Spoke to Spoke Enhanced Config (ASA-PIX) NEED HELP ASAP!!

Discussion in 'Hardware' started by T-Mak, Oct 27, 2006.

  1. T-Mak

    T-Mak

    Joined:
    Oct 27, 2006
    Messages:
    2
    Scenario: I have 2 PIXes (PIX1 and PIX2) at remote sites each connected with a site-to-site VPN to the central ASA (ASA1). I can ping to and from the ASA1 from either site but I can't ping from one remote site to the other remote site (PIX1 to PIX2).
    PIX1 Internet traffic goes through ASA1 through the VPN to PIX1.
    Internet traffic for PIX2 is through its gateway.
    (There is a 3rd PIX (10.100.103.0 network), but for simplicity's sake I've left it out; it has the same functionality as PIX2.)
    I'm using the "Enhanced Spoke-to-Spoke config" example to assist me but I still can't get it to work:

    http://www.cisco.com/en/US/products...s_configuration_example09186a00804675ac.shtml

    In reference to the above document:
    I’m using static site-to-site VPNs between the Hub (ASA1) and spokes (PIX1 and PIX2).

    ASA1 = PIX1 in the config example (internal network of 172.17.16.0)
    PIX2 = PIX2 in the config example (internal network of 10.100.101.0)
    PIX3 = PIX3 in the config example (internal network of 10.100.102.0)

    ASA1:
    -------------------------------
    ASA Version 7.0(4)
    !
    hostname ASA1
    domain-name something.com
    enable password AuktubEUZPg0RqiA encrypted
    names
    !
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address 64.56.XXX.AA 255.255.255.0
    !
    interface Ethernet0/1
    nameif Inside
    security-level 90
    ip address 172.17.16.2 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd AuktubEUZPg0RqiA encrypted
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.101.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.103.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0

    access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
    access-list Outside_cryptomap_40_1 extended permit ip any 10.100.101.0 255.255.255.0
    access-list Outside_cryptomap_40_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
    access-list Outside_cryptomap_60_1 extended permit ip any 10.100.103.0 255.255.255.0
    access-list Outside_cryptomap_60_1 extended permit ip 10.100.103.0 255.255.255.0 10.100.101.0 255.255.255.0

    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ERROR: Command requires failover license
    ERROR: Command requires failover license
    icmp permit any Outside
    icmp permit any echo-reply Outside
    icmp permit any Inside
    asdm image disk0:/asdm-504.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (Outside) 10 interface
    nat (Outside) 10 10.100.101.0 255.255.255.0
    nat (Outside) 10 10.100.103.0 255.255.255.0
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 10 172.17.16.0 255.255.255.0
    route Outside 0.0.0.0 0.0.0.0 64.56.128.BB 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username XXX password 0WAOHb3RX3lpmtdS encrypted privilege 15
    aaa authorization command LOCAL
    http server enable
    http 172.17.16.0 255.255.255.0 Inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map Outside_map 20 match address Outside_cryptomap_20_1
    crypto map Outside_map 20 set peer 64.56.XXX.XX
    crypto map Outside_map 20 set transform-set ESP-3DES-SHA
    crypto map Outside_map 40 match address Outside_cryptomap_40_1
    crypto map Outside_map 40 set peer 64.56.XXX.YY
    crypto map Outside_map 40 set transform-set ESP-3DES-SHA
    crypto map Outside_map 60 match address Outside_cryptomap_60_1
    crypto map Outside_map 60 set peer 64.56.XXX.ZZ
    crypto map Outside_map 60 set transform-set ESP-3DES-SHA
    crypto map Outside_map interface Outside
    isakmp enable Outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group 64.56.XXX.XX type ipsec-l2l
    tunnel-group 64.56.XXX.XX ipsec-attributes
    pre-shared-key *
    tunnel-group 64.56.XXX.YY type ipsec-l2l
    tunnel-group 64.56.XXX.YY ipsec-attributes
    pre-shared-key *
    tunnel-group 64.56.XXX.ZZ type ipsec-l2l
    tunnel-group 64.56.XXX.ZZ ipsec-attributes
    pre-shared-key *
    telnet 172.17.16.0 255.255.255.0 Inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 172.17.16.51-172.17.16.254 Inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd dns 199.185.200.36
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd auto_config Inside
    dhcpd enable Inside
    dhcpd enable management
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    Cryptochecksum:f6af796bcb0ebfe00b3bc4623ef86330
    : end

    PIX2
    ----------------------------------------------
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password AuktubEUZPg0RqiA encrypted
    passwd AuktubEUZPg0RqiA encrypted
    hostname PIX2
    domain-name something.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.16.0 Volvo
    access-list inside_outbound_nat0_acl permit ip 10.100.101.0 255.255.255.0 172.17.16.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 172.17.16.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
    pager lines 24
    logging on
    icmp permit any outside
    icmp permit any echo-reply outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 64.56.XXX.YY 255.255.255.0
    ip address inside 10.100.101.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.100.101.0 255.255.255.0 inside
    pdm location 10.100.102.0 255.255.255.0 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location Volvo 255.255.255.0 outside
    pdm location 192.168.XXX.XXX 255.255.255.0 inside
    pdm location 10.100.104.0 255.255.255.0 outside
    pdm location 198.166.XXX.XXX 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    route outside 0.0.0.0 0.0.0.0 64.56.XXX.BB 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.100.102.0 255.255.255.0 inside
    http 10.100.101.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.101.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 64.56.XXX.AA
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 64.56.XXX.AA netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.100.101.51-10.100.101.175 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:0697a863dcb9faaa9154f7df41191139
    : end
    [OK]
     
    T-Mak, Oct 27, 2006
    #1

  2. T-Mak

    T-Mak

    Joined:
    Oct 27, 2006
    Messages:
    2
    PIX3
    ----------------------------------------------
    Building configuration...
    : Saved
    :
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password AuktubEUZPg0RqiA encrypted
    passwd AuktubEUZPg0RqiA encrypted
    hostname PIX3
    domain-name something.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 172.17.16.0 Volvo
    access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 172.17.16.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 172.17.16.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
    pager lines 24
    logging on
    icmp permit any outside
    icmp permit any echo-reply outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 64.56.XXX.XX 255.255.255.0
    ip address inside 10.100.102.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 10.100.102.0 255.255.255.0 inside
    pdm location 10.100.101.0 255.255.255.0 inside
    pdm location 10.100.102.0 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location Volvo 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 64.56.128.BB 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.100.101.0 255.255.255.0 inside
    http 10.100.102.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 64.56.XXX.AA
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 64.56.XXX.AA netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 10.100.102.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.100.102.51-10.100.102.178 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:816ba758685e8d4bca4ec84a29843198
    : end
    [OK]

    I can ping between the ASA and PIX2 and between ASA and PIX3 but not between the spokes (PIX2 and PIX3).
    I get a "305005: No Translation group found for icmp src Outside: 10.100.10X.XX dst. Outside: 10.100.10Y.XX (type 8, code 0)" each time I ping.
    I also get
    1 IKE Tunnel and 3 IPSEC Tunnels on PIX2
    1 IKE Tunnel and 1 IKE Tunnel on PIX3
    and
    4 IKE Tunnels and 6 IPSEC Tunnels on ASA1
    after I ping the different sites.

    Thanks in advance for any help you can give!
     
    T-Mak, Oct 27, 2006
    #2
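An added consistency check, not part of the thread and not T-Mak's configuration: the script below parses the access-list, nat and crypto map lines excerpted from the ASA1, PIX2 and PIX3 configs posted above and tests the two things the Cisco spoke-to-spoke example relies on at the hub. First, for every ordered pair of spokes, the hub's crypto map must select the destination spoke as the peer (crypto map entries are evaluated in sequence order and the first crypto ACL match wins). Second, spoke-to-spoke traffic enters and leaves the hub on the same Outside interface, so with nat-control it needs a nat 0 exemption applied on Outside; an exemption applied on Inside does not cover it. It also checks each spoke's crypto ACL against the hub's map entry for that peer, since a spoke entry with no mirror image at the hub never gets a matching SA. The peer addresses keep the masked values from the posts; the spoke table, the excerpts and the function names are this example's own.

```python
import ipaddress
from itertools import permutations

ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tokens):
    """Consume 'any' or 'ADDR MASK' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse(cfg):
    """Collect ACL entries, nat rules and crypto-map entries from PIX/ASA CLI text."""
    acls, nat, cmap = {}, [], {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            rest = t[t.index("permit") + 2:]            # skip 'permit ip'
            src, rest = _net(rest)
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:1] == ["nat"]:   # nat (IF) ID access-list NAME  |  nat (IF) ID NET MASK
            iface, nat_id = t[1].strip("()").lower(), int(t[2])
            entries = acls.get(t[4], []) if t[3] == "access-list" else [(_net(t[3:5])[0], ANY)]
            nat.append((iface, nat_id, entries))
        elif t[:2] == ["crypto", "map"] and len(t) > 5 and t[3].isdigit():
            entry = cmap.setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return {"acls": acls, "nat": nat, "cmap": cmap}

def _covers(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def peer_for(dev, src, dst):
    """Peer the device's crypto map selects for src->dst (sequence order, first match wins)."""
    for seq in sorted(dev["cmap"]):
        e = dev["cmap"][seq]
        if "acl" in e and _covers(dev["acls"].get(e["acl"], []), src, dst):
            return e.get("peer")
    return None

def nat_exempt(dev, iface, src, dst):
    """True if a 'nat (iface) 0' rule exempts src->dst from translation on that interface."""
    return any(i == iface and n == 0 and _covers(ent, src, dst) for i, n, ent in dev["nat"])

def audit_hub(hub, spokes, hub_iface="outside"):
    """spokes: {peer_ip: (name, inside_net)}. Checks every ordered spoke pair at the hub."""
    findings = []
    for (ip_a, (a, net_a)), (ip_b, (b, net_b)) in permutations(spokes.items(), 2):
        got = peer_for(hub, net_a, net_b)
        if got != ip_b:                      # hub would send a->b to the wrong peer (or none)
            findings.append(("crypto-map", a, b, got))
        if not nat_exempt(hub, hub_iface, net_a, net_b):   # hairpinned traffic needs nat 0 here
            findings.append(("nat0", a, b))
    return findings

def audit_spoke(hub, spoke, spoke_ip):
    """Spoke crypto ACL entries with no mirror image in the hub's map entries for that peer."""
    hub_entries = [hub["acls"].get(e["acl"], []) for e in hub["cmap"].values()
                   if e.get("peer") == spoke_ip and "acl" in e]
    return [(str(s), str(d)) for e in spoke["cmap"].values()
            for s, d in spoke["acls"].get(e["acl"], [])
            if not any(_covers(h, d, s) for h in hub_entries)]

# Excerpts of the configs posted in this thread (peer addresses keep the posts' masked form).
ASA1 = """
access-list Inside_nat0_outbound extended permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_20_1 extended permit ip 172.17.16.0 255.255.255.0 10.100.102.0 255.255.255.0
access-list Outside_cryptomap_40_1 extended permit ip any 10.100.101.0 255.255.255.0
access-list Outside_cryptomap_40_1 extended permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
nat (Outside) 10 10.100.101.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer 64.56.XXX.XX
crypto map Outside_map 40 match address Outside_cryptomap_40_1
crypto map Outside_map 40 set peer 64.56.XXX.YY
"""
PIX2 = """
access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.56.XXX.AA
"""
PIX3 = """
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 172.17.16.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.100.102.0 255.255.255.0 10.100.101.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.56.XXX.AA
"""
SPOKES = {"64.56.XXX.YY": ("PIX2", ipaddress.ip_network("10.100.101.0/24")),
          "64.56.XXX.XX": ("PIX3", ipaddress.ip_network("10.100.102.0/24"))}

if __name__ == "__main__":
    hub = parse(ASA1)
    for f in audit_hub(hub, SPOKES):
        print("hub:", f)
    for cfg, ip in ((PIX2, "64.56.XXX.YY"), (PIX3, "64.56.XXX.XX")):
        print(SPOKES[ip][0], "entries not mirrored at hub:", audit_spoke(hub, parse(cfg), ip))
```

On the posted excerpts the script reports three things. Traffic from 10.100.101.0 to 10.100.102.0 skips map 20 (whose ACL only names 172.17.16.0 as the source) and lands on the second entry of Outside_cryptomap_40_1, so the hub would select 64.56.XXX.YY (PIX2 itself) as the peer rather than PIX3; the reverse direction is fine only because the `any` entry in map 40 happens to cover it. No `nat (Outside) 0` exemption exists for either spoke pair, which matches the 305005 "No translation group found ... src Outside ... dst Outside" message in the post, since the nat 0 ACL is bound to Inside. And PIX3's entry for 10.100.102.0 to 10.100.101.0 has no mirror image in the hub's map 20, so that SA can never be negotiated on the PIX3 tunnel.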
