Solved

Cisco ASA 5510 site to site VPN tunnel issue

Posted on 2007-03-30
18
23,847 Views
Last Modified: 2013-11-16
After using the ASDM wizard to setup the tunnel between two ASA 5510,  I still cannot communicate between the local inside network and the remote inside network.  Can anyone please take a look at my config and shed some knowledge my way.  Thanks.

ASA1# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list acl_out extended permit tcp x.x.53.0 255.255.255.0 x.x.x.64 255.255.255.192 eq 3389
access-list acl_out extended permit tcp x.x.53.0 255.255.255.0 x.x.x.64 255.255.255.192 eq 4899
access-list acl_out extended permit icmp any any echo-reply
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list site-to-site extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.2                (this is the remote outside ip address)a
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group asatoasa type ipsec-l2l
tunnel-group asatoasa ipsec-attributes
 pre-shared-key *
0
Comment
Question by:djroh
18 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 18828432
From the CLI, try removing (use the "no" form of the command):

crypto map outside_map 20 set pfs

from both sides and adding

crypto isakmp nat-traversal

to both sides.

Then, try a ping again and make sure the tunnel is coming up to begin with.  Issue the command:

show crypto isakmp sa

And see if you see the tunel in with MM_ACTIVE state.  You can also do a

show crypto ipsec sa

to see the amount of traffic being sent down the tunnel.  What do you see?
0
 

Author Comment

by:djroh
ID: 18828661
Ok I have removed the crypto map_outside map 20 set pfs and selected the sho crypto isakmp sa and sho crypto ipsec sa and my resutls were:

There are no ipsec sas
There are no isakmp sas
 
All I still see is 0 stats.  Any other suggestions.
0
 

Author Comment

by:djroh
ID: 18828839
I also added the crypto isakmp nat-traversal on both side.  Still no connection.  Thanks..
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18829796
Issue the following commands:

debug crypto isakmp 200
debug crypto ipsec 200
debug crypto engine 200

Then try to ping a remote host and watch to see if you see any messages on the screen indicating that the tunnel is trying to be brought up...you should see tons of messages if it is trying.

If you see the debug messages, please post.  If you don't see any messages, please post the remote site ASA config so we can compare the configs and make sure everything looks right...
0
 

Author Comment

by:djroh
ID: 18830408
Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
User 'enable_15' executed the 'ping 10.1.2.6' command.
Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388

Here is the remote config:

ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid

access-list acl_out extended permit tcp any host x.x.x.12 eq www
access-list acl_out extended permit tcp any host x.x.x.12 eq 5000
access-list acl_out extended permit tcp any host x.x.x.12 eq 5002
access-list acl_out extended permit tcp any host x.x.x.6 eq www
access-list acl_out extended permit tcp any host x.x.x.6 eq 5000
access-list acl_out extended permit tcp any host x.x.x.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0


pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) x.x.x.12 10.1.2.12 netmask 255.255.255.255
static (inside,outside) x.x.x.6 10.1.2.6 netmask 255.255.255.255

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20

tunnel-group asatoasa2 type ipsec-l2l
tunnel-group asatoasa2 ipsec-attributes
 pre-shared-key *

telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

prompt hostname context
Cryptochecksum:ff2c7d84927360fef8acfacd302215ed
: end

0
 

Author Comment

by:djroh
ID: 18836869
batry boy, I forgot to mention on one end of the cisco asa, I have cisco router as well.  Here is the config on that:

Router#sh run
Building configuration...

Current configuration : 2610 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot system disk0:c7200-jk9o3s-mz.123-3.bin
boot system disk1:c7200-jk9o3s-mz.123-3.bin
boot bootldr bootflash:c7200-boot-mz.120-2.XE2
boot-end-marker
!
enable secret 5 $1$r6HJ$TnPlU4u.3aQAn8R8tIJUA.
!
username sadmin password 7 11274A4E47025E
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login ops local-case
aaa session-id common
ip subnet-zero
!
!
ip domain name blank.com
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
no voice hpi capture buffer
no voice hpi capture destination
!
controller T1 1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 1/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 1/2
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
controller T1 1/3
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
interface FastEthernet0/0
 description VDat LAN
 ip address x.x.x.1 255.255.255.0
 no ip redirects
 no ip mroute-cache
 duplex full
 no cdp enable
!
interface Serial1/0:0
 ip address x.x.x.98 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
interface Serial1/1:0
 ip address x.x.x.114 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
interface Serial1/2:0
 ip address x.x.x.122 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
interface Serial1/3:0
 ip address x.x.x.126 255.255.255.252
 ip load-sharing per-packet
 encapsulation ppp
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.97
ip route 0.0.0.0 0.0.0.0 x.x.x.113
ip route 0.0.0.0 0.0.0.0 x.x.x.121
ip route 0.0.0.0 0.0.0.0 x.x.x.125
no ip http server
no ip http secure-server
!
access-list 101 permit ip host x.x.x.66 any
no cdp run
!
dial-peer cor custom
!
gatekeeper
 shutdown
!
end
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18837526
Your debug output that you posted did not show that a tunnel is even trying to establish when you ping a remote host on the other side of the tunnel.  What host did you try to ping?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18837555
Never mind...I see it.

Set up an ACL to reference in a capture command:

access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
capture vpncap access-list cap_acl interface inside

Then perform your "ping 10.1.2.6" test again from a host on the 10.1.1.0 network.  Then look at your capture to see what it says and post the output:

show capture vpncap
0
 

Author Comment

by:djroh
ID: 18838148
Here is the logs and show capture vpncap below.

6                    Apr 02 2007      13:37:25      302021      10.1.2.6      x.x.x.66       Teardown ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5      Apr 02 2007      13:37:25      111008                   User 'enable_15' executed the 'ping 10.1.2.6' command.
6      Apr 02 2007      13:37:15      302020      10.1.2.6      x.x.x.66       Built ICMP connection for faddr 10.1.2.6/0 gaddr x.x.x.66/4388 laddr x.x.x.66/4388
5      Apr 02 2007      13:37:09      111008                   User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.
5      Apr 02 2007      13:37:03      111008                   User 'enable_15' executed the 'capture vpncap access-list cap_acl interface inside' command.
5      Apr 02 2007      13:37:01      111008                   User 'enable_15' executed the 'access-list cap_acl permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6' command.


sh capture vpncap
0 packet captured
0 packet shown

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 28

Expert Comment

by:batry_boy
ID: 18838256
That looks like syslog output.  I'm talking about the debug output from a console session on the ASA.
0
 

Author Comment

by:djroh
ID: 18838346
when I run the command sh capturn vpngroup I get:

sh capture vpncap
4 packets captured
   1: 13:51:02.300780 10.1.1.71 > 10.1.2.6: icmp: echo request
   2: 13:51:07.386759 10.1.1.71 > 10.1.2.6: icmp: echo request
   3: 13:51:12.887390 10.1.1.71 > 10.1.2.6: icmp: echo request
   4: 13:51:18.388087 10.1.1.71 > 10.1.2.6: icmp: echo request
4 packets shown


0
 

Author Comment

by:djroh
ID: 18838510
Any access I need to set on the cisco router that I posted.  Please let me know.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18839548
When you are pinging the remote host and are looking at the ASA and you have the debug levels for ISAKMP, IPSEC and the crypto engine set at level 200, you should see output similar to the following that shows the tunnel is trying to come up:

asa# Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=27e6e24e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4d485715)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=4ee452d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x7a72a709)
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing blank hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, constructing qm hash payload
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE SENDING Message (msgid=a40931cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1]: IP = x.x.x.2, IKE_DECODE RECEIVED Message (msgid=235f0f5a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing hash payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, processing notify payload
Apr 02 20:42:11 [IKEv1 DEBUG]: Group = x.x.x.2, IP = x.x.x.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7a72a709)


Do you see anything like this?
0
 

Author Comment

by:djroh
ID: 18839695
I have the debug level at 200 and the vpn capture as you have recommended.  I do not see the output that you posted.   I'm pinging the 10.1.2.6 and all I get is that echo request.  Debug messages should pop up right on the CLI correct?  I'm on limbo on this.  I appreciate all your help.

0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18839763
Yes, you should see the debug output in the CLI.

I just noticed on your remote ASA config that you don't have a line that specifies the crypto ACL.  You need to add a line to the remote config that looks like this:

crypto map outside_map 20 match address 110

If that doesn't fix it, please repost your current configs since I know you've made some changes since the last config posts.
0
 

Author Comment

by:djroh
ID: 18839886
Here you go.. Both configs:<><><
<><>><>><

ASA1(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA1
domain-name default.domain.invalid
enable password wOxhKGo/tyiLkXIn encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address x.x.x.66 255.255.255.192
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.1.0 255.255.255.0 host 10.1.2.6
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.71 10.1.1.71 netmask 255.255.255.255
static (inside,outside) x.x.x.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) x.x.x.73 10.1.1.73 netmask 255.255.255.255
static (inside,outside) x.x.x.74 10.1.1.74 netmask 255.255.255.255
static (inside,outside) x.x.x.75 10.1.1.75 netmask 255.255.255.255
static (inside,outside) x.x.x.76 10.1.1.76 netmask 255.255.255.255
static (inside,outside) x.x.x.77 10.1.1.77 netmask 255.255.255.255
static (inside,outside) x.x.x.70 10.1.1.70 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.23.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group x.x.23.2 type ipsec-l2l
tunnel-group x.x.23.2 ipsec-attributes
 pre-shared-key *
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
!
prompt hostname context
Cryptochecksum:f58f5a18a2f3531a3f1710d73b860390
: end

--------------------------------------------------------------------------------------------

ASA2(config)# sh run
: Saved
:
ASA Version 7.2(2)10
!
hostname ASA2
domain-name default.domain.invalid
enable password 5frNYRGa9UhR7jLh encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.23.2 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd w9ITcun.WwJmfyK5 encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list acl_out extended permit tcp any host x.x.23.12 eq www
access-list acl_out extended permit tcp any host x.x.23.12 eq 5000
access-list acl_out extended permit tcp any host x.x.23.12 eq 5002
access-list acl_out extended permit tcp any host x.x.23.6 eq www
access-list acl_out extended permit tcp any host x.x.23.6 eq 5000
access-list acl_out extended permit tcp any host x.x.23.6 eq 5002
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list cap_acl extended permit ip 10.1.2.0 255.255.255.0 host 10.1.1.70
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) x.x.23.6 10.1.2.6 netmask 255.255.255.255
static (inside,outside) x.x.23.12 10.1.2.12 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer x.x.x.66
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group x.x.x.66 type ipsec-l2l
tunnel-group x.x.x.66 ipsec-attributes
 pre-shared-key *
telnet 10.1.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c2e4131013c321415ec904bf75a1efa8
: end
0
 
LVL 1

Expert Comment

by:JEEGO
ID: 20568587
add the following on both devices

crypto isakmp identity address

Let me know
0
 
LVL 6

Expert Comment

by:davbouchard
ID: 23724579
I do not see the Crypto-map ISAKMP. Try adding following

crypto map Outside_map 20 ipsec-isakmp

This crypto map defines the IKE SA.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now