Solved

L2L VPN Help

Posted on 2010-09-06
812 Views
Last Modified: 2012-05-10
Hey Guys,

Having problems with setting up an L2L VPN connection to our other sites. For some reason it's just not even trying to connect, so I'm unable to troubleshoot further.

I set up the connections and NAT using the ASDM Wizard. Internet access is working perfectly.

This is an ASA connecting to PIX devices.

Any help would be greatly appreciated.

ASA Version 8.3(1)
!
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 88.211.88.888 255.255.255.240
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.2.199 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 20.0.0.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 192.168.2.7
 domain-name jmj.com
object network London_LAN
 subnet 192.168.2.0 255.255.255.0
object network Austin_LAN
 subnet 192.168.1.0 255.255.255.0
object network obj_wan
object network Singapore_LAN
 subnet 192.168.6.0 255.255.255.0
object network Doha_LAN
 subnet 192.168.5.0 255.255.255.0
object network Durban_LAN
 subnet 192.168.4.0 255.255.255.0
object network Perth_LAN
 subnet 192.168.3.0 255.255.255.0
object network Austin_DMZ
 subnet 10.0.0.0 255.255.255.0
object network Singapore_DMZ
 subnet 192.168.6.0 255.255.255.0
object network London_DMZ
 subnet 20.0.0.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq www
 service-object udp destination eq www
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit tcp any any
access-list LAN_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list WAN_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any any
access-list WAN_1_cryptomap extended permit ip object London_LAN object Austin_DMZ inactive
access-list WAN_1_cryptomap extended permit ip object London_LAN object Austin_LAN log notifications
access-list WAN_2_cryptomap extended permit ip object London_LAN object Singapore_DMZ
access-list WAN_2_cryptomap extended permit ip object London_LAN object Singapore_LAN log notifications
access-list WAN_3_cryptomap extended permit ip object London_LAN object Perth_LAN
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm debugging
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN_DHCP 192.168.2.200-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (WAN,WAN) source static London_LAN London_LAN destination static Austin_LAN Austin_LAN
nat (LAN,WAN) source static London_LAN London_LAN destination static Singapore_LAN Singapore_LAN
nat (LAN,WAN) source static London_LAN London_LAN destination static Perth_LAN Perth_LAN

object network London_LAN
 nat (LAN,WAN) dynamic interface
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
access-group WAN_access_in global
route WAN 0.0.0.0 0.0.0.0 88.211.54.800 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC protocol radius
aaa-server DC (LAN) host 192.168.2.7
 timeout 5
 key *****
http server enable
http 192.168.2.0 255.255.255.0 LAN
http 192.168.1.0 255.255.255.0 LAN
http 192.168.6.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay disable
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set peer 66.219.50.888
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map 1 set reverse-route
crypto map WAN_map 2 match address WAN_2_cryptomap
crypto map WAN_map 2 set peer 203.126.100.888
crypto map WAN_map 2 set transform-set ESP-3DES-SHA
crypto map WAN_map 2 set reverse-route
crypto map WAN_map 5 match address WAN_3_cryptomap
crypto map WAN_map 5 set peer 203.29.237.888
crypto map WAN_map 5 set transform-set ESP-3DES-SHA
crypto map WAN_map 5 set reverse-route
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 LAN
telnet 192.168.2.0 255.255.255.0 LAN
telnet 192.168.6.0 255.255.255.0 LAN
telnet timeout 15
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source WAN
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy JMJ_UK_VPN_Group internal
group-policy JMJ_UK_VPN_Group attributes
 dns-server value 192.168.2.7 192.168.1.3
 vpn-tunnel-protocol IPSec
 default-domain value jmj.com
tunnel-group 66.219.50.888 type ipsec-l2l
tunnel-group 66.219.50.888 ipsec-attributes
 pre-shared-key *****
tunnel-group 203.126.100.888 type ipsec-l2l
tunnel-group 203.126.100.888 ipsec-attributes
 pre-shared-key *****
tunnel-group JMJ_VPN_Group type remote-access
tunnel-group JMJ_VPN_Group general-attributes
 address-pool VPN_DHCP
 authentication-server-group DC
tunnel-group JMJ_VPN_Group ipsec-attributes
 pre-shared-key *****
tunnel-group 203.29.237.888 type ipsec-l2l
tunnel-group 203.29.237.888 ipsec-attributes
 pre-shared-key *****
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  csc fail-close
!
service-policy global_policy global

Question by: supportemea
1 Comment

Accepted Solution by: ffleisma (LVL 9), earned 500 total points
ID: 33610560
You don't seem to have a static route pointing to your peer, and a static route to the peer's internal subnet (I'm guessing the subnet you defined as Austin_DMZ/Singapore_DMZ).

route <interface facing peer> 66.219.50.888 255.255.255.255 <ip address for interface facing peer> 1
route <interface facing peer> Austin_DMZ/Singapore_DMZ mask <ip address for interface facing peer> 1

For example, if you're using 192.168.1.0/24 for Austin_DMZ/Singapore_DMZ and the interface facing your peer is outside with IP address 1.1.1.1, then:

route outside 66.219.50.888 255.255.255.255 1.1.1.1 1
route outside 192.168.1.0 255.255.255.0 1.1.1.1 1

Also add a NAT exemption rule for the Austin_DMZ/Singapore_DMZ subnets.
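The NAT exemption check in the accepted answer can be applied to the whole crypto map rather than one subnet at a time. The script below is an added example, not from the asker or ffleisma: it parses a constructed excerpt of the ASA 8.3 config posted above and reports every active crypto-ACL entry whose traffic has no identity twice-NAT rule from an inside interface to the crypto-map interface (without one, the object NAT for London_LAN PATs the traffic before the crypto map sees it, so the tunnel never initiates). On the posted config it flags the Austin_LAN exemption, which is written for the interface pair (WAN,WAN) instead of (LAN,WAN), and the Singapore_DMZ entry, which has no exemption at all.

```python
import re

# Constructed excerpt of the ASA 8.3 config from the question (peer IPs redacted as in the post).
ASA_CFG = """
access-list WAN_1_cryptomap extended permit ip object London_LAN object Austin_DMZ inactive
access-list WAN_1_cryptomap extended permit ip object London_LAN object Austin_LAN log notifications
access-list WAN_2_cryptomap extended permit ip object London_LAN object Singapore_DMZ
access-list WAN_2_cryptomap extended permit ip object London_LAN object Singapore_LAN log notifications
access-list WAN_3_cryptomap extended permit ip object London_LAN object Perth_LAN
nat (WAN,WAN) source static London_LAN London_LAN destination static Austin_LAN Austin_LAN
nat (LAN,WAN) source static London_LAN London_LAN destination static Singapore_LAN Singapore_LAN
nat (LAN,WAN) source static London_LAN London_LAN destination static Perth_LAN Perth_LAN
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 2 match address WAN_2_cryptomap
crypto map WAN_map 5 match address WAN_3_cryptomap
crypto map WAN_map interface WAN
"""

# One regex per statement type; the \3 and \4 back-references only accept identity (exemption) NAT.
ACE = re.compile(r"access-list (\S+) extended permit ip object (\S+) object (\S+)(.*)")
NAT = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4")
MAP = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")
IFACE = re.compile(r"crypto map (\S+) interface (\S+)")

def audit_l2l(cfg):
    """Return one finding per active crypto-ACL entry that lacks an identity NAT rule
    from some inside interface to the interface the crypto map is applied on."""
    aces, exempt, maps, outside = {}, set(), {}, {}
    for line in cfg.splitlines():
        if m := ACE.match(line):
            aces.setdefault(m[1], []).append((m[2], m[3], "inactive" in m[4]))
        elif m := NAT.match(line):
            exempt.add((m[1], m[2], m[3], m[4]))       # (in-iface, out-iface, src, dst)
        elif m := MAP.match(line):
            maps[(m[1], m[2])] = m[3]                  # (map name, seq) -> crypto ACL
        elif m := IFACE.match(line):
            outside[m[1]] = m[2]                       # map name -> interface it is bound to
    findings = []
    for (name, seq), acl in sorted(maps.items()):
        for src, dst, inactive in aces.get(acl, []):
            if inactive:                               # not part of the live crypto ACL
                continue
            if not any(i != o and o == outside.get(name) and (s, d) == (src, dst)
                       for i, o, s, d in exempt):
                findings.append(f"{name} {seq}: no NAT exemption for {src} -> {dst} via {outside.get(name)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_l2l(ASA_CFG)) or "no findings")
```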