Unique setup of site-to-site VPN using security contexts

Posted on 2008-11-05
689 Views
Last Modified: 2012-05-05
I have two 4507s trunked to two ASAs in active/active failover mode using security contexts. The ASAs are trunked to a 3560 switch, which in turn is connected to a 2811 router that has two internet connections.

I have set up a site-to-site VPN on the 2811 and I can see the tunnel as active. However, when I try to send interesting traffic to the tunnel or ping a remote host, it is unreachable. Also, from the 2811, when I try to reach my internal network via the ASA I get the error:

%ASA-3-305005: No translation group found for icmp src outside:119.111.136.17 dst inside:10.10.8.254 (type 8, code 0)

I think that in order for the remote network to reach my internal network, the 2811 should be able to reach my inside network behind the ASA?

The diagram looks like this: internet - router (public IP addresses) - (outside public addresses) ASA - inside network


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key motif123 address 203.200.226.138
 
!
!
crypto ipsec transform-set motif_india-set esp-3des esp-md5-hmac
 
!
crypto map motifvpn 10 ipsec-isakmp
 set peer 203.200.226.138
 set transform-set motif_india-set
 match address 120
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 202.124.135.132 255.255.255.224
 ip policy route-map to_helius
 no snmp trap link-status
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.4
 encapsulation dot1Q 4
 ip address 119.111.136.17 255.255.255.240
 ip policy route-map to_prime
 no snmp trap link-status
!
interface FastEthernet0/0/0
 description prime
 switchport access vlan 100
!
interface FastEthernet0/0/1
 description helius
 switchport access vlan 200
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 119.111.23.22 255.255.255.252
 crypto map motifvpn
!
interface Vlan200
 ip address 202.124.130.142 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 202.124.130.141
ip route 10.10.8.0 255.255.255.0 119.111.136.27
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
 
access-list 120 permit ip host 10.126.1.11 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.14 10.10.0.0 0.0.15.255
access-list 120 permit ip host 10.126.1.60 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.11
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.14
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.60
access-list 120 permit ip host 10.126.1.250 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.250
access-list 120 permit ip host 119.111.136.17 host 10.126.1.14
access-list 199 permit ip any any
access-list 199 permit icmp any any
access-list 199 permit icmp any any echo-reply
route-map to_prime permit 10
 set ip default next-hop 119.111.23.21
!
route-map to_helius permit 10
 set ip default next-hop 202.124.130.141
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use.
 
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C

Question by:inquirer23
2 Comments
 

Expert Comment

by:vivek283
ID: 22887619
Hi,

First, it is not necessary that your router interface can ping your inside network. Your VPN traffic can be made to reach the inside network without this.

To enable the Router interface to reach the inside network, you will need to add the following command on the ASA :

access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 host 119.111.136.17

Further, the VPN traffic also needs to be exempted from NAT on the ASA, so another ACE will be needed. Example:

access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 <remote network> <mask>

HTH
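An added check, not part of the question or of the answer above: a small Python script that takes the router's crypto ACL 120 lines, orients each ACE the way the ASA sees the flow (inside host first), and reports whether an ASA nat0 ACE exempts it, which is exactly the condition behind "No translation group found". The ASA inside network 10.10.0.0/20 and the nat0 ACL are assumptions (the nat0 ACL is constructed with a deliberate gap so a missing exemption is visible); the crypto ACL lines are copied from the question.

```python
import ipaddress
# Crypto ACL 120 lines copied from the router config in the question (IOS wildcard masks).
ROUTER_CRYPTO_ACL = """
access-list 120 permit ip host 10.126.1.11 10.10.0.0 0.0.15.255
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.14
access-list 120 permit ip 10.10.0.0 0.0.15.255 host 10.126.1.60
access-list 120 permit ip host 119.111.136.17 host 10.126.1.14
"""
# Constructed ASA nat0 ACL in the shape the answer suggests; the /27 deliberately omits 10.126.1.60.
ASA_NAT0_ACL = """
access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 host 119.111.136.17
access-list inside_nat0 extended permit ip 10.10.0.0 255.255.240.0 10.126.1.0 255.255.255.224
"""
INSIDE = ipaddress.ip_network("10.10.0.0/20")  # assumed ASA inside network (from the 255.255.240.0 mask)
def _net(addr, mask, wildcard):
    """Network from addr plus an IOS wildcard (inverted) or an ASA netmask."""
    m = int(ipaddress.IPv4Address(mask)) ^ (0xFFFFFFFF if wildcard else 0)
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(m)}", strict=False)

def parse_acl(text, wildcard):
    """Return (src, dst) network pairs for every 'permit ip' ACE in text."""
    flows = []
    for line in text.strip().splitlines():
        tok = line.split()
        i = tok.index("ip") + 1
        nets = []
        for _ in range(2):  # source, then destination
            if tok[i] == "host":
                nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            else:
                nets.append(_net(tok[i], tok[i + 1], wildcard))
            i += 2
        flows.append(tuple(nets))
    return flows

def check_nat_exemption(crypto_acl, nat0_acl):
    """Orient each crypto ACE as the ASA sees it (inside first); report nat0 coverage."""
    nat0 = parse_acl(nat0_acl, wildcard=False)
    report = {}
    for src, dst in parse_acl(crypto_acl, wildcard=True):
        if src.subnet_of(INSIDE):
            inside, remote = src, dst
        elif dst.subnet_of(INSIDE):
            inside, remote = dst, src
        else:  # neither end is behind the ASA, so no translation is involved
            report[f"{src} -> {dst}"] = "not via ASA"
            continue
        covered = any(inside.subnet_of(s) and remote.subnet_of(d) for s, d in nat0)
        report[f"{inside} <-> {remote}"] = "exempt" if covered else "MISSING nat0"
    return report
```

Any flow reported as "MISSING nat0" will be translated (or dropped with the 305005 message when no NAT rule matches) instead of entering the tunnel, so the nat0 ACL should be widened until every crypto flow that crosses the ASA is "exempt".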

Accepted Solution

by:
inquirer23 earned 0 total points
ID: 22894648
I added a static route pointing back.