matt2008 asked:
Cisco L2L Help

Been having issues setting up this Cisco L2L. I had it all working, but then users couldn't connect to SSL-VPN and I found my mistake. Now I am not sure what I am missing. Any help will be appreciated. :)
HQ FIREWALL

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map SITELINKS 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer 168.168.168.10
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto map SITELINKS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 168.168.168.10 type ipsec-l2l
tunnel-group 168.168.168.10 ipsec-attributes
 pre-shared-key *


REMOTE SITE

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address inside_nat0_outbound
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 192.192.192.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group 192.192.192.10 type ipsec-l2l
tunnel-group 192.192.192.10 ipsec-attributes
 pre-shared-key *****


piersonm

At first glance the subnet mask on your HQ SITE access-list inside_nat0_outbound doesn't match the remote site.

HQ FIREWALL
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0

REMOTE SITE
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0
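As an added check on the point piersonm makes, here is a small Python script written for this page (it is not from the thread, from Cisco, or from Experts Exchange) that pulls the crypto ACL, transform set, crypto map entry and isakmp policy out of each side's config and reports where the two sides disagree. The embedded configs are the question's own lines cut down to what the checker reads; the one assumption is that each side has exactly one static crypto map entry (the one with both a peer and a crypto ACL), which is what was posted.

```python
import ipaddress
import re
# Constructed sample: the two configs from the question, cut down to the lines read here.
HQ_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer 168.168.168.10
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
REMOTE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address inside_nat0_outbound
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 192.192.192.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set) ?(.*)$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
FIELD = {"match address": "acl", "set peer": "peer", "set transform-set": "transform"}

def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ASA ACLs use dotted masks; ipaddress accepts "addr/mask" directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config: str) -> dict:
    """Pull out the parts of an ASA config that must agree across a L2L pair."""
    acls, transform_sets, crypto_maps, policies = {}, {}, {}, {}
    policy = None  # sequence number of the isakmp policy whose attributes follow
    for line in config.splitlines():
        if line.startswith(" ") and policy is not None:  # indented policy attribute
            key, _, value = line.strip().partition(" ")
            policies[policy][key] = value
            continue
        policy = None
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((net(src, smask), net(dst, dmask)))
        elif m := TS_RE.match(line):
            transform_sets[m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            name, seq, cmd, arg = m.groups()
            entry = crypto_maps.setdefault((name, seq), {"pfs": False})
            if cmd == "set pfs":
                entry["pfs"] = True
            else:
                entry[FIELD[cmd]] = arg
        elif m := POLICY_RE.match(line):
            policy = m.group(1)
            policies[policy] = {}
    return {"acls": acls, "ts": transform_sets, "maps": crypto_maps, "policies": policies}

def static_entry(parsed: dict) -> dict:
    # The static L2L entry has both a peer and a crypto ACL; dynamic entries have neither.
    entries = [e for e in parsed["maps"].values() if "acl" in e and "peer" in e]
    if len(entries) != 1:
        raise ValueError(f"expected one static crypto map entry, found {len(entries)}")
    return entries[0]

def compare(hq_cfg: str, remote_cfg: str) -> list:
    """Return mismatch findings between the two sides; an empty list means they agree."""
    hq, rm = parse(hq_cfg), parse(remote_cfg)
    hq_e, rm_e = static_entry(hq), static_entry(rm)
    findings = []
    # Crypto ACLs must mirror exactly: each HQ (src, dst) pair is (dst, src) on the remote.
    hq_pairs = set(hq["acls"].get(hq_e["acl"], []))
    rm_mirror = {(d, s) for s, d in rm["acls"].get(rm_e["acl"], [])}
    for s, d in sorted(hq_pairs - rm_mirror, key=str):
        findings.append(f"HQ {hq_e['acl']} has {s} -> {d} with no mirror on remote")
    for s, d in sorted(rm_mirror - hq_pairs, key=str):
        findings.append(f"remote {rm_e['acl']} has {d} -> {s} with no mirror on HQ")
    # Phase 2 proposal: same transform set algorithms and the same PFS decision.
    if hq["ts"].get(hq_e["transform"]) != rm["ts"].get(rm_e["transform"]):
        findings.append("transform sets differ between the two sides")
    if hq_e["pfs"] != rm_e["pfs"]:
        findings.append("PFS is set on only one side")
    # Phase 1: some isakmp policy on each side must agree on these four (lifetime may differ).
    keys = ("authentication", "encryption", "hash", "group")
    def props(side: dict) -> set:
        return {tuple(p.get(k) for k in keys) for p in side["policies"].values()}
    if not props(hq) & props(rm):
        findings.append("no isakmp policy matches between the two sides")
    return findings

if __name__ == "__main__":
    print(*(compare(HQ_CONFIG, REMOTE_CONFIG) or ["no mismatches found"]), sep="\n")
```

Run as posted it reports exactly the pair piersonm spotted: HQ proposes 10.1.0.0/16 while the remote expects 10.1.0.0/24, and nothing else on the two sides disagrees. Worth keeping in mind while reading the rest of the thread: a crypto ACL mismatch only bites at phase 2, after the isakmp SA is up, so an empty `show crypto isakmp sa` points at something earlier than the ACL, such as the peer address, UDP/500 and ESP reachability between the two outside interfaces, or no interesting traffic having tried to bring the tunnel up.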
matt2008 (ASKER)

Yeah, I fixed that, good catch though. Still down. I didn't really change much except renaming outside_map to SITELINKS on the HQ side.

piersonm

What error messages are you receiving?
Can you provide the output of the show commands:
   show crypto isakmp sa
   show crypto ipsec sa peer <IP Address>
matt2008 (ASKER)

There are no isakmp SAs.
matt2008 (ASKER)

I've requested that this question be deleted for the following reason:

Found my own solution.
piersonm

What was the resolution?
ASKER CERTIFIED SOLUTION
matt2008
South Mod

All,
 
Following an 'Objection' by piersonm (at https://www.experts-exchange.com/questions/27390508/13-Oct-11-18-Automated-Request-for-Review-Objection-to-Delete-Q-27388070.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
 
At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
SouthMod
Community Support Moderator