Solved

Cannot access remote network through ASA Site-to-Site VPN

Posted on 2011-03-10
Last Modified: 2012-05-11
Hello everybody,

First I must say I have configured site-to-site VPNs a million times before. Got stuck with this one. First of all, I cannot ping the outside interface of my remote ASA. Secondly, the VPN is up, but there is no connectivity between the LANs.

Local ASA:
hostname gyd-asa
domain-name bct.az
enable password XeY1QWHKPK75Y48j encrypted
passwd XeY1QWHKPK75Y48j encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 shutdown
 nameif vpnswc
 security-level 0
 ip address 10.254.17.41 255.255.255.248
!
interface GigabitEthernet0/1
 description vpn-turan-baku
 nameif outside-Baku
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2
 description vpn-ganja
 nameif outside-Ganja
 security-level 0
 ip address 10.254.17.17 255.255.255.248
!
interface GigabitEthernet0/2.30
 description Remote Access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.* 255.255.255.0
!
interface GigabitEthernet0/3
 description BCT_Inside
 nameif inside-Bct
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.251.1 255.255.255.0
 management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
 name-server 192.168.1.3
 domain-name bct.az
same-security-traffic permit intra-interface
object-group network obj-192.168.121.0
object-group network obj-10.40.60.0
object-group network obj-10.40.50.0
object-group network obj-192.168.0.0
object-group network obj-172.26.0.0
object-group network obj-10.254.17.0
object-group network obj-192.168.122.0
object-group service obj-tcp-eq-22
object-group network obj-10.254.17.18
object-group network obj-10.254.17.10
object-group network obj-10.254.17.26
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list icmp_inside extended permit icmp any any
access-list icmp_inside extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list rdp extended permit tcp any host 192.168.45.3 eq 3389
access-list rdp extended permit ip any any
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list nat-vpn-internet extended permit ip 192.168.121.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 172.26.0.0 255.255.255.0 any
access-list nat-vpn-internet extended permit ip 192.168.122.0 255.255.255.0 any
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.40.60.0 255.255.255.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 172.26.0.0 255.255.255.0
access-list nonat-vpn-city extended permit ip 192.168.121.0 255.255.255.0 10.254.17.0 255.255.255.0
access-list ghc-ganja-internet extended permit ip 192.168.45.0 255.255.255.0 any
access-list Split_Tunnel_List standard permit 192.168.16.0 255.255.255.0
access-list azans extended permit ip 192.168.69.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
pager lines 24
logging enable
logging emblem
logging console debugging
logging trap debugging
logging asdm informational
logging host inside-Bct 192.168.1.27
flow-export destination inside-Bct 192.168.1.27 9996
mtu vpnswc 1500
mtu outside-Baku 1500
mtu outside-Ganja 1500
mtu remote-access 1500
mtu inside-Bct 1500
mtu management 1500
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
ip local pool ssl 192.168.121.130-192.168.121.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside-Baku
icmp permit any remote-access
icmp permit any inside-Bct
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
global (remote-access) 3 interface
nat (outside-Ganja) 3 access-list azans
nat (remote-access) 0 access-list nonat-vpn-city
nat (remote-access) 3 access-list nat-vpn-internet
nat (inside-Bct) 0 access-list inside_nat0_outbound
nat (inside-Bct) 2 access-list nat-ganja
nat (inside-Bct) 1 access-list nat
access-group rdp out interface outside-Ganja
!
router eigrp 2008
 no auto-summary
 neighbor 10.254.17.10 interface outside-Baku
 neighbor 10.40.50.66 interface inside-Bct
 network 10.40.50.64 255.255.255.252
 network 10.250.25.0 255.255.255.0
 network 10.254.17.8 255.255.255.248
 network 10.254.17.16 255.255.255.248
 redistribute static
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.* 1
route outside-Baku 10.0.11.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.33.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.150.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.0.170.0 255.255.255.0 10.254.17.10 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 10.254.17.32 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.27.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.66.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.80.0 255.255.255.0 10.254.17.11 1
route remote-access 192.168.121.0 255.255.255.0 85.132.43.1 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
route inside-Bct 192.168.254.0 255.255.255.0 10.40.50.66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside-Bct) host 192.168.1.8
 key *****
aaa-server TACACS (inside-Bct) host 192.168.22.46
 key *****    
aaa-server TACACS1 protocol radius
aaa-server TACACS1 (inside-Bct) host 192.168.1.8
 key *****
aaa-server TACACS1 (inside-Bct) host 192.168.22.46
 key *****
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside-Bct
http 192.168.139.0 255.255.255.0 inside-Bct
http 192.168.0.0 255.255.255.0 inside-Bct
snmp-server host inside-Bct 192.168.1.27 poll community *****
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 match address 110
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap 20 set transform-set myset2
crypto map mymap interface outside-Baku
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set myset
crypto map ganja interface outside-Ganja
crypto map vpntest 20 match address 110
crypto map vpntest 20 set peer 10.250.25.1
crypto map vpntest 20 set transform-set newset
crypto map vpntest interface vpnswc
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=gyd-asa.bct.az
 keypair sslvpnkeypair
 crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp identity address
crypto isakmp enable vpnswc
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside-Bct
ssh timeout 35
console timeout 0
priority-queue outside-Baku
  queue-limit   2046
  tx-ring-limit 254
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.3
ssl encryption 3des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0 remote-access vpnlb-ip
ssl trust-point ASDM_TrustPoint0 remote-access
webvpn
 enable remote-access
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy ssl internal
group-policy ssl attributes
 banner value Welcome to SW
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value SSL
 webvpn
  url-list value SPS
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 pfs disable
 default-domain value bct.az
 vpn-group-policy ssl
 webvpn
  url-list value SPS
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 5
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 5
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 5
tunnel-group 10.254.17.10 type ipsec-l2l
tunnel-group 10.254.17.10 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 5
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool ssl
 authentication-server-group (remote-access) LOCAL
 default-group-policy ssl
 username-from-certificate use-entire-name
tunnel-group SSL webvpn-attributes
 group-alias SSL enable
 group-url https://85.*.*.*/ enable
tunnel-group 10.254.17.18 type ipsec-l2l
tunnel-group 10.254.17.18 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 5
tunnel-group 10.254.17.11 type ipsec-l2l
tunnel-group 10.254.17.11 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 5
tunnel-group DefaultSWITGroup type remote-access
tunnel-group DefaultSWITGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultSWITGroup ipsec-attributes
 pre-shared-key *****
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect ip-options
 class flow_export_cl
  flow-export event-type all destination 192.168.1.27
 class class-default
  flow-export event-type all destination 192.168.1.27
policy-map Voicepolicy
 class Voice
  priority
 class Data  
  police output 80000000
!
service-policy global_policy global
service-policy Voicepolicy interface outside-Baku
prompt hostname context

Cryptochecksum:4f35f975ba7a0c11f7f46dfd541d266f
: end
gyd-asa#


Remote ASA:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password XeY1QWHKPK75Y48j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.80.14 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 10.254.17.11 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!            
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa823-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nonat extended permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
no failover  
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.80.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 2147483646
crypto ipsec security-association lifetime kilobytes 2147483646
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset2
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2      
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

Cryptochecksum:1c1ac60e2fb84f65269d15d53f27c21b
: end
ciscoasa#



Once again, I cannot ping the remote ASA's outside interface from the local ASA's outside interface. And there is no connectivity between the remote 192.168.80.0 and the local's, let's say, 192.168.1.0. I have run out of ideas.

Would appreciate any help. Thank you very much in advance.
Question by: fgasimzade

12 Comments
Expert Comment by: Ernie Beek
Did you check (ASDM) logs to see if something shows up there?
Author Comment by: fgasimzade
Yes, the VPN goes up (PHASE 2 Completed); sh crypto isakmp sa also states that the tunnel is active. When I ping the remote site, the logs show "building outbound icmp connection" and then "teardown outbound icmp connection".
Expert Comment by: Ernie Beek
First:
access-list 110 extended permit ip any any is used to select the traffic going into the tunnel. That's everything, so it's logical that you can't ping the outside.
Try: access-list 110 extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0
192.168.0.0, or whatever range you want to try it from.

The nat 0 rules don't match on both sides:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.121.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0

vs.
access-list nonat extended permit ip 192.168.80.0 255.255.255.0 192.168.0.0 255.255.0.0

So change the first to: access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.80.0 255.255.255.0 only.

And let's see if that helps.
Author Comment by: fgasimzade
Yes, you are right, but access-list 110 works fine for the other VPN tunnels, for example for 10.254.17.10, and I can ping 10.254.17.10 from 10.254.17.9 (both interfaces are outside). However, the ping fails from 10.254.17.9 to 10.254.17.11.

The nat 0 rules do not have to match on both sides, as far as I know..

Expert Comment by: Ernie Beek
Well, that's interesting. I must have a closer look at how that's working.....

You're right, nat 0 doesn't have to match; I just like to keep the config tidy :)

Let's see, is it just that you can't ping the outside, or can't you ping anything on the remote LAN either?
Did you also check the remote logs?
And last, did you compare the configs of 10.254.17.11 and 10.254.17.10 to see if you overlooked anything?
Author Comment by: fgasimzade
I removed the crypto maps from both outside interfaces (10.254.17.11 and 10.254.17.9), and now the ping is successful... Now I don't understand how 10.254.17.9 can ping 10.254.17.10 with the crypto maps applied..

Still cannot ping the remote subnet (192.168.80.0).

I have compared the configs a million times, line by line, word by word.. ((
Expert Comment by: Ernie Beek
If you want to, you could post the 10.254.17.10 config here as well and we can have a look at it. You never know.

I'll have another very close look at the configs again later on......
Author Comment by: fgasimzade
ASA Version 8.2(1)
!
hostname bak-asa
enable password XeY1QWHKPK75Y48j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description vpn-bank
 nameif outside-bank
 security-level 0
 ip address 10.254.17.25 255.255.255.248
!
interface GigabitEthernet0/1
 nameif outside-GYD
 security-level 0
 ip address 10.254.17.10 255.255.255.248
!
interface GigabitEthernet0/1.128
 no vlan
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.138
 vlan 138
 nameif outside-ganja
 security-level 0
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/2.30
 vlan 30
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/2.32
 description remote access
 vlan 32
 nameif remote-access
 security-level 0
 no ip address
!
interface GigabitEthernet0/2.128
 vlan 128
 nameif internet
 security-level 0
 ip address 94.*.*.* 255.255.255.0
!
interface GigabitEthernet0/3
 description eigrp 2008
 nameif inside-Baku
 security-level 100
 ip address 10.40.50.69 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.22.4 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 110 extended permit ip any any
access-list 110 extended permit ip any 192.168.186.0 255.255.255.0
access-list 110 extended permit ip any 192.168.86.0 255.255.255.0
access-list 110 extended permit ip any 192.168.87.0 255.255.255.0
access-list nat extended permit tcp any host 10.254.17.18 eq ssh
access-list nat extended permit tcp any host 10.254.17.9 eq ssh
access-list remote extended permit tcp any any eq 6129
access-list nat-bank extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list nonat-vpn extended permit ip any 192.168.85.0 255.255.255.0
access-list nonat-vpn extended permit ip any 192.168.208.252 255.255.255.252
access-list nonat-vpn extended permit ip any 172.18.46.80 255.255.255.240
access-list nat-vpn-internet extended permit ip 192.168.121.0 255.255.255.0 any
access-list 111 extended permit ip any 192.168.185.0 255.255.255.0
access-list 111 extended permit ip any 192.168.85.0 255.255.255.0
access-list 111 extended permit ip any 192.168.208.252 255.255.255.252
access-list 111 extended permit ip any 172.18.46.80 255.255.255.240
access-list 113 extended permit ip any 192.168.186.0 255.255.255.0
access-list 113 extended permit ip any 192.168.86.0 255.255.255.0
access-list 113 extended permit ip any 192.168.87.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging asdm informational
logging host outside-GYD 192.168.1.27
mtu outside-bank 1500
mtu outside-GYD 1500
mtu outside-ganja 1500
mtu remote-access 1500
mtu internet 1500
mtu inside-Baku 1500
mtu management 1500
ip local pool raccess 192.168.121.5-192.168.121.55 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any remote-access
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside-bank) 2 interface
global (outside-GYD) 1 interface
nat (internet) 0 access-list nonat-vpn
nat (inside-Baku) 0 access-list nonat-vpn
nat (inside-Baku) 1 access-list nat
nat (inside-Baku) 2 access-list nat-bank
!
route-map test permit 10
!
route-map GHC-Ganja-Intenet permit 10
!
!
router eigrp 2008
 neighbor 10.254.17.9 interface outside-GYD
 neighbor 10.40.50.70 interface inside-Baku
 network 10.40.50.68 255.255.255.252
 network 10.254.17.8 255.255.255.248
 network 10.254.17.24 255.255.255.248
 network 192.168.175.0 255.255.255.0
 redistribute static
!
route internet 0.0.0.0 0.0.0.0 94.20.77.2 1
route inside-Baku 10.0.11.0 255.255.255.0 10.40.50.70 1
route inside-Baku 10.0.33.0 255.255.255.0 10.40.50.70 1
route inside-Baku 10.0.150.0 255.255.255.0 10.40.50.70 1
route inside-Baku 10.0.170.0 255.255.255.0 10.40.50.69 1
route internet 10.99.88.0 255.255.255.0 85.132.76.3 1
route outside-bank 10.101.10.0 255.255.255.0 10.254.17.26 1
route outside-bank 10.254.17.32 255.255.255.248 10.254.17.26 1
route outside-bank 10.254.17.72 255.255.255.248 10.254.17.26 1
route outside-bank 85.132.76.16 255.255.255.240 10.254.17.26 1
route outside-bank 172.18.46.16 255.255.255.240 10.254.17.26 1
route outside-bank 172.18.46.32 255.255.255.240 10.254.17.26 1
route outside-bank 172.18.46.64 255.255.255.240 10.254.17.26 1
route internet 172.18.46.80 255.255.255.240 85.132.19.126 1
route inside-Baku 172.18.254.0 255.255.255.0 10.40.50.70 1
route inside-Baku 192.1.1.0 255.255.255.0 10.40.50.70 1
route outside-bank 192.168.27.0 255.255.255.0 10.254.17.26 1
route outside-bank 192.168.35.0 255.255.255.0 10.254.17.26 1
route outside-bank 192.168.39.0 255.255.255.0 10.254.17.26 1
route internet 192.168.85.0 255.255.255.0 85.132.19.126 1
route internet 192.168.86.0 255.255.255.0 10.254.17.59 1
route internet 192.168.87.0 255.255.255.0 10.254.17.59 1
route inside-Baku 192.168.150.0 255.255.255.0 10.40.50.70 1
route outside-GYD 192.168.174.0 255.255.254.0 10.254.17.26 1
route inside-Baku 192.168.174.0 255.255.255.0 10.40.50.70 1
route outside-bank 192.168.175.0 255.255.255.0 10.254.17.26 1
route outside-bank 192.168.177.0 255.255.255.0 10.254.17.26 1
route internet 192.168.185.0 255.255.255.0 85.132.19.126 1
route internet 192.168.186.0 255.255.255.0 10.254.17.59 1
route outside-bank 192.168.208.16 255.255.255.240 10.254.17.26 1
route outside-bank 192.168.208.128 255.255.255.240 10.254.17.26 1
route internet 192.168.208.252 255.255.255.252 85.132.19.126 1
route outside-GYD 192.168.254.0 255.255.255.0 10.254.17.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS protocol tacacs+
aaa-server TACACS (outside-GYD) host 192.168.1.8
 key Link2as
aaa-server TACACS (outside-GYD) host 192.168.22.46
 key Link2as
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.254.0 outside-GYD
snmp-server host outside-GYD 192.168.1.13 poll community vlan
snmp-server host outside-GYD 192.168.1.27 poll community vlan
snmp-server host inside-Baku 192.168.22.46 community vlan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside-GYD
crypto map bank 10 match address 110
crypto map bank 10 set peer 10.254.17.26
crypto map bank 10 set transform-set myset
crypto map bank interface outside-bank
crypto map ganja 10 match address 110
crypto map ganja 10 set peer 10.254.17.18
crypto map ganja 10 set transform-set myset
crypto map vpnlankoran 10 match address 111
crypto map vpnlankoran 10 set peer 85.*.*.*
crypto map vpnlankoran 10 set transform-set myset
crypto map vpnlankoran interface internet
crypto isakmp identity address
crypto isakmp enable outside-bank
crypto isakmp enable outside-GYD
crypto isakmp enable remote-access
crypto isakmp enable internet
crypto isakmp enable inside-Baku
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet timeout 60
ssh 10.254.17.26 255.255.255.255 outside-bank
ssh 192.168.1.0 255.255.255.192 outside-GYD
ssh 0.0.0.0 0.0.0.0 inside-Baku
ssh timeout 60
console timeout 0
priority-queue outside-GYD
  queue-limit   2046
  tx-ring-limit 254
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.3
ssl encryption des-sha1
webvpn
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value bct.az
username admin password fOxbBT5HEEz5OxJT encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.26 type ipsec-l2l
tunnel-group 10.254.17.26 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.18 type ipsec-l2l
tunnel-group 10.254.17.18 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.57 type ipsec-l2l
tunnel-group 10.254.17.57 ipsec-attributes
 pre-shared-key *
tunnel-group 10.254.17.59 type ipsec-l2l
tunnel-group 10.254.17.59 ipsec-attributes
 pre-shared-key *
tunnel-group 85.*.*.* type ipsec-l2l
tunnel-group 85.*.*.* ipsec-attributes
 pre-shared-key *
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
policy-map Voicepolicy
 class Voice  
  priority
 class Data
  police output 80000000
!
service-policy Voicepolicy interface outside-GYD
prompt hostname context
Cryptochecksum:b95c9686081ff0abbce43997b9884830
: end


Thank you very much!!
Author Comment by: fgasimzade
Another thing I noticed is:

Crypto map tag: mymap, seq num: 20, local addr: 10.254.17.9
 
      access-list 112 extended permit ip any 192.168.80.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      current_peer: 10.254.17.11
             
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
             
      local crypto endpt.: 10.254.17.9, remote crypto endpt.: 10.254.17.11

Encrypted packet count is 0.
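The counters above (encaps 0 while decaps is non-zero) are the diagnostic that cracked this case: the remote side is encrypting toward this ASA, but nothing on this ASA is being selected into that SA. The script below is an added example, not code from the thread: it parses "show crypto ipsec sa" output into per-SA records and classifies each SA by the direction of its counters, so the same read can be done over a full dump with many tunnels. The sample input is constructed: the first block reproduces the counters posted above, the second is a made-up healthy SA for contrast.

```python
import re

# Constructed sample: the first block reproduces the counters posted above
# (encaps 0, decaps 4); the second is a made-up healthy SA for contrast.
SAMPLE = """\
Crypto map tag: mymap, seq num: 20, local addr: 10.254.17.9

      access-list 112 extended permit ip any 192.168.80.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      current_peer: 10.254.17.11

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0

Crypto map tag: mymap, seq num: 10, local addr: 10.254.17.9

      access-list 110 extended permit ip any any
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.254.17.10

      #pkts encaps: 812, #pkts encrypt: 812, #pkts digest: 812
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
      #send errors: 0, #recv errors: 0
"""

HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
FIELDS = {
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}


def parse_sas(text):
    """One dict per SA block; a block runs from one 'Crypto map tag' header
    to the next."""
    heads = list(HEADER.finditer(text))
    sas = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[h.start():end]
        sa = {"map": h.group(1), "seq": int(h.group(2)), "local": h.group(3)}
        for key, rx in FIELDS.items():
            m = rx.search(block)
            sa[key] = (m.group(1) if key == "peer" else int(m.group(1))) if m else None
        sas.append(sa)
    return sas


def diagnose(sa):
    """Read the direction of failure off the counters: encaps counts packets
    this ASA put into the tunnel, decaps packets it received from the peer."""
    enc, dec = sa["encaps"] or 0, sa["decaps"] or 0
    if enc == 0 and dec > 0:
        return ("one-way: peer encrypts, we never do. Our traffic is not being "
                "selected by this entry (a lower-seq entry with a broader ACL, "
                "or NAT rewriting the address before the crypto ACL is checked).")
    if enc > 0 and dec == 0:
        return "one-way: we encrypt, nothing comes back; look at the peer side."
    if enc == 0 and dec == 0:
        return "idle: no interesting traffic seen in either direction."
    if sa["send_errors"] or sa["recv_errors"]:
        return "passing traffic but with send/recv errors."
    return "healthy"


def triage(text):
    """[(map, seq, peer, verdict)] for every SA in a 'show crypto ipsec sa'."""
    return [(s["map"], s["seq"], s["peer"], diagnose(s)) for s in parse_sas(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

Feed it the full "show crypto ipsec sa" from the box and the SA that is only ever decapsulating stands out immediately; the verdict text names the two usual reasons on an 8.2 ASA for traffic never reaching a crypto map entry.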
Accepted Solution by: fgasimzade
The issue is solved. The encrypted packet count helped me a lot: I changed the crypto map reference number from 20 to 5, lower than the current 10, and everything is working now!

Thank you!
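Ernie's point about access-list 110 and the fix in the accepted solution are the same mechanism seen from two sides: the ASA walks a crypto map in sequence order and the first entry whose ACL matches the packet picks the peer, so a "permit ip any any" selector at seq 10 leaves nothing for seq 20 to encrypt. The script below is an added example, not code from the thread: it parses the relevant lines of an ASA 8.2 config and reports crypto map entries whose selectors are entirely claimed by a lower-sequence entry, plus any catch-all entries. The two config excerpts are constructed from the gyd-asa outside-Baku crypto map above; the pairing of ACL 112 with the 10.254.17.11 entry is taken from the show crypto ipsec sa output, and the "after" version assumes the seq 5 entry kept ACL 112.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the gyd-asa "outside-Baku" crypto map from
# the thread, before the fix: seq 10 (peer 10.254.17.10) matches ACL 110
# "permit ip any any", so seq 20 (peer 10.254.17.11) can never be selected.
BROKEN_CONFIG = """
access-list 110 extended permit ip any any
access-list 112 extended permit ip any 192.168.80.0 255.255.255.0
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 20 match address 112
crypto map mymap 20 set peer 10.254.17.11
crypto map mymap interface outside-Baku
"""

# The same map after the fix reported in the accepted solution: the specific
# selector moved to seq 5, ahead of the catch-all (assumes ACL 112 was kept).
FIXED_CONFIG = """
access-list 110 extended permit ip any any
access-list 112 extended permit ip any 192.168.80.0 255.255.255.0
crypto map mymap 5 match address 112
crypto map mymap 5 set peer 10.254.17.11
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap interface outside-Baku
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens):
    """Consume one ASA address spec ("any", "host A" or "A MASK") from the
    front of tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, maps). acls: ACL name -> [(src, dst)] for "permit ip"
    ACEs; maps: crypto-map name -> {seq: {"acl": name, "peer": ip}}."""
    acls = defaultdict(list)
    maps = defaultdict(dict)
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(t[5:])
            dst, _ = _addr(rest)
            acls[t[1]].append((src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[3].isdigit():
            entry = maps[t[2]].setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return acls, maps


def _covered(sel, earlier):
    """True if selector (src, dst) lies entirely inside one selector of an
    earlier entry: no packet matching it can ever reach the later entry."""
    src, dst = sel
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in earlier)


def find_shadowed(text):
    """(map, seq, peer, shadowing_seq) for every entry whose selectors are all
    claimed by a lower-sequence entry of the same crypto map. The ASA takes
    the first matching entry, so such an entry shows "#pkts encaps: 0"."""
    acls, maps = parse_config(text)
    findings = []
    for name, entries in maps.items():
        seen = []  # [(seq, selectors)] in evaluation order
        for seq in sorted(entries):
            entry = entries[seq]
            sels = acls.get(entry.get("acl"), [])
            if not sels:  # dynamic entries carry no static selector
                continue
            for prev_seq, prev_sels in seen:
                if all(_covered(s, prev_sels) for s in sels):
                    findings.append((name, seq, entry.get("peer"), prev_seq))
                    break
            seen.append((seq, sels))
    return findings


def catch_all_entries(text):
    """(map, seq, peer) for entries matching "permit ip any any": every packet
    leaving the interface is pulled into that tunnel, the reason given above
    for the failed pings to the peer's outside interface."""
    acls, maps = parse_config(text)
    return [(name, seq, e.get("peer"))
            for name, entries in maps.items()
            for seq, e in sorted(entries.items())
            if (ANY, ANY) in acls.get(e.get("acl"), [])]


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        print(label, "shadowed:", find_shadowed(cfg),
              "catch-all:", catch_all_entries(cfg))
```

Run against the "before" config it reports seq 20 (peer 10.254.17.11) as shadowed by seq 10; against the "after" config nothing is shadowed, while the catch-all entry to 10.254.17.10 is still flagged, since renumbering fixes the ordering problem but not the over-broad selector Ernie pointed out.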
Expert Comment by: Ernie Beek
Good! Glad it's working!
Author Closing Comment by: fgasimzade
Changed crypto map reference number