VPN ASA 5505 8.3 (1) to ASA 8.2 (2) works only one way

PiotrIr Member Posts: 236
I just wonder if somebody could help me. I've set up a VPN between two sites using Cisco ASA 5505s and the Wizard. Unfortunately, the VPN works only one way, from 8.2(2) to 8.3(1), and after spending one day trying to resolve the issue I decided to ask somebody better than me. The logs show that the ping leaves the ASA 8.3 but never hits the ASA 8.2 – the opposite way everything works perfectly.
I would really appreciate it if somebody could advise me.

ASA Version 8.3(1)
object network RemoteA_internal_Network
 subnet xxx.xxx.xxx.0 255.255.255.0
object network NETWORK_OBJ_yyy.yyy.yyy.0_24
 subnet yyy.yyy.yyy.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip yyy.yyy.yyy.0 255.255.255.0 object RemoteA_internal_Network

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_yyy.yyy.yyy.0_24 NETWORK_OBJ_yyy.yyy.yyy.0_24 destination static RemoteA_internal_Network RemoteA_internal_Network
!
object network obj_any
 nat (inside,outside) dynamic interface

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_1_cryptomap_1
crypto map outside_map0 1 set peer aaa.aaa.aaa.aaa
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

!

tunnel-group aaa.aaa.aaa.aaa type ipsec-l2l
tunnel-group aaa.aaa.aaa.aaa ipsec-attributes
 pre-shared-key *****

__________________________________________________


ASA Version 8.2(2)


name yyy.yyy.yyy.0 RemoteB_internal_Network
access-list inside_access_in extended permit ip any any

access-list outside_1_cryptomap extended permit ip xxx.xxx.xxx.0 255.255.255.0 RemoteB_internal_Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip xxx.xxx.xxx.0 255.255.255.0 RemoteB_internal_Network 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer bbb.bbb.bbb.bbb
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

no crypto isakmp nat-traversal

tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
 pre-shared-key *****
