Cisco ASA 5510 site to site VPN tunnel issue : asa, cisco, vpn, site, tunnel

May 16, 2008 11:25pm pdt

1. batry_boy 55,660
2. lrmoore 22,725
3. arnold 12,000
4. RobWill 11,200
5. mkielar 10,500
6. dpk_wal 8,625
7. ebjers 8,130
8. SteveH_UK 8,000
9. mwecompu... 7,985
10. trinak96 7,865
11. MrHusy 7,000
12. Cyclops3590 6,900
13. PeteLong 5,975
14. Voltz-dk 5,920
15. keith_al... 4,700

1. lrmoore 282,067
2. RobWill 166,424
3. richrumble 111,037
4. batry_boy 102,035
5. rsivanandan 47,017
6. ahoffmann 44,523
7. grblades 35,012
8. pseudocyber 34,059
9. Cyclops3590 31,775
10. tim_holman 27,445
11. kbbcnet 26,524
12. arnold 25,260
13. Tolomir 23,651
14. sciwriter 23,050
15. keith_al... 22,600

03.30.2007 at 09:52PM PDT, ID: 22484290

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.0

Cisco ASA 5510 site to site VPN tunnel issue

Zones: IPSec Security Protocol, Virtual Private Networking (VPN), Enterprise Firewalls

Tags: asa, cisco, vpn, site, tunnel

After using the ASDM wizard to setup the tunnel between two ASA 5510, I still cannot communicate between the local inside network and the remote inside network. Can anyone please take a look at my config and shed some knowledge my way. Thanks.

ASA1# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list acl_out extended permit tcp x.x.53.0 255.255.255.0 x.x.x.64 255.255.255.192 eq 3389
access-list acl_out extended permit tcp x.x.53.0 255.255.255.0 x.x.x.64 255.255.255.192 eq 4899
access-list acl_out extended permit icmp any any echo-reply
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list site-to-site extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.2 (this is the remote outside ip address)a
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group asatoasa type ipsec-l2l
tunnel-group asatoasa ipsec-attributes
pre-shared-key *

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: djroh

Solution Provided By: batry_boy

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

03.31.2007 at 05:33AM PDT, ID: 18828432

Rank: Wizard

batry_boy:

From the CLI, try removing (use the "no" form of the command):

crypto map outside_map 20 set pfs

from both sides and adding

crypto isakmp nat-traversal

to both sides.

Then, try a ping again and make sure the tunnel is coming up to begin with. Issue the command:

show crypto isakmp sa

And see if you see the tunel in with MM_ACTIVE state. You can also do a

show crypto ipsec sa

to see the amount of traffic being sent down the tunnel. What do you see?

Accepted Solution

03.31.2007 at 07:31AM PDT, ID: 18828661

djroh:

Ok I have removed the crypto map_outside map 20 set pfs and selected the sho crypto isakmp sa and sho crypto ipsec sa and my resutls were:

There are no ipsec sas
There are no isakmp sas

All I still see is 0 stats. Any other suggestions.

03.31.2007 at 08:54AM PDT, ID: 18828839

djroh:

I also added the crypto isakmp nat-traversal on both side. Still no connection. Thanks..

03.31.2007 at 02:34PM PDT, ID: 18829796

Rank: Wizard

batry_boy:

Issue the following commands:

debug crypto isakmp 200
debug crypto ipsec 200
debug crypto engine 200

Then try to ping a remote host and watch to see if you see any messages on the screen indicating that the tunnel is trying to be brought up...you should see tons of messages if it is trying.

If you see the debug messages, please post. If you don't see any messages, please post the remote site ASA config so we can compare the configs and make sure everything looks right...

03.31.2007 at 04:54PM PDT, ID: 18830408

djroh:

Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
User 'enable_15' executed the 'ping 10.1.2.6' command.
Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388

Here is the remote config:

ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

access-list acl_out extended permit tcp any host x.x.x.12 eq www
access-list acl_out extended permit tcp any host x.x.x.12 eq 5000
access-list acl_out extended permit tcp any host x.x.x.12 eq 5002
access-list acl_out extended permit tcp any host x.x.x.6 eq www
access-list acl_out extended permit tcp any host x.x.x.6 eq 5000
access-list acl_out extended permit tcp any host x.x.x.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) x.x.x.12 10.1.2.12 netmask 255.255.255.255
static (inside,outside) x.x.x.6 10.1.2.6 netmask 255.255.255.255

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20

tunnel-group asatoasa2 type ipsec-l2l
tunnel-group asatoasa2 ipsec-attributes
pre-shared-key *

telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

prompt hostname context
Cryptochecksum:ff2c7d84927360fef8acfacd302215ed
: end

04.02.2007 at 08:01AM PDT, ID: 18836869

djroh:

batry boy, I forgot to mention on one end of the cisco asa, I have cisco router as well. Here is the config on that:

Router#sh run
Building configuration...

Current configuration : 2610 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot system disk0:c7200-jk9o3s-mz.123-3.bin
boot system disk1:c7200-jk9o3s-mz.123-3.bin
boot bootldr bootflash:c7200-boot-mz.120-2.XE2
boot-end-marker
!
enable secret 5 $1$r6HJ$TnPlU4u.3aQAn8R8tIJUA.
!
username sadmin password 7 11274A4E47025E
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login ops local-case
aaa session-id common
ip subnet-zero
!
!
ip domain name blank.com
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
no voice hpi capture buffer
no voice hpi capture destination
!
controller T1 1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 1/1
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 1/2
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 1/3
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
interface FastEthernet0/0
description VDat LAN
ip address x.x.x.1 255.255.255.0
no ip redirects
no ip mroute-cache
duplex full
no cdp enable
!
interface Serial1/0:0
ip address x.x.x.98 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
interface Serial1/1:0
ip address x.x.x.114 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
interface Serial1/2:0
ip address x.x.x.122 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
interface Serial1/3:0
ip address x.x.x.126 255.255.255.252
ip load-sharing per-packet
encapsulation ppp
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.97
ip route 0.0.0.0 0.0.0.0 x.x.x.113
ip route 0.0.0.0 0.0.0.0 x.x.x.121
ip route 0.0.0.0 0.0.0.0 x.x.x.125
no ip http server
no ip http secure-server
!
access-list 101 permit ip host x.x.x.66 any
no cdp run
!
dial-peer cor custom
!
gatekeeper
shutdown
!
end

04.02.2007 at 09:21AM PDT, ID: 18837526

Rank: Wizard

batry_boy:

Your debug output that you posted did not show that a tunnel is even trying to establish when you ping a remote host on the other side of the tunnel. What host did you try to ping?

04.02.2007 at 09:25AM PDT, ID: 18837555

Rank: Wizard

batry_boy:

Never mind...I see it.

Set up an ACL to reference in a capture command:

access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
capture vpncap access-list cap_acl interface inside

Then perform your "ping 10.1.2.6" test again from a host on the 10.1.1.0 network. Then look at your capture to see what it says and post the output:

show capture vpncap

04.02.2007 at 10:42AM PDT, ID: 18838148

djroh:

Here is the logs and show capture vpncap below.

6 Apr 02 2007      13:37:25      302021      10.1.2.6      x.x.x.66       Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5      Apr 02 2007      13:37:25      111008                   User 'enable_15' executed the 'ping 10.1.2.6' command.
6      Apr 02 2007      13:37:15      302020      10.1.2.6      x.x.x.66       Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5      Apr 02 2007      13:37:09      111008                   User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.
5      Apr 02 2007      13:37:03      111008                   User 'enable_15' executed the 'capture vpncap access-list cap_acl interface inside' command.
5      Apr 02 2007      13:37:01      111008                   User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.

sh capture vpncap
0 packet captured
0 packet shown

04.02.2007 at 10:56AM PDT, ID: 18838256

Rank: Wizard

batry_boy:

That looks like syslog output. I'm talking about the debug output from a console session on the ASA.

04.02.2007 at 11:08AM PDT, ID: 18838346

djroh:

when I run the command sh capturn vpngroup I get:

sh capture vpncap
4 packets captured
1: 13:51:02.300780 10.1.1.71 > 10.1.2.6: icmp: echo request
2: 13:51:07.386759 10.1.1.71 > 10.1.2.6: icmp: echo request
3: 13:51:12.887390 10.1.1.71 > 10.1.2.6: icmp: echo request
4: 13:51:18.388087 10.1.1.71 > 10.1.2.6: icmp: echo request
4 packets shown

04.02.2007 at 11:30AM PDT, ID: 18838510

djroh:

Any access I need to set on the cisco router that I posted. Please let me know.

04.02.2007 at 01:53PM PDT, ID: 18839548

Rank: Wizard

batry_boy:

When you are pinging the remote host and are looking at the ASA and you have the debug levels for ISAKMP, IPSEC and the crypto engine set at level 200, you should see output similar to the following that shows the tunnel is trying to come up:

asa# Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=27e6e24e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=4ee452d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a72a709)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=a40931cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=235f0f5a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7a72a709)

Do you see anything like this?

04.02.2007 at 02:18PM PDT, ID: 18839695

djroh:

I have the debug level at 200 and the vpn capture as you have recommended. I do not see the output that you posted. I'm pinging the 10.1.2.6 and all I get is that echo request. Debug messages should pop up right on the CLI correct? I'm on limbo on this. I appreciate all your help.

04.02.2007 at 02:28PM PDT, ID: 18839763

Rank: Wizard

batry_boy:

Yes, you should see the debug output in the CLI.

I just noticed on your remote ASA config that you don't have a line that specifies the crypto ACL. You need to add a line to the remote config that looks like this:

crypto map outside_map 20 match address 110

If that doesn't fix it, please repost your current configs since I know you've made some changes since the last config posts.

04.02.2007 at 02:50PM PDT, ID: 18839886

djroh:

Here you go.. Both configs:<><><
<><>><>><

ASA1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.71 10.1.1.71 netmask 255.255.255.255
static (inside,outside) x.x.x.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) x.x.x.73 10.1.1.73 netmask 255.255.255.255
static (inside,outside) x.x.x.74 10.1.1.74 netmask 255.255.255.255
static (inside,outside) x.x.x.75 10.1.1.75 netmask 255.255.255.255
static (inside,outside) x.x.x.76 10.1.1.76 netmask 255.255.255.255
static (inside,outside) x.x.x.77 10.1.1.77 netmask 255.255.255.255
static (inside,outside) x.x.x.70 10.1.1.70 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.23.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group x.x.23.2 type ipsec-l2l
tunnel-group x.x.23.2 ipsec-attributes
pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
!
prompt hostname context
Cryptochecksum:f58f5a18a2f3531a3f1710d73b860390
: end

--------------------------------------------------------------------------------------------

ASA2(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.23.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list acl_out extended permit tcp any host x.x.23.12 eq www
access-list acl_out extended permit tcp any host x.x.23.12 eq 5000
access-list acl_out extended permit tcp any host x.x.23.12 eq 5002
access-list acl_out extended permit tcp any host x.x.23.6 eq www
access-list acl_out extended permit tcp any host x.x.23.6 eq 5000
access-list acl_out extended permit tcp any host x.x.23.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.2.0 255.255.255.0 host 10.1.1.70
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.23.6 10.1.2.6 netmask 255.255.255.255
static (inside,outside) x.x.23.12 10.1.2.12 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group x.x.x.66 type ipsec-l2l
tunnel-group x.x.x.66 ipsec-attributes
pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c2e4131013c321415ec904bf75a1efa8
: end

JEEGO

01.02.2008 at 02:04PM PST, ID: 20568587

add the following on both devices

crypto isakmp identity address

Let me know

20080236-EE-VQP-29