ASA Spoke 1 and Spoke 2 cannot ping each other 7 years 8 months ago #38668
Hi,
I have an issue where SPOKE1 and SPOKE2 cannot communicate with each other. However, SPOKE1 and SPOKE2 can both communicate with the HUB. Please see the configuration below for the spokes and the hub. I'd really appreciate it if anyone could guide me in the right direction.

SPOKE 1 (Cisco SRST881, v. 12.4)
SPOKE 2 (Cisco 887VA, v. 12.4(22r))
HUB (ASA5525, v. 8.6(1)2)

** Spoke 1 (Cisco SRST881, v. 12.4) **
==================================
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 50.50.50.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE1-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE1-VPN-ACL

interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SPOKE1-ASA

interface Vlan1
 ip address 192.168.210.225 255.255.255.224
 ip nat inside
 ip virtual-reassembly in

ip nat inside source list NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.50.50.1

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any
ip access-list extended SPOKE1-VPN-ACL
 permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31

** SPOKE2 (Cisco 887VA, v. 12.4(22r)) **
=================================
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 100.100.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE2-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE2-VPN-ACL

interface Vlan1
 ip address 192.168.210.65 255.255.255.224
 ip helper-address 172.16.5.32
 ip nat inside
 ip virtual-reassembly in

interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname [hostname obscured by the site's e-mail protection]
 ppp chap password 7 zzzzzzzzz
 crypto map SPOKE2-ASA

ip nat inside source list NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended SPOKE2-VPN-ACL
 permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any

** HUB (ASA5525, v. 8.6(1)2) **
===============================
object network SPOKE1
 subnet 192.168.210.224 255.255.255.224
object network SPOKE2
 subnet 192.168.210.64 255.255.255.224
object-group network INSIDE-SUBNET
 network-object 172.16.0.0 255.255.0.0

access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2

nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp route-lookup
nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp route-lookup
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp

route outside 192.168.210.64 255.255.255.224 200.200.200.1 1
route outside 192.168.210.224 255.255.255.224 200.200.200.1 1

crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1

crypto map ASA-VPN-SITE 10 match address VPN-SPOKE1
crypto map ASA-VPN-SITE 10 set peer 50.50.50.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA-VPN-SITE 20 match address VPN-SPOKE2
crypto map ASA-VPN-SITE 20 set peer 100.100.100.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

same-security-traffic permit intra-interface

Thank you, kind regards,
Rohit.
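The following is an added example and is not code from the post or from Cisco. It is a small checker that reads the crypto and NAT ACLs exactly as posted (the ASA object names INSIDE-SUBNET, SPOKE1 and SPOKE2 are expanded by hand into the subnets the post defines for them) and applies two rules a practitioner checks first when spoke-to-spoke traffic through a hub fails while spoke-to-hub traffic works. First, on IOS the inside-to-outside NAT translation is performed before the crypto map is consulted, so every flow a spoke's crypto ACL selects must also be denied in its NAT ACL; otherwise the translated packet no longer matches the crypto ACL and leaves unencrypted. Second, every permit in one peer's crypto ACL needs a reversed permit on the other peer, or the proxy identities will not match. The parser and the status names are this example's own.

```python
"""Cross-check hub-and-spoke crypto/NAT ACLs (added example, not from the post).
Rule 1: IOS applies inside-to-outside NAT before the crypto map, so a flow the
crypto ACL selects must be denied by the NAT ACL.  Rule 2: each crypto ACL permit
needs a mirrored permit on the remote peer."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]            # (source network, destination network)
Entry = Tuple[str, Flow]          # ("permit" | "deny", flow)


def _take_addr(tokens: List[str], wildcard: bool) -> Net:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard and mask == "0.0.0.0":      # IOS wildcard 0.0.0.0 = single host
        return ipaddress.ip_network(tok + "/32")
    # ipaddress reads a mask whose first octet is zero as an IOS wildcard
    # (hostmask) and one with a non-zero first octet as an ASA netmask.
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(text: str, wildcard: bool = True) -> List[Entry]:
    """Parse IOS ('permit ip SRC WC DST WC') or ASA ('access-list NAME extended
    permit ip SRC MASK DST MASK') lines; headers and remarks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        acts = [i for i, t in enumerate(tokens) if t in ("permit", "deny")]
        if not acts or len(tokens) < acts[0] + 4 or tokens[acts[0] + 1] != "ip":
            continue
        rest = tokens[acts[0] + 2:]
        src = _take_addr(rest, wildcard)
        dst = _take_addr(rest, wildcard)
        entries.append((tokens[acts[0]], (src, dst)))
    return entries


def _covers(outer: Flow, inner: Flow) -> bool:
    return inner[0].subnet_of(outer[0]) and inner[1].subnet_of(outer[1])


def nat_status(crypto: List[Entry], nonat: List[Entry]) -> Dict[str, str]:
    """Emulate first-match evaluation of the NAT ACL for each flow the crypto ACL
    permits.  'exempt': first match is a deny covering the whole flow;
    'unmatched': no NAT entry touches the flow, so NAT never applies to it;
    'NATTED': the first match permits translation (or exempts only part of the
    flow), so packets are rewritten before the crypto map sees them."""
    result: Dict[str, str] = {}
    for action, (src, dst) in crypto:
        if action != "permit":
            continue
        status = "unmatched"
        for nat_action, (nsrc, ndst) in nonat:
            if nsrc.overlaps(src) and ndst.overlaps(dst):
                exempt = nat_action == "deny" and _covers((nsrc, ndst), (src, dst))
                status = "exempt" if exempt else "NATTED"
                break
        result[f"{src} -> {dst}"] = status
    return result


def missing_mirrors(local: List[Entry], remote: List[Entry]) -> List[str]:
    """Flows permitted locally that no remote permit covers in reverse."""
    gaps = []
    for action, (src, dst) in local:
        if action == "permit" and not any(
                ra == "permit" and _covers((rs, rd), (dst, src)) for ra, (rs, rd) in remote):
            gaps.append(f"{src} -> {dst} has no mirrored permit on the remote peer")
    return gaps


# ACL lines as posted (IOS wildcard form); both spokes post the same NONAT list.
SPOKE1_CRYPTO = """permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31"""
SPOKE2_CRYPTO = """permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31"""
SPOKE1_NONAT = SPOKE2_NONAT = """deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any"""
# Hub ACLs with the INSIDE-SUBNET / SPOKE1 / SPOKE2 objects expanded by hand.
HUB_SPOKE1 = """access-list VPN-SPOKE1 extended permit ip 172.16.0.0 255.255.0.0 192.168.210.224 255.255.255.224
access-list VPN-SPOKE1 extended permit ip 192.168.210.64 255.255.255.224 192.168.210.224 255.255.255.224"""
HUB_SPOKE2 = """access-list VPN-SPOKE2 extended permit ip 172.16.0.0 255.255.0.0 192.168.210.64 255.255.255.224
access-list VPN-SPOKE2 extended permit ip 192.168.210.224 255.255.255.224 192.168.210.64 255.255.255.224"""


def audit() -> Dict[str, object]:
    """Run both rules over the posted ACLs and return the findings by name."""
    s1, s2 = parse_acl(SPOKE1_CRYPTO), parse_acl(SPOKE2_CRYPTO)
    h1, h2 = parse_acl(HUB_SPOKE1, wildcard=False), parse_acl(HUB_SPOKE2, wildcard=False)
    return {
        "spoke1_nat": nat_status(s1, parse_acl(SPOKE1_NONAT)),
        "spoke2_nat": nat_status(s2, parse_acl(SPOKE2_NONAT)),
        "spoke1_vs_hub": missing_mirrors(s1, h1) + missing_mirrors(h1, s1),
        "spoke2_vs_hub": missing_mirrors(s2, h2) + missing_mirrors(h2, s2),
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

Run against the ACLs as posted, the mirror checks between each spoke and the hub come back clean, while the NAT check flags the Spoke 2 flow 192.168.210.64/27 -> 192.168.210.224/27 as NATTED (its NONAT list denies only the 172.16.0.0/16 destination before the permit-any) and reports that no NONAT entry on Spoke 1 matches its own LAN 192.168.210.224/27 at all (both entries there reference 192.168.210.64/27). Those are the lines to look at first; the checker deliberately says nothing about routing, crypto-map sequence numbers or the ASA's own NAT rules, which the hairpin also depends on.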