
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1260

Asa 5505 Site to site.

Hi,

I have two ASA 5505 firewalls that cannot establish a site-to-site VPN connection or communicate. I have several ASAs running, and usually it's no problem. But this one is not working.

Problem 1.

If users from site a (ASA 1) try to access a web server at site b (ASA 2), the log on both ASAs shows a SYN timeout. Anyone else is able to access the web server at site b.

Problem 2.

When establishing a VPN tunnel, both ASAs give a "Removing peer from peer table failed, no match!"

I've tried to delete and reconfigure the VPN tunnels several times. The access lists and IPsec settings match completely.

Any suggestions? I'm really stuck this time.

LHC
0
Asked: melfarit
1 Solution
 
Ernie BeekCommented:
Could you post a sanitized config, preferably for both ASAs? It will be much easier for us to help if we could have a look.

I also took the liberty of adding the PIX/ASA zone to draw some more attention.
0
 
Jan SpringerCommented:
We also need to know which version the ASA is running.
0
 
eduardonandezCommented:
Could you check your NAT exempt to make sure it's there on both sides?
Can you check that there are no routing issues at the other side, where the web server is? You can see a SYN packet going out but never receive an ACK back; maybe the web server is sending the ACK back but it never reaches your ASA, and there is a SYN timeout.
You can open Wireshark on the web server to see if the SYN packet is really coming in.
Do a traceroute from your web server to the other side to make sure it is taking the correct path.
0
 
melfaritAuthor Commented:
Thank you for your replies!

I'll return with the ASAs' configs a little later, and I will try Wireshark. I have a small update for you.

As I wrote, site a (ASA 1) cannot connect to a web server at site b (ASA 2). BUT site a can telnet to a public mail server at site b and gets a response; however, ANY server/computer at site 2 cannot telnet to a public mail server at site a.

It seems to me that ASA 2 at site b is the one blocking the traffic...

TIA for all your help!

LHC
0
 
Ernie BeekCommented:
You could check:
-The access lists at site b
-The nat exempt rules at site b
 Can the public mail server at site b get to site a?
0
 
melfaritAuthor Commented:
Hi,

I have checked the access lists and NAT exempt rules at a + b.

The public mail server at site B cannot get to site a!

TIA

Lasse
0
 
Ernie BeekCommented:
Ok, like I said before: could you post the configs?
0
 
melfaritAuthor Commented:
Hi,

This is from site a (where everything seems to be ok)

ASA Version 7.2(4)
!
hostname xxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxx

names
name x.x.x.x.x fone_IP_Telefoni description fone IP foni
name 172.16.180.0 vpn
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.26.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.14.2 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxx
object-group service xxx.NET tcp-udp
 description xxxxxx.NET
 port-object eq 8095
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network Awxxx
 network-object 172.16.100.0 255.255.255.0
object-group network Styxxx
 network-object 192.168.26.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in remark xxx.NET
access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group xxxx.NET
access-list outside_access_in remark fone IP Telefoni
access-list outside_access_in extended permit ip host fone_IP_Telefoni interface outside
access-list outside_access_in extended permit tcp any interface outside eq 10000
access-list outside_access_in extended permit tcp any interface outside eq 20000
access-list vpngroup_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip host 192.168.26.5 host 172.16.100.22
access-list inside_nat0_outbound extended permit ip host 192.168.26.5 host 172.16.100.22
access-list inside_nat0_outbound extended permit ip 192.168.26.0 255.255.255.0 vpn 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.180.1-172.16.180.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.26.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.26.1 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 8095 192.168.26.1 8095 netmask 255.255.255.255
static (inside,outside) udp interface 8095 192.168.26.1 8095 netmask 255.255.255.255
static (inside,outside) tcp interface 20000 192.168.26.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10000 192.168.26.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.26.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.26.4 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.14.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.26.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.45.39
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.26.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

group-policy vpngroup internal
group-policy vpngroup attributes
 wins-server value 192.168.26.1
 dns-server value 192.168.26.1 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngroup_splitTunnelAcl
 default-domain value xxxx
username gudrid password nuqXs7LDItZtSgFx encrypted
username gudrid attributes
 vpn-group-policy vpngroup
username oxxx password Wdd9GwpAUDrcXT/8 encrypted
username oxxx attributes
 vpn-group-policy vpngroup
username axxx password In8.6qXTZGbPwCsL encrypted
username axxx attributes
 vpn-group-policy vpngroup
username jxxxx password 4aKBfHXadGmrD.5M encrypted privilege 0
username jxxxx attributes
 vpn-group-policy vpngroup
username lxxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username lxxxx attributes
 vpn-group-policy vpngroup
username axxxx password Ny/m8ekKSjq8k9ph encrypted
username axxxx attributes
 vpn-group-policy vpngroup
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
tunnel-group x.x.45.39 type ipsec-l2l
tunnel-group x.x.45.39 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect pptp
  inspect ipsec-pass-thru
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:9e8326438e0ff19e9ea37884a79d6412
: end
[OK]
0
 
Ernie BeekCommented:
This might be the issue:

access-list outside_1_cryptomap extended permit ip host 192.168.26.5 host 172.16.100.22
access-list inside_nat0_outbound extended permit ip host 192.168.26.5 host 172.16.100.22
access-list inside_nat0_outbound extended permit ip 192.168.26.0 255.255.255.0 vpn


The crypto map only sees traffic from host 192.168.26.5 to host 172.16.100.22 as interesting traffic. I guess 172.16.100.22 is the mail server?

So to get the rest working you'll need to add something like:

access-list outside_1_cryptomap extended permit ip 192.168.26.0 255.255.255.0 172.16.100.0 255.255.255.0
and
access-list inside_nat0_outbound extended permit ip 192.168.26.0 255.255.255.0 172.16.100.0 255.255.255.0

To allow the whole subnet through. I assume there's something similar on the other side.
0
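The mirror-image requirement described above is easy to get wrong by hand when one side uses `name` objects and the other does not. The following is an added Python example, not code from the thread: it reads the crypto-map and nat 0 ACL lines from both posted configs, resolves ASA `name` objects, and reports every crypto entry that is either not mirrored on the peer or not covered by a local nat 0 exemption. `PROPOSED_A` is constructed here from the two suggested lines applied to site a only, to show what a one-sided change reports.

```python
"""Compare the site-to-site crypto ACLs and nat 0 exemptions of two ASA configs.

For a working LAN-to-LAN tunnel, every (src, dst) pair in the local
crypto-map ACL must appear as (dst, src) in the peer's crypto ACL, and the
same pair must be covered by a local nat 0 ACL entry so it is not PATed to
the outside address before it reaches the crypto map.
"""
import ipaddress
import re

# Relevant lines copied from the two configs posted in this thread.
SITE_A = """
name 172.16.180.0 vpn
access-list outside_1_cryptomap extended permit ip host 192.168.26.5 host 172.16.100.22
access-list inside_nat0_outbound extended permit ip host 192.168.26.5 host 172.16.100.22
access-list inside_nat0_outbound extended permit ip 192.168.26.0 255.255.255.0 vpn 255.255.255.0
"""
SITE_B = """
name 10.10.25.0 sis
access-list inside_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 sis 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 172.16.100.22 host 192.168.26.5
access-list outside_1_cryptomap extended permit ip 172.16.100.0 255.255.255.0 sis 255.255.255.0
access-list outside_4_cryptomap extended permit ip host 172.16.100.22 host 192.168.26.5
"""
# Constructed: site a with the whole-subnet entries suggested above, and
# nothing changed on site b yet.
PROPOSED_A = SITE_A + """
access-list outside_1_cryptomap extended permit ip 192.168.26.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.26.0 255.255.255.0 172.16.100.0 255.255.255.0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def parse_names(cfg):
    """Map ASA 'name' objects back to their addresses."""
    names = {}
    for line in cfg.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _take_addr(tokens, names):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} for the 'permit ip' entries."""
    names = parse_names(cfg)
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src = _take_addr(tokens, names)
        dst = _take_addr(tokens, names)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def check_tunnel(local_cfg, local_crypto, peer_cfg, peer_crypto,
                 local_nat0="inside_nat0_outbound"):
    """List the problems with one tunnel, as seen from the local ASA."""
    local, peer = parse_acls(local_cfg), parse_acls(peer_cfg)
    mirrored = {(d, s) for s, d in peer.get(peer_crypto, [])}
    problems = []
    for src, dst in local.get(local_crypto, []):
        if (src, dst) not in mirrored:
            problems.append(f"{src} -> {dst}: no mirrored entry in peer ACL {peer_crypto}")
        exempt = any(src.subnet_of(s) and dst.subnet_of(d)
                     for s, d in local.get(local_nat0, []))
        if not exempt:
            problems.append(f"{src} -> {dst}: not covered by {local_nat0}, will be PATed")
    return problems


if __name__ == "__main__":
    for label, args in [
        ("site a -> site b", (SITE_A, "outside_1_cryptomap", SITE_B, "outside_4_cryptomap")),
        ("site b -> site a", (SITE_B, "outside_4_cryptomap", SITE_A, "outside_1_cryptomap")),
        ("proposed a -> site b", (PROPOSED_A, "outside_1_cryptomap", SITE_B, "outside_4_cryptomap")),
    ]:
        print(label, check_tunnel(*args) or ["OK"])
```

Run against the two configs as posted, the checker reports nothing for either direction, which agrees with the poster's statement that the access lists match; only the constructed one-sided change produces a finding. A clean result here means the remaining fault is somewhere other than the crypto and nat 0 ACLs.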
 
melfaritAuthor Commented:
Hi,

I see your point, but I have tried with the whole subnet. This is the last test, where I tried to only allow 172.16.100.22... Not working either...

Lasse
0
 
melfaritAuthor Commented:
Hi,

This is site b


: Saved
:
ASA Version 8.2(1)
!
hostname gateway
names
name 10.10.25.0 sis
name 172.16.100.2 ProxyServer1 description Reverse Proxy
name 172.16.100.21 AhsayBackup1 description Ahsay Backup Server
name 172.16.100.23 MailServer description mail.remote.dk
name 10.16.100.0 remoteHq description remote LAN ovre
name 172.16.100.160 A-172.16.100.160 description CSS-RDC
name 172.31.31.0 A-172.31.31.0 description remote Any VPN
name 172.16.100.32 iRedMail description Hosted Linux Mail
name 172.16.100.170 A-172.16.100.170 description Mar Terminal
name 172.16.100.33 ScreenConnect description ScreenConnect Support Server
name 192.168.26.0 Styrki description Styrki LAN
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.39 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_0 tcp
 port-object eq https
 port-object eq smtp
 port-object eq www
 port-object eq imap4
 port-object eq 10000
 port-object eq 25000
 port-object eq 8080
 port-object eq 20000
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 9444
 port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq 8040
 port-object eq 8041
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
 port-object eq 445
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
 port-object eq 366
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq ssh
 service-object udp eq 4569
object-group network DM_INLINE_NETWORK_1
 network-object host 172.16.100.130
 network-object host 172.16.100.131
 network-object host 172.16.100.132
 network-object host 172.16.100.133
 network-object host 172.16.100.12
 network-object host 172.16.100.134
access-list outside_access_in extended permit tcp any host x.x.x.41 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host x.x.x.42 object-group DM_INLINE_TCP_0
access-list outside_access_in extended permit tcp any host x.x.x.40 eq ftp inactive
access-list outside_access_in extended permit tcp any host x.x.x.40 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.41 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host x.x.x.40 eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.40 eq https
access-list outside_access_in remark Backup Server
access-list outside_access_in extended permit tcp any host x.x.x.39 object-group DM_INLINE_TCP_3
access-list outside_access_in remark FTP til Backup maskinen
access-list outside_access_in extended permit tcp any host x.x.x.40 eq 40100
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host x.x.x.39
access-list inside_nat0_outbound extended permit ip any 172.16.100.64 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 sis 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 remoteHq 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.100.0 255.255.255.0 A-172.31.31.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 172.16.100.22 host 192.168.26.5
access-list Local_LAN_Access standard permit any
access-list outside_1_cryptomap extended permit ip 172.16.100.0 255.255.255.0 sis 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.100.0 255.255.255.0 remoteHq 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.100.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip host 172.16.100.22 host 192.168.26.5
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool remote_vpn_pool 172.16.100.45-172.16.100.49 mask 255.255.255.0
ip local pool VPNOdensen 172.16.100.90-172.16.100.99 mask 255.255.255.0
ip local pool vpn_ip_pool 172.16.200.1-172.16.200.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp x.x.x.41 www ProxyServer1 www netmask 255.255.255.255  dns
static (inside,inside) tcp x.x.x.41 www ProxyServer1 www netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.41 ftp 172.16.100.155 ftp netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.41 ftp-data 172.16.100.155 ftp-data netmask 255.255.255.255  dns
static (inside,inside) tcp x.x.x.41 ftp 172.16.100.155 ftp netmask 255.255.255.255
static (inside,inside) tcp x.x.x.41 ftp-data 172.16.100.155 ftp-data netmask 255.255.255.255
static (inside,inside) tcp x.x.x.41 https 172.16.100.155 https netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.41 https 172.16.100.155 https netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.41 smtp MailServer smtp netmask 255.255.255.255  dns
static (inside,inside) tcp x.x.x.41 smtp MailServer smtp netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.40 ftp 172.16.100.20 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.40 smtp SIS-Exchange smtp netmask 255.255.255.255  dns
static (inside,inside) tcp x.x.x.40 smtp SIS-Exchange smtp netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.40 3389 172.16.100.104 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.40 https SIS-Exchange https netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.40 www SIS-Exchange www netmask 255.255.255.255  dns
static (inside,outside) tcp interface www AhsayBackup1 www netmask 255.255.255.255  dns
static (inside,outside) tcp interface https AhsayBackup1 https netmask 255.255.255.255  dns
static (inside,inside) tcp x.x.x.39 www AhsayBackup1 www netmask 255.255.255.255
static (inside,inside) tcp x.x.x.39 https AhsayBackup1 https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.40 40100 SIS-Backup 40100 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.42 www 172.16.100.150 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.42 https 172.16.100.150 https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.42 smtp 172.16.100.150 smtp netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.42 8080 172.16.100.132 8080 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.42 10000 A-172.16.100.160 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.42 25000 A-172.16.100.170 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp iRedMail smtp netmask 255.255.255.255  dns
static (inside,outside) tcp interface imap4 iRedMail imap4 netmask 255.255.255.255  dns
static (inside,inside) tcp x.x.x.39 smtp iRedMail smtp netmask 255.255.255.255  dns
static (inside,outside) tcp interface pop3 iRedMail pop3 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 366 iRedMail 366 netmask 255.255.255.255  dns
static (inside,outside) tcp interface ssh 172.16.100.80 ssh netmask 255.255.255.255
static (inside,outside) udp interface 4569 172.16.100.80 4569 netmask 255.255.255.255
static (inside,inside) tcp x.x.x.42 www 172.16.100.150 www netmask 255.255.255.255
static (inside,inside) tcp x.x.x.42 https 172.16.100.150 https netmask 255.255.255.255
static (inside,inside) tcp x.x.x.42 smtp 172.16.100.150 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.42 20000 172.16.100.134 3389 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.41 8040 ScreenConnect 8040 netmask 255.255.255.255  dns
static (inside,outside) tcp x.x.x.41 8041 ScreenConnect 8041 netmask 255.255.255.255  dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 172.16.100.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http remoteHq 255.255.255.0 inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.234
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer x.x.x.242
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer x.x.x.118
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer x.x.x.51
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.100.50-172.16.100.79 inside
dhcpd dns 172.16.100.22 interface inside
dhcpd wins 172.16.100.22 interface inside
dhcpd domain remote.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy VPN-Odensen internal
group-policy VPN-Odensen attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy remoteVpnGP internal
group-policy remoteVpnGP attributes
 wins-server value 172.16.100.22
 dns-server value 172.16.100.22 172.16.100.24
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value remote.local
 vlan none
 address-pools value remote_vpn_pool
group-policy VPNStandard internal
group-policy VPNStandard attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 vlan none
tunnel-group x.x.x.51 type ipsec-l2l
tunnel-group x.x.x.51 ipsec-attributes
 pre-shared-key *
!
class-map class_ftp
 match port tcp eq 40100
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect pptp
 class class_ftp
  inspect ftp
!
service-policy global_policy global
smtp-server 10.16.100.23
prompt hostname context
Cryptochecksum: *encryptet*
: end
[OK]
0
 
Ernie BeekCommented:
Ok, let's see.

Is there anything showing in the logs of the ASAs?
I assume when you adjusted the access lists for the VPN you made the changes on both sides (of course)?
The ASAs are the default gateways for the servers/workstations on the network (to ask the obvious)?
That server you can reach is the 172.16.100.22?
0
 
melfaritAuthor Commented:
Hi Erniebeek.


Is there anything showing in the logs of the ASAs?

When any server/computer at site b tries to reach a public server (like telnet mailserversitea.domain.com 25, or opening a browser and trying www.domainsitea.com), both ASAs give a SYN timeout.

When trying to reach them via site-to-site, both tunnels give a "Removing peer from peer table failed, no match!"

I assume when you adjusted the access lists for the VPN you made the changes on both sides (of course)?

Yes I did!

The ASAs are the default gateways for the servers/workstations on the network (to ask the obvious).
No problem, sometimes one forgets something.
But Yes they are!
That server you can reach is the 172.16.100.22?
In this config yes.

I have tried other 172.16.100 servers when I exposed the whole network and not just .22. It made no difference.

I tried Wireshark yesterday, and tried from site b to telnet mail.publicipsitea.com 25.

Site a gets both SYN + ACK. Site b only has SYN, and no answer from the mail server.

If I do the opposite from site a, telnet mail.publicipsiteb.com 25, no problem at all.

I'm quite sure this has nothing to do with the site-to-site VPN connection. I think that the site b ASA has some kind of problem communicating with site a.

Also site a can mail to site b, but site b cannot mail to site a.

Yes, its rather complicated :-/

Tia

Lasse
0
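The two captures the poster describes (SYN and SYN-ACK on the server side, SYN only on the client side) can be turned into a verdict mechanically. Here is an added Python example, not code from the thread: it takes tcpdump-style text from both ends of the connection, follows the handshake outwards from the client, and names the first step that is missing. The capture lines are constructed, and 203.0.113.10 / 198.51.100.20 are RFC 5737 documentation addresses standing in for the sanitized public IPs of site a and site b.

```python
"""Locate where a TCP handshake dies from captures taken at both ends.

Added example, not from the thread. Both captures are constructed in tcpdump
text format; 203.0.113.10 and 198.51.100.20 are RFC 5737 documentation
addresses standing in for the sanitized public IPs of site a and site b.
"""
import re

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]+)\]")

SYN, SYN_ACK = "S", "S."

# Verdicts, from the client outwards.
CLIENT_NO_SYN = "client never sent a SYN: look at the client host or its local firewall"
FORWARD_PATH_DROPPED = "SYN left the client but never reached the server: forward path dropped"
SERVER_NO_ANSWER = "server saw the SYN but sent no SYN-ACK: service down or server-side policy"
RETURN_PATH_DROPPED = "server answered but the SYN-ACK never reached the client: return path dropped"
HANDSHAKE_OK = "SYN and SYN-ACK seen at both ends: the handshake itself is fine"

# Constructed: capture on a site b host telnetting to site a's mail server on
# port 25. Three SYN retransmissions, nothing back.
CLIENT_CAP = """\
10:01:00.000100 IP 172.16.100.50.51234 > 203.0.113.10.25: Flags [S], seq 1000, win 8192, length 0
10:01:03.000100 IP 172.16.100.50.51234 > 203.0.113.10.25: Flags [S], seq 1000, win 8192, length 0
10:01:09.000100 IP 172.16.100.50.51234 > 203.0.113.10.25: Flags [S], seq 1000, win 8192, length 0
"""
# Constructed: the same flow on site a's mail server (192.168.26.4, behind the
# smtp static). The SYN arrives from site b's public address and is answered.
SERVER_CAP = """\
10:01:00.000400 IP 198.51.100.20.51234 > 192.168.26.4.25: Flags [S], seq 1000, win 8192, length 0
10:01:00.000450 IP 192.168.26.4.25 > 198.51.100.20.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:01:03.000400 IP 198.51.100.20.51234 > 192.168.26.4.25: Flags [S], seq 1000, win 8192, length 0
10:01:03.000450 IP 192.168.26.4.25 > 198.51.100.20.51234: Flags [S.], seq 5000, ack 1001, win 65535, length 0
"""
CLIENT_VIEW = ("172.16.100.50", "203.0.113.10")   # (client, server) as seen at site b
SERVER_VIEW = ("198.51.100.20", "192.168.26.4")   # (client, server) as seen at site a


def segments(capture):
    """(src_ip, dst_ip, flags) for each TCP segment in a tcpdump-style text capture."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in (LINE_RE.search(line) for line in capture.splitlines()) if m]


def _seen(segs, src, dst, flags):
    return any(s == src and d == dst and f == flags for s, d, f in segs)


def classify(client_cap, client_view, server_cap, server_view):
    """Walk the handshake outwards from the client and stop at the first missing step.

    client_view and server_view are (client_ip, server_ip) as each capture point
    sees them; with NAT on both sides the same flow shows different addresses."""
    c_client, c_server = client_view
    s_client, s_server = server_view
    c, s = segments(client_cap), segments(server_cap)
    if not _seen(c, c_client, c_server, SYN):
        return CLIENT_NO_SYN
    if not _seen(s, s_client, s_server, SYN):
        return FORWARD_PATH_DROPPED
    if not _seen(s, s_server, s_client, SYN_ACK):
        return SERVER_NO_ANSWER
    if not _seen(c, c_server, c_client, SYN_ACK):
        return RETURN_PATH_DROPPED
    return HANDSHAKE_OK


if __name__ == "__main__":
    print(classify(CLIENT_CAP, CLIENT_VIEW, SERVER_CAP, SERVER_VIEW))
```

For the constructed captures the verdict is `RETURN_PATH_DROPPED`, the same picture the poster saw, and it explains why both ASAs log a SYN timeout: each one builds an embryonic connection from the SYN it forwards and tears it down when the three-way handshake never completes. Because the SYN crosses the path and the SYN-ACK does not, the drop sits between the two outside interfaces rather than in either ASA's own policy, which narrows the search to the devices in between.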
 
Ernie BeekCommented:
The complicated ones are the more interesting ones :)

Let me think... I see that site a's ASA has an outside address of 192.168.14.2. That would mean there is a router/modem/something in front of it that is doing NAT. Perhaps some misconfiguration on that device?
Ideally that device would bridge, so the ASA gets the public address directly on its outside interface.
Are you able to get to that device and/or manage it?
0
 
melfaritAuthor Commented:
Hi Erniebeek,

Nope, it's an ISP router. But I'm going to call them at once.
0
 
Ernie BeekCommented:
Ok, let me know what comes out of that.
0
 
melfaritAuthor Commented:
Hi Erniebeek!

So I owe you big time. The problem was the router sitting on the interface 192.168.14.2. Apparently I had an access list denying the public IP at site B...

So it wasn't the NAT, but you clearly got me on the right track.

So now the problem is solved. Thank you very much!

LHC
0
 
Ernie BeekCommented:
Great! Good to hear you got it.

Glad I could help & thx 4 the points :)
0
