01.17.2008 at 03:01PM PST, ID: 23091949
L2L VPN between Cisco ASA5510 and Watchdog Firebox not working

Tags: asa, firebox, 5510
I have set up a VPN from our corp. site, which uses an ASA 5510, to a remote site with the watchdog. If the remote site initiates the traffic via ICMP, the tunnel builds and it seems to work; only the replies never make it back to the remote site. When a host on my network initiates the traffic, nothing happens: no phase 1, nothing. Below is the config of my ASA, to see if it's something I have done wrong. I have spent too much time here, so any help is appreciated.

ASA Version 7.0(6)
!
hostname Corp
domain-name my.net
enable password NjbVwqCOcHgOwXAw encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 64.73.x.x 255.255.255.192 standby 64.73.x.x
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.126.4 255.255.255.0 standby 10.1.126.5
!
interface Ethernet0/2
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd u6gwbwFJvYXXbZCX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group network ALLPRIVATENETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 10.2.1.0 255.255.255.0
 network-object 10.2.5.0 255.255.255.0
object-group network ConfigManagers
 network-object host 64.73.42.170
 network-object host 64.73.42.185
 network-object host 64.73.34.100
 network-object host 64.73.136.99
object-group network NimbusRootHubs
 network-object 64.73.50.208 255.255.255.240
 network-object 64.73.141.224 255.255.255.240
object-group network Monitoring
 network-object host 64.73.34.97
 network-object host 64.73.136.103
object-group service CommonTCP tcp
 port-object eq www
 port-object eq https
 port-object eq domain
 port-object eq ftp
 port-object eq smtp
object-group service CommonUDP udp
 port-object eq domain
 port-object eq ntp
object-group service REMACCS-PortsTCP tcp
 port-object eq 3389
 port-object eq citrix-ica
 port-object eq telnet
 port-object eq ssh
 port-object eq pcanywhere-data
object-group service REMACCS-PortsUDP udp
 port-object eq pcanywhere-status
 port-object eq 1604
object-group network NimbusSNMPCollectors
 network-object host 64.73.50.211
 network-object host 64.73.50.212
 network-object host 64.73.141.227
 network-object host 64.73.141.228
object-group network TSMServers
 network-object host 64.73.0.158
 network-object host 64.73.128.158
object-group service TSMPorts tcp
 port-object eq 1500
object-group network REMACCS-Hosts
 network-object host 64.73.42.168
object-group network ScanNetworks
 description Security scanning source IP addresses. A deny should be on the bottom of the outside ACL.
 network-object host 64.73.34.170
access-list inside_nat0_outbound extended permit ip any 10.1.126.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.125.0 255.255.255.0 10.1.126.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 10.1.126.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 host 143.159.8.178
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.1.125.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.125.0 255.255.255.0 host 143.159.8.178
access-list inside_nat0_outbound extended permit ip 10.1.125.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 host 143.159.8.178
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.125.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.125.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 10.1.124.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list outside_cryptomap_60 extended permit ip 10.1.124.0 255.255.255.0 host 143.159.8.178
access-list outside_cryptomap_60 extended permit ip 10.1.124.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 10.1.125.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list outside_cryptomap_60 extended permit ip 10.1.125.0 255.255.255.0 host 143.159.8.178
access-list outside_cryptomap_60 extended permit ip 10.1.125.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 10.1.126.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list outside_cryptomap_60 extended permit ip 10.1.126.0 255.255.255.0 host 143.159.8.178
access-list outside_cryptomap_60 extended permit ip 10.1.126.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.124.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.124.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.125.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.125.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.126.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.126.0 255.255.255.0 10.2.5.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging emblem
logging monitor critical
logging buffered alerts
logging trap warnings
logging asdm informational
logging facility 23
logging ftp-bufferwrap
logging ftp-server 10.1.124.20 /tturner.FTP hdusa\tturner ****
no logging message 110001
logging message 713213 level warnings
logging message 713214 level warnings
logging message 109005 level critical
logging message 106014 level warnings
logging message 109012 level critical
logging message 106006 level warnings
logging message 713123 level warnings
logging message 713122 level warnings
logging message 106001 level warnings
logging message 313001 level warnings
logging message 713902 level warnings
logging message 106021 level warnings
logging message 713119 level warnings
logging message 305006 level warnings
logging message 305005 level warnings
logging message 713060 level warnings
logging message 710003 level warnings
logging message 713048 level warnings
logging message 111009 level critical
logging message 111008 level critical
logging message 110001 level warnings
logging message 713235 level warnings
logging message 112001 level warnings
mtu outside 1500
mtu inside 1500
ip local pool IT 10.1.125.200-10.1.125.250 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface stateful Ethernet0/2
failover polltime unit 1 holdtime 3
failover polltime interface 4
failover key *****
failover mac address Ethernet0/0 001b.0c38.e2e8 001b.0c38.e392
failover mac address Ethernet0/1 001b.0c38.e2e9 001b.0c38.e393
failover link stateful Ethernet0/2
failover interface ip stateful 192.168.254.1 255.255.255.252 standby 192.168.254.2
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 64.73.27.65 1
route inside 10.1.124.0 255.255.255.0 10.1.126.1 1
route inside 10.1.125.0 255.255.255.0 10.1.126.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  port-forward-name value Application Access
username tturner password GYqIyHCIqI1WrvE6 encrypted privilege 15
username mdieter password fUGjF1Nosc62qBRu encrypted privilege 15
username jatkins password DkyvAzTE.o9zggfd encrypted privilege 15
http server enable
http 65.x.55.0 255.255.255.0 outside
http 172.19.16.0 255.255.252.0 inside
http 172.19.16.0 255.255.248.0 inside
http 172.19.0.0 255.255.0.0 inside
http 0.0.18.0 0.0.255.255 inside
http 172.19.18.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 65.247.x.x
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 209.60.x.x
crypto map outside_map 80 set transform-set ESP-3DES-MD5
crypto map outside_map 80 set security-association lifetime seconds 86400
crypto map outside_map 80 set security-association lifetime kilobytes 128000
crypto map outside_map 80 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20
isakmp disconnect-notify
isakmp reload-wait
group-delimiter !
tunnel-group DefaultRAGroup general-attributes
 address-pool IT
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10
tunnel-group 209.60.x.x type ipsec-l2l
tunnel-group 209.60.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 5
tunnel-group 65.247.x.x type ipsec-l2l
tunnel-group 65.247.x.x ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
tunnel-group-map default-group DefaultL2LGroup
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 150
telnet timeout 5
ssh 64.73.x.x 255.255.255.255 outside
ssh 64.73.x.x 255.255.255.255 outside
ssh 65.247.x.x 255.255.255.0 outside
ssh 64.73.x.x 255.255.255.255 outside
ssh 172.19.18.0 255.255.254.0 inside
ssh timeout 10
ssh version 2
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
ntp server 64.73.0.24 source outside prefer
ntp server 64.73.0.56 source outside
ntp server 64.73.128.24 source outside
ntp server 64.73.128.56 source outside
Cryptochecksum:29ae897e7309f02929e52488584926b3
Question Stats
Zone: Networking
Question Asked By: cartunes25
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A
Views: 28
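The symptom "nothing happens, no phase 1" on locally initiated traffic is what an ASA does when a flow matches no crypto-map ACL: only "interesting" traffic triggers IKE. The script below is an added example, not part of the original question or of any answer on this page. It parses access-list, crypto map and nat 0 lines written in the style of the posted config (a constructed subset of that config is embedded, with the redacted peers kept as written and used only as labels) and, for a given source/destination pair, reports which crypto map entry and peer would be selected and whether the flow is NAT-exempt. It also prints the mirror image of a crypto ACL, which is the set of proxy IDs the remote peer has to present for phase 2 to agree. The function names are this example's own, not ASA commands.

```python
"""Check which flows an ASA crypto map treats as interesting traffic (added example)."""
import ipaddress

# Constructed subset of the posted ASA config: nat0 list, both crypto-map ACLs,
# and the crypto map / nat 0 statements that bind them.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.1.126.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 host 143.159.8.178
access-list inside_nat0_outbound extended permit ip 10.1.124.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.126.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 10.1.124.0 255.255.255.0 172.19.18.0 255.255.254.0
access-list outside_cryptomap_60 extended permit ip 10.1.126.0 255.255.255.0 host 143.159.8.178
access-list outside_cryptomap_60 extended permit ip 10.1.126.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.126.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list outside_cryptomap_80 extended permit ip 10.1.126.0 255.255.255.0 10.2.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 65.247.x.x
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 209.60.x.x
"""


def _endpoint(tokens, i):
    """Parse one ACE endpoint starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a regular subnet mask, not a wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect 'ip' ACEs per ACL name, crypto map entries by sequence, and the nat 0 ACL."""
    acls, crypto_maps, nat0 = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 6 and t[2] == "extended" and t[4] == "ip":
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            acls.setdefault(t[1], []).append((t[3], src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            entry = crypto_maps.setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return {"acls": acls, "crypto_maps": crypto_maps, "nat0": nat0}


def first_match(aces, src, dst):
    """Action of the first ACE matching the flow, or None for the implicit deny."""
    for action, s, d in aces:
        if src in s and dst in d:
            return action
    return None


def classify_flow(cfg, src_ip, dst_ip):
    """Which crypto map entry (lowest sequence first) and peer would carry the flow, and NAT exemption."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    result = {"crypto_seq": None, "peer": None, "nat_exempt": False}
    for seq in sorted(cfg["crypto_maps"]):
        entry = cfg["crypto_maps"][seq]
        if first_match(cfg["acls"].get(entry.get("acl"), []), src, dst) == "permit":
            result["crypto_seq"], result["peer"] = seq, entry.get("peer")
            break
    if cfg["nat0"]:
        result["nat_exempt"] = first_match(cfg["acls"][cfg["nat0"]], src, dst) == "permit"
    return result


def mirror_acl(aces):
    """Proxy IDs the remote peer must present: source and destination swapped."""
    return [(action, d, s) for action, s, d in aces]


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for flow in [("10.1.126.50", "10.2.1.10"), ("10.1.124.5", "172.19.18.7"), ("10.1.126.50", "10.2.9.1")]:
        r = classify_flow(cfg, *flow)
        verdict = (f"crypto map seq {r['crypto_seq']} -> peer {r['peer']}" if r["crypto_seq"]
                   else "no crypto ACL match: not interesting traffic, IKE will not be triggered from this side")
        print(f"{flow[0]} -> {flow[1]}: {verdict}; nat_exempt={r['nat_exempt']}")
    for action, s, d in mirror_acl(cfg["acls"]["outside_cryptomap_80"]):
        print(f"remote side of map 80 must {action} {s} -> {d}")
```

Run it with the real inside host and remote host addresses substituted; a flow that prints "no crypto ACL match" explains a silent phase 1 on the ASA side, and a flow that does match narrows the problem to the peer's selectors or the return path.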
01.20.2008 at 06:01AM PST, ID: 20701097

Rank: Sage

All comments and solutions are available to Premium Service Members only.

01.20.2008 at 06:02AM PST, ID: 20701100

Rank: Sage

01.20.2008 at 10:09AM PST, ID: 20701919

01.20.2008 at 10:14AM PST, ID: 20701929

01.20.2008 at 10:22AM PST, ID: 20701953

Rank: Sage