On Thu, 24 Apr 2014, Daljit Singh wrote:
Actually I am trying to configure ipsec tunnel between two asa 5520 ver 8.0(3) and advertising static nat IP towards tunnel. But whenever my remote trying to initiate traffic then tunnel established but nothing is happening, I cant even see the logs on asdm if I filter remote ip. Is there any other configuration needs to be done.
192.168.x.x addresses are not globally routable. Do these two devices have globally routable addresses, for the purpose of things like terminating VPN tunnels? Assuming these devices aren't on some sort of private network (in other words: trying to communicate over the Internet), they will need globally routable addresses to talk to each other, or traffic between these two devices will need to be NAT'd to globally routable addresses. Keep in mind that NAT and IPSEC don't always play nicely with each other.
jms
FW1# sh ip System IP Addresses: Interface Name IP address Subnet mask Method GigabitEthernet0/0 Internet-Link 192.168.215.6 255.255.255.240 CONFIG GigabitEthernet0/1 Inside-Seachange 192.168.216.129 255.255.255.240 CONFIG crypto map outside_map 5 match address Internet-Link_2_cryptomap crypto map outside_map 5 set peer 192.168.41.68 crypto map outside_map 5 set transform-set ESP-3DES-SHA crypto map outside_map 5 set security-association lifetime seconds 28800 crypto map outside_map 5 set security-association lifetime kilobytes 4608000 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface Internet-Link access-list Internet-Link_2_cryptomap extended permit ip host 192.168.215.142 host 192.168.42.170 static (Inside-Seachange,Internet-Link) 192.168.215.142 172.31.25.12 netmask 255.255.255.255 I DON'T have a config of remote firewall. Regards Daljit Singh Disclaimer: This e-mail & attachment(s) within it are for sole use of intended recipient(s) & may contain confidential & privileged information. If you are not the intended recipient, please intimate the sender by replying to this email & destroy all copies & the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited & unlawful. The recipient acknowledges that COMPANY , its subsidiaries, associated companies or persons authorized by it (collectively "THE Group"), are unable to exercise control, ensure, guarantee the integrity of/over the contents of the information contained in e-mail transmissions & further acknowledges that any views expressed in this message are those of the individual sender & no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of THE Group. Disclaimer: This e-mail & attachment(s) within it are for sole use of intended recipient(s) & may contain confidential & privileged information. If you are not the intended recipient, please intimate the sender by replying to this email & destroy all copies & the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited & unlawful. The recipient acknowledges that COMPANY , its subsidiaries, associated companies or persons authorized by it (collectively "THE Group"), are unable to exercise control, ensure, guarantee the integrity of/over the contents of the information contained in e-mail transmissions & further acknowledges that any views expressed in this message are those of the individual sender & no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of THE Group. _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
