Question:
I have established a site-to-site VPN. The config is as follows: 192.168.32.0/24 (SITE A) >--> 192.168.30.0/24 (SITE B)

Site B has 192.168.30.1 as the outside address of the ASA firewall. On the other peer of the cable I have a Debian server (192.168.31.2) that re-routes the packets from/to the internal network (192.168.31.0/24). All the packets arriving at the ASA from the internal network appear as 192.168.31.2 (the IP of the Debian server).

When the VPN is established, from Site A I can ping the Debian server installed on Site B correctly.

If I try to ping any server on Site B from the Debian server, the ping works correctly.

When I try to ping any host of the internal network of Site B behind the Debian server from Site A, I get the following message:

"Teardown ICMP connection for faddr 192.168.31.11/0 gaddr 192.168.32.10/1 laddr 192.168.32.10/1".

Any idea why this happens? I mapped both the networks (192.168.30.0/24 and 192.168.31.24) when I created the VPN tunnel using the wizard.

Thanks,
Dario
SITEA Configuration:

object-group network DM_INLINE_NETWORK_1
 network-object object SITE-B-DEBIAN-SUBNET
 network-object object SITE-B-INTERNAL-NETWORK
access-list outside_cryptomap extended permit ip object SITE-A-INTERNAL-NETWORK object-group DM_INLINE_NETWORK_1
nat (inside,outside) source static SITE-A-INTERNAL-NETWORK SITE-A-INTERNAL-NETWORK destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
!
object network SITE-A-INTERNAL-NETWORK
 nat (inside,outside) dynamic interface
object network obj_any
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_XXXXXXXX internal
group-policy GroupPolicy_XXXXXXXX attributes
 vpn-tunnel-protocol ikev2
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX general-attributes
 default-group-policy GroupPolicy_XXXXXXXX
tunnel-group XXXXXXXX ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
===============
SITEB CONFIGURATION

object network SITE-B-INTERNAL-NETWORK
 subnet 192.168.31.0 255.255.255.0
object network SITE-A-INTERNAL-NETWORK
 subnet 192.168.32.0 255.255.255.0
object network SITE-B-DEBIAN-SUBNET
 subnet 192.168.30.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object SITE-B-EXTERNAL-IP
 network-object object SITE-B-VPN-SERVER
object-group network DM_INLINE_NETWORK_2
 network-object object SITE-B-DEBIAN-SUBNET
 network-object object SITE-B-INTERNAL-NETWORK
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object SITE-A-INTERNAL-NETWORK
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static SITE-A-INTERNAL-NETWORK SITE-A-INTERNAL-NETWORK no-proxy-arp route-lookup
!
route inside 192.168.31.0 255.255.255.0 192.168.30.2 1
group-policy GroupPolicy_YYYYYYYYYYYYYYYYY internal
group-policy GroupPolicy_YYYYYYYYYYYYYYYYY attributes
 vpn-tunnel-protocol ikev2
tunnel-group YYYYYYYYYYYYYYYYY type ipsec-l2l
tunnel-group YYYYYYYYYYYYYYYYY general-attributes
 default-group-policy GroupPolicy_YYYYYYYYYYYYYYYYY
tunnel-group YYYYYYYYYYYYYYYYY ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
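A check a practitioner would run on the configs above before touching anything else: the crypto (interesting-traffic) ACLs on the two peers must be mirror images of each other, and the flow named in the teardown message must fall inside both, with laddr equal to gaddr (no NAT applied to the tunnelled flow). The script below is an added example, not part of the original post or of Cisco's tooling. It parses a reduced ASA-style snippet built from the object names in the post; the Site B subnets are the ones the poster defined, while the `subnet` lines for Site A are an assumption, since the post does not show them. It then parses the quoted teardown syslog line and reports whether the logged flow is covered on both sides and whether either ACL lacks its mirror entry.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configs using the object names from the post. Site A's
# "subnet" lines are assumed (the post does not show them); Site B's are as posted.
SITE_A_CONFIG = """
object network SITE-A-INTERNAL-NETWORK
 subnet 192.168.32.0 255.255.255.0
object network SITE-B-DEBIAN-SUBNET
 subnet 192.168.30.0 255.255.255.0
object network SITE-B-INTERNAL-NETWORK
 subnet 192.168.31.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 network-object object SITE-B-DEBIAN-SUBNET
 network-object object SITE-B-INTERNAL-NETWORK
access-list outside_cryptomap extended permit ip object SITE-A-INTERNAL-NETWORK object-group DM_INLINE_NETWORK_1
"""

SITE_B_CONFIG = """
object network SITE-B-INTERNAL-NETWORK
 subnet 192.168.31.0 255.255.255.0
object network SITE-A-INTERNAL-NETWORK
 subnet 192.168.32.0 255.255.255.0
object network SITE-B-DEBIAN-SUBNET
 subnet 192.168.30.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object object SITE-B-DEBIAN-SUBNET
 network-object object SITE-B-INTERNAL-NETWORK
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object SITE-A-INTERNAL-NETWORK
"""

# The syslog text quoted in the post.
TEARDOWN_LINE = ("Teardown ICMP connection for faddr 192.168.31.11/0 "
                 "gaddr 192.168.32.10/1 laddr 192.168.32.10/1")

_TEARDOWN_RE = re.compile(r"faddr ([\d.]+)/\d+ gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+")


def _operand(tokens, i, objects, groups):
    """Consume one address operand of an ACE at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "object":
        return [objects[tokens[i + 1]]], i + 2
    if t == "object-group":
        return [objects[n] for n in groups[tokens[i + 1]]], i + 2
    if t in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2   # "addr mask" form


def parse_config(text):
    """Return the set of (src_network, dst_network) pairs permitted by the ACL lines."""
    objects, groups, aces = {}, defaultdict(list), []
    section = (None, None)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split()
        if not raw[0].isspace():                      # top-level command
            section = (None, None)
            if parts[:2] == ["object", "network"]:
                section = ("object", parts[2])
            elif parts[:2] == ["object-group", "network"]:
                section = ("group", parts[2])
            elif parts[0] == "access-list" and "permit" in parts:
                aces.append(parts)                    # resolve after all objects are known
            continue
        kind, name = section
        if kind == "object" and parts[0] == "subnet":
            objects[name] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif kind == "object" and parts[0] == "host":
            objects[name] = ipaddress.ip_network(parts[1])
        elif kind == "group" and parts[:2] == ["network-object", "object"]:
            groups[name].append(parts[2])
    flows = set()
    for parts in aces:
        i = parts.index("permit") + 2                 # skip the protocol keyword
        srcs, i = _operand(parts, i, objects, groups)
        dsts, _ = _operand(parts, i, objects, groups)
        flows.update((s, d) for s in srcs for d in dsts)
    return flows


def mirror_gaps(flows_a, flows_b):
    """Every (src, dst) on one peer needs (dst, src) on the other; list the ones that don't."""
    gaps = [("A", str(s), str(d)) for s, d in flows_a if (d, s) not in flows_b]
    gaps += [("B", str(s), str(d)) for s, d in flows_b if (d, s) not in flows_a]
    return sorted(gaps)


def flow_covered(flows, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in flows)


def parse_teardown(line):
    """Extract faddr/gaddr/laddr from an ASA 'Teardown ... connection' message."""
    m = _TEARDOWN_RE.search(line)
    return dict(zip(("faddr", "gaddr", "laddr"), m.groups())) if m else None


def diagnose(config_a, config_b, log_line):
    flows_a, flows_b = parse_config(config_a), parse_config(config_b)
    t = parse_teardown(log_line)
    return {
        "mirror_gaps": mirror_gaps(flows_a, flows_b),
        "nat_applied": t["laddr"] != t["gaddr"],   # laddr != gaddr means the ASA translated the flow
        "covered_on_a": flow_covered(flows_a, t["laddr"], t["faddr"]),
        "covered_on_b": flow_covered(flows_b, t["faddr"], t["laddr"]),
    }


if __name__ == "__main__":
    for k, v in diagnose(SITE_A_CONFIG, SITE_B_CONFIG, TEARDOWN_LINE).items():
        print(f"{k}: {v}")
```

With the subnets assumed above, the logged flow 192.168.32.10 -> 192.168.31.11 is covered by both crypto ACLs, no mirror entry is missing, and the ASA did not translate the flow (laddr equals gaddr), so the interesting-traffic and NAT-exemption definitions are not where this particular check points. Removing one `network-object` line from either group makes `mirror_gaps` report the orphaned pair, which is the kind of asymmetry that silently stops one direction of a tunnel.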
Answer:
In that case, you would need to remove all the crypto map and disable the isakmp configuration from the ASA. That port is already reserved on the ASA outside interface because you have those VPN tunnels configured earlier.

no crypto isakmp enable outside