site to site not working


    necro
    Member
    #164668

    My site-to-site VPN is not working from A to B.

    Can anyone help? It is stuck at phase 1.

    Site A,

    ! Site A (IOS) side of the tunnel. The keyring is defined for VRF KP and holds the
    ! pre-shared key used with peer 60.51.196.53.
    ! NOTE(review): the key is shown in cleartext in a public post; treat it as
    ! compromised and replace it on both peers before the tunnel goes into service.
    ! NOTE(review): in the Site B config posted with this one, 60.51.196.53 is the ASA's
    ! default gateway and the ASA's own outside address is 60.51.196.54. Unless the
    ! device at .53 forwards IKE to the ASA, the keyring, the ISAKMP profile and the
    ! crypto-map peer all point at the wrong address, which would stall phase 1. Confirm.
    crypto keyring KP-keyring vrf KP
    pre-shared-key address 60.51.196.53 key 215GMaP1

    ! ISAKMP profile selected when the peer's IKE identity is the address 60.51.196.53
    ! in VRF KP.
    ! NOTE(review): no `keyring` line is shown under this profile, so nothing visible
    ! ties it to KP-keyring; verify against the full config, since a profile that cannot
    ! find the key also fails in phase 1.
    crypto isakmp profile KP-ike-prfl
    match identity address 60.51.196.53 255.255.255.255 KP

    ! Crypto map entry 11: protects traffic matched by KP-KPMMF-ACL towards the peer and
    ! installs routes for the remote networks (reverse-route).
    ! The transform-set AES-SHA, the `crypto isakmp policy` in use, and the interface this
    ! map is applied to are not part of the post. Phase 1 needs an ISAKMP policy that
    ! matches Site B's policy 1; phase 2 needs AES-SHA to match Site B's ESP-AES-256-SHA.
    crypto map KP-MAP 11 ipsec-isakmp
    description KP:KPMMF
    set peer 60.51.196.53
    set transform-set AES-SHA
    set isakmp-profile KP-ike-prfl
    match address KP-KPMMF-ACL
    reverse-route

    ! Interesting-traffic ACL for the tunnel (local source, remote destination).
    ! NOTE(review): the first two entries are mirrored by Site B's SG_cryptomap; the third
    ! (10.255.255.0/24 to host 192.168.0.150) has no mirror entry there, and SG_cryptomap
    ! has 192.168.x entries with no counterpart here. This does not affect phase 1, but
    ! unmatched entries will not negotiate in phase 2.
    ip access-list extended KP-KPMMF-ACL
    permit ip 10.210.0.0 0.0.0.255 10.215.10.0 0.0.0.255
    permit ip 10.210.0.0 0.0.0.255 10.215.11.0 0.0.0.255
    permit ip 10.255.255.0 0.0.0.255 host 192.168.0.150

    Site B

    ! Site B: partial running configuration of the ASA (software 8.0(3)).
    ASA Version 8.0(3)
    !
    hostname kewpie-MLK-ASA
    domain-name default.domain.invalid
    ! NOTE(review): the enable-password hash is published with this post. A posted hash
    ! can be guessed offline, so change the enable password on the device.
    enable password ym1CwmrLnc/fndsu encrypted
    names
    !
    ! Outside interface: 60.51.196.54 on a /30 shared with the next hop 60.51.196.53
    ! used by the default route further down. This is the address a remote peer has to
    ! target for IKE, unless an upstream device forwards to it.
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 60.51.196.54 255.255.255.252
    !
    ! Physical parent of the two VLAN subinterfaces below; carries no address itself.
    interface Ethernet0/1
    no nameif
    no security-level
    no ip address
    !
    ! VLAN 10: internal LAN 192.168.0.0/24, security-level 80.
    interface Ethernet0/1.1
    vlan 10
    nameif Inside
    security-level 80
    ip address 192.168.0.1 255.255.255.0
    !
    ! VLAN 20: visitor network 192.168.1.0/24.
    ! NOTE(review): visitor has security-level 100, higher than Inside at 80, so by
    ! security level the visitor VLAN is the more trusted segment, and access-list 100
    ! (permit ip any any) is applied inbound on it. Neither setting separates visitors
    ! from the internal LAN; confirm this is intended and add an explicit deny if not.
    interface Ethernet0/1.2
    vlan 20
    nameif visitor
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    ! access-list 100 is applied inbound on Inside and visitor (access-group lines below).
    ! Its last entry permits all IP, so the icmp and tcp entries add nothing and the list
    ! filters no traffic leaving either segment.
    access-list 100 extended permit icmp any any
    access-list 100 extended permit tcp any any
    access-list 100 extended permit ip any any
    ! access-list 101 is applied inbound on outside.
    ! NOTE(review): the tcp/2828 entry, together with the static PAT below that maps
    ! outside tcp/2828 to 192.168.0.254 telnet, exposes a cleartext Telnet service to any
    ! source address. Restrict the permitted sources, or reach the host over SSH or the VPN.
    ! NOTE(review): the entry for 192.168.0.254 eq 2255 names the real inside address and
    ! no static for port 2255 is shown; presumably it matches nothing as written. Verify.
    access-list 101 extended permit icmp any any
    access-list 101 extended permit tcp any any eq 2828
    access-list 101 extended permit tcp any host 192.168.0.254 eq 2255
    ! 192.168.0.0/24 to 192.168.5.0/24: crypto ACL for map entry 10 and the matching NAT
    ! exemption. access-list 102 repeats the same match and is not referenced in the
    ! lines shown.
    access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    access-list 102 extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
    ! Web ports 80 and 8080; not referenced by anything in the lines shown.
    access-list inside_mpc extended permit tcp any any eq www
    access-list inside_mpc extended permit tcp any any eq 8080
    ! Crypto ACL for map entry 20 (peer 202.68.211.20). The two 10.215.x entries mirror
    ! the first two entries of Site A's KP-KPMMF-ACL.
    ! NOTE(review): the policy statics below present 192.168.0.0/24 and 192.168.1.0/24 as
    ! 10.215.10.0 and 10.215.11.0 towards 10.210.0.0/16, so the two 192.168.x entries here
    ! presumably never match translated traffic, and Site A has no mirror for them. Verify.
    access-list SG_cryptomap extended permit ip 10.215.10.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 10.215.11.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.210.0.0 255.255.255.0
    access-list SG_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.210.0.0 255.255.255.0
    ! Match conditions for the two policy statics below (destination 10.210.0.0/16).
    access-list policy-nat extended permit ip 192.168.0.0 255.255.255.0 10.210.0.0 255.255.0.0
    access-list policy-nat-v extended permit ip 192.168.1.0 255.255.255.0 10.210.0.0 255.255.0.0
    ! NAT: Inside and visitor are PATed to the outside interface address; traffic matching
    ! Inside_nat0_outbound is exempt; outside tcp/2828 is forwarded to Telnet on
    ! 192.168.0.254 (see the note on access-list 101); the last two statics are policy NAT
    ! that map the two local subnets to 10.215.10.0 and 10.215.11.0.
    global (outside) 1 interface
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 1 192.168.0.0 255.255.255.0
    nat (visitor) 1 192.168.1.0 255.255.255.0
    static (Inside,outside) tcp interface 2828 192.168.0.254 telnet netmask 255.255.255.255
    static (Inside,outside) 10.215.10.0 access-list policy-nat
    static (visitor,outside) 10.215.11.0 access-list policy-nat-v
    access-group 101 in interface outside
    access-group 100 in interface Inside
    access-group 100 in interface visitor
    ! Default route; the next hop 60.51.196.53 is the address Site A uses as its VPN peer.
    route outside 0.0.0.0 0.0.0.0 60.51.196.53 1
    timeout xlate 3:00:00
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! Phase 2 transform sets. Only ESP-AES-256-SHA is referenced by the crypto map entries
    ! shown. The 3DES and MD5 sets are legacy algorithms and are unused in these lines;
    ! remove them if nothing else depends on them.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    ! Crypto map applied to outside: entry 10 to peer 218.111.42.234, entry 20 to peer
    ! 202.68.211.20.
    ! NOTE(review): Site A's public address does not appear in the post. Phase 1 can only
    ! complete if the address Site A sources IKE from is one of these peers with a
    ! tunnel-group of the same name, and if Site A targets an address that reaches this ASA.
    crypto map VPN_map 10 match address VPN_cryptomap
    crypto map VPN_map 10 set peer 218.111.42.234
    crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
    crypto map VPN_map 20 match address SG_cryptomap
    crypto map VPN_map 20 set peer 202.68.211.20
    crypto map VPN_map 20 set transform-set ESP-AES-256-SHA
    crypto map VPN_map interface outside
    crypto isakmp enable outside
    ! The only IKE phase 1 policy shown: pre-shared key, AES-256, SHA, DH group 5,
    ! 86400-second lifetime. Site A's ISAKMP policy is not in the post and must offer the
    ! same combination. SHA-1 and DH group 5 are legacy choices; prefer stronger ones
    ! where the software on both peers supports them.
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400

    ! One LAN-to-LAN tunnel-group per peer address. The keys are masked (*) in this
    ! output, which is how they should appear in anything posted publicly. The key set
    ! for the Site A peer must equal the one in Site A's keyring.
    tunnel-group 218.111.42.234 type ipsec-l2l
    tunnel-group 218.111.42.234 ipsec-attributes
    pre-shared-key *
    tunnel-group 202.68.211.20 type ipsec-l2l
    tunnel-group 202.68.211.20 ipsec-attributes
    pre-shared-key *
