Solved

Cisco L2L Help

Posted on 2011-10-09
502 Views
Last Modified: 2013-11-16
Been having issues setting up this Cisco L2L. I had it all working, but then users couldn't connect to the SSL-VPN and I found my mistake. Now I am not sure what I am missing. Any help will be appreciated. :)
HQ FIREWALL

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map SITELINKS 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer 168.168.168.10
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto map SITELINKS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 168.168.168.10 type ipsec-l2l
tunnel-group 168.168.168.10 ipsec-attributes
 pre-shared-key *


REMOTE SITE

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address inside_nat0_outbound
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 192.192.192.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group 192.192.192.10 type ipsec-l2l
tunnel-group 192.192.192.10 ipsec-attributes
 pre-shared-key *****

Question by:matt2008
8 Comments

Expert Comment

by:piersonm
ID: 36942125
At first glance the subnet mask on your HQ SITE access-list inside_nat0_outbound doesn't match the remote site.

HQ FIREWALL
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0

REMOTE SITE
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0

Author Comment

by:matt2008
ID: 36942518
Yeah, I fixed that - good catch though. Still down. I didn't really change much except renaming outside_map to SITELINKS on the HQ side.


Expert Comment

by:piersonm
ID: 36946051
What error messages are you receiving?
Can you provide the output of these show commands:
   show crypto isakmp sa
   show crypto ipsec sa peer <IP Address>

Author Comment

by:matt2008
ID: 36946176
There are no ISAKMP SAs.

Author Comment

by:matt2008
ID: 36948523
I've requested that this question be deleted for the following reason:

found my own solution.

Expert Comment

by:piersonm
ID: 36948524
What was the resolution?

Accepted Solution

by: matt2008 (earned 0 total points)
ID: 36953407
Removed crypto map outside_map 20 set pfs from each side and it came right up. Took a few to renegotiate.
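The two problems raised in this thread (the HQ access-list mask that piersonm spotted, and the set pfs that the accepted solution removed from both ends) are static mismatches between the two crypto map configs, and they can be caught by diffing the relevant pieces before debugging on the box. The checker below is an added example, not code from the thread or from Cisco: it parses the relevant lines of the HQ and remote configs as posted in the question (names and addresses are the ones above), mirrors the crypto ACL, compares transform-set contents and PFS, and confirms each side has an ipsec-l2l tunnel-group for its peer. It checks only these crypto map pieces, not the ISAKMP policy, NAT exemption or routing, and it assumes a single static crypto map entry per side.

```python
from ipaddress import IPv4Network
# Relevant lines from the question, HQ (peer 192.192.192.10) and remote (peer 168.168.168.10).
HQ = """access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer 168.168.168.10
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
tunnel-group 168.168.168.10 type ipsec-l2l"""
REMOTE = """access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address inside_nat0_outbound
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 192.192.192.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
tunnel-group 192.192.192.10 type ipsec-l2l"""

def parse(cfg):
    """Collect the crypto ACL, transform-sets, the static crypto map entry and l2l tunnel-groups."""
    side = {"acl": {}, "tset": {}, "map": {}, "tg": set()}
    for w in (ln.split() for ln in cfg.splitlines() if ln.strip()):
        if w[0] == "access-list" and "permit" in w:
            i = w.index("ip")  # src mask dst mask follow the protocol keyword
            side["acl"].setdefault(w[1], []).append(
                (IPv4Network(f"{w[i+1]}/{w[i+2]}"), IPv4Network(f"{w[i+3]}/{w[i+4]}")))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            side["tset"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 5 and w[3].isdigit():  # one static entry assumed
            key = w[4] if w[4] == "match" else w[5]  # match / pfs / peer / transform-set
            side["map"][key] = w[6] if len(w) > 6 else True
        elif w[0] == "tunnel-group" and w[2:] == ["type", "ipsec-l2l"]:
            side["tg"].add(w[1])
    return side

def check(a, b):
    """Return the mismatches between side A and side B; an empty list means they agree."""
    pa, pb = parse(a), parse(b)
    ma, mb = pa["map"], pb["map"]
    # Crypto ACLs must be exact mirrors: every src/dst pair on A must appear as dst/src on B.
    mirror = {(d, s) for s, d in pb["acl"].get(mb.get("match"), [])}
    issues = [f"ACL not mirrored on peer: {s} -> {d}"
              for s, d in pa["acl"].get(ma.get("match"), []) if (s, d) not in mirror]
    # Transform-set contents must match even when the names differ.
    if pa["tset"].get(ma.get("transform-set")) != pb["tset"].get(mb.get("transform-set")):
        issues.append("transform-set mismatch")
    if ma.get("pfs", False) != mb.get("pfs", False):  # PFS must be set on both ends or on neither
        issues.append("PFS configured on one side only")
    for name, p in (("A", pa), ("B", pb)):  # each side needs an l2l tunnel-group for its peer
        if p["map"].get("peer") not in p["tg"]:
            issues.append(f"side {name}: no ipsec-l2l tunnel-group for peer {p['map'].get('peer')}")
    return issues
```

Run as posted, check(HQ, REMOTE) reports only the unmirrored 10.1.0.0/16 entry; with the HQ mask corrected to 255.255.255.0 it returns an empty list, and it flags PFS once it is removed from only one side.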

Expert Comment

by:South Mod
ID: 36998362
All,
 
Following an 'Objection' by piersonm (at http://www.experts-exchange.com/Q_27390508.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
 
At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
SouthMod
Community Support Moderator