
ASA 5510 Site-to-Site VPN

Posted on 2007-07-30
Last Modified: 2008-01-09
I'm having trouble getting a Site-to-Site VPN stood up between a couple of ASA 5510s at remote locations. It doesn't look like the two ASAs are even attempting to bring up the tunnel - "show crypto ipsec sa" says there are no SAs. Here is some info regarding the locations and the configs of the two firewalls:

Location 1:
Internet IP: a.b.c.34
Internal IP: 192.168.40.0/24

Location 2:
Internet IP: x.y.z.116
Internal IP: 192.168.100.0/24

#########################################################################
# Firewall 1
#########################################################################

ASA Version 7.2(2)10
!
hostname *********
domain-name *******************
enable password *********** encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif Internet
 security-level 0
 ip address a.b.c.34 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif corporate
 security-level 75
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DSL
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ************* encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ************
object-group icmp-type icmp_allowed_into_corporateNet
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
 icmp-object echo
access-list internal_access_in remark allow internal users any icmp thru the firewall for now
access-list internal_access_in extended permit icmp any any
access-list internal_access_in remark allow anything outbound for now
access-list internal_access_in extended permit ip any any
access-list DSL_access_in extended permit icmp any any object-group icmp_allowed_into_corporateNet
access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
pager lines 50
logging enable
logging asdm informational
mtu Internet 1500
mtu corporate 1500
mtu DSL 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any corporate
icmp permit any DSL
asdm image disk0:/asdm522-54.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 10 interface
global (DSL) 10 interface
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 10 192.168.1.0 255.255.255.0
nat (corporate) 10 192.168.40.0 255.255.255.0
access-group internet_access_in in interface Internet
access-group internal_access_in in interface corporate
access-group DSL_access_in in interface DSL
route Internet 0.0.0.0 0.0.0.0 a.b.c.33 1 track 1
route corporate 192.168.1.0 255.255.255.0 192.168.40.8 1
route DSL 0.0.0.0 0.0.0.0 192.168.0.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 corporate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho a.b.c.33 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer x.y.z.116
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
tunnel-group x.y.z.116 type ipsec-l2l
tunnel-group x.y.z.116 ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 corporate
telnet 192.168.40.0 255.255.255.0 corporate
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect dns
!
service-policy asa_global_fw_policy global
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:716f3096c3c4381fafa9e15ea0c94fba
: end


#########################################################################
# Firewall 2
#########################################################################

ASA Version 7.2(2)10
!
hostname ******
domain-name *******************
enable password ********** encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Internet
 security-level 0
 ip address x.y.z.116 255.255.255.248 standby x.y.z.117
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif SomeNet
 security-level 100
 ip address 192.168.100.253 255.255.255.0 standby 192.168.100.254
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 0
 ip address 192.168.53.1 255.255.255.0 standby 192.168.53.2
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif corporate
 security-level 0
 ip address 192.168.48.1 255.255.255.0 standby 192.168.48.2
!
interface Management0/0
 description LAN/STATE Failover Interface
!
passwd ************ encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.precysesolutions.com
object-group icmp-type icmp_allowed_in
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list SomeNet_access_in extended permit ip any any
access-list Internet_access_in extended permit icmp any any object-group icmp_allowed_in
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu SomeNet 1500
mtu DMZ 1500
mtu corporate 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any SomeNet
icmp permit any DMZ
icmp permit any corporate
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
nat (SomeNet) 1 192.168.100.0 255.255.255.0
access-group Internet_access_in in interface Internet
access-group SomeNet_access_in in interface SomeNet
route Internet 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 SomeNet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer a.b.c.34
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group a.b.c.34 type ipsec-l2l
tunnel-group a.b.c.34 ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 SomeNet
telnet timeout 15
ssh timeout 5
console timeout 0
!
!
ntp authenticate
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:be267d2521225057f7eccf7195a95941
: end
Question by:j4llen
Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19597591
>access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
>access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
Do NOT put the remote host in the access-lists. Remove them and start over:
access-list Internet_20_cryptomap permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list corporate_nat0_outbound  permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0

Re-apply these because they disappear when you remove the acls in the first step:
nat (corporate) 0 access-list corporate_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap

Do the same on the remote site, mirror image:
no access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
no access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap
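
The rule in the accepted answer (the crypto and NAT-exemption ACLs name the remote network, and each side is the mirror image of the other) can be checked offline before a change window. This is an added example, not part of the original thread; the function names are hypothetical, and documentation addresses stand in for the masked a.b.c.34 and x.y.z.116.

```python
import ipaddress
import re

# Constructed excerpts of the configs posted in the question. The page masks
# the public addresses (a.b.c.34, x.y.z.116); documentation addresses stand in.
FW1_ORIGINAL = """
access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host 203.0.113.116
access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host 203.0.113.116
nat (corporate) 0 access-list corporate_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set peer 203.0.113.116
"""
FW2_ORIGINAL = """
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host 198.51.100.34
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host 198.51.100.34
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set peer 198.51.100.34
"""
# The same excerpts with the accepted answer's change applied.
FW1_FIXED = FW1_ORIGINAL.replace("host 203.0.113.116", "192.168.100.0 255.255.255.0")
FW2_FIXED = FW2_ORIGINAL.replace("host 198.51.100.34", "192.168.40.0 255.255.255.0")
# Firewall 1 as last posted: an extra ICMP-only crypto map entry (sequence 1).
FW1_FINAL = FW1_FIXED + """
access-list Internet_cryptomap_2 extended permit icmp 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map Internet_map 1 match address Internet_cryptomap_2
"""


def _net(tokens):
    """Consume one ASA address spec from tokens: 'any', 'host A' or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def parse(config):
    """Return (crypto ACL entries, nat 0 ACL entries, peer addresses)."""
    raw, crypto, nat0, peers = {}, [], [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+(\S+)\s+(.+)", line):
            raw.setdefault(m[1], []).append((m[2], m[3].split()))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto.append(m[1])
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peers.add(ipaddress.ip_address(m[1]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0.append(m[1])

    def entries(names):
        # Only ACLs referenced by a crypto map or nat 0 statement are parsed.
        out = []
        for name in names:
            for proto, tokens in raw.get(name, []):
                tokens = list(tokens)
                out.append((proto, _net(tokens), _net(tokens)))
        return out

    return entries(crypto), entries(nat0), peers


def audit(local_cfg, remote_cfg):
    """Findings for the local device's crypto ACL, checked against the remote device."""
    crypto, nat0, peers = parse(local_cfg)
    remote_crypto, _, _ = parse(remote_cfg)
    findings = []
    for proto, src, dst in crypto:
        rule = f"{proto} {src} -> {dst}"
        if dst.prefixlen == 32 and dst.network_address in peers:
            findings.append(f"{rule}: destination is the tunnel peer, not the remote network")
        if (proto, dst, src) not in remote_crypto:
            findings.append(f"{rule}: no mirror-image entry in the peer's crypto ACL")
        if not any(p in ("ip", proto) and src.subnet_of(s) and dst.subnet_of(d)
                   for p, s, d in nat0):
            findings.append(f"{rule}: not covered by a NAT exemption (nat 0) ACL")
    return findings


if __name__ == "__main__":
    for name, a, b in [("original", FW1_ORIGINAL, FW2_ORIGINAL),
                       ("fixed", FW1_FIXED, FW2_FIXED),
                       ("final", FW1_FINAL, FW2_FIXED)]:
        print(name, audit(a, b) or "consistent")
```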


Author Comment

by:j4llen
ID: 19600656
Made the changes you suggested, but still having issues.  I imagine I should be able to ping from the 40.x network to the 100.x network if the tunnel was up.  I'm not seeing anything in the ASDM "Home" dashboard or "show crypto ipsec sa" saying that there are any tunnels.  I'm not sure how to tell if one end or the other is even trying to establish the SA or tunnel.  New config:

#########################################################################
# Firewall 1
#########################################################################

ASA Version 7.2(2)10
!
hostname *********
domain-name *******************
enable password *********** encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif Internet
 security-level 0
 ip address a.b.c.34 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif corporate
 security-level 75
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DSL
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ************* encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ************
object-group icmp-type icmp_allowed_into_corporateNet
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
 icmp-object echo
access-list internal_access_in remark allow internal users any icmp thru the firewall for now
access-list internal_access_in extended permit icmp any any
access-list internal_access_in remark allow anything outbound for now
access-list internal_access_in extended permit ip any any
access-list DSL_access_in extended permit icmp any any object-group icmp_allowed_into_corporateNet
access-list Internet_20_cryptomap permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list corporate_nat0_outbound  permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 50
logging enable
logging asdm informational
mtu Internet 1500
mtu corporate 1500
mtu DSL 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any corporate
icmp permit any DSL
asdm image disk0:/asdm522-54.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 10 interface
global (DSL) 10 interface
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 10 192.168.1.0 255.255.255.0
nat (corporate) 10 192.168.40.0 255.255.255.0
access-group internet_access_in in interface Internet
access-group internal_access_in in interface corporate
access-group DSL_access_in in interface DSL
route Internet 0.0.0.0 0.0.0.0 a.b.c.33 1 track 1
route corporate 192.168.1.0 255.255.255.0 192.168.40.8 1
route DSL 0.0.0.0 0.0.0.0 192.168.0.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 corporate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho a.b.c.33 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer x.y.z.116
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
tunnel-group x.y.z.116 type ipsec-l2l
tunnel-group x.y.z.116 ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 corporate
telnet 192.168.40.0 255.255.255.0 corporate
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect dns
!
service-policy asa_global_fw_policy global
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:716f3096c3c4381fafa9e15ea0c94fba
: end


#########################################################################
# Firewall 2
#########################################################################

ASA Version 7.2(2)10
!
hostname ******
domain-name *******************
enable password ********** encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Internet
 security-level 0
 ip address x.y.z.116 255.255.255.248 standby x.y.z.117
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif SomeNet
 security-level 100
 ip address 192.168.100.253 255.255.255.0 standby 192.168.100.254
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DMZ
 security-level 0
 ip address 192.168.53.1 255.255.255.0 standby 192.168.53.2
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif corporate
 security-level 0
 ip address 192.168.48.1 255.255.255.0 standby 192.168.48.2
!
interface Management0/0
 description LAN/STATE Failover Interface
!
passwd ************ encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.precysesolutions.com
object-group icmp-type icmp_allowed_in
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list SomeNet_access_in extended permit ip any any
access-list Internet_access_in extended permit icmp any any object-group icmp_allowed_in
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu SomeNet 1500
mtu DMZ 1500
mtu corporate 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any SomeNet
icmp permit any DMZ
icmp permit any corporate
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
nat (SomeNet) 1 192.168.100.0 255.255.255.0
access-group Internet_access_in in interface Internet
access-group SomeNet_access_in in interface SomeNet
route Internet 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 SomeNet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer a.b.c.34
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group a.b.c.34 type ipsec-l2l
tunnel-group a.b.c.34 ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 SomeNet
telnet timeout 15
ssh timeout 5
console timeout 0
!
!
ntp authenticate
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:be267d2521225057f7eccf7195a95941
: end
Author Comment

by:j4llen
ID: 19603052
This question can be closed.  I was able to establish the tunnel.
Author Comment

by:j4llen
ID: 19603458
Actually don't close...the tunnel is up, and I was able to establish a telnet session to the firewall at the remote location via internal IP.  But I'm having trouble passing traffic.  I can't ping anything, or even do a tcp bind with telnet to the webservers, etc.

lrmoore - I see where I made that mistake listing the tunnel end-point instead of the remote network.  I corrected that initially, but still wasn't able to bring up the tunnel.  Cleaned out config and completely re-did it, first via CLI (which worked), then through the GUI again (also worked).
Author Comment

by:j4llen
ID: 19603504
New Config - tunnel works, can't pass any traffic.

###############################################################
# Firewall 1
###############################################################

ASA Version 7.2(2)10
!
hostname fw01
domain-name *******************
enable password ****************encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif Internet
 security-level 0
 ip address a.b.c.34 255.255.255.240
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif corporate
 security-level 75
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif DSL
 security-level 0
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
 speed 100
 duplex full
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd ****************encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name *******************
object-group icmp-type icmp_allowed_into_corporateNet
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
 icmp-object echo
access-list internal_access_in remark allow internal users any icmp thru the firewall for now
access-list internal_access_in extended permit icmp any any
access-list internal_access_in remark allow anything outbound for now
access-list internal_access_in extended permit ip any any
access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DSL_access_in extended permit icmp any any object-group icmp_allowed_into_corporateNet
access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Internet_cryptomap_1 extended permit icmp 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0 object-group icmp_allowed_into_corporateNet
access-list Internet_cryptomap_2 extended permit icmp 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 50
logging enable
logging asdm informational
mtu Internet 1500
mtu corporate 1500
mtu DSL 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any corporate
icmp permit any DSL
asdm image disk0:/asdm522-54.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 10 interface
global (DSL) 10 interface
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 10 192.168.1.0 255.255.255.0
nat (corporate) 10 192.168.40.0 255.255.255.0
access-group internet_access_in in interface Internet
access-group internal_access_in in interface corporate
access-group DSL_access_in in interface DSL
route Internet 0.0.0.0 0.0.0.0 a.b.c.33 1 track 1
route corporate 192.168.1.0 255.255.255.0 192.168.40.8 1
route DSL 0.0.0.0 0.0.0.0 192.168.0.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 corporate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho a.b.c.33 interface Internet
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 1 match address Internet_cryptomap_2
crypto map Internet_map 1 set pfs
crypto map Internet_map 1 set peer x.y.z.116
crypto map Internet_map 1 set transform-set ESP-3DES-SHA
crypto map Internet_map 1 set reverse-route
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer x.y.z.116
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
tunnel-group x.y.z.116 type ipsec-l2l
tunnel-group x.y.z.116 ipsec-attributes
 pre-shared-key *
telnet 192.168.1.0 255.255.255.0 corporate
telnet 192.168.40.0 255.255.255.0 corporate
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect dns
!
service-policy asa_global_fw_policy global
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:716f3096c3c4381fafa9e15ea0c94fba
: end
fw01#


###############################################################
# Firewall 2
###############################################################

ASA Version 7.2(2)10
!
hostname fw02
domain-name *******************
enable password ****************encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif Internet
 security-level 0
 ip address x.y.z.116 255.255.255.248 standby x.y.z.117
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif SomeNet
 security-level 100
 ip address 192.168.100.253 255.255.255.0 standby 192.168.100.254
!
interface Ethernet0/2
 speed 100    
 duplex full
 nameif DMZ
 security-level 0
 ip address 192.168.53.1 255.255.255.0 standby 192.168.53.2
!
interface Ethernet0/3
 speed 100
 duplex full
 nameif corporate
 security-level 0
 ip address 192.168.48.1 255.255.255.0 standby 192.168.48.2
!
interface Management0/0
 description LAN/STATE Failover Interface
!
passwd ****************encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name *******************
object-group icmp-type icmp_allowed_in
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list SomeNet_access_in extended permit ip any any
access-list SomeNet_access_in extended permit icmp any any object-group icmp_allowed_in
access-list Internet_access_in extended permit icmp any any object-group icmp_allowed_in
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu SomeNet 1500
mtu DMZ 1500
mtu corporate 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any SomeNet
icmp permit any DMZ
icmp permit any corporate
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
nat (SomeNet) 1 192.168.100.0 255.255.255.0
access-group Internet_access_in in interface Internet
access-group SomeNet_access_in in interface SomeNet
route Internet 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 Internet
http 192.168.100.0 255.255.255.0 SomeNet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer a.b.c.34
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group a.b.c.34 type ipsec-l2l
tunnel-group a.b.c.34 ipsec-attributes
 pre-shared-key *
telnet 192.168.40.0 255.255.255.0 Internet
telnet 192.168.100.0 255.255.255.0 SomeNet
telnet timeout 15
ssh timeout 5
console timeout 0
!
!
ntp authenticate
ntp server 192.5.41.41 source Internet prefer
webvpn
 svc enable
prompt hostname context
Cryptochecksum:be267d2521225057f7eccf7195a95941
: end
fw02#
Expert Comment

by:lrmoore
ID: 19605674
no access-group internal_access_in in interface corporate

Never put an acl on the inside interface unless you want to severely restrict outbound traffic. Your acl pretty much permits anything anyway, so just remove it.

Same on remote site:
no access-group SomeNet_access_in in interface SomeNet

Add this to both sides:
 sysopt connection permit-ipsec
Author Comment

by:j4llen
ID: 19638315
Wanted to go ahead and close this out - your original response (I was using peer address instead of destination network) helped me resolve the problem I originally posted, and set me on the way of getting everything I needed working.  Once I cleared this hurdle, I was able to get the rest of what I needed working, and then some.  :)  Thanks!