
ASA 5510 site-to-site IP-sec VPN issue

Status
Not open for further replies.

fillthy

IS-IT--Management
May 11, 2006
75
CA
Hi all, I am using the wizard to create a site-to-site VPN. Every time I set this up I lose the internet. The 2 lines that I remove allow me back on:

no access-list inside_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 any
no access-list outside_1_cryptomap_1 extended permit ip 192.168.30.0 255.255.255.0

The only part of the wizard that I am unsure of is the "protect" / "do not protect" section; it has 2 choices for local network and remote network. What am I supposed to choose here? When I choose "do not protect" it says I cannot choose that... Any help with this wizard would be great.
Cheers
 

What is your internal segment and the remote network segment? It looks like you're sending all traffic through the tunnel instead of only the traffic destined for that remote network, like it sounds like you want to do. It would be helpful to post a sanitized copy of your config, but you probably just need to be more specific with your ACLs for crypto and nat0, for example permit ip local-net remote-net instead of using any. Hope that helps.

cheers
 
ASA Version 8.0(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
pppoe client vpdn group cppgroup
ip address 76.65.x.x 255.255.255.255 pppoe
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

Just trying to get a site-to-site going..
 
The local network is the
192.168.x.x network, and the remote (peer) network is 66.159.x.x, also with a 192.168.x.x
 

This will get you going from the CLI if you want to try it that way. Just change <remote peer> to the IP address of your remote peer's outside interface and update the LAN segments used. Hope that helps.

cheers

name <remote peer> remotepeer

object-group network remote-net
network-object 192.168.100.0 255.255.255.0

object-group network remote-sites
group-object remote-net

object-group network local-net
network-object 192.168.1.0 255.255.255.0

access-list vpntraffic-remote extended permit ip object-group local-net object-group remote-net

access-list nonat-acl extended permit ip object-group local-net object-group remote-sites

nat (inside) 0 access-list nonat-acl

crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac

crypto map mymap 100 match address vpntraffic-remote
crypto map mymap 100 set peer remotepeer
crypto map mymap 100 set transform-set myset

crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400

tunnel-group <remote peer> type ipsec-l2l
tunnel-group <remote peer> ipsec-attributes
pre-shared-key thisisthekeyforthevpntunnel
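The check behind both replies above, as an added example that is not part of the thread: the two ACLs that matter for a site-to-site tunnel are the one referenced by `crypto map ... match address` (what gets encrypted) and the one referenced by `nat (inside) 0 access-list` (what is exempted from NAT). If either one permits `ip <local-net> any`, every packet from the LAN is either sent into the tunnel or left un-NATed, which is exactly the "I lose the internet" symptom in the first post. The script below is a small linter, written for this page rather than taken from Cisco or the posters; it parses ASA-style `access-list`, `object-group network`, `nat 0` and `crypto map` lines, follows `group-object` nesting, and flags ACEs on those two ACLs whose destination is `any` (or `0.0.0.0 0.0.0.0` inside a group, or missing because the line was cut off). The two sample configs are constructed: `BROKEN_CONFIG` is modeled on the wizard output quoted in the first post (with `any` assumed as the destination of the crypto ACE, as the reply inferred), and `FIXED_CONFIG` is the object-group version from the second reply. Hostnames, ACL names and map names are whatever the samples use; nothing here talks to a device. One caveat the linter does not cover: the posted transform set and ISAKMP policy use MD5 and DH group 2, which were normal in 2006 but are not what you would deploy today.

```python
"""Lint ASA-style crypto / nat 0 ACLs for 'any' destinations (added example)."""
import re
from dataclasses import dataclass

ANY_FORMS = ("any", "0.0.0.0 0.0.0.0")


@dataclass
class Ace:
    acl: str
    src: str
    dst: str
    line: str


def _take_endpoint(tokens):
    """Consume one address spec: any | host A | A MASK | object-group NAME."""
    if not tokens:
        return "(missing)", tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:            # line cut off after a lone keyword/address
        return "(missing)", []
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def split_endpoints(rest):
    src, tokens = _take_endpoint(rest.split())
    dst, _ = _take_endpoint(tokens)
    return src, dst


def parse_config(text):
    """Return (aces_by_acl, nat0_acl_names, crypto_acl_names, object_groups).

    Only 'permit ip' ACEs are collected; that is all a crypto or nat 0 ACL
    should contain in a simple site-to-site setup.
    """
    aces, nat0, crypto, groups = {}, set(), set(), {}
    current = None                 # object-group whose members we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"(network-object|group-object) (.+)$", line)
        if m and current is not None:
            groups[current].append((m.group(1), m.group(2)))
            continue
        current = None
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            src, dst = split_endpoints(m.group(2))
            aces.setdefault(m.group(1), []).append(Ace(m.group(1), src, dst, line))
            continue
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line)
        if m:
            nat0.add(m.group(1))
            continue
        m = re.match(r"crypto map \S+ \d+ match address (\S+)", line)
        if m:
            crypto.add(m.group(1))
    return aces, nat0, crypto, groups


def is_any(endpoint, groups, seen=None):
    """True if the endpoint matches everything, following group-object nesting."""
    if endpoint in ANY_FORMS:
        return True
    if endpoint.startswith("object-group "):
        name = endpoint.split(" ", 1)[1]
        seen = seen if seen is not None else set()
        if name in seen:           # guard against circular group references
            return False
        seen.add(name)
        for kind, value in groups.get(name, []):
            member = f"object-group {value}" if kind == "group-object" else value
            if is_any(member, groups, seen):
                return True
    return False


def find_broad_aces(text):
    """Return (role, reason, line) for every over-broad ACE on a crypto or nat 0 ACL."""
    aces, nat0, crypto, groups = parse_config(text)
    findings = []
    for acl in sorted(nat0 | crypto):
        role = "+".join(r for r, s in (("crypto", crypto), ("nat0", nat0)) if acl in s)
        for ace in aces.get(acl, []):
            if ace.dst == "(missing)":
                findings.append((role, "destination missing", ace.line))
            elif is_any(ace.dst, groups):
                findings.append((role, "destination any", ace.line))
    return findings


# Constructed sample modeled on the wizard lines quoted in the first post.
BROKEN_CONFIG = """
access-list inside_nat0_outbound_1 extended permit ip 192.168.30.0 255.255.255.0 any
access-list outside_1_cryptomap_1 extended permit ip 192.168.30.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound_1
crypto map outside_map 1 match address outside_1_cryptomap_1
"""

# Constructed sample using the object-group layout from the second reply.
FIXED_CONFIG = """
object-group network remote-net
 network-object 192.168.100.0 255.255.255.0
object-group network remote-sites
 group-object remote-net
object-group network local-net
 network-object 192.168.1.0 255.255.255.0
access-list vpntraffic-remote extended permit ip object-group local-net object-group remote-net
access-list nonat-acl extended permit ip object-group local-net object-group remote-sites
nat (inside) 0 access-list nonat-acl
crypto map mymap 100 match address vpntraffic-remote
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {find_broad_aces(cfg) or 'no over-broad ACEs'}")
```

Run it against a `show running-config` dump saved to a file and it reports the offending ACE lines with whether they sit on the crypto ACL, the nat 0 ACL, or both; an empty result is what you want before bringing the tunnel up.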
 