djroh
asked on
Cisco ASA 5510 site to site VPN tunnel issue
After using the ASDM wizard to set up the tunnel between two ASA 5510s, I still cannot communicate between the local inside network and the remote inside network. Can anyone please take a look at my config and shed some knowledge my way. Thanks.
ASA1# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list acl_out extended permit tcp x.x.53.0 255.255.255.0 x.x.x.64 255.255.255.192 eq 3389
access-list acl_out extended permit tcp x.x.53.0 255.255.255.0 x.x.x.64 255.255.255.192 eq 4899
access-list acl_out extended permit icmp any any echo-reply
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list site-to-site extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.2 (this is the remote outside ip address)
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group asatoasa type ipsec-l2l
tunnel-group asatoasa ipsec-attributes
pre-shared-key *
ASKER CERTIFIED SOLUTION
ASKER
I also added the crypto isakmp nat-traversal on both sides. Still no connection. Thanks..
Issue the following commands:
debug crypto isakmp 200
debug crypto ipsec 200
debug crypto engine 200
Then try to ping a remote host and watch to see if you see any messages on the screen indicating that the tunnel is trying to be brought up...you should see tons of messages if it is trying.
If you see the debug messages, please post. If you don't see any messages, please post the remote site ASA config so we can compare the configs and make sure everything looks right...
ASKER
Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
User 'enable_15' executed the 'ping 10.1.2.6' command.
Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
Here is the remote config:
ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list acl_out extended permit tcp any host x.x.x.12 eq www
access-list acl_out extended permit tcp any host x.x.x.12 eq 5000
access-list acl_out extended permit tcp any host x.x.x.12 eq 5002
access-list acl_out extended permit tcp any host x.x.x.6 eq www
access-list acl_out extended permit tcp any host x.x.x.6 eq 5000
access-list acl_out extended permit tcp any host x.x.x.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.12 10.1.2.12 netmask 255.255.255.255
static (inside,outside) x.x.x.6 10.1.2.6 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group asatoasa2 type ipsec-l2l
tunnel-group asatoasa2 ipsec-attributes
pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
prompt hostname context
Cryptochecksum:ff2c7d84927360fef8acfacd302215ed
: end
ASKER
batry boy, I forgot to mention that on one end of the Cisco ASA I have a Cisco router as well. Here is the config on that:
Router#sh run
Building configuration...
Current configuration : 2610 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot system disk0:c7200-jk9o3s-mz.123-3.bin
boot system disk1:c7200-jk9o3s-mz.123-3.bin
boot bootldr bootflash:c7200-boot-mz.120-2.XE2
boot-end-marker
!
enable secret 5 $1$r6HJ$TnPlU4u.3aQAn8R8tIJUA.
!
username sadmin password 7 11274A4E47025E
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login ops local-case
aaa session-id common
ip subnet-zero
!
!
ip domain name blank.com
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
no voice hpi capture buffer
no voice hpi capture destination
!
controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 1/2
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 1/3
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
interface FastEthernet0/0
description VDat LAN
ip address x.x.x.1 255.255.255.0
no ip redirects
no ip mroute-cache
duplex full
no cdp enable
!
interface Serial1/0:0
ip address x.x.x.98 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
interface Serial1/1:0
ip address x.x.x.114 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
interface Serial1/2:0
ip address x.x.x.122 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
interface Serial1/3:0
ip address x.x.x.126 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.97
ip route 0.0.0.0 0.0.0.0 x.x.x.113
ip route 0.0.0.0 0.0.0.0 x.x.x.121
ip route 0.0.0.0 0.0.0.0 x.x.x.125
no ip http server
no ip http secure-server
!
access-list 101 permit ip host x.x.x.66 any
no cdp run
!
dial-peer cor custom
!
gatekeeper
shutdown
!
end
Your debug output that you posted did not show that a tunnel is even trying to establish when you ping a remote host on the other side of the tunnel. What host did you try to ping?
Never mind...I see it.
Set up an ACL to reference in a capture command:
access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
capture vpncap access-list cap_acl interface inside
Then perform your "ping 10.1.2.6" test again from a host on the 10.1.1.0 network. Then look at your capture to see what it says and post the output:
show capture vpncap
ASKER
Here are the logs and the show capture vpncap output below.
6 Apr 02 2007 13:37:25 302021 10.1.2.6 x.x.x.66 Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5 Apr 02 2007 13:37:25 111008 User 'enable_15' executed the 'ping 10.1.2.6' command.
6 Apr 02 2007 13:37:15 302020 10.1.2.6 x.x.x.66 Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5 Apr 02 2007 13:37:09 111008 User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.
5 Apr 02 2007 13:37:03 111008 User 'enable_15' executed the 'capture vpncap access-list cap_acl interface inside' command.
5 Apr 02 2007 13:37:01 111008 User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.
sh capture vpncap
0 packet captured
0 packet shown
That looks like syslog output. I'm talking about the debug output from a console session on the ASA.
ASKER
When I run the command sh capture vpncap I get:
sh capture vpncap
4 packets captured
1: 13:51:02.300780 10.1.1.71 > 10.1.2.6: icmp: echo request
2: 13:51:07.386759 10.1.1.71 > 10.1.2.6: icmp: echo request
3: 13:51:12.887390 10.1.1.71 > 10.1.2.6: icmp: echo request
4: 13:51:18.388087 10.1.1.71 > 10.1.2.6: icmp: echo request
4 packets shown
ASKER
Is there any access I need to set on the Cisco router that I posted? Please let me know.
When you are pinging the remote host and are looking at the ASA and you have the debug levels for ISAKMP, IPSEC and the crypto engine set at level 200, you should see output similar to the following that shows the tunnel is trying to come up:
asa# Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=27e6e24e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=4ee452d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a72a709)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=a40931cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=235f0f5a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7a72a709)
Do you see anything like this?
ASKER
I have the debug level at 200 and the vpn capture as you have recommended. I do not see the output that you posted. I'm pinging the 10.1.2.6 and all I get is that echo request. Debug messages should pop up right on the CLI, correct? I'm in limbo on this. I appreciate all your help.
Yes, you should see the debug output in the CLI.
I just noticed on your remote ASA config that you don't have a line that specifies the crypto ACL. You need to add a line to the remote config that looks like this:
crypto map outside_map 20 match address 110
If that doesn't fix it, please repost your current configs since I know you've made some changes since the last config posts.
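The config comparison being done by eye above, as an added example that is not part of this thread: a small Python checker that parses both ASA running-configs and reports the mismatches the thread turns on (a crypto map with no bound crypto ACL, a tunnel-group not named after the peer, crypto ACLs that are not mirrors, NAT exemption gaps, ISAKMP policy disagreement). The sample configs are constructed to mirror the first two posted configs, with RFC 5737 documentation addresses in place of the masked x.x.x ones, and the checker assumes the WAN interface is named outside.

```python
"""Cross-check two ASA 7.x site-to-site VPN configs for the mismatches this thread
turns on: no crypto ACL bound to the crypto map, a tunnel-group not named after the
peer, non-mirrored crypto ACLs, missing NAT exemption, ISAKMP policy disagreement."""
from ipaddress import ip_network

def _net(t, i):
    """Parse one ACL address operand at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_asa(config):
    """Pull the VPN-relevant statements out of an ASA running-config (WAN side assumed 'nameif outside')."""
    cfg = {"if": {}, "acl": {}, "nonat": None, "cmap": {}, "isakmp": {}, "tg": set()}
    cur_if = cur_pol = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur_if, cur_pol = {"name": None}, None
        elif t[0] == "nameif" and cur_if is not None:
            cur_if["name"] = t[1]
        elif t[:2] == ["ip", "address"] and cur_if and cur_if["name"]:
            cfg["if"][cur_if["name"]] = t[2]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(t, 5)
            cfg["acl"].setdefault(t[1], set()).add((src, _net(t, i)[0]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nonat"] = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            key = {"address": "acl", "peer": "peer"}.get(t[5])  # 'match address' / 'set peer'
            if key:
                cfg["cmap"].setdefault((t[2], t[3]), {})[key] = t[6]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            cur_pol = cfg["isakmp"].setdefault(t[3], {})
        elif cur_pol is not None and t[0] in ("authentication", "encryption", "hash", "group"):
            cur_pol[t[0]] = t[1]
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            cfg["tg"].add(t[1])
    return cfg

def check_pair(local, remote, lname, rname):
    """Return findings for `local` when it is meant to peer with `remote`."""
    out = []
    r_outside = remote["if"].get("outside")
    r_acl = set()  # everything the remote side's crypto map(s) protect
    for e in remote["cmap"].values():
        r_acl |= remote["acl"].get(e.get("acl"), set())
    for (name, seq), e in local["cmap"].items():
        where = f"{lname}: crypto map {name} {seq}"
        acl = e.get("acl")
        if acl not in local["acl"]:
            out.append(f"{where}: no 'match address' bound to a defined crypto ACL")
        else:
            mine = local["acl"][acl]
            if r_acl and mine != {(d, s) for s, d in r_acl}:  # peer ACL must be the mirror
                out.append(f"{where}: ACL {acl} does not mirror {rname}'s crypto ACL")
            # every protected pair must also be exempted from NAT by the nat 0 ACL
            for s, d in mine - local["acl"].get(local["nonat"], set()):
                out.append(f"{where}: {s} -> {d} missing from the nat 0 ACL")
        peer = e.get("peer")
        if peer != r_outside:
            out.append(f"{where}: peer {peer} is not {rname}'s outside address {r_outside}")
        elif peer not in local["tg"]:  # an IKEv1 L2L PSK tunnel-group is looked up by peer address
            out.append(f"{where}: no tunnel-group named {peer}")
    mine = {tuple(sorted(p.items())) for p in local["isakmp"].values()}
    theirs = {tuple(sorted(p.items())) for p in remote["isakmp"].values()}
    if not mine & theirs:
        out.append(f"{lname}: no ISAKMP policy agrees with any policy on {rname}")
    return out

# Constructed samples modeled on the two first-posted configs (RFC 5737 addresses)
POLICY = "crypto isakmp policy 10\n authentication pre-share\n encryption 3des\n hash sha\n group 2\n"
ASA1 = """interface Ethernet0/0
 nameif outside
 ip address 203.0.113.66 255.255.255.192
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 198.51.100.2
tunnel-group asatoasa type ipsec-l2l
""" + POLICY
ASA2 = """interface Ethernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 set peer 203.0.113.66
tunnel-group asatoasa2 type ipsec-l2l
""" + POLICY

def audit(asa1=ASA1, asa2=ASA2):
    """Audit both directions; returns (findings for asa1, findings for asa2)."""
    a, b = parse_asa(asa1), parse_asa(asa2)
    return check_pair(a, b, "ASA1", "ASA2"), check_pair(b, a, "ASA2", "ASA1")
```

Run against the samples it reports the unbound crypto ACL on ASA2 and, on both sides, a tunnel-group that is not named after the peer address; adding the missing match address and peer-named tunnel-groups clears every finding.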
ASKER
Here you go. Both configs:
ASA1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.71 10.1.1.71 netmask 255.255.255.255
static (inside,outside) x.x.x.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) x.x.x.73 10.1.1.73 netmask 255.255.255.255
static (inside,outside) x.x.x.74 10.1.1.74 netmask 255.255.255.255
static (inside,outside) x.x.x.75 10.1.1.75 netmask 255.255.255.255
static (inside,outside) x.x.x.76 10.1.1.76 netmask 255.255.255.255
static (inside,outside) x.x.x.77 10.1.1.77 netmask 255.255.255.255
static (inside,outside) x.x.x.70 10.1.1.70 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.23.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group x.x.23.2 type ipsec-l2l
tunnel-group x.x.23.2 ipsec-attributes
pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
!
prompt hostname context
Cryptochecksum:f58f5a18a2f3531a3f1710d73b860390
: end
--------------------------------------------------
ASA2(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.23.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list acl_out extended permit tcp any host x.x.23.12 eq www
access-list acl_out extended permit tcp any host x.x.23.12 eq 5000
access-list acl_out extended permit tcp any host x.x.23.12 eq 5002
access-list acl_out extended permit tcp any host x.x.23.6 eq www
access-list acl_out extended permit tcp any host x.x.23.6 eq 5000
access-list acl_out extended permit tcp any host x.x.23.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.2.0 255.255.255.0 host 10.1.1.70
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.23.6 10.1.2.6 netmask 255.255.255.255
static (inside,outside) x.x.23.12 10.1.2.12 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group x.x.x.66 type ipsec-l2l
tunnel-group x.x.x.66 ipsec-attributes
pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c2e4131013c321415ec904bf75a1efa8
: end
<><>><>><
ASA1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.71 10.1.1.71 netmask 255.255.255.255
static (inside,outside) x.x.x.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) x.x.x.73 10.1.1.73 netmask 255.255.255.255
static (inside,outside) x.x.x.74 10.1.1.74 netmask 255.255.255.255
static (inside,outside) x.x.x.75 10.1.1.75 netmask 255.255.255.255
static (inside,outside) x.x.x.76 10.1.1.76 netmask 255.255.255.255
static (inside,outside) x.x.x.77 10.1.1.77 netmask 255.255.255.255
static (inside,outside) x.x.x.70 10.1.1.70 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.23.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group x.x.23.2 type ipsec-l2l
tunnel-group x.x.23.2 ipsec-attributes
pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
!
prompt hostname context
Cryptochecksum:f58f5a18a2f
: end
--------------------------
ASA2(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.23.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list acl_out extended permit tcp any host x.x.23.12 eq www
access-list acl_out extended permit tcp any host x.x.23.12 eq 5000
access-list acl_out extended permit tcp any host x.x.23.12 eq 5002
access-list acl_out extended permit tcp any host x.x.23.6 eq www
access-list acl_out extended permit tcp any host x.x.23.6 eq 5000
access-list acl_out extended permit tcp any host x.x.23.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.2.0 255.255.255.0 host 10.1.1.70
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.23.6 10.1.2.6 netmask 255.255.255.255
static (inside,outside) x.x.23.12 10.1.2.12 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group x.x.x.66 type ipsec-l2l
tunnel-group x.x.x.66 ipsec-attributes
pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c2e4131013c
: end
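Before changing anything on the boxes it is worth checking mechanically that the two posted configs really are mirror images, because "no isakmp sas" on both ends means phase 1 is never completing, and the static causes of that are few and easy to test for: a `set peer` or `tunnel-group` address that is not the other side's outside address, ISAKMP not enabled on the interface the crypto map is bound to, no pre-shared key under the tunnel-group, no ISAKMP policy in common, a crypto ACL whose flows are not NAT-exempt (NAT runs before the crypto map, so a translated packet never matches the ACL), or simply traffic that does not hit the crypto ACL at all. The script below is an added example written for this thread, not code from the asker, the answerers or Cisco. It parses two ASA 7.x `show run` excerpts, checks each end's phase-1 prerequisites against the other, verifies the crypto ACLs mirror each other and are NAT-exempt, and reports whether a given flow would trigger the tunnel. The embedded configs are constructed excerpts modelled on the two posted ones; 192.0.2.66 and 198.51.100.2 are assumed stand-ins for the redacted x.x.x.66 and x.x.23.2.

```python
"""Cross-check both ends of an ASA 7.x site-to-site (L2L) IPsec tunnel for the static
mismatches that leave 'show crypto isakmp sa' empty.  Added example, not from the thread."""
from ipaddress import ip_address, ip_network
from types import SimpleNamespace

TOPLEVEL = {"hostname", "interface", "access-list", "nat", "crypto", "tunnel-group"}
MAP_KEYS = {"address": "acl", "peer": "peer"}          # 'match address' / 'set peer'
POLICY_KEYS = ("authentication", "encryption", "hash", "group")


def _net(t, i):
    """ACL address operand at t[i] ('any' | 'host X' | 'X MASK') -> (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_asa(text):
    """Pull the L2L-relevant commands out of 'show run' text; indentation is ignored."""
    c = SimpleNamespace(hostname="", interfaces={}, acls={}, nonat_acl="", map_entries={},
                        map_interface="", isakmp_ifaces=set(), policies={},
                        tunnel_groups={}, psk_groups=set())
    cur_if = policy = tg = None                       # sub-mode contexts
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] in TOPLEVEL:                          # a top-level command ends any sub-mode
            cur_if = policy = tg = None
        if t[0] == "hostname":
            c.hostname = t[1]
        elif t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if:
            c.interfaces[cur_if] = t[2]               # nameif -> address
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, i = _net(t, 5)
            c.acls.setdefault(t[1], []).append((t[4], src, _net(t, i)[0]))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            c.nonat_acl = t[4]                        # NAT-exemption ACL
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            c.map_interface = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) > 6 and t[5] in MAP_KEYS:
            c.map_entries.setdefault((t[2], t[3]), {})[MAP_KEYS[t[5]]] = t[6]  # 1st peer only
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            c.isakmp_ifaces.add(t[3])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = c.policies.setdefault(t[3], {})
        elif policy is not None and t[0] in POLICY_KEYS:
            policy[t[0]] = t[1]
        elif t[0] == "tunnel-group" and t[2] == "type":
            c.tunnel_groups[t[1]] = t[3]
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            tg = t[1]
        elif t[0] == "pre-shared-key" and tg:
            c.psk_groups.add(tg)
    return c


def check_pair(a, b):
    """Phase-1 prerequisites of each end checked against the other, plus the crypto-ACL
    mirror.  An empty list means the configs agree; then look at the PSK value,
    UDP/500 reachability between the peers, or interesting traffic instead."""
    findings, entries = [], []
    for local, remote in ((a, b), (b, a)):
        peer = remote.interfaces.get(remote.map_interface)   # what 'set peer' must name
        hits = [e for e in local.map_entries.values() if e.get("peer") == peer]
        if not hits:
            findings.append(f"{local.hostname}: no crypto map entry with 'set peer {peer}'")
            continue
        entries.append(hits[0])
        if local.map_interface not in local.isakmp_ifaces:
            findings.append(f"{local.hostname}: isakmp not enabled on {local.map_interface}")
        if local.tunnel_groups.get(peer) != "ipsec-l2l":
            findings.append(f"{local.hostname}: missing 'tunnel-group {peer} type ipsec-l2l'")
        elif peer not in local.psk_groups:
            findings.append(f"{local.hostname}: tunnel-group {peer} has no pre-shared-key")
        nonat = {(s, d) for _, s, d in local.acls.get(local.nonat_acl, [])}
        for _, s, d in local.acls.get(hits[0].get("acl"), []):   # VPN flows must skip NAT
            if (s, d) not in nonat:
                findings.append(f"{local.hostname}: {s} -> {d} in crypto ACL but not NAT-exempt")
    if len(entries) == 2:
        fwd = {(s, d) for _, s, d in a.acls.get(entries[0].get("acl"), [])}
        rev = {(d, s) for _, s, d in b.acls.get(entries[1].get("acl"), [])}
        if fwd != rev:
            findings.append("crypto ACLs are not mirror images of each other")
        pa = {tuple(p.get(k) for k in POLICY_KEYS) for p in a.policies.values()}
        pb = {tuple(p.get(k) for k in POLICY_KEYS) for p in b.policies.values()}
        if not pa & pb:
            findings.append("no ISAKMP policy in common (authentication/encryption/hash/group)")
    return findings


def flow_triggers_tunnel(cfg, src, dst):
    """(hits a crypto ACL, is NAT-exempt) for one src->dst flow on this end.  NAT runs
    before the crypto-map check, so both should be True or no ISAKMP is ever initiated."""
    s, d = ip_address(src), ip_address(dst)

    def hit(acl):
        return any(s in sn and d in dn for _, sn, dn in cfg.acls.get(acl, []))
    return any(hit(e.get("acl")) for e in cfg.map_entries.values()), hit(cfg.nonat_acl)


def sample_cfg(host, outside, local_net, remote_net, peer):
    """Constructed 'show run' excerpt modelled on the thread's configs (not the real devices)."""
    return f"""hostname {host}
nameif outside
ip address {outside}
access-list 110 extended permit ip {local_net} {remote_net}
access-list nonat extended permit ip {local_net} {remote_net}
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer {peer}
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
pre-shared-key *
"""


# Assumption: 192.0.2.66 and 198.51.100.2 stand in for the thread's redacted x.x.x.66 / x.x.23.2.
ASA1_CFG = sample_cfg("ASA1", "192.0.2.66 255.255.255.192", "10.1.1.0 255.255.255.0",
                      "10.1.2.0 255.255.255.0", "198.51.100.2")
ASA2_CFG = sample_cfg("ASA2", "198.51.100.2 255.255.255.0", "10.1.2.0 255.255.255.0",
                      "10.1.1.0 255.255.255.0", "192.0.2.66")

if __name__ == "__main__":
    a, b = parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)
    print(check_pair(a, b) or "no static mismatch", flow_triggers_tunnel(a, "10.1.1.70", "10.1.2.6"))
```

Run against the two configs as posted, `check_pair` reports nothing and `flow_triggers_tunnel` says a ping from 10.1.1.70 to 10.1.2.6 both hits the crypto ACL and is NAT-exempt, which matches what the thread shows: the lines on the two boxes agree. That narrows the remaining causes of an empty `show crypto isakmp sa` to things the config text cannot show: the pre-shared key itself (it is masked in `show run`, so retype it on both ends), whether UDP/500 from x.x.x.66 actually reaches x.x.23.2 (a `capture` on each outside interface for traffic between the two peers, and `debug crypto isakmp 127` while pinging), and whether the test traffic is entering the crypto path at all (`packet-tracer input inside icmp 10.1.1.70 8 0 10.1.2.6` on ASA1, available from 7.2(1)). To reuse the checker on a real pair, paste each device's `show run` into `parse_asa` in place of the constructed excerpts.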
add the following on both devices
crypto isakmp identity address
Let me know
I do not see the Crypto-map ISAKMP. Try adding the following
crypto map Outside_map 20 ipsec-isakmp
This crypto map defines the IKE SA.
ASKER
There are no ipsec sas
There are no isakmp sas
All I still see is 0 stats. Any other suggestions.