o-tvw-ee

asked on

Cisco ASA 5510 Lan2Lan IPSec tunnel

Hi all,

We would like to build an IPsec tunnel to a customer of ours. We have several tunnels and they are working fine, but this one just won't come up.
This is the scenario: we can use 2 IP addresses to connect to the customer, and we use NAT to translate some IP ranges from the inside to those 2 IP addresses. When I start a ping from the inside (192.168.40.30 to be exact) to cust.ip.addres.17, nothing happens.
I've tried debug crypto ipsec/isakmp but they don't show me any info on this tunnel. I don't see anything in the logs about this tunnel either. It seems that it doesn't use the tunnel to try to get to the customer IP.

What am I doing wrong?

Thanks!
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
 
access-list crypto_customer remark VPN Tunnel to customer
access-list crypto_customer extended permit ip our.ip.addr.104 255.255.255.254 cust.ip.addr.16 255.255.255.248
access-list nat_customer remark NAT for VPN tunnel to customer
access-list nat_customer extended permit ip 192.168.45.0 255.255.255.0 cust.ip.addr.16 255.255.255.248
access-list nat_customer extended permit ip host 192.168.40.30 cust.ip.addr.16 255.255.255.248
 
global (outside) 3 our.ip.addr.104
 
nat (inside) 3 access-list nat_customer
 
static (inside,outside) our.ip.addr.104 192.168.40.2 netmask 255.255.255.255 dns
static (inside,outside) our.ip.addr.105 192.168.40.67 netmask 255.255.255.255 dns
 
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
 
crypto map outside_map 140 match address crypto_customer
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer PEERIP
crypto map outside_map 140 set transform-set ESP_AES_SHA
crypto map outside_map 140 set security-association lifetime seconds 3600
 
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
 
tunnel-group PEERIP type ipsec-l2l
tunnel-group PEERIP ipsec-attributes
 pre-shared-key *


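As an added example (not code from the original post, nor from Cisco), here is a small Python model of how an ASA on the 7.x/8.2 software train decides what the NAT and VPN/encrypt phases of packet-tracer will see for the configuration above. It applies that train's NAT order of operations (NAT exemption, static, policy NAT with an access-list, then regular dynamic NAT; the numeric nat ID does not reorder these stages) and then matches the translated source against the crypto ACLs in sequence order, because on these releases the crypto ACL is evaluated after NAT and so has to list outside addresses. The placeholders are replaced by constructed RFC 5737 addresses, the `nat (inside) 1 192.168.0.0 255.255.0.0` statement the asker mentions later in the thread is included, and its PAT address (203.0.113.90) is an assumption. The model does not apply to ASA 8.3 and later, where NAT was reworked.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins (RFC 5737 documentation ranges) for the placeholders in the post:
#   our.ip.addr.104 / .105 -> 203.0.113.104 / .105
#   cust.ip.addr.16/29     -> 198.51.100.16/29
#   the PAT address behind "nat (inside) 1" is not shown in the thread; 203.0.113.90 is assumed.
OUR_104 = ipaddress.ip_address("203.0.113.104")
OUR_105 = ipaddress.ip_address("203.0.113.105")
OUTSIDE_IF = ipaddress.ip_address("203.0.113.90")


def net(addr, mask):
    """ASA 'address mask' notation -> ip_network ('host x' lines use 255.255.255.255)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class Config:
    nat_exempt: list   # [(src_net, dst_net)]                from 'nat (inside) 0 access-list nonat'
    statics: dict      # {inside host: outside address}      from 'static (inside,outside) out in'
    policy_nat: list   # [(nat_id, [(src_net, dst_net)])]    from 'nat (inside) N access-list X'
    dynamic_nat: list  # [(nat_id, src_net)]                 from 'nat (inside) N net mask'
    globals_: dict     # {nat_id: outside PAT address}       from 'global (outside) N addr'
    crypto_map: list   # [(seq, [(src_net, dst_net)], peer)] from 'crypto map ... match address'


def translate(cfg, src, dst):
    """Post-NAT source for an inside->outside packet, in the ASA 7.x/8.2 NAT order of
    operations: NAT exemption, static, policy NAT (nat with an ACL), then regular
    dynamic NAT. A lower nat ID never promotes a regular nat above a policy nat."""
    if any(src in s and dst in d for s, d in cfg.nat_exempt):
        return src, "nat 0 (exempt)"
    if src in cfg.statics:
        return cfg.statics[src], "static"
    for nat_id, entries in cfg.policy_nat:
        if any(src in s and dst in d for s, d in entries):
            return cfg.globals_[nat_id], f"nat {nat_id} access-list"
    for nat_id, s in cfg.dynamic_nat:
        if src in s:
            return cfg.globals_[nat_id], f"nat {nat_id}"
    return src, "untranslated"


def crypto_match(cfg, xlated_src, dst):
    """First crypto map entry (lowest sequence) whose ACL permits translated source -> dst."""
    for seq, entries, peer in sorted(cfg.crypto_map, key=lambda e: e[0]):
        if any(xlated_src in s and dst in d for s, d in entries):
            return seq, peer
    return None


def trace(cfg, src, dst):
    """Mimics the NAT and VPN/encrypt decisions of 'packet-tracer input inside ...'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    xsrc, rule = translate(cfg, src, dst)
    hit = crypto_match(cfg, xsrc, dst)
    return {"xlated_src": str(xsrc), "nat_rule": rule,
            "crypto_seq": hit[0] if hit else None, "peer": hit[1] if hit else None}


def thread_config():
    """The NAT and crypto parts of the asker's first config, with the constructed addresses."""
    cust = net("198.51.100.16", "255.255.255.248")
    return Config(
        nat_exempt=[],
        statics={ipaddress.ip_address("192.168.40.2"): OUR_104,
                 ipaddress.ip_address("192.168.40.67"): OUR_105},
        policy_nat=[(3, [(net("192.168.45.0", "255.255.255.0"), cust),
                         (net("192.168.40.30", "255.255.255.255"), cust)])],
        dynamic_nat=[(1, net("192.168.0.0", "255.255.0.0"))],  # mentioned later in the thread
        globals_={1: OUTSIDE_IF, 3: OUR_104},
        crypto_map=[(140, [(net("203.0.113.104", "255.255.255.254"), cust)], "PEERIP")],
    )


if __name__ == "__main__":
    cfg = thread_config()
    for src in ("192.168.40.30", "192.168.40.2", "192.168.40.67", "192.168.40.50"):
        print(src, "->", trace(cfg, src, "198.51.100.17"))
```

Running it shows 192.168.40.30 being translated by the policy nat 3 (as the packet-tracer output later in the thread also reports) to .104, which the /31 crypto ACL covers; the two static hosts land on .104 and .105 and match too; an inside host that is not in the nat_customer ACL is PATed to the interface address by nat 1 and never matches any crypto map entry.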
Alan Huseyin Kayahan

Hi o-tvw-ee
Try this:
no access-list crypto_customer extended permit ip our.ip.addr.104 255.255.255.254 cust.ip.addr.16 255.255.255.248
access-list crypto_customer permit ip host our.ip.addr.104 cust.ip.addr.16 255.255.255.248
Also watch the syslog output in the ASDM window and paste any error messages.

Regards
o-tvw-ee

ASKER

We need to access the other end from 2 IP addresses, .104 and .105, so I need the 255.255.255.254 netmask. I don't see any error messages in the syslog.
Then you should make the following modification:

no global (outside) 3 our.ip.addr.104
global (outside) 3 our.ip.addr.104 netmask 255.255.255.254
also
"When I start a ping from the inside (192.168.40.30 to be exact) to the cust.ip.addres.17 nothing happens."
You have crypto and nat entries for cust.ip.addres.16, not 17.
We're using our.ip.addr.104 through the global setting, and our.ip.addr.105 through a static for a specific server.
Also, on the customer side we have a netmask of 255.255.255.248, so the .17 address is included in the crypto and the nat.
Ah, I see.
Do you have a nat/global statement before 3 that uses something like
nat (inside) 1 0 0
If yes, traffic would be flowing through that statement before it reaches yours. So I suggest giving a higher value to that kind of statement.
Please post here the output of the following command:
packet-tracer input inside tcp 192.168.40.30 3389 cust.ip.addres.17 3389 detailed
Interesting command :) I learn something new every day...

I can see the packet is dropped, but I have no clue why...

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x4436780, priority=1, domain=permit, deny=false
        hits=43569747, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
 
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
 
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x4439aa8, priority=0, domain=permit-ip-option, deny=true
        hits=13198981, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
 
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x4cb32b0, priority=20, domain=lu, deny=false
        hits=11580544, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
 
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list nat_customer
  match ip inside host 192.168.40.30 outside cust.ip.addr.16 255.255.255.248
    dynamic translation to pool 3 (our.ip.addr.104)
    translate_hits = 514, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.40.30/3389 to our.ip.addr.104/1024 using netmask 255.255.255.255
 Forward Flow based lookup yields rule:
 in  id=0x4593aa0, priority=2, domain=nat, deny=false
        hits=513, user_data=0x4593a30, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.40.30, mask=255.255.255.255, port=0
        dst ip=cust.ip.addr.16, mask=255.255.255.248, port=0
 
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 3 access-list nat_customer
  match ip inside host 192.168.40.30 outside cust.ip.addr.16 255.255.255.248
    dynamic translation to pool 3 (our.ip.addr.104)
    translate_hits = 514, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x4593cf0, priority=2, domain=host, deny=false
        hits=551, user_data=0x4593a30, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.40.30, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
 
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x525d2d8, priority=70, domain=encrypt, deny=false
        hits=37, user_data=0x0, cs_id=0x4c23f80, reverse, flags=0x0, protocol=0
        src ip=our.ip.addr.104, mask=255.255.255.254, port=0
        dst ip=cust.ip.addr.16, mask=255.255.255.248, port=0
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Also, we don't have a nat (inside) 1 0 0 command. We use nat (inside) 1 192.168.0.0 255.255.0.0
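The packet-tracer output above is worth reading mechanically rather than by eye: the NAT phase states the translated source, and the VPN/encrypt phase states the crypto rule that was consulted, so the two can be compared directly. The following parser is an added example (not from the original post or from Cisco) that pulls exactly those fields out of packet-tracer text. The sample it runs on is constructed in the same format as the output in the thread, abbreviated, with RFC 5737 addresses in place of the placeholders.

```python
import re

# Constructed sample in the packet-tracer output format seen in the thread (abbreviated;
# the addresses are RFC 5737 stand-ins for the thread's placeholders).
SAMPLE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list nat_customer
  match ip inside host 192.168.40.30 outside 198.51.100.16 255.255.255.248
    dynamic translation to pool 3 (203.0.113.104)
Additional Information:
Dynamic translate 192.168.40.30/3389 to 203.0.113.104/1024 using netmask 255.255.255.255

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x525d2d8, priority=70, domain=encrypt, deny=false
        src ip=203.0.113.104, mask=255.255.255.254, port=0
        dst ip=198.51.100.16, mask=255.255.255.248, port=0

Result:
input-interface: inside
input-status: up
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

XLATE_RE = re.compile(r"Dynamic translate (\S+) to (\S+) using")
RULE_RE = re.compile(r"(src|dst) ip=([^,]+), mask=([^,]+)")


def parse_phases(text):
    """Split packet-tracer output into per-phase dicts plus the final summary.
    The summary starts at a bare 'Result:' line; per-phase results carry a value."""
    head, _, summary = text.partition("\nResult:\n")
    phases = []
    for block in re.split(r"(?m)^Phase: ", head)[1:]:
        lines = block.splitlines()
        p = {"phase": int(lines[0].strip()), "type": "", "subtype": "",
             "result": "", "config": [], "info": []}
        section = None
        for line in lines[1:]:
            if line.startswith("Type:"):
                p["type"] = line[5:].strip()
            elif line.startswith("Subtype:"):
                p["subtype"] = line[8:].strip()
            elif line.startswith("Result:"):
                p["result"] = line[7:].strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section and line.strip():
                p[section].append(line.strip())
        phases.append(p)
    action = re.search(r"^Action: (\w+)$", summary, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", summary, re.M)
    return phases, {"action": action.group(1) if action else None,
                    "drop_reason": reason.group(1).strip() if reason else None}


def triage(text):
    """Which phase dropped the packet, what NAT did to the source, and which
    src/dst rule the dropping phase consulted (for VPN/encrypt: the crypto ACL hit)."""
    phases, summary = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    xlate = None
    for p in phases:
        for line in p["info"]:
            m = XLATE_RE.search(line)
            if m:
                xlate = (m.group(1), m.group(2))
    rule = {}
    if drop:
        for line in drop["info"]:
            for side, ip, mask in RULE_RE.findall(line):
                rule[side] = f"{ip}/{mask}"
    where = None
    if drop:
        where = f'{drop["type"]}/{drop["subtype"]}' if drop["subtype"] else drop["type"]
    return {"dropped_in": where, "phase": drop["phase"] if drop else None,
            "action": summary["action"], "drop_reason": summary["drop_reason"],
            "xlate": xlate, "encrypt_rule": rule}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the sample this reports the drop in VPN/encrypt, the source translated to 203.0.113.104/1024, and an encrypt rule of 203.0.113.104/255.255.255.254 to 198.51.100.16/255.255.255.248, which is the comparison the thread is making by hand.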
"We use nat (inside) 1 192.168.0.0 255.255.0.0"
192.168.0.0 covers 192.168.40.30, so the packet should not be passing via this translation and nat 3 should be ignored, but packet-tracer does not say so (interesting).
What I would suggest is issuing the following exactly (make sure you take the steps below via the console, not remotely, because it may cause a disconnection):
no nat (inside) 1 192.168.0.0 255.255.0.0
no global (outside) 1 xxxxwhatever
no global (outside) 3 our.ip.addr.104
no nat (inside) 3 access-list nat_customer
nat (inside) 5 192.168.0.0 255.255.0.0
global (outside) 5 xxxxwhatever
nat (inside) 1 access-list nat_customer
global (outside) 1 our.ip.addr.104
clear xlate

Packet-tracer says your config is OK; it says drop in phase 8 VPN because the VPN tunnel is not established. Something may be wrong at the remote end.
Next, configure your ASDM syslog options for logging notifications, not informational, so you will be able to see the essential syslogs about VPN. As you try pinging or telnetting to the remote host, a log saying "IKE initiator bla bla" in blue should appear in the syslogs.
 
I get these error messages in my logfile as soon as I start pinging the remote LAN:

%ASA-3-713063: IKE Peer address not configured for destination X.X.X.X

(X.X.X.X is a random IP address that changes with each error message.) They disappear as soon as I stop pinging...
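Cisco's syslog reference describes %ASA-3-713063 as the crypto map having no peer configured for the destination named in the message, and when the destination keeps changing, the first thing to establish is which crypto map entry is claiming those destinations. The script below is an added example (not from the original post or from Cisco) that extracts the destinations from 713063 messages and groups them by the first crypto map entry, in sequence order, whose destination network covers them. The log lines are constructed in the format the asker reports, with RFC 5737 addresses. Entry 140 mirrors the thread's tunnel; entry 150, a broad entry with no peer, is hypothetical and included only to show what the correlation exposes, not something the thread establishes about the asker's configuration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed syslog lines in the %ASA-3-713063 format the asker reports (RFC 5737 addresses);
# the 302013 line is there only to show unrelated messages being ignored.
LOG = """\
%ASA-3-713063: IKE Peer address not configured for destination 198.51.100.17
%ASA-3-713063: IKE Peer address not configured for destination 192.0.2.45
%ASA-3-713063: IKE Peer address not configured for destination 192.0.2.201
%ASA-3-713063: IKE Peer address not configured for destination 198.51.100.18
%ASA-3-713063: IKE Peer address not configured for destination 192.0.2.45
%ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.9/443 (192.0.2.9/443) to inside:192.168.40.30/51000 (203.0.113.90/1025)
"""

# Crypto map entries as (sequence, ACL name, source network, destination network, peer).
# Entry 140 mirrors the thread's tunnel. Entry 150 is hypothetical: a deliberately broad
# destination and no peer, present only so the correlation has something to expose.
CRYPTO_MAP = [
    (140, "crypto_customer", "203.0.113.104/31", "198.51.100.16/29", "192.0.2.254"),
    (150, "crypto_broad",    "203.0.113.104/32", "0.0.0.0/0",        None),
]

MSG_RE = re.compile(
    r"%ASA-3-713063: IKE Peer address not configured for destination (\d+\.\d+\.\d+\.\d+)")


def logged_destinations(log):
    """Destination addresses from every 713063 message, in log order (duplicates kept)."""
    return [m.group(1) for m in MSG_RE.finditer(log)]


def first_matching_entry(crypto_map, dst):
    """The ASA walks crypto map entries in sequence order and takes the first ACL hit.
    The syslog carries only the destination, so only that side can be checked here."""
    ip = ipaddress.ip_address(dst)
    for seq, name, _src_net, dst_net, peer in sorted(crypto_map, key=lambda e: e[0]):
        if ip in ipaddress.ip_network(dst_net):
            return seq, name, peer
    return None


def correlate(log, crypto_map=CRYPTO_MAP):
    """Group the distinct logged destinations by the crypto map entry that claims them."""
    by_entry = defaultdict(list)
    for dst in logged_destinations(log):
        hit = first_matching_entry(crypto_map, dst)
        key = hit[0] if hit else "no-crypto-match"
        if dst not in by_entry[key]:
            by_entry[key].append(dst)
    return dict(by_entry)


def entries_without_peer(log, crypto_map=CRYPTO_MAP):
    """Entries that claim logged destinations but have no peer set, the condition the
    713063 description points at. Returns [(seq, acl_name, [destinations])]."""
    out = []
    for seq, dsts in correlate(log, crypto_map).items():
        if seq == "no-crypto-match":
            continue
        entry = next(e for e in crypto_map if e[0] == seq)
        if entry[4] is None:
            out.append((seq, entry[1], dsts))
    return out


if __name__ == "__main__":
    for seq, dsts in correlate(LOG).items():
        print(f"crypto map seq {seq}: {dsts}")
    print("entries without a peer:", entries_without_peer(LOG))
```

On the constructed input the customer addresses group under entry 140 and the unrelated ones under the broad entry 150, which is then reported as having no peer. On a real box the second step is `show run crypto map` for the sequence numbers the script names, since a sanitized config (peer shown as `0.0.0.0`, as in the full config posted later in this thread) does not let a reader see that from the page.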
Can you post your full config? (Then you can ask a moderator to delete it.)
Can you type some example IPs that x.x.x.x takes randomly?
Try this

no access-list crypto_valuesource extended permit ip our.ip.address.104 255.255.255.254 193.244.115.16 255.255.255.248
access-list crypto_valuesource permit ip host our.ip.address.104 193.244.115.16 255.255.255.248
access-list crypto_valuesource permit ip host our.ip.address.105 255.255.255.254 193.244.115.16 255.255.255.248

Then in the CLI, type ping. As the source address for the ping, use 192.168.40.7 and as the destination 193.244.115.16.

Open your ASDM, click Monitoring, click VPN, choose Sessions, then filter on L2L. Click refresh after the ping trials and see whether the tunnel is established or not. Maybe the tunnel establishes but no traffic flows.
correction

"Then in the CLI, type ping. As the source address for the ping, use 192.168.40.7 and as the destination 193.244.115.17; try 18 and 19 after."
correction
access-list crypto_valuesource permit ip host our.ip.address.105 193.244.115.16 255.255.255.248
Nothing changed... I still get the error messages and I don't see any output in debug isakmp or ipsec for this tunnel.

I did the packet trace again and that seems OK... The translation to the external IP address works, but it seems that the ASA just doesn't recognize that the traffic should go through the tunnel...

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
 
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 3 access-list nat_valuesource
  match ip inside 192.168.0.0 255.255.0.0 outside 193.244.115.16 255.255.255.248
    dynamic translation to pool 3 (212.35.120.104)
    translate_hits = 27142, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.40.30/3389 to 212.35.120.104/1025 using netmask 255.255.255.255
 
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 3 access-list nat_valuesource
  match ip inside 192.168.0.0 255.255.0.0 outside 193.244.115.16 255.255.255.248
    dynamic translation to pool 3 (212.35.120.104)
    translate_hits = 27142, untranslate_hits = 0
Additional Information:
 
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Ah, totally forgot that one. Computer101, would you please let me have the full config once? Then I will reply for removal.
I'll post the config again. We changed it a bit (removed the PAT and increased the external IP addresses we use from 2 to 4 to make it less complex); the symptoms stay the same though...


: Saved
:
ASA Version 7.2(3)
!
hostname ORDFW01
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address our.ip.address.90 0.0.0.0 standby our.ip.address.91
!
interface Ethernet0/1
 description Inside MPLS interface
 nameif inside
 security-level 100
 ip address 0.0.0.0 0.0.0.0 standby 0.0.0.0
!
interface Ethernet0/2
 description DMZ Zone
 nameif dmz
 security-level 50
 ip address 0.0.0.0 0.0.0.0 standby 0.0.0.0
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 0
 ip address 0.0.0.0 0.0.0.0 standby 0.0.0.0
 management-only
!
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone CET 2
dns server-group DefaultDNS
access-list acl_outside extended permit udp any host our.ip.address.90 eq 1701 inactive
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit ip 0.0.0.0 0.0.0.0 any
access-list acl_outside remark Iterum Planningstool - Marc Van Damme
access-list acl_outside extended permit tcp any host our.ip.address.89 eq www
access-list acl_outside extended permit tcp any host our.ip.address.89 eq https
access-list acl_outside remark Telefooncentrale Leuven - Rudi Potoms
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 5000
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 6000
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 6100
access-list acl_outside extended permit tcp any host our.ip.address.120 eq 9000
access-list acl_outside remark ORDSCS - Gunter De Neef
access-list acl_outside extended permit tcp any host our.ip.address.92 eq ftp
access-list acl_outside remark SAPRouter - Hans Lauwers
access-list acl_outside extended permit tcp any host our.ip.address.93 eq 3299
access-list acl_outside extended permit tcp any host our.ip.address.103 eq 3299
access-list acl_outside remark TVWBSupport connection to HoTH database
access-list acl_outside extended permit tcp host our.ip.address.69 host our.ip.address.93 eq 1433
access-list acl_outside remark Webserver
access-list acl_outside extended permit tcp any host our.ip.address.69 eq www
access-list acl_outside extended permit tcp any host our.ip.address.69 eq https
access-list acl_outside extended permit tcp any host our.ip.address.69 eq ftp
access-list acl_outside extended permit tcp any host our.ip.address.69 eq 3389
access-list acl_outside remark Evobizz
access-list acl_outside extended permit tcp any host our.ip.address.80 eq www
access-list acl_outside extended permit tcp any host our.ip.address.80 eq https
access-list acl_outside remark Email/Antispam
access-list acl_outside extended permit tcp any host our.ip.address.78 eq 995
access-list acl_outside extended permit tcp any host our.ip.address.78 eq 993
access-list acl_outside extended permit tcp any host our.ip.address.78 eq 8000
access-list acl_outside extended permit tcp any host our.ip.address.78 eq https
access-list acl_outside extended permit tcp any host our.ip.address.78 eq www
access-list acl_outside extended permit tcp any host our.ip.address.78 eq smtp
access-list acl_outside remark Intranet
access-list acl_outside extended permit tcp any host our.ip.address.82 eq www
access-list acl_outside extended permit tcp any host our.ip.address.82 eq https
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 8091
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 8090
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 90
access-list acl_outside extended permit tcp any host our.ip.address.82 eq 91
access-list acl_outside remark ORDWsus - Geert Coelmont
access-list acl_outside extended permit tcp any host our.ip.address.94 eq ftp
access-list acl_outside remark ORDVPCDEV11 - Paul Hermans
access-list acl_outside extended permit tcp any host our.ip.address.86 eq www
access-list acl_outside remark ORDVMORACLE01 - Dimitri Gielis
access-list acl_outside extended permit tcp any host our.ip.address.87 eq https
access-list acl_outside remark ORDvmsappi - Cedric Laridon
access-list acl_outside extended permit tcp any host our.ip.address.85 eq 50001
access-list acl_outside extended permit tcp any host our.ip.address.85 eq 50000
access-list acl_outside extended permit tcp any host our.ip.address.85 eq 8000
access-list acl_outside extended permit icmp host 0.0.0.0 host 0.0.0.0
access-list acl_outside remark JIRA production - Yves Thomas
access-list acl_outside extended permit tcp any host our.ip.address.100 eq www
access-list acl_outside remark Webserver
access-list acl_outside extended permit tcp any host our.ip.address.101 eq www
access-list acl_outside extended permit tcp any host our.ip.address.101 eq 3389
access-list acl_outside extended permit tcp any host our.ip.address.101 eq https
access-list acl_outside remark Development - Daan Kets
access-list acl_outside extended permit tcp any host our.ip.address.97
access-list acl_outside extended permit tcp any host our.ip.address.98
access-list acl_outside extended permit tcp any host our.ip.address.99
access-list acl_outside extended permit tcp any host 0.0.0.0 eq ftp
access-list acl_outside remark ORDVMNWMON01 - SeKo - SNMP
access-list acl_outside extended permit udp host 0.0.0.0 host our.ip.address.84 eq syslog
access-list acl_outside remark Access to SAPRouter for SAP - SAP Tech
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3200
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3300
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3399
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3600
access-list acl_outside extended permit tcp host 0.0.0.0 host our.ip.address.103 eq 3299
access-list acl_outside remark Production Webserver
access-list acl_outside extended permit tcp any host our.ip.address.115 eq www
access-list acl_outside extended permit tcp any host our.ip.address.115 eq https
access-list acl_outside extended permit tcp any host our.ip.address.115 eq 990
access-list acl_outside remark Access for Texaco to download SAP Notes - SAP Tech
access-list acl_outside extended permit tcp 0.0.0.0 0.0.0.0 host 0.0.0.0 eq 3299
access-list acl_outside extended permit tcp any host our.ip.address.78 eq ssh
access-list acl_outside remark FTP Server
access-list acl_outside extended permit tcp any host our.ip.address.116 eq 990
access-list acl_outside extended permit tcp any host our.ip.address.116 eq ssh
access-list acl_outside extended permit tcp any host our.ip.address.116 eq ftp
access-list acl_outside extended permit tcp any host our.ip.address.116 eq ftp-data
access-list acl_outside extended permit tcp any host our.ip.address.115 eq ftp
access-list acl_outside remark MOSS environment J&J Demo Server . Elke Bogaerts
access-list acl_outside extended permit tcp any host our.ip.address.117 eq www
access-list acl_outside extended permit tcp any host our.ip.address.117 eq 8080
access-list acl_outside extended permit tcp any host our.ip.address.117 eq 7000
access-list acl_outside remark Topdesk - Yves Thomas
access-list acl_outside extended permit tcp any host our.ip.address.118 eq https
access-list acl_outside remark Team Foundation Server - Paul Hermans
access-list acl_outside extended permit tcp any host our.ip.address.105 eq 81
access-list acl_outside remark JTech Server - Frederick Beernaert
access-list acl_outside extended permit tcp any host our.ip.address.81 eq www
access-list acl_outside extended permit icmp any any
access-list nonat remark Remote VPN users
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN tunnel to NTT for NAGIOS alerts from KUBOTA Servers - Steven Helsen
access-list nonat extended permit ip host 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN tunnel to PAB - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonat remark VPN tunnel to SUBARU for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark Nonat to DMZ
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN tunnel to Texaco - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to HQ GCeurope for SAP - Hans Lauwers
access-list nonat remark VPN Tunnel to Toerisme Vlaandere for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to Texaco (Delek) for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to Sanico - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list nonat remark VPN Tunnel to Blankedale for SAP - Hans Lauwers
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonat extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list nonatBPI extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_BPI remark VPN tunnel to BPI for DENKART - Gery Laeremans
access-list crypto_BPI extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU remark VPN tunnel to SUBARU for SAP - Hans Lauwers
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_SUBARU extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_NAGIOS_to_NTT remark VPN tunnel to NTT for NAGIOS alerts from KUBOTA Servers - Steven Helsen
access-list crypto_NAGIOS_to_NTT extended permit ip host 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_RUTGES remark VPN tunnel to Rutges - Gunther De Neef
access-list crypto_RUTGES extended permit ip host our.ip.address.92 0.0.0.0 0.0.0.0
access-list crypto_PAB remark VPN tunnel to PAB - Hans Lauwers
access-list crypto_PAB extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list crypto_PAB extended permit ip 0.0.0.0 0.0.0.0 host 0.0.0.0
access-list crypto_sanico remark VPN Tunnel to Sanico - Hans Lauwers
access-list crypto_sanico extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_hqgceurope remark VPN Tunnel to HQ GCeurope for SAP - Hans Lauwers
access-list acl_dmz extended permit ip any interface outside
access-list acl_dmz extended permit tcp any any eq https
access-list acl_dmz extended permit tcp any any eq www
access-list acl_dmz extended permit udp any any eq domain
access-list acl_dmz extended permit tcp any any eq domain
access-list acl_dmz extended permit icmp any any echo
access-list acl_dmz extended permit icmp any any echo-reply
access-list acl_dmz extended permit icmp any any time-exceeded
access-list acl_dmz extended permit tcp host 0.0.0.0 host 0.0.0.0 eq smtp
access-list acl_dmz extended permit tcp any any eq 3389
access-list acl_dmz extended permit tcp host 0.0.0.0 host 0.0.0.0 eq smtp
access-list acl_dmz extended permit tcp any any eq 1433
access-list crypto_toerismevlaanderen remark VPN Tunnel to Toerisme Vlaanderen for SAP - Hans Lauwers
access-list crypto_toerismevlaanderen extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_kubota remark VPN Tunnel to Kubota - SAP Tech
access-list crypto_kubota extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_kubota extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_kubota extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_kubota extended permit ip host our.ip.address.103 host 0.0.0.0
access-list crypto_texaco remark VPN Tunnel to Texaco (Delek) for SAP - Hans Lauwers
access-list crypto_texaco extended permit ip 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
access-list crypto_punch remark VPN Tunnel to Punch for SAP - Hans Lauwers
access-list crypto_punch extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_punch extended permit ip host our.ip.address.103 0.0.0.0 0.0.0.0
access-list crypto_QuickBarracuda remark VPN tunnel to Quick (Interoute) for managing Barracuda
access-list crypto_QuickBarracuda extended permit ip host our.ip.address.90 0.0.0.0 0.0.0.0
access-list crypto_SAP remark VPN Tunnel to SAP for maintenance - SAP Tech
access-list crypto_SAP extended permit ip host our.ip.address.103 host 0.0.0.0
access-list crypto_valuesource remark VPN Tunnel to KBC - ValueSource
access-list crypto_valuesource extended permit ip our.ip.address.104 0.0.0.0 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging monitor notifications
logging trap notifications
logging asdm warnings
logging host inside 0.0.0.0
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool clientVPNpool 0.0.0.0-0.0.0.0 mask 0.0.0.0
failover
failover lan unit primary
failover lan interface fo Ethernet0/3
failover link fo Ethernet0/3
failover interface ip fo 0.0.0.0 0.0.0.0 standby 0.0.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 2 our.ip.address.78
global (outside) 100 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
nat (inside) 100 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) our.ip.address.89 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.120 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.93 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.92 0.0.0.0 netmask 0.0.0.0
static (inside,outside) 0.0.0.0  access-list nonatBPI
static (inside,outside) our.ip.address.86 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.85 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.94 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.82 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.80 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.97 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.98 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.99 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.100 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.87 0.0.0.0 netmask 0.0.0.0 dns
static (dmz,outside) our.ip.address.101 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.102 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.103 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.104 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.84 0.0.0.0 netmask 0.0.0.0
static (inside,outside) our.ip.address.105 0.0.0.0 netmask 0.0.0.0 dns
static (dmz,outside) our.ip.address.115 0.0.0.0 netmask 0.0.0.0 dns
static (dmz,outside) our.ip.address.116 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.78 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.117 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.118 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.81 0.0.0.0 netmask 0.0.0.0 dns
static (inside,outside) our.ip.address.106 0.0.0.0 netmask 0.0.0.0 dns
access-group acl_outside in interface outside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 our.ip.address.65 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
route inside 0.0.0.0 0.0.0.0 0.0.0.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server we_radius protocol radius
aaa-server we_radius host 192.168.40.2
 key OrD1Na2007
aaa authentication ssh console we_radius
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 0.0.0.0 community we
snmp-server host inside 0.0.0.0 community we
no snmp-server location
no snmp-server contact
snmp-server community we
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
service resetoutside
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10 match address crypto_SUBARU
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer our.ip.address.70
crypto map outside_map 10 set transform-set ESP_3DES_SHA
crypto map outside_map 10 set security-association lifetime seconds 7200
crypto map outside_map 20 match address crypto_texaco
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 0.0.0.0
crypto map outside_map 20 set transform-set ESP_3DES_SHA
crypto map outside_map 20 set security-association lifetime seconds 7200
crypto map outside_map 20 set security-association lifetime kilobytes 4096000
crypto map outside_map 30 match address crypto_PAB
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 0.0.0.0
crypto map outside_map 30 set transform-set ESP_3DES_SHA
crypto map outside_map 30 set security-association lifetime seconds 7200
crypto map outside_map 40 match address crypto_RUTGES
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 0.0.0.0
crypto map outside_map 40 set transform-set ESP_3DES_SHA
crypto map outside_map 40 set security-association lifetime seconds 3600
crypto map outside_map 50 match address crypto_NAGIOS_to_NTT
crypto map outside_map 50 set pfs
crypto map outside_map 50 set peer 0.0.0.0
crypto map outside_map 50 set transform-set ESP_3DES_SHA
crypto map outside_map 50 set security-association lifetime seconds 7200
crypto map outside_map 60 match address crypto_BPI
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer 0.0.0.0
crypto map outside_map 60 set transform-set ESP_3DES_SHA
crypto map outside_map 60 set security-association lifetime seconds 1800
crypto map outside_map 80 match address crypto_toerismevlaanderen
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 0.0.0.0
crypto map outside_map 80 set transform-set ESP_3DES_SHA
crypto map outside_map 80 set security-association lifetime seconds 7200
crypto map outside_map 80 set security-association lifetime kilobytes 4096000
crypto map outside_map 90 match address crypto_kubota
crypto map outside_map 90 set pfs
crypto map outside_map 90 set peer 0.0.0.0
crypto map outside_map 90 set transform-set ESP_3DES_SHA
crypto map outside_map 90 set security-association lifetime seconds 7200
crypto map outside_map 90 set security-association lifetime kilobytes 4096000
crypto map outside_map 100 match address crypto_sanico
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer 0.0.0.0
crypto map outside_map 100 set transform-set ESP_3DES_SHA
crypto map outside_map 100 set security-association lifetime seconds 7200
crypto map outside_map 100 set security-association lifetime kilobytes 4096000
crypto map outside_map 110 match address crypto_punch
crypto map outside_map 110 set peer 0.0.0.0
crypto map outside_map 110 set transform-set ESP_3DES_SHA
crypto map outside_map 110 set security-association lifetime seconds 3600
crypto map outside_map 110 set security-association lifetime kilobytes 4096000
crypto map outside_map 140 match address crypto_valuesource
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 0.0.0.0
crypto map outside_map 140 set transform-set ESP_AES_SHA
crypto map outside_map 140 set security-association lifetime seconds 3600
crypto map outside_map 150 match address crypto_SAP
crypto map outside_map 150 set peer 0.0.0.0
crypto map outside_map 150 set transform-set ESP_3DES_MD5
crypto map outside_map 150 set security-association lifetime seconds 7200
crypto map outside_map 160 match address crypto_QuickBarracuda
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer 0.0.0.0
crypto map outside_map 160 set transform-set ESP_3DES_SHA
crypto map outside_map 160 set security-association lifetime seconds 7200
crypto map outside_map 160 set security-association lifetime kilobytes 4096000
crypto map outside_map 900 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp am-disable
crypto isakmp disconnect-notify
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
ntp server 0.0.0.0 source outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 0.0.0.0
 dns-server value 0.0.0.0
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value we.be
username admin_we password U46J02nhFY9Kn8Zgvy7rsQ== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool ClientVPNpool
 authentication-server-group we_radius LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group our.ip.address.70 type ipsec-l2l
tunnel-group our.ip.address.70 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
smtp-server 0.0.0.0
prompt hostname context
Cryptochecksum:ccb1162205f841109b3c6ea5863faec3
: end
[OK]

ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan
Hmm, rebooting the Ciscos fixed the problem. We applied the crypto map several times to the outside interface, but nothing helped...

Thanks for the help! I'll give you the points for being so nice to stick with me through this problem ;)
"Hmm, rebooting the Ciscos fixed the problem"
clear xlate should have had the same effect. It was an interesting issue, but glad that it is sorted out.
Thanks for the points :)
I cleared the xlate several times... This is probably a 'feature' of the ASA devices :)
Altered last code snippet to convert all IP addresses to 0.0.0.0 at o-tvw-ee's request.

ForestDenizen
Community Support Moderator