Troubleshooting Question

asa 5505 Spoke-to-Spoke configuration

Optimus_Prime7 asked on
Tags: VPN, Hardware Firewalls, Cisco
Hello to all,

OK, let's start with my problem. This is the first time that I configure an ASA 5505. I use this Spoke-to-Spoke scenario and I got one more problem. I have three ASA 5505 named PIX1, PIX2 and PIX3. PIX1 ---> PIX2 have a dynamic L2L and PIX1 ---> PIX3 have a static L2L. I configured it as told in that scenario and I got a VPN tunnel between PIX1 ---> PIX3 but not PIX1 ---> PIX2 or PIX2 ---> PIX3. And I'm wedged. Can you help me?

Here is the configuration that I use:
---------------------------------------------------------------------------------------------------------------------------
PIX1
PIX Version 7.0(1)
no names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.18.124.170 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
 shutdown
 nameif intf2
 security-level 4
 no ip address
!
interface Ethernet3
 shutdown
 nameif intf3
 security-level 6
 no ip address
!
interface Ethernet4
 shutdown
 nameif intf4
 security-level 8
 no ip address
!
interface Ethernet5
 shutdown
 nameif intf5
 security-level 10
 no ip address
!
enable password 9jNfZuG3TC5tCVH0 encrypted
passwd OnTrBUG1Tp0edmkr encrypted
hostname PIX1
domain-name cisco.com
boot system flash:/image.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 100 extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface intf2
monitor-interface intf3
monitor-interface intf4
monitor-interface intf5
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set myset
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic cisco
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh version 1
console timeout 0
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group none
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 172.16.77.10 type ipsec-l2l
tunnel-group 172.16.77.10 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:7167c0647778b77f8d1d2400d943b825
-----------------------------------------------------------------------------------------------------------------------------
PIX2:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX2
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.18.124.172 255.255.255.0
ip address inside 10.20.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.20.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.170 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fb2e89ab9da0ae93d69e345a4675ff38
---------------------------------------------------------------------------------------------------------------------------
PIX3:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX3
domain-name cisco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 172.16.77.10 255.255.255.0
ip address inside 10.30.30.1 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.30.30.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.16.77.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 172.18.124.170 netmask 255.255.255.0 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:cb5c245112db607e3a9a85328d1295db
--------------------------------------------------------------------------------------------------------------------------

I didn't use commands like fixup xxxxxx, and the other commands are enabled by default on the ASA 5505.
So what do you think? How can I have a tunnel between pix1 ---> pix2 and pix3?

Thanks,
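As an added cross-check (my own code, not part of the post or its answer), the script below parses the tunnel-relevant lines of the three configurations in both the ASA 7.0 and PIX 6.3 syntax and reports what a reviewer would look at first: whether each static peer address belongs to another device, whether that device has a static crypto map entry pointing back with a mirrored crypto ACL (or only a dynamic map), and whether every isakmp key netmask is a host mask. The embedded sample is constructed by trimming the post's three configs; `parse` and `audit` are names I chose.

```python
import re
CONFIGS = {"PIX1": """ nameif outside
 ip address 172.18.124.170 255.255.255.0
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 10.30.30.0 255.255.255.0
access-list 100 extended permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.16.77.10
crypto map mymap 20 ipsec-isakmp dynamic cisco""", "PIX2": """ip address outside 172.18.124.172 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.20.20.0 255.255.255.0 10.30.30.0 255.255.255.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
isakmp key ******** address 172.18.124.170 netmask 255.255.255.255 no-xauth""", "PIX3": """ip address outside 172.16.77.10 255.255.255.0
access-list 100 permit ip 10.30.30.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 100 permit ip 10.30.30.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 172.18.124.170
isakmp key ******** address 172.18.124.170 netmask 255.255.255.0 no-xauth"""}  # constructed: trimmed from the post's configs

def parse(cfg):  # one device's tunnel-relevant facts, from ASA 7.x or PIX 6.3 syntax
    p, cur = {"outside": None, "acl": {}, "match": {}, "peer": {}, "keymasks": [], "dynamic": False}, None
    for line in cfg.splitlines():
        t = line.split()
        if t[0] == "nameif": cur = t[1] if len(t) == 2 else t[2]  # "nameif outside" / "nameif ethernet0 outside security0"
        elif t[:2] == ["ip", "address"] and (t[2] == "outside" or cur == "outside"):  # 6.3 names the interface inline
            p["outside"] = t[3] if t[2] == "outside" else t[2]
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)", line):
            p["acl"].setdefault(m[1], []).append((m[2], m[3]))  # (local net, remote net) pairs per ACL name
        elif m := re.match(r"crypto map \S+ (\d+) (?:match address (\S+)|set peer (\S+)|ipsec-isakmp dynamic)", line):
            if m[2]: p["match"][m[1]] = m[2]
            elif m[3]: p["peer"][m[1]] = m[3]
            else: p["dynamic"] = True
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", line):
            p["keymasks"].append((m[1], m[2]))
    p["static"] = [(ip, p["acl"].get(p["match"].get(seq), [])) for seq, ip in p["peer"].items()]
    return p

def audit(configs):  # cross-check each static L2L entry against the device that owns the peer address
    parsed = {n: parse(c) for n, c in configs.items()}
    by_ip, out = {p["outside"]: n for n, p in parsed.items()}, []
    for name, p in parsed.items():
        out += [f"{name}: isakmp key for {ip} uses netmask {mask}, not a host mask" for ip, mask in p["keymasks"] if mask != "255.255.255.255"]
        for peer_ip, entries in p["static"]:
            q = parsed.get((peer := by_ip.get(peer_ip)), {"static": [], "dynamic": False})
            back = [e for pip, e in q["static"] if pip == p["outside"]]
            if not back:  # nothing static points back: a dynamic map may answer, or the peer side is missing
                out.append(f"{name} -> {peer}: no static crypto map entry back to {p['outside']}" + (" (dynamic map present)" if q["dynamic"] else ""))
            elif missing := [f"{s} -> {d}" for s, d in entries if (d, s) not in back[0]]:
                out.append(f"{name} -> {peer}: no mirror on {peer} for " + "; ".join(missing))
    return out
```

Run `audit(CONFIGS)` to get the findings as a list of strings; on the sample it reports that PIX2's static entry is only answered by PIX1's dynamic map and that PIX3's isakmp key uses a /24 netmask where PIX2 uses a host mask.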