Hot Downloads

Altaro Banner
×

Notice

The forum is in read only mode.
Welcome, Guest
Username: Password: Remember me
Forgot your password? Forgot your username?
Forum
Networking, Security & Administration
Design, Installation & Troubleshooting
ASA Spoke 1 and Spoke 2 cannot ping each other
  • Page:
  • 1

TOPIC:

ASA Spoke 1 and Spoke 2 cannot ping each other 7 years 8 months ago #38668

Hi,
I have got an issue where SPOKE1 and SPOKE 2 cannot communicate with each other. However, SPOKE1 and SPOKE 2 can communicate with HUB. Please see configuration below for spoke and hub. I'll really appreciate if anyone could please guide me in right direction.

SPOKE 1 (Cisco SRST881, v. 12.4)

SPOKE 2 (Cisco 887VA, v.12.4(22r)

HUB (ASA5525, v.8.6(1)2)


** Spoke 1 (Cisco SRST881, v. 12.4) **
==================================

crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2

crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 200.200.200.1
pre-shared-key local 12345678
pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
match identity remote address 200.200.200.1 255.255.255.255
identity local address 50.50.50.1
authentication local pre-share
authentication remote pre-share
keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE1-ASA 10 ipsec-isakmp
set peer 200.200.200.1
set transform-set ESP-AES256-SHA
set ikev2-profile ASA-DC
match address SPOKE1-VPN-ACL

interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SPOKE1-ASA

interface Vlan1
ip address 192.168.210.225 255.255.255.224
ip nat inside
ip virtual-reassembly in

ip nat inside source list NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.50.50.1

ip access-list extended NONAT
deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

ip access-list extended SPOKE1-VPN-ACL
permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
** SPOKE2 (Cisco 887VA, v.12.4(22r) **
=================================

crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2

crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 200.200.200.1
pre-shared-key local 12345678
pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
match identity remote address 200.200.200.1 255.255.255.255
identity local address 100.100.100.1
authentication local pre-share
authentication remote pre-share
keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE2-ASA 10 ipsec-isakmp
set peer 200.200.200.1
set transform-set ESP-AES256-SHA
set ikev2-profile ASA-DC
match address SPOKE2-VPN-ACL

interface Vlan1
ip address 192.168.210.65 255.255.255.224
ip helper-address 172.16.5.32
ip nat inside
ip virtual-reassembly in

interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname This email address is being protected from spambots. You need JavaScript enabled to view it.
ppp chap password 7 zzzzzzzzz
crypto map SPOKE2-ASA

ip nat inside source list NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended SPOKE2-VPN-ACL
permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31

ip access-list extended NONAT
deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any

** HUB (ASA5525, v.8.6(1)2) **
===============================

object network SPOKE1
subnet 192.168.210.224 255.255.255.224

object network SPOKE2
subnet 192.168.210.64 255.255.255.224

object-group network INSIDE-SUBNET
network-object 172.16.0.0 255.255.0.0


access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2

nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp route-lookup
nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp route-lookup
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp

route outside 192.168.210.64 255.255.255.224 200.200.200.1 1
route outside 192.168.210.224 255.255.255.224 200.200.200.1 1

crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-1

crypto map ASA-VPN-SITE 10 match address VPN-SPOKE1
crypto map ASA-VPN-SITE 10 set peer 50.50.50.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

crypto map ASA-VPN-SITE 20 match address VPN-SPOKE2
crypto map ASA-VPN-SITE 20 set peer 100.100.100.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

same-security-traffic permit intra-interface

Thank You,
Kind Regards
Rohit.
  • Page:
  • 1
Forum
Networking, Security & Administration
Design, Installation & Troubleshooting
ASA Spoke 1 and Spoke 2 cannot ping each other
Time to create page: 0.097 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup