Solved

Cisco Site-to-Site VPN unable to bring up from remote site.

Posted on 2008-10-16
Last Modified: 2012-06-21
Hi gurus :)
I have the following problem that's been bugging me a lot lately:

I have an ASA 5540 on site A and an 871W on site B. The problem occurs when the Internet connection on site B drops (for some reason this happens a lot there) and therefore the site-to-site VPN between the sites drops, which is normal, but when the Internet comes back on site B, the only way to bring up the tunnel is by originating traffic from site A only, not from site B.
My question is: is there a way to make site B able to bring up the tunnel when a PC on its local network tries to communicate with site A through "interesting" traffic?
Thank you!

Here is the config of site B:
=================================================================
burgaslkv871W#sh run
Building configuration...

Current configuration : 7145 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname burgaslkv871W
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3984440544
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3984440544
 revocation-check none
 rsakeypair TP-self-signed-3984440544
!
!
crypto pki certificate chain TP-self-signed-3984440544
 certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393834 34343035 3434301E 170D3032 30333035 31373432
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39383434
  34303534 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B0C4 D3FB047C A3458531 752E2AE6 57786D07 62020FDC 0A379A0D 925332CC
  DF6C3BBF 53BD8B00 FF89B857 3F45B5F7 8ABDB469 897FDDCA B1F471AC FAE908AB
  30FBFEFE FBA77CA8 B28BED8E D2BA1CF6 24C948E0 B367A6FB B160BFEF 4F94F94C
  C05655B9 FA1B6811 7B4DB9DD AD2BD255 B37532C5 D72C3B69 0BAC0A04 D4752FF2
  ABEB0203 010001A3 7C307A30 0F060355 1D130101 FF040530 030101FF 30270603
  551D1104 20301E82 1C627572 6761736C 6B763837 31572E79 6F757264 6F6D6169
  6E2E636F 6D301F06 03551D23 04183016 8014582B 7C333CB2 77FAA0A6 44DFB7A5
  B0415344 6BC7301D 0603551D 0E041604 14582B7C 333CB277 FAA0A644 DFB7A5B0
  4153446B C7300D06 092A8648 86F70D01 01040500 03818100 90507D0F 0C932C10
  EBCB748D 072C0F8E E32C4C87 823A6DE1 41F1C4E7 AA8233D9 974F4ABF 525C6174
  0FE8879E 27CA6554 80069172 DCDD132F 52CDA5A2 253CD24D 34F4EC30 21E06C3D
  609CB5A1 83918E9A 97BB7F8F 4161FB0B FD2A1685 2964959B 60E158EA 07A694F8
  9A19EFC9 6397B6AD 5DA22D99 7F0A9199 F3637F3A 0721E7C8
        quit
dot11 syslog
!
dot11 ssid armeecwifi
   authentication open
   guest-mode
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.120.1
!
ip dhcp pool sdm-pool
   import all
   network 192.168.120.0 255.255.255.0
   default-router 192.168.120.1
   dns-server 192.168.120.1 192.168.100.1
   lease infinite
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 192.168.120.1
ip name-server 192.168.100.1
!
!
!
username XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set transasa esp-aes 256 esp-sha-hmac
!
crypto map vpnasa 13 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set security-association lifetime seconds 86400
 set transform-set transasa
 match address INTTRAFFIC
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit XXXXXXXXXXXXXXXXXXXXXXXXX transmit-key
 encryption mode wep mandatory
 !
 ssid armeecwifi
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXX
 ppp chap password XXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXX password XXXXXXX
 crypto map vpnasa
!
interface BVI1
 ip address 192.168.120.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool ALL 192.168.120.2 192.168.120.254 netmask 255.255.255.0
ip nat inside source route-map ROUTEMAP pool ALL overload
!
ip access-list extended INTTRAFFIC
 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny   ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.120.0 0.0.0.255 any
no cdp run
!
!
route-map ROUTEMAP permit 1
 match ip address 100
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
==================================================================
Question by:lichahin
Expert Comment

by:lrmoore
ID: 22735972
>ip nat pool ALL 192.168.120.2 192.168.120.254 netmask 255.255.255.0
>ip nat inside source route-map ROUTEMAP pool ALL overload

You are natting internal 192.168.120.0 IPs to themselves in the pool???

I would expect something like:

ip nat inside source route-map ROUTEMAP interface Dialer0 overload

Otherwise, the crypto and VPN tunnel config looks fine and should trigger the VPN tunnel to come back up on its own.



Author Comment

by:lichahin
ID: 22739863
Yes, this was a mistake, but they don't use NAT anyway; they use a proxy server over the VPN. However, I removed the NAT, but it doesn't seem to have helped.
Expert Comment

by:lrmoore
ID: 22740017
>crypto isakmp aggressive-mode disable
Try removing this...

Seeing your ASA config might help...

Author Comment

by:lichahin
ID: 22740067
I put this line in trying to fix the problem, so it is the same with or without it. I'll show you the config in a while.
Author Comment

by:lichahin
ID: 22740473
Here is the ASA config. Just to make clear, this happens with all site-to-site VPNs, but the other peers don't lose Internet connectivity so often.


ASA5540# sh run
: Saved
:
ASA Version 8.0(3)6
!
hostname ASA5540
domain-name armeec
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXXX encrypted
names
name 192.168.100.1 armserver
name 192.168.100.2 mailserver
name 192.168.100.6 slack
name 192.168.100.3 archimed
name 192.168.100.15 luboxp
name 192.168.100.59 oracle
name 192.168.100.225 trmsrvclr
name 192.168.100.8 tsm
name 192.168.100.124 vladol
name 192.168.100.134 capelle
name 192.168.100.130 lvl
name 192.168.100.67 taniat
name 192.168.100.147 canka
name 192.168.100.156 oracle2
name 192.168.100.136 dk
name 84.43.190.82 Varna
name 84.43.191.132 Varnalkv
name 192.168.100.155 Ilian
name 83.228.37.50 Gabrovo
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.7 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server armserver
 name-server XXX.XXX.XXX.XXX
 domain-name armeec
object-group network NAT_allowed_computers
 network-object host armserver
 network-object host lvl
 network-object host 192.168.100.135
 network-object host 192.168.100.192
 network-object host 192.168.100.60
 network-object host 192.168.100.68
 network-object host 192.168.100.74
 network-object host 192.168.100.58
 network-object host Ilian
 network-object host 192.168.100.241
 network-object host 192.168.100.242
 network-object host canka
 network-object host luboxp
 network-object host 192.168.100.4
 network-object host 192.168.100.72
 network-object host 192.168.100.70
 network-object host 192.168.100.214
 network-object host 192.168.100.168
object-group service ArmeecWebServer tcp
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq smtp
 port-object eq ssh
object-group service RDP tcp
 port-object eq 3389
object-group service Slackware tcp
 port-object eq 1194
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq ssh
object-group service OpenVPN tcp-udp
 port-object eq 1194
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service IpSec tcp
 port-object eq 10000
object-group network DM_INLINE_NETWORK_1
 network-object host trmsrvclr
 network-object host mailserver
 network-object host oracle
object-group network Administrators
 network-object host vladol
 network-object host lvl
 network-object host 192.168.100.135
 network-object host dk
 network-object host canka
 network-object host Ilian
 network-object host luboxp
 network-object host armserver
 network-object host archimed
 network-object host taniat
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
 network-object host XXX.XXX.XXX.XXX
object-group service VPN tcp
 port-object eq 10000
access-list Inside_nat_outbound extended permit ip object-group NAT_allowed_computers any
access-list Inside_access_in extended permit ip host vladol any log disable
access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0 <---------SITE B!
access-list Brokers_splitTunnelAcl standard permit host trmsrvclr
access-list Brokers_splitTunnelAcl standard permit host oracle
access-list Brokers_splitTunnelAcl standard permit host mailserver
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list Inside_nat_outbound_1 extended permit ip object-group NAT_allowed_computers any
access-list Outside_3_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.130.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0 <---------SITE B!
access-list Inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1 10.10.11.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 host 10.10.12.1
access-list Inside_nat0_outbound_1 extended permit ip 192.168.100.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list Inside_nat_static extended permit ip host vladol any
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq www
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group RDP
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq www
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group ArmeecWebServer
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group RDP
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group Slackware
access-list Outside_access_in extended permit object-group TCPUDP any host XXX.XXX.XXX.XXX object-group OpenVPN
access-list Outside_access_in remark Intech connection check
access-list Outside_access_in extended permit icmp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
access-list Outside_access_in extended permit icmp any object-group Administrators
access-list Outside_access_in extended permit ip any host XXX.XXX.XXX.XXX
access-list Outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group VPN
access-list web_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq www
access-list web_access_in_1 extended permit tcp any host XXX.XXX.XXX.XXX eq www
access-list Inside_nat_static_1 extended permit ip host mailserver any
access-list Inside_nat_static_2 extended permit ip host slack any
access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list Inside_nat_static_3 extended permit ip host taniat any
access-list Outside_2_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat_static_4 extended permit ip host dk any
access-list Outside_4_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0 <---------SITE B!
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vladol_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list vladol_splitTunnelAcl_1 standard permit 192.168.100.0 255.255.255.0
access-list Outside_5_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.170.0 255.255.255.0
pager lines 24
logging enable
logging asdm notifications
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool Brokers_pool 10.10.11.1-10.10.11.254 mask 255.255.255.0
ip local pool vladol 10.10.12.1 mask 255.255.255.255
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (Inside) 101 access-list Inside_nat_outbound_1
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp XXX.XXX.XXX.XXX 3389 trmsrvclr 3389 netmask 255.255.255.255
static (Inside,Outside) tcp XXX.XXX.XXX.XXX www tsm www netmask 255.255.255.255
static (Inside,Outside) tcp XXX.XXX.XXX.XXX 3389 oracle2 3389 netmask 255.255.255.255
static (Inside,Outside) tcp XXX.XXX.XXX.XXX www oracle2 www netmask 255.255.255.255
static (Inside,Outside) XXX.XXX.XXX.XXX  access-list Inside_nat_static
static (Inside,Outside) XXX.XXX.XXX.XXX  access-list Inside_nat_static_1
static (Inside,Outside) XXX.XXX.XXX.XXX  access-list Inside_nat_static_2
static (Inside,Outside) XXX.XXX.XXX.XXX  access-list Inside_nat_static_3
static (Inside,Outside) XXX.XXX.XXX.XXX  access-list Inside_nat_static_4
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server brokers protocol kerberos
aaa-server brokers (Inside) host tsm
 kerberos-realm ARMEEC
aaa-server kerbeos protocol kerberos
aaa-server kerbeos (Inside) host armserver
 kerberos-realm ARMEEC
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.100.168 255.255.255.255 Inside
http 10.10.12.1 255.255.255.255 Outside
http 10.10.12.1 255.255.255.255 Inside
http XXX.XXX.XXX.XXX 255.255.255.255 Outside
http XXX.XXX.XXX.XXX 255.255.255.255 Outside
http Ilian 255.255.255.255 Inside
http luboxp 255.255.255.255 Inside
http lvl 255.255.255.255 Inside
http XXX.XXX.XXX.XXX 255.255.255.255 Outside
http tsm 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
http vladol 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server community armeec
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Armeec Domain Network
auth-prompt accept Wellcome to Armeec Domain Network
auth-prompt reject Sorry your username or password are incorrect!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer Varnalkv
crypto map Outside_map 1 set transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set security-association lifetime seconds 86400
crypto map Outside_map 1 set security-association lifetime kilobytes 2147483647
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer XXX.XXX.XXX.XXX                
crypto map Outside_map 2 set transform-set ESP-AES-256-SHA
crypto map Outside_map 2 set security-association lifetime seconds 86400
crypto map Outside_map 2 set security-association lifetime kilobytes 2147483647
crypto map Outside_map 2 set nat-t-disable
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs
crypto map Outside_map 3 set peer Varna
crypto map Outside_map 3 set transform-set ESP-AES-256-SHA
crypto map Outside_map 3 set security-association lifetime seconds 86400
crypto map Outside_map 3 set security-association lifetime kilobytes 2147483647
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set pfs
crypto map Outside_map 4 set peer XXX.XXX.XXX.XXX                    <---------SITE B!        
crypto map Outside_map 4 set transform-set ESP-AES-256-SHA
crypto map Outside_map 4 set security-association lifetime seconds 86400
crypto map Outside_map 4 set security-association lifetime kilobytes 2147483647
crypto map Outside_map 4 set nat-t-disable
crypto map Outside_map 5 match address Outside_5_cryptomap
crypto map Outside_map 5 set pfs
crypto map Outside_map 5 set peer Gabrovo
crypto map Outside_map 5 set transform-set ESP-AES-256-SHA
crypto map Outside_map 5 set security-association lifetime seconds 86400
crypto map Outside_map 5 set security-association lifetime kilobytes 2147483647
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint1
 no client-types
 id-usage code-signer
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 fqdn ASA5540
 subject-name CN=ASA5540
 no client-types
 crl configure
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 40
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
telnet vladol 255.255.255.255 Inside
telnet 192.168.100.168 255.255.255.255 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh vladol 255.255.255.255 Inside
ssh luboxp 255.255.255.255 Inside
ssh 192.168.100.30 255.255.255.255 Inside
ssh 192.168.100.168 255.255.255.255 Inside
ssh 192.168.1.2 255.255.255.255 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
vpn load-balancing
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
ntp authenticate
ntp server 82.68.206.125 source Outside prefer
webvpn
 enable Outside
group-policy Brokers internal
group-policy Brokers attributes
 wins-server value 192.168.100.1
 dns-server value 192.168.100.1 192.168.100.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Brokers_splitTunnelAcl
 default-domain value ARMEEC
 address-pools value Brokers_pool
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.100.1
 dns-server value 192.168.100.1
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value ARMEEC
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 password-storage enable
 ipsec-udp enable
 split-tunnel-network-list value vpnclient_splitTunnelAcl
 address-pools value VPN_pool
group-policy vpnclient internal
group-policy vpnclient attributes
 wins-server value 192.168.100.1
 dns-server value 192.168.100.1 192.168.100.8
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnclient_splitTunnelAcl
 default-domain value armeec
 intercept-dhcp 255.255.255.0 enable
 msie-proxy method use-server
 msie-proxy local-bypass enable
 address-pools value VPN_pool
 webvpn
  url-list value helpdesk
group-policy vladol internal
group-policy vladol attributes
 wins-server value 192.168.100.8
 dns-server value 192.168.100.1 192.168.100.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vladol_splitTunnelAcl_1
 default-domain value armeec
username iiliev password XXXXXXXXXXXXXXXXXXX encrypted privilege 5
username capelle password XXXXXXXXXXXXXXXXXX encrypted privilege 5
username lyubenow password XXXXXXXXXXXXXXXXX encrypted privilege 5
username joro password XXXXXXXXXXXXXXXXX encrypted privilege 5
username administrator password XXXXXXXXXXXXXXXXX encrypted privilege 15
username vladol password XXXXXXXXXXXXXXXXXXX nt-encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_pool
 authentication-server-group kerbeos
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool VPN_pool
 authentication-server-group kerbeos
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
tunnel-group Brokers type remote-access
tunnel-group Brokers general-attributes
 address-pool Brokers_pool
 authentication-server-group kerbeos
 default-group-policy Brokers
tunnel-group Brokers ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l        <---------SITE B!
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
tunnel-group vladol type remote-access
tunnel-group vladol general-attributes
 address-pool vladol
 authentication-server-group kerbeos
 default-group-policy vladol
tunnel-group vladol ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.100.2
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
Accepted Solution

by:
lrmoore earned 500 total points
ID: 22741198
>crypto map Outside_map 4 set pfs
I don't see PFS set on the router side. Suggest disabling it on the ASA.


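The comparison lrmoore is doing by eye here (do the router's `crypto map vpnasa 13` and the ASA's `Outside_map 4` agree on PFS, transform set and a mirrored crypto ACL?) can be scripted so the same check runs on every tunnel pair. The following is an added example, not code from the thread or from Cisco: `IOS_CFG` and `ASA_CFG` are constructed excerpts of the two configs posted above with the peer addresses left as the poster's XXX placeholders, and the parser handles only the statement forms that appear in those excerpts (network/mask ACEs, `set pfs`, `set transform-set`, `match address`).

```python
"""Added example, not code from the thread: flag phase 2 mismatches between the
two ends of a Cisco site-to-site IPsec tunnel. IOS_CFG and ASA_CFG are constructed
excerpts of the router and ASA configs posted above (peers left redacted)."""
import re

IOS_CFG = """\
crypto ipsec transform-set transasa esp-aes 256 esp-sha-hmac
crypto map vpnasa 13 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set transasa
 match address INTTRAFFIC
ip access-list extended INTTRAFFIC
 permit ip 192.168.120.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
ASA_CFG = """\
access-list Outside_4_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.120.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map 4 match address Outside_4_cryptomap
crypto map Outside_map 4 set pfs
crypto map Outside_map 4 set peer XXX.XXX.XXX.XXX
crypto map Outside_map 4 set transform-set ESP-AES-256-SHA
"""

def wildcard_to_mask(wc):
    """IOS ACLs use wildcard bits, ASA ACLs use netmasks: 0.0.0.255 -> 255.255.255.0."""
    return ".".join(str(255 - int(o)) for o in wc.split("."))

def normalize_transform(spec):
    """IOS 'esp-aes 256 esp-sha-hmac' and ASA 'esp-aes-256 esp-sha-hmac' compare equal."""
    spec = re.sub(r"esp-aes (\d+)", r"esp-aes-\1", spec)
    return tuple(sorted("esp-aes-128" if t == "esp-aes" else t for t in spec.split()))

def transform_sets(cfg):
    """Name -> normalized cipher tuple; the ASA's '... mode transport' lines are skipped."""
    pat = r"^crypto ipsec transform-set (\S+) (?!mode )(.+)$"
    return {n: normalize_transform(s) for n, s in re.findall(pat, cfg, re.M)}

def new_entry(name):
    return {"name": name, "pfs": False, "transform": None, "acl": []}

def apply_map_line(entry, tok, ts, acls):
    """Fold one tokenized crypto map statement into its entry."""
    if tok[:2] == ["set", "pfs"]:
        entry["pfs"] = True
    elif tok[:2] == ["set", "transform-set"]:
        entry["transform"] = ts.get(tok[2])
    elif tok[:2] == ["match", "address"]:
        entry["acl"] = acls.get(tok[2], [])

def ios_phase2(cfg):
    """Router crypto map entries; IOS nests statements under an indented block."""
    ts, acls, entries = transform_sets(cfg), {}, []
    block = r"\n((?: .*\n)*)"  # the indented lines that follow a section header
    for name, body in re.findall(r"^ip access-list extended (\S+)" + block, cfg, re.M):
        acls[name] = [(t[2], wildcard_to_mask(t[3]), t[4], wildcard_to_mask(t[5]))
                      for t in (l.split() for l in body.splitlines()) if t[:2] == ["permit", "ip"]]
    for name, seq, body in re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp" + block, cfg, re.M):
        e = new_entry(f"{name} {seq}")
        for l in body.splitlines():
            apply_map_line(e, l.split(), ts, acls)
        entries.append(e)
    return entries

def asa_phase2(cfg):
    """ASA crypto map entries; the ASA writes each statement as a flat 'crypto map NAME SEQ ...' line."""
    ts, acls, entries = transform_sets(cfg), {}, {}
    pat = r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    for name, src, sm, dst, dm in re.findall(pat, cfg, re.M):
        acls.setdefault(name, []).append((src, sm, dst, dm))
    for name, seq, rest in re.findall(r"^crypto map (\S+) (\d+) (.+)$", cfg, re.M):
        e = entries.setdefault((name, seq), new_entry(f"{name} {seq}"))
        apply_map_line(e, rest.split(), ts, acls)
    return list(entries.values())

def mirrored(ios_acl, asa_acl):
    """Crypto ACLs must be exact mirrors: the router's src/dst is the ASA's dst/src."""
    return bool(ios_acl) and {(d, dm, s, sm) for s, sm, d, dm in ios_acl} == set(asa_acl)

def compare(ios_cfg, asa_cfg):
    """Return human-readable mismatches for each mirrored pair; an empty list means both ends agree."""
    findings, paired = [], False
    for r in ios_phase2(ios_cfg):
        for a in asa_phase2(asa_cfg):
            if not mirrored(r["acl"], a["acl"]):
                continue
            paired = True
            pair = f"{r['name']} / {a['name']}"
            if r["pfs"] != a["pfs"]:
                findings.append(f"{pair}: PFS mismatch (router set pfs={r['pfs']}, ASA set pfs={a['pfs']})")
            if r["transform"] != a["transform"]:
                findings.append(f"{pair}: transform-set mismatch {r['transform']} vs {a['transform']}")
    if not paired:
        findings.append("no router crypto ACL mirrors an ASA crypto ACL")
    return findings
```

Run against the two excerpts, `compare(IOS_CFG, ASA_CFG)` reports exactly the finding lrmoore spotted, the PFS mismatch, and returns an empty list once `set pfs` is removed from the ASA entry (or, equivalently, `set pfs` is added under the router's crypto map). A crypto ACL that is not an exact mirror is reported as well, since that is the other common reason one end will not negotiate a phase 2 SA when interesting traffic arrives from its side; ACEs written with `host` or `any` and the phase 1 ISAKMP policies are outside what this excerpt-level parser covers.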
Author Comment

by:lichahin
ID: 22741330
I removed it. I'll see if it works and I'll write back.
Thanks

Author Comment

by:lichahin
ID: 22755337
I guess this was the problem; now it works just fine. Thank you for your help.


Author Closing Comment

by:lichahin
ID: 31506628
Thanks!