2 VPN tunnels between 2 devices on separate links

Similar Questions

• VPN tunnel between the concentrator 3005 and router Cisco 827

  I am trying to establish a VPN tunnel between the Central Office with VPN 3005 and controller branch Cisco 827 router.

  There is a router of perimeter with access set up in front of the 3005 list.

  I quote the ACLs on the Central perimeter router instructionsuivante to allow traffic to permit ip 3005 - acl 101 all 193.188.X.X (address of the hub)

  I get the following message appears when I try to ping a local host in the Central site.

  Can Anyoune give me the correct steps to 827 and 3005.

  Thank you

  CCNP Ansar.

  ------------------------------------------------------------------------------------------------------

  Debug crypto ISAKMP

  encryption of debugging engine

  Debug crypto his

  debug output

  ------------------

  1d20h: IPSEC (sa_request):,.

  (Eng. msg key.) Local OUTGOING = 172.22.113.41, distance = 193.188.108.165.

  local_proxy = 202.71.244.160/255.255.255.240/0/0 (type = 4),

  remote_proxy = 128.128.1.78/255.255.255.255/0/0 (type = 1),

  Protocol = ESP, transform = esp - esp-md5-hmac.

  lifedur = 3600 s and KB 4608000,

  SPI = 0x83B8AC1B (2209917979), id_conn = 0, keysize = 0, flags = 0x400D

  1d20h: ISAKMP: ke received message (1/1)

  1d20h: ISAKMP: 500 local port, remote port 500

  1d20h: ISAKMP (0:1): entry = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

  Former State = new State IKE_READY = IKE_I_MM1

  1d20h: ISAKMP (0:1): early changes of Main Mode

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE...

  1d20h: ISAKMP (0:1): will increment the error counter on his: retransmit the phase 1

  1d20h: ISAKMP (0:1): retransmission phase 1 MM_NO_STATE

  1d20h: ISAKMP (0:1): lot of 193.188.108.165 sending (I) MM_NO_STATE

  1d20h: IPSEC (key_engine): request timer shot: count = 1,.

  You must also allow the esp Protocol in your ACL.

  access-list 101 permit esp any host x.x.x.x (address of the hub)

  Hope this helps,

  -Nairi

• VPN tunnel between 3 places

  Expertise of expensive

  Recently we hava configured vpn tunnel between two locations. Want to create a tunnel vpn on a third location. What configuration will be valid on the version of firewall cisco PIX 501 6.3.4.

  Please see thr existing pix config at two location.

  Please post the latest config?

• VPN connectivity between three devices

  Hi all

  In this scenario, we have 3 cisco devices: 1 Cisco router connected to another 2nd Cisco router with IPSEC site-to-site VPN and the 2nd router Cisco is connected with IPSEC site-to-site to the 3rd ASA firewall.

  1 router has lan network 192.168.1.0/24 linking 2nd router lan via VPN site-to-site

  2nd router has lan 192.168.2.0/24 linking 1 router & 3rd ASA lan via VPN site to site (intermediate device)

  3rd ASA FW has lan 192.168.3.0/24 linking 2nd router lan via VPN site-to-site

  My question is: is it possible for the 1st network of routers can communicate with 3rd ASA network by changing only config Router 1 and 2 and how?

  Thanks in advance.

  Yes it is possible, but the solution is not very "elegant". If you could change the config of the ASA-3 there are two ways to cope:

  1. A tunnel between Rtr - 1 and ASA-3
  2. Extend existing tunnels to carry also the traffic of LAN1 LAN3

  Without this possibility, you can still obtain access to LAN1 to the LAN3. To:

  1. extend the R1 - R2 tunnel to protect the traffic of LAN1 to LAN3
  2. Configure RTR - 2 to translate the addresses of the LAN1 to the address in LAN2.
  3. Now this traffic can be sent through the tunnel between R2-ASA3

• Lost the VPN tunnel between 2 site when internal client using client vpn

  We currently have VPN tunnel connected to the remote desktop using router VPN Hotbrick 2.

  When 1 of the internal computer try to connect to another server VPN customer using Cisco VPN Client v4.8, she will appear in drop/disable/loss of the tunnel between us VPN and remote offices. The tunnel is still established but no traffice between site 2. (cannot all ping)

  What are the causes of the problem? Hotbrik problem? Customer Cisco VPN setting or something else?

  I don't know what causes the problem. Help, please. Thanks in advance.

  Hello

  The problem is that your NAT device will not translating properly, and when the 2nd customer triggers (ISAKMP packets-UDP 500) connections port isn't transalated, so for the SAA is as the first user tries to connect again, then it rejects the initial connection.

  The trick is, as you have discovered, use global UDP.

  The problem is that UDP 10000 is not a standard, so you need to check if multiple users can be connected at the same time behind the same NAT device.

  If this is not the case, use the NAT transparency standard industry (UDP 4500). This should be configured only on the SAA.

  Please rate if this helped.

  Kind regards

  Daniel

• Help with a VPN tunnel between ASA 5510 and Juniper SSG20

  Hello

  We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

  After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

  Main branch
  1.1.1.2                                 1.1.1.1
  -----                                               -----------
  192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
  -----                                               -----------
  192.168.8.254 192.168.1.254

  According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

  Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

  It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

  Help is very appreciated.

  Thank you

  1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

  SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

  You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

  management-private access

  To initiate the ping of the private interface ASA:

  ping 192.168.1.254 private

  2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

  Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

  Hope that helps.

• VPN tunnel between 2 ASA 5505 with the same default gateway

  Hello

  Is it possible to create a vpn ipsec site to site (laboratory environment) between two 5505 (ASA IOS 8.2 (5) & asdm-645-206) with the same default gateway. That is a VPN tunnel or a back to back-to-one site that I have to deploy a router and hang each 5505 out a different interface? We have a lot of public IP but only one gateway our ISP (Internet). Any suggestions or recommendations are very appeciated!

  d

  Yes - you can even do it with a xover cable and a 30 ip on both external interfaces.

• Site to Site VPN tunnel between two ASA

  I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

  Thank you

  Carlos

  Hello

  First, I would like to say that I don't personally use ASDM for the configuration.

  But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

  I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

  If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

  -Jouni

• RV110W replaces WRV210. IPsec VPN tunnel between them?

  I have a VPN between two locations using WRV210s at the end of work. Now, I want to replace a 210 with a new RV110W. Can I get both to work together? The config is quite different.

  Rod, the rv110w must be on the latest version of the software. The original version firmware did not support site to site vpn.

  http://www.Cisco.com/Cisco/software/release.html?mdfid=283879340&flowid=&softwareid=282487380&OS=null&release=1.2.0.9&relind=null&rellifecycle=null&RelType=null

  Site of the tunnel to the other, simply to match the parameters. If you need help with this, you can call the support center, make sure you have access to the pages of each router configuration.

  -Tom
  Please evaluate the useful messages

• Established VPN tunnel between 4.8 Client and 525 PIX but cannot ping

  When there is no tunnel that is established, the client can ping all devices onsite / remote. However when the tunnel is established and the client picks up its expected the address pool IP address, the client can ping or local / remote.

  Debug trace of icmp on the shows of PIX inside devices responding to pings from the client but the client

  does not receive these responses and shows demand exceeded.

  VPN client also shows only the transmitted data.

  I'm guessing that there is a problem of routing/natting somewhere?

  Would really appreciate some help on this? Ask some q If my problem is too vague.

  Thanks in advance!

  Would it be possible to show the hidden config of the PIX with the public IP addresses? Some things to check

  --> ISAKMP Nat traversal

  --> Windows Firewall

  --> syspot allowed

• SBS 2008 office1 Serv2008 Office 2 need to share assets between them via a site to site VPN tunnel

  Hi all.

  I really need help on this one.

  The office 1 installer running SBS2008 Office 2 running Server 2008.

  Each firm has its own FQDN Office 1 CompanyABC 2 A_B_C of the company office.

  Each firm has its own internal IP address pool Office 1 192.168.69.xxx and office 192.168.20.xxx 2.

  Site to site VPN tunnel between 2 office routers Netgear SRX5308 1 and 2 Netgear FVS318G Office established and working.

  Each firm has its own DNS server and acts as a domain controller

  How to configure the 2 networks to see each other and be able to use assets on every network (files, printers)?

  Is it so simple that the addition of another pool internal IP for each DNS server?

  Thanks in advance for your help.

  Hello

  Your Question is beyond the scope of this community.

  I suggest that repost you your question in the Forums of SBS.

  https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

  "Windows Small Business Server 2011 Essentials online help"

  https://msdn.Microsoft.com/en-us/library/home-client.aspx

  TechNet Server forums.

  http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

  See you soon.

• Traffic is failed on plain IPSec tunnel between two 892 s

  Have a weird case and you are looking for some suggestions/thougs where to dig because I have exhausted the options.

  Note: I replaced the Networkid real to a mentined below.

  Topology: a classic IPSec VPN tunnel between two 892 s of Cisco, with pre-shared key and no GRE. A 892 (branch_892) has access to the Internet using PPPoE and has three network / VLAN behind it. A VLAN is coordinated to the PPPoE internet access. Access to the other two VLAN - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) is performed via the VPN tunnel.

  Second 892 (892_DC) has just one interface - WAN on Gigabit enabled/connected and a static route to the default GW. It doesn't have any defined interal network. If the router is strictly used to send traffic to VL92/VL93 to the domestic 892 via IPSec tunnel.

  Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) - does not work.

  Devices in VL92 I ping IP address of 892_DC through the VPN tunnel. The 892_DC router I can ping devices in VL92. However, I can't VL92 ping any device beyond the 892_DC and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.

  I took the package trace on 892_DC using capture point/buffer to nathalie caron to VL92 packages and saw that the traffic coming to the 892_DC. I run the nathalie caron even on Branch_892, and there was not a single package.

  So... What's the problem? More interesting, I modified the way left on VL92 access list and still - no packets are sent through the tunnel.

  Any idea? Two routers config are below

  -------

  892_DC #show ru

  !

  crypto ISAKMP policy 10

  BA aes 256

  hash sha256

  preshared authentication

  Group 2

  isakmp encryption key * address 1.2.3.4

  ISAKMP crypto keepalive 10 periodicals

  !

  address of 1.2.3.4 crypto isakmp peers

  Description of-COIL-892

  !

  !

  Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

  Crypto ipsec df - bit clear

  !

  map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

  defined peer 1.2.3.4

  disable the kilobytes of life together - the security association

  86400 seconds, life of security association set

  the transform-set IT-IPSec-Transform-Set value

  match a lists 101

  market arriere-route

  QoS before filing

  !

  interface GigabitEthernet0

  IP 10,20,30,40 255.255.255.240

  IP 1400 MTU

  IP tcp adjust-mss 1360

  automatic duplex

  automatic speed

  card crypto IT-IPSec-Crypto-map

  !

  IP route 0.0.0.0 0.0.0.0 10.20.30.41

  !

  access list 101 ip allow any 100.100.100.0 0.0.0.255 connect

  access list 101 ip allow any 100.100.200.0 0.0.0.255 connect

  -------------------------------------------------------------------------------------

  Branch_892 #sh run

  !

  crypto ISAKMP policy 10

  BA aes 256

  hash sha256

  preshared authentication

  Group 2

  isakmp encryption key * address 10,20,30,40

  ISAKMP crypto keepalive 10 periodicals

  !

  address peer isakmp crypto 10,20,30,40

  !

  !

  Crypto ipsec transform-set IT-IPSec-Transform-Set esp - aes 256 sha256-esp-hmac

  Crypto ipsec df - bit clear

  !

  map IT ipsec - IPSec crypto - Crypto - map 10-isakmp

  defined peer 10,20,30,40

  disable the kilobytes of life together - the security association

  86400 seconds, life of security association set

  the transform-set IT-IPSec-Transform-Set value

  match address 101

  market arriere-route

  QoS before filing

  !

  FastEthernet6 interface

  Description VL92

  switchport access vlan 92

  !

  interface FastEthernet7

  Description VL93

  switchport access vlan 93

  !

  interface GigabitEthernet0

  Description # to WAN #.

  no ip address

  automatic duplex

  automatic speed

  PPPoE-client dial-pool-number 1

  !

  interface Vlan1

  Description # local to #.

  IP 192.168.1.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly in

  !

  interface Vlan92

  Description fa6-nexus e100/0/40

  IP 100.100.200.1 255.255.255.0

  !

  interface Vlan93

  Description fa7-nexus e100/0/38

  IP 100.100.100.1 255.255.255.0

  !

  interface Dialer0

  no ip address

  No cdp enable

  !

  interface Dialer1

  IP 1.2.3.4 255.255.255.248

  IP mtu 1454

  NAT outside IP

  IP virtual-reassembly in max-pumping 256

  encapsulation ppp

  IP tcp adjust-mss 1414

  Dialer pool 1

  Dialer-Group 1

  Authentication callin PPP chap Protocol

  PPP chap hostname ~ ~ ~

  PPP chap password =.

  No cdp enable

  card crypto IT-IPSec-Crypto-map

  !

  Dialer-list 1 ip protocol allow

  !

  access-list 101 permit ip 100.100.100.0 0.0.0.255 any

  access-list 101 permit ip 100.100.200.0 0.0.0.255 any

  !

  IP route 0.0.0.0 0.0.0.0 Dialer1

  Yes correct sounds - so another possible problem is the routing is routing 100% correct on both sides? Can you put the two sides config for review?

• RV042 VPN tunnel with Samsung Ubigate ibg2600 need help

  Hi all, ok before I completely remove all of my hair, I thought stop by here and ask the volume for you all with the hope that someone can track down the problem.

  In short I am configuring a 'Gateway to gateway' vpn tunnel between two sites, I don't have access to the config of the router from Samsung, but the ISPS making sure that they followed my setup - watching newspapers RV042, I don't however see the reason for the failure - im no expert vpn...

  Sorry if the log file turns on a bit, I didn't know where the beginning and the end was stupid I know... any advice would be greatly welcomed lol.

  System log
  Current time: Fri Sep 2 03:37:52 2009 all THE Log Log Log Log VPN Firewall Access system
   
  Time
  Type of event Message
  2 sep 03:36:01 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba08
  2 sep 03:36:01 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = c664c1ca
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:02 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:02 2009 VPN received log delete SA payload: ISAKMP State #627 removal
  2 sep 03:36:02 2009 VPN Log Main Mode initiator
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > Send main initiator Mode 1 package
  2 sep 03:36:02 2009 charge of VPN journal received Vendor ID Type = [Dead Peer Detection]
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 2nd="" packet="">
  2 sep 03:36:02 2009 VPN Log [Tunnel negotiation Info] > initiator send Mode main 3rd package
  2 sep 03:36:03 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" main="" mode="" 4th="" packet="">
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > main initiator Mode to send 5 packs
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator receive hand Mode 6 Pack
  2 sep 03:36:03 2009 log VPN main mode peer ID is ID_IPV4_ADDR: '87.85.xxx.xxx '.
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN Mode main Phase 1 SA established
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] initiator Cookies = c527 d584 595 c 2c3b
  2 sep 03:36:03 2009 log VPN [Tunnel negotiation Info] responder Cookies = b62c ca31 1a5f 673f
  2 sep 03:36:03 2009 log quick launch Mode PSK VPN + TUNNEL + PFS
  2 sep 03:36:03 2009 Log [Tunnel negotiation Info] VPN > initiator send fast Mode 1 package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation of Info]< initiator="" received="" quick="" mode="" 2nd="" packet="">
  2 sep 03:36:04 2009 value of VPN Log [Tunnel negotiation Info] Inbound SPI = c3bdba09
  2 sep 03:36:04 2009 value of outbound SPI VPN Log [Tunnel negotiation Info] = e3da1469
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] > initiator send fast Mode 3rd package
  2 sep 03:36:04 2009 VPN Log [Tunnel negotiation Info] Quick Mode Phase 2 SA established, IPSec Tunnel connected
  2 sep 03:36:04 2009 VPN journal Dead Peer Detection start, DPD delay = timeout = 10 sec 10 sec timer
  2 sep 03:36:05 2009 VPN received log delete SA payload: ISAKMP State #629 removal

  PFS - off on tada and linksys router does not support the samsung lol! connected!

• VPN tunnel cascade w / SW NSA FWs

  

  Hello

  I have questions about VPN cascading between 3 firewall SonicWALL NSA. Let me explain my situation and what I want to achieve.

  As shown in the diagram above, I have 3 branches connected to the Internet, which advanced to the LAN is the NSA SW FW. There is a VPN tunnel between each site: Site_A Site_ B, Site_A Site_ C, Site_B Site_ C. The Internet of the Site A traffic is redirected to the Site B. This Site A Cross Site B to access the Internet and LAN B. Site A through C access LAN C Site.

  My question is: is it possible to remove the tunnel VPN Site_A-Site_C to and instead, through Site B to C LAN access? If so, how you can achieve this configuration?

  What worries me is the VPN tunnel options that allow you to redirect all Internet traffic or a specific destination of LAN through objects (screenshots from Site A) address:

  

  

  Without the redirection of Internet traffic, I thought about creating a group of addresses, including 2 B LAN and LAN C address objects. But I want to keep the Internet through Site B traffic redirection.

  What do you think?

  Thanks in advance for your help.

  Hello

  My comments below:

  If you route indeed all traffic from A to B, the following must fill.

  1. remove the tunnel A C

  Ok.

  2. site B will have A subnet that is defined as a local resource for C

  Do you mean this by local resource?

  

  3 C is going to have A subnet defined as remote resource

  Ok.

  If you route any traffic from A to B, the following must fill.

  First step would be to remove the tunnel VPN between A and C, but I guess that you have assumed that it was already done.

  1. define the C subnet as a remote resource on Site A

  Yes, like a remote network for the A - B VPN tunnel.

  2. tunnel of site B to A will need to subnet C defined as local resource

  Ok.

  3. tunnel of site B and C will need subnet defined as local resource

  Ok.

  4. the site will need to subnet C has defined as remote resource

  Yes.

  I'll do a test soon with 3 sites and see how it goes.

• Site to site VPN tunnel - cannot ping the second interface of the firewall peer inside2

  I have two ASA 5505 firewall each with a basic license: FWa and FWb. currently there is a VPN tunnel between them work. I added a second (inside2) interface to the firewall, FWb, but I can't ping firewall FWa, so that I can ping the inside interface of FWa.

  I can ping the FWb inside interface 192.168.20.1 from the FWa inside 172.16.1.1 interface, but I can not ping to the 10.52.100.10 of the FWa FWb inside2 interface. I can not ping the gateway host FWa 10.52.100.1.

  I show the essential configuration of two firewalls as well as the debug icmp output on the two firewalls that I ping the internal interfaces and of FWa FWb inside2.
  =========================================================

  Here is a skeleton of the FWa configuration:

  name 172.16.1.0 network-inside
  name 192.168.20.0 HprCnc Thesys
  name 10.52.100.0 ring52-network
  name 10.53.100.0 ring53-network
  name S.S.S.S outside-interface

  interface Vlan1
  nameif inside
  security-level 100
  IP 172.16.1.1 255.255.255.0
  !
  interface Vlan2
  Description Connection to 777 VLAN to work around static Comast external Modem and IP address.
  nameif outside
  security-level 0
  outside interface IP address 255.255.255.240

  the DM_INLINE_NETWORK_5 object-group network
  network-object HprCnc Thesys 255.255.255.0
  ring52-network 255.255.255.0 network-object
  ring53-network 255.255.255.0 network-object

  the DM_INLINE_NETWORK_3 object-group network
  ring52-network 255.255.255.0 network-object
  network-object HprCnc Thesys 255.255.255.0
  ring53-network 255.255.255.0 network-object

  outside-interface of the access-list extended permitted Outside_5_cryptomap ip host object-group DM_INLINE_NETWORK_3
  inside_nat_outbound list extended access allowed inside-network ip, 255.255.255.0 DM_INLINE_NETWORK_5 object-group
  permit access list extended ip host 173.162.149.72 Outside_nat0_outbound aus_asx_uat 255.255.255.0

  NAT (inside) 0 access-list sheep
  NAT (inside) 101-list of access inside_nat_outbound
  NAT (inside) 101 0.0.0.0 0.0.0.0
  NAT (outside) 0-list of access Outside_nat0_outbound

  card crypto VPN 5 corresponds to the address Outside_5_cryptomap
  card crypto VPN 5 set pfs Group1
  VPN 5 set peer D.D.D.D crypto card
  VPN 5 value transform-set VPN crypto card
  tunnel-group D.D.D.D type ipsec-l2l
  IPSec-attributes tunnel-Group D.D.D.D
  pre-shared key *.

  =========================================================

  FWb:

  name 10.52.100.0 ring52-network
  name 10.53.100.0 ring53-network
  name 10.51.100.0 ring51-network
  name 10.54.100.0 ring54-network

  interface Vlan1
  nameif inside
  security-level 100
  address 192.168.20.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  address IP D.D.D.D 255.255.255.240
  !
  interface Vlan52
  prior to interface Vlan1
  nameif inside2
  security-level 100
  IP 10.52.100.10 255.255.255.0

  the DM_INLINE_NETWORK_3 object-group network
  ring52-network 255.255.255.0 network-object
  ring53-network 255.255.255.0 network-object

  the DM_INLINE_NETWORK_2 object-group network
  ring52-network 255.255.255.0 network-object
  object-network 192.168.20.0 255.255.255.0
  ring53-network 255.255.255.0 network-object

  inside_nat0_outbound to access extended list ip 192.168.20.0 allow 255.255.255.0 host S.S.S.S
  inside2_nat0_outbound list extended access allowed object-group DM_INLINE_NETWORK_3 S.S.S.S ip host

  outside_1_cryptomap list extended access allowed object-group DM_INLINE_NETWORK_2 S.S.S.S ip host

  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  inside2_nat0_outbound (inside2) NAT 0 access list
  NAT (inside2) 1 0.0.0.0 0.0.0.0

  Route inside2 network ring51 255.255.255.0 10.52.100.1 1
  Route inside2 network ring53 255.255.255.0 10.52.100.1 1
  Route inside2 network ring54 255.255.255.0 10.52.100.1 1

  card crypto outside_map 1 match address outside_1_cryptomap
  card crypto outside_map 1 set pfs Group1
  outside_map game 1 card crypto peer S.S.S.S
  card crypto outside_map 1 set of transformation-ESP-3DES-SHA
  outside_map interface card crypto outside

  tunnel-group S.S.S.S type ipsec-l2l
  IPSec-attributes tunnel-group S.S.S.S
  pre-shared key *.

  =========================================================================
  I'm Tournai on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never return to FWa.

  Ping Successul FWa inside the interface on FWb

  FWa # ping 192.168.20.1
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.20.1, time-out is 2 seconds:
  Echo request ICMP from outside-interface to 192.168.20.1 ID = 32068 seq = 23510 len = 72
  ! ICMP echo reply to 192.168.20.1 in outside-interface ID = 32068 seq = 23510 len = 72
  ....

  FWb #.
  Echo ICMP of S.S.S.S to 192.168.20.1 ID request = 32068 seq = 23510 len = 72
  ICMP echo reply 192.168.20.1 S.S.S.S ID = 32068 seq = 23510 len = 72
  ==============================================================================
  Successful ping of Fwa on a host connected to the inside interface on FWb

  FWa # ping 192.168.20.15
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 192.168.20.15, wait time is 2 seconds:
  Echo request ICMP from outside-interface to 192.168.20.15 ID = seq 50862 = 18608 len = 72
  ! ICMP echo reply to 192.168.20.15 in outside-interface ID = seq 50862 = 18608 len = 72
  ...

  FWb #.
  Inside outside:S.S.S.S ICMP echo request: 192.168.20.15 ID = seq 50862 = 18608 len = 72
  ICMP echo reply to Interior: 192.168.20.15 outside:S.S.S.S ID = seq 50862 = 18608 len = 72

  ===========================
  Unsuccessful ping of FWa to inside2 on FWb interface

  FWa # ping 10.52.100.10
  Send 5, echoes ICMP 100 bytes to 10.52.100.10, wait time is 2 seconds:
  Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
  ? Echo request ICMP from outside-interface to 10.52.100.10 ID = 19752 seq = 63173 len = 72
  ...

  FWb #.
  10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
  10.52.100.10 ID of S.S.S.S ICMP echo request = 19752 seq = 63173 len = 72
  ....

  ==================================================================================

  Unsuccessful ping of Fwa to a host of related UI inside2 on FWb

  FWa # ping 10.52.100.1
  Type to abort escape sequence.
  Send 5, echoes ICMP 100 bytes to 10.52.100.1, wait time is 2 seconds:
  Echo request ICMP from outside-interface to 10.52.100.1 ID = 11842 seq = 15799 len = 72

  FWb #.
  Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72
  Echo request ICMP outside:S.S.S.S to inside2:10.52.100.1 ID = 11842 seq = 15799 len = 72

  =======================

  Thank you

  Hi odelaporte2,

  Is very probably the "access management" command is not applied in the second inside, only inside primary (see the race management) which will confirm.

  This command can be applied to an interface at a time, for example, if the law is now applied to the inside, it can not be applied to the inside2 at the same time.

  It may be useful

  -Randy-