2l
tunnel-group 208.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 69.xxx.xxx.xxx type ipsec-l2l
tunnel-group 69.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 72.xxx.xxx.xxx type ipsec-l2l
tunnel-group 72.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 208.xxx.xxx.xxx type ipsec-l2l
tunnel-group 208.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
Non-working two-way VPN config -
PIX Version 6.3(4)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list tocentral permit ip 192.168.3.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list allowin permit icmp any any
mtu outside 1492
mtu inside 1492
ip address outside 208.xxx.xxx.xxx 255.255.255.0 pppoe
ip address inside 192.168.3.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group allowin in interface outside
route outside 0.0.0.0 0.0.0.0 208.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set acsuset esp-des esp-md5-hmac
crypto map vpn 80 ipsec-isakmp
crypto map vpn 80 match address tocentral
crypto map vpn 80 set peer 64.xxx.xxx.xxx
crypto map vpn 80 set transform-set acsuset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group ISP request dialout pppoe
vpdn group ISP localname binghams@XXXXXXXXXX
vpdn group ISP ppp authentication chap
vpdn username binghams@XXXXXXXX password *********
dhcpd address 192.168.3.2-192.168.3.129 inside
dhcpd dns 65.xxx.xxx.xxx
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
end
Working Site to Site Connection
PIX Version 6.3(4)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list nonat permit ip 192.168.4.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list tocentral permit ip 192.168.4.0 255.255.255.0 10.128.0.0 255.255.252.0
access-list MarcRecords permit tcp any any eq 2007
access-list allowin permit icmp any any
ip address outside 69.xxx.xxx.xxx 255.255.255.0 pppoe
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group allowin in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set acsuset esp-des esp-md5-hmac
crypto map vpn 50 ipsec-isakmp
crypto map vpn 50 match address tocentral
crypto map vpn 50 set peer 64.xxx.xxx.xxx
crypto map vpn 50 set transform-set acsuset
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 64.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname weybridgexxx.xxx.xxx
vpdn group pppoex ppp authentication chap
vpdn username XXXXXXXXXXXXXl password *********
end
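An added example, not part of the original post: a Python consistency check run over excerpts copied from the configs above. It lists central crypto ACLs that no static crypto map entry binds to a peer (those sites are served only by the dynamic map entry, which can answer a tunnel but cannot initiate one) and confirms that each remote crypto ACL mirrors a central one. The function names and the excerpt variables are hypothetical.

```python
import ipaddress
import re

# Excerpts copied from the posted configs (central ASA, two remote PIX 501s).
CENTRAL = """\
access-list tocornwall extended permit ip 10.128.0.0 255.255.252.0 192.168.3.0 255.255.255.0
access-list toshoreham extended permit ip 10.128.0.0 255.255.252.0 192.168.6.0 255.255.255.0
access-list toweybridge extended permit ip 10.128.0.0 255.255.252.0 192.168.4.0 255.255.255.0
access-list toripton extended permit ip 10.128.0.0 255.255.252.0 192.168.5.0 255.255.255.0
crypto map myvpn 35 match address toweybridge
crypto map myvpn 35 set peer weybridgeIP
crypto map myvpn 40 match address tocornwall
crypto map myvpn 40 set peer cornwall
crypto map myvpn 70 ipsec-isakmp dynamic dynmap
"""
REMOTE = {
    "cornwall": "access-list tocentral permit ip 192.168.3.0 255.255.255.0 10.128.0.0 255.255.252.0",
    "weybridge": "access-list tocentral permit ip 192.168.4.0 255.255.255.0 10.128.0.0 255.255.252.0",
}

ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$", re.M)
PEER_RE = re.compile(r"^crypto map \S+ (\d+) set peer (\S+)$", re.M)


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")


def crypto_acls(text):
    """Map ACL name -> set of (source, destination) networks."""
    acls = {}
    for name, s, sm, d, dm in ACL_RE.findall(text):
        acls.setdefault(name, set()).add((net(s, sm), net(d, dm)))
    return acls


def static_entries(text):
    """Map ACL name -> peer for static entries (match address plus set peer)."""
    peers = dict(PEER_RE.findall(text))
    return {acl: peers[seq] for seq, acl in MATCH_RE.findall(text) if seq in peers}


def audit(central, remotes):
    acls, bound = crypto_acls(central), static_entries(central)
    # No static entry: the hub has no peer to dial for this traffic.
    respond_only = sorted(set(acls) - set(bound))
    mirrored = {}
    for site, cfg in remotes.items():
        # The hub ACL must be the remote ACL with source and destination swapped.
        want = {(d, s) for pairs in crypto_acls(cfg).values() for s, d in pairs}
        mirrored[site] = any(acls[a] == want for a in bound)
    return respond_only, mirrored


if __name__ == "__main__":
    print(audit(CENTRAL, REMOTE))
```
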