inquirer23

asked on

unique setup of sitetosite VPN using security contexts

I have two 4507s trunked to two ASAs in active/active failover mode using security contexts. The ASAs are trunked to a 3560 switch, which in turn is connected to a 2811 router that has two internet connections.

I have set up a site-to-site VPN on the 2811 and I can see the tunnel as active. However, when I try to send interesting traffic to the tunnel or ping a remote host, it is unreachable. Also, from the 2811, when I try to reach my internal network via the ASA I get the error:

%ASA-3-305005: No translation group found for icmp src outside:119.111.136.17 dst inside:10.10.8.254 (type 8, code 0)

I think that in order for the remote network to reach my internal network, the 2811 should be able to reach my inside network behind the ASA?

The diagram looks like this: internet - router (public IP addresses) - (outside public addresses) ASA - inside network


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key motif123 address 203.200.226.138
 
!
!
crypto ipsec transform-set motif_india-set esp-3des esp-md5-hmac
 
!
crypto map motifvpn 10 ipsec-isakmp
 set peer 203.200.226.138
 set transform-set motif_india-set
 match address 120
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 202.124.135.132 255.255.255.224
 ip policy route-map to_helius
 no snmp trap link-status
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.4
 encapsulation dot1Q 4
 ip address 119.111.136.17 255.255.255.240
 ip policy route-map to_prime
 no snmp trap link-status
!
interface FastEthernet0/0/0
 description prime
 switchport access vlan 100
!
interface FastEthernet0/0/1
 description helius
 switchport access vlan 200
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 119.111.23.22 255.255.255.252
 crypto map motifvpn
!
interface Vlan200
 ip address 202.124.130.142 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.124.130.141
ip route 10.10.8.0 255.255.255.0 119.111.136.27
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
 
access-list 120 permit ip host 10.126.1.11 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.14 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.60 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.11
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.14
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.60
access-list 120 permit ip host 10.126.1.250 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.250
access-list 120 permit ip host 119.111.136.17 host 10.126.1.14
access-list 199 permit ip any any
access-list 199 permit icmp any any
access-list 199 permit icmp any any echo-reply
route-map to_prime permit 10
 set ip default next-hop 119.111.23.21
!
route-map to_helius permit 10
 set ip default next-hop 202.124.130.141
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C


security-context.txt
vivek283

Hi,

First, it is not necessary that your router interface can ping your inside network. Your VPN traffic can be made to reach the inside network without this.

To enable the router interface to reach the inside network, you will need to add the following command on the ASA:

access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 host 119.111.136.17

Further, the VPN traffic also needs to be exempted from NAT on the ASA, so another ACE will be needed. Example:

access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 <remote network> <mask>

HTH
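As an added illustration of the answer above (example code, not from the thread or from Cisco), the script below takes the ASA 305005 line quoted in the question, pulls out the source and destination, and checks the flow against the pre-8.3-style nat0 ACE from the answer and against the router's crypto ACL 120. It assumes the ASA ACE uses a subnet mask while the IOS ACE uses a wildcard mask, and that NAT exemption matches a flow in either direction; the second sample log line is constructed to show a VPN flow that the single nat0 ACE does not yet cover.

```python
import re
from ipaddress import ip_address, ip_network

# Shape of the %ASA-3-305005 line in the question (protocol, zones and ports vary).
LOG_RE = re.compile(r"%ASA-3-305005: No translation group found for \w+ "
                    r"src \w+:(?P<src>[\d.]+)(?:/\d+)? dst \w+:(?P<dst>[\d.]+)")

def parse_305005(line):
    """Return (src, dst) addresses from a 305005 log line, or None if it is not one."""
    m = LOG_RE.search(line)
    return (ip_address(m["src"]), ip_address(m["dst"])) if m else None

def _endpoint(tokens, wildcard):
    """Consume one ACE endpoint ('host A', 'any' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    mask = int(ip_address(tokens[1]))
    if wildcard:                      # IOS wildcard 0.0.15.255 -> netmask 255.255.240.0
        mask ^= 0xFFFFFFFF
    return ip_network(f"{tokens[0]}/{ip_address(mask)}", strict=False), tokens[2:]

def parse_ace(ace, wildcard):
    """Parse 'access-list NAME [extended] permit ip SRC DST' (ASA or IOS form)."""
    t = ace.split()
    t = t[3:] if t[2] == "extended" else t[2:]
    assert t[:2] == ["permit", "ip"], ace
    src, rest = _endpoint(t[2:], wildcard)
    return src, _endpoint(rest, wildcard)[0]

def permitted(acl, src, dst, both_directions=False):
    """True if an ACE covers src->dst; NAT exemption also covers the reverse flow."""
    return any((src in s and dst in d) or (both_directions and src in d and dst in s)
               for s, d in acl)

# ACEs copied from the thread: ASA subnet-mask form, IOS wildcard-mask form.
ASA_NAT0 = [parse_ace("access-list inside_nat0 extended permit ip "
                      "10.10.0.0 255.255.240.0 host 119.111.136.17", wildcard=False)]
IOS_ACL120 = [parse_ace(a, wildcard=True) for a in (
    "access-list 120 permit ip host 10.126.1.11 10.10.0.0 0.0.15.255",
    "access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.11")]

def diagnose(line, nat0=ASA_NAT0, crypto=IOS_ACL120):
    """Is the logged flow NAT-exempt on the ASA, and is it tunnel (crypto ACL) traffic?"""
    flow = parse_305005(line)
    if flow is None:
        return None
    return {"nat_exempt": permitted(nat0, *flow, both_directions=True),
            "interesting": permitted(crypto, *flow)}

LOG_ROUTER_PING = ("%ASA-3-305005: No translation group found for icmp "
                   "src outside:119.111.136.17 dst inside:10.10.8.254 (type 8, code 0)")
LOG_VPN_FLOW = ("%ASA-3-305005: No translation group found for tcp "      # constructed
                "src outside:10.126.1.11/3456 dst inside:10.10.8.254/445")
```

With only the first nat0 ACE in place, the router's own ping is exempt but the remote-network flow is not, which is the second ACE the answer asks for.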