Hi all,
I was wondering if someone with more ASA experience than me could help with a problem I'm having with a crypto-map-based site-to-site VPN between this ASA 5520 and a Palo Alto PA-220. The ASA is the side closer to me and the PA is in a remote site. An interface within the encryption domain/Proxy ID on the Palo Alto can reach an internal (the "inside") interface of my ASA. However, it can't reach anything past the ASA, which it should by routing through the inside interface. I'm not sure what's wrong, but I think I'm missing something on the ASA side. It's a pretty basic config and I've pasted it below (with no sensitive IPs/information).
(crypto map is already applied to outside interface)
I would appreciate any help or tips on things to check/make sure of.
access-list crypto_map_100 line 1 extended permit ip 10.0.0.0 255.0.0.0 10.109.100.0 255.255.252.0
!
access-list crypto_map_100 line 2 extended permit ip 172.21.0.0 255.255.128.0 10.109.100.0 255.255.252.0
!
crypto map outside_map 100 match address crypto_map_100
crypto map outside_map 100 set peer x.x.x.x
crypto map outside_map 100 set ikev1 transform-set [transform-set]
crypto map outside_map 100 set reverse-route
!
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
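Added example (not part of the original post or its config): on an ASA, traffic addressed to the inside interface IP itself is handled as to-the-box traffic, so it is not subject to the NAT table or the interface ACLs the way forwarded traffic is. That is why the remote PA can reach the interface while hosts behind it stay unreachable: forwarded traffic to and from the encryption domains needs a NAT exemption (identity NAT), the inside hosts need a return route for 10.109.100.0/22 that points at the ASA, and decrypted VPN traffic must be allowed through. The block below shows the exemption for the two local ranges in the posted crypto ACL and the commands used to verify it. It assumes ASA 8.3 or later NAT syntax, an egress interface named "outside", and hypothetical object names; the host addresses in the packet-tracer lines are constructed for the example.

```cisco
! Added example, not from the original post. Object names, the "outside"
! interface name and the host addresses are assumptions.
object network LOCAL_10_NET
 subnet 10.0.0.0 255.0.0.0
object network LOCAL_172_21_NET
 subnet 172.21.0.0 255.255.128.0
object network REMOTE_PA_NET
 subnet 10.109.100.0 255.255.252.0
!
! Manual (twice) NAT identity rules: source and destination map to
! themselves, so VPN traffic is neither translated nor caught by a dynamic
! PAT rule. route-lookup makes the ASA pick the egress interface from the
! routing table rather than from the NAT rule.
nat (inside,outside) source static LOCAL_10_NET LOCAL_10_NET destination static REMOTE_PA_NET REMOTE_PA_NET no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_172_21_NET LOCAL_172_21_NET destination static REMOTE_PA_NET REMOTE_PA_NET no-proxy-arp route-lookup
!
! Decrypted IPsec traffic bypasses the interface ACLs while this is set
! (enabled by default; confirm with "show run all sysopt").
sysopt connection permit-vpn
!
! Verification: per-SA encaps/decaps counters for this peer, then a
! simulated ICMP echo in each direction. The trace shows which phase
! (route lookup, NAT, ACL, VPN) drops the packet if one does.
show crypto ipsec sa peer x.x.x.x
packet-tracer input outside icmp 10.109.100.10 8 0 10.0.0.20 detailed
packet-tracer input inside icmp 10.0.0.20 8 0 10.109.100.10 detailed
```

If the packet-tracer run from the outside side shows the packet reaching the inside host but the reply never appears in the SA decaps counters, the remaining suspect is the host's own routing (no route for 10.109.100.0/22 via the ASA) rather than the ASA configuration.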