Cisco L2L VPN - Two tunnels, one peer

ccfcfc asked:

I am trying to set up a L2L VPN, with local IP address details as follows.

Side A: 192.168.50.0/24, 192.168.53.0/24
Side B: 192.168.69.17, 192.168.69.21

The operators of Side B have requested that this be set up as two separate tunnels, between the same peers.

My config (Side A, ASA 5520) is as follows.


access-list inside-in-acl extended permit ip 192.168.50.0 255.255.255.0 host 192.168.69.17
access-list inside-in-acl extended permit icmp 192.168.50.0 255.255.255.0 host 192.168.69.17
access-list inside-in-acl extended permit ip 192.168.50.0 255.255.255.0 host 192.168.69.21
access-list inside-in-acl extended permit icmp 192.168.50.0 255.255.255.0 host 192.168.69.21

access-list stg-dmz-in-acl extended permit ip 192.168.53.0 255.255.255.0 host 192.168.69.17
access-list stg-dmz-in-acl extended permit icmp 192.168.53.0 255.255.255.0 host 192.168.69.17
access-list stg-dmz-in-acl extended permit ip 192.168.53.0 255.255.255.0 host 192.168.69.21
access-list stg-dmz-in-acl extended permit icmp 192.168.53.0 255.255.255.0 host 192.168.69.21

access-list no-nat-inside extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list no-nat-inside extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0

access-list no-nat-stg-dmz extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list no-nat-stg-dmz extended permit icmp 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0

access-list 187 remark SF VPN Link
access-list 187 extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 187 extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
 
access-list 186 remark SF VPN Link 2
access-list 186 extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 extended permit icmp 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0

crypto map intamap 86 match address 186
crypto map intamap 86 set peer 88.88.88.88
crypto map intamap 86 set transform-set intatrans-sf
crypto map intamap 86 set nat-t-disable

crypto map intamap 87 match address 187
crypto map intamap 87 set peer 88.88.88.88
crypto map intamap 87 set transform-set intatrans-sf
crypto map intamap 87 set nat-t-disable

tunnel-group 88.88.88.88 type ipsec-l2l
tunnel-group 88.88.88.88 ipsec-attributes
 pre-shared-key xxxxxxxx


Phase 1 seems to be up ok and is showing a state of MM_ACTIVE, but if I try to connect to either of the 192.168.69.xx hosts I see encrypted traffic increasing on the IPSec sa, but the decrypt count remains at zero.

Any ideas, anyone?
ASKER CERTIFIED SOLUTION by fgasimzade (this solution is only available to Experts Exchange members and is not shown here).

ccfcfc (asker):

fgasimzade,

I had already added in the first change that you suggested yesterday, but it didn't help.

My ACLs relevant to this are as follows, allowing traffic in both directions.

access-list inside-in-acl extended permit ip 192.168.50.0 255.255.255.0 host 192.168.69.17
access-list inside-in-acl extended permit icmp 192.168.50.0 255.255.255.0 host 192.168.69.17
access-list inside-in-acl extended permit ip 192.168.50.0 255.255.255.0 host 192.168.69.21
access-list inside-in-acl extended permit icmp 192.168.50.0 255.255.255.0 host 192.168.69.21
access-list inside-in-acl extended permit ip host 192.168.69.17 192.168.50.0 255.255.255.0
access-list inside-in-acl extended permit icmp host 192.168.69.17 192.168.50.0 255.255.255.0
access-list inside-in-acl extended permit ip host 192.168.69.21 192.168.50.0 255.255.255.0
access-list inside-in-acl extended permit icmp host 192.168.69.21 192.168.50.0 255.255.255.0

access-list stg-dmz-in-acl extended permit ip 192.168.53.0 255.255.255.0 host 192.168.69.17
access-list stg-dmz-in-acl extended permit icmp 192.168.53.0 255.255.255.0 host 192.168.69.17
access-list stg-dmz-in-acl extended permit ip 192.168.53.0 255.255.255.0 host 192.168.69.21
access-list stg-dmz-in-acl extended permit icmp 192.168.53.0 255.255.255.0 host 192.168.69.21
access-list stg-dmz-in-acl extended permit ip host 192.168.69.17 192.168.53.0 255.255.255.0
access-list stg-dmz-in-acl extended permit icmp host 192.168.69.17 192.168.53.0 255.255.255.0
access-list stg-dmz-in-acl extended permit ip host 192.168.69.21 192.168.53.0 255.255.255.0
access-list stg-dmz-in-acl extended permit icmp host 192.168.69.21 192.168.53.0 255.255.255.0

The above ACLs are not applied to the outside interface, but to the inside and stg-dmz interfaces, respectively.

The crypto ACLs below are applied to the outside interface. I don't understand why I don't need the ICMP entries in these ACLs if I want ICMP to be passed over the VPN?

access-list 186 remark SF VPN Link 2
access-list 186 extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 extended permit icmp 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0

access-list 187 remark SF VPN Link
access-list 187 extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 187 extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
fgasimzade:

Well, you need to apply your inside-in-acl to the outside interface, since traffic is coming from OUTSIDE to INSIDE. Everything from outside to inside is blocked by default, so you need to allow the remote subnet to talk to your inside subnet. Everything from inside to outside is allowed by default.

extended permit ip - the ip keyword here already includes ICMP, so you just duplicate it.
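As an added example (not from the thread, and not a fix for the problem it reports): a small Python script that parses the crypto ACLs and crypto map entries posted above and reports (1) ACL lines already covered by a `permit ip` line with the same source and destination, which is the point made in the reply, since `ip` matches ICMP as well; (2) the proxy identities (traffic selectors) each crypto map entry will propose to the peer, grouped by peer, so they can be compared against what Side B has configured for its two tunnels; and (3) any two entries to the same peer whose selectors overlap, since the ASA evaluates crypto map entries in sequence order and the first match wins. The config text embedded in the script is copied from the post; the parser only handles the address forms used there (`host A`, `any`, `A MASK`) and ignores lines it does not recognise.

```python
"""Check ASA crypto ACLs and crypto map entries for redundant ACEs,
list the proxy identities offered per peer, and flag overlapping selectors
between entries that share a peer.  Added example, not from the thread."""
import ipaddress
import re
from collections import defaultdict

# Sample input: the crypto ACLs and crypto map entries copied from the post above.
CONFIG = """
access-list 187 remark SF VPN Link
access-list 187 extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 187 extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 remark SF VPN Link 2
access-list 186 extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 extended permit icmp 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
crypto map intamap 86 match address 186
crypto map intamap 86 set peer 88.88.88.88
crypto map intamap 86 set transform-set intatrans-sf
crypto map intamap 87 match address 187
crypto map intamap 87 set peer 88.88.88.88
crypto map intamap 87 set transform-set intatrans-sf
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse_addr(tokens):
    """Consume one ASA address spec ('host A', 'any', or 'A MASK') from tokens.
    Returns (ip_network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Return (acls, maps): acls[name] -> [(action, proto, src, dst)],
    maps[(map name, seq)] -> {'acl': name, 'peer': address}."""
    acls = defaultdict(list)
    maps = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            src, rest_tokens = parse_addr(rest.split())
            dst, _ = parse_addr(rest_tokens)
            acls[name].append((action, proto, src, dst))
            continue
        m = MAP_RE.match(line)
        if m:  # other 'crypto map ... set ...' lines are deliberately ignored
            mname, seq, what, value = m.groups()
            maps[(mname, int(seq))]["acl" if what == "match address" else "peer"] = value
    return acls, maps


def redundant_entries(acls):
    """ACEs already covered by a 'permit ip' ACE with the same src/dst in the same ACL
    (e.g. a 'permit icmp' duplicate).  Returns (acl, proto, src, dst) tuples."""
    out = []
    for name, aces in acls.items():
        ip_pairs = {(s, d) for a, p, s, d in aces if a == "permit" and p == "ip"}
        for a, p, s, d in aces:
            if a == "permit" and p != "ip" and (s, d) in ip_pairs:
                out.append((name, p, str(s), str(d)))
    return out


def selectors_by_peer(acls, maps):
    """peer -> [(seq, local net, remote net), ...] as the ASA will propose them."""
    out = defaultdict(list)
    for (mname, seq), entry in sorted(maps.items()):
        for a, p, s, d in acls.get(entry.get("acl", ""), []):
            if a == "permit":
                out[entry.get("peer", "?")].append((seq, s, d))
    return out


def proxy_ids_by_peer(acls, maps):
    """Same as selectors_by_peer but de-duplicated and stringified for display."""
    return {peer: sorted({(seq, str(s), str(d)) for seq, s, d in sels})
            for peer, sels in selectors_by_peer(acls, maps).items()}


def overlapping_selectors(acls, maps):
    """(peer, lower seq, higher seq) for entries to the same peer whose selectors overlap;
    traffic matching both will only ever use the lower sequence number."""
    hits = set()
    for peer, sels in selectors_by_peer(acls, maps).items():
        for i, (seq1, s1, d1) in enumerate(sels):
            for seq2, s2, d2 in sels[i + 1:]:
                if seq1 != seq2 and s1.overlaps(s2) and d1.overlaps(d2):
                    hits.add((peer, min(seq1, seq2), max(seq1, seq2)))
    return sorted(hits)


if __name__ == "__main__":
    acls, maps = parse_config(CONFIG)
    print("redundant ACEs:", redundant_entries(acls))
    print("proxy IDs per peer:", proxy_ids_by_peer(acls, maps))
    print("overlapping entries:", overlapping_selectors(acls, maps))
```

Against the posted config the script flags both `permit icmp` lines as redundant, lists two distinct selectors for peer 88.88.88.88 (192.168.53.0/24 and 192.168.50.0/24, each to 192.168.69.0/24) and finds no overlap between entries 86 and 87; the per-peer list is what to compare with the selectors Side B expects on its two tunnels.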