hmassertech
asked on
Can't ping through Site-to-Site VPN Tunnel between ASA 5510 and 5505
I have successfully established the VPN tunnel between an ASA 5510 and an ASA 5505, but I can't pass any traffic through the tunnel. Please help, I'm kind of in a hurry.
**********************
ASA 5510 - SANITIZED
**********************
asdm image disk0:/asdm-508.bin
asdm location 192.168.50.48 255.255.255.240 outside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.150 255.255.255.0
!
interface Ethernet0/2
nameif DICOM
security-level 100
ip address 10.0.5.150 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list remoteuser_splitTunnelAcl standard permit any
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (DICOM) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 0 access-list dicom_nat0_outbound
nat (DICOM) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 A.A.A.A 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
dns-server value 24.93.41.127 24.93.41.128
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remoteuser_splitTunnelAcl
webvpn
group-policy MTECH internal
group-policy MTECH attributes
vpn-tunnel-protocol IPSec
webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
vpn-group-policy remoteuser
webvpn
http server enable
http 192.168.5.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
address-pool remoteusers
default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
pre-shared-key *
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
pre-shared-key *
telnet 192.168.5.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.20-192.168.5.25 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 207.191.50.10 207.191.1.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:52ec086e41aa78714800f8c454cbad7c
: end
********************
ASA 5505 - SANITIZED
********************
: Saved
:
ASA Version 7.2(3)
!
hostname MTECH-ASA5505
domain-name xxxx.com
enable password MEYZflDSP3eDNoIU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address A.A.A.A 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd MEYZflDSP3eDNoIU encrypted
banner login Welcome to the XXXXXX Network
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name xxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Trixbox udp
port-object range 10000 20000
port-object range 5036 5036
port-object range sip sip
object-group service TrixboxTCP tcp
port-object range sip sip
port-object range www www
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 172.20.0.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.15.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.15.0 255.255.255.0 172.20.0.0 255.255.254.0
access-list outside_access_in extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit udp any interface outside eq 3101
access-list outside_access_in extended permit tcp any interface outside eq 3101
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any host x.x.x.x eq https
access-list outside_access_in extended permit tcp any host y.y.y.y eq https
access-list outside_access_in extended permit tcp any host z.z.z.z eq 5543
access-list outside_access_in extended permit tcp any host z.z.z.z eq https
access-list outside_access_in extended permit tcp any host y.y.y.y eq 10000
access-list outside_access_in extended permit tcp any host w.w.w.w eq 10000
access-list outside_access_in extended permit tcp any host y.y.y.y eq ssh
access-list outside_access_in extended permit tcp any host w.w.w.w eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit udp any host z.z.z.z object-group Trixbox
access-list outside_access_in extended permit tcp any host x.x.x.x object-group TrixboxTCP
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list vpn_split_tunnel standard permit 192.168.15.0 255.255.255.0
access-list egarcia_splitTunnelAcl standard permit any
access-list outside_in extended permit tcp any interface outside eq https
access-list outside_in extended permit tcp any interface outside eq www
access-list hmasser_splitTunnelAcl standard permit any
access-list vmasser_splitTunnelAcl standard permit any
access-list outside_1_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclientpool 192.168.15.60-192.168.15.65 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.15.30 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.15.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.15.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.15.30 ftp netmask 255.255.255.255
static (inside,outside) udp interface 3101 192.168.15.30 3101 netmask 255.255.255.255
static (inside,outside) tcp interface 3101 192.168.15.30 3101 netmask 255.255.255.255
static (inside,outside) a.a.a.a 192.168.15.95 netmask 255.255.255.255
static (inside,outside) b.b.b.b 192.168.15.96 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.19.70.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.15.0 255.255.255.0 outside
http 192.168.15.0 255.255.255.0 inside
snmp-server host inside 192.168.15.240 community mtechsnmp
snmp-server host outside 192.168.15.240 community mtechsnmp
snmp-server location Data Center
no snmp-server contact
snmp-server community mtechsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer a.a.a.a
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer a.a.a.a
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.15.0 255.255.255.0 inside
ssh 192.168.15.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy egarcia internal
group-policy egarcia attributes
dns-server value 192.168.15.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split_tunnel
group-policy DfltGrpPolicy attributes
banner value Welcome to the Masser Technologies VPN Network
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list value vpn_split_tunnel
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy hmasser internal
group-policy hmasser attributes
dns-server value 192.168.15.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split_tunnel
group-policy RestoreIT internal
group-policy RestoreIT attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
group-policy vmasser internal
group-policy vmasser attributes
dns-server value 192.168.15.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_split_tunnel
username user1 password 7fMghx1Qu1uKfopH encrypted privilege 0
username user1 attributes
vpn-group-policy user1
username user2 password UR6H3WSGc3Yey/w6 encrypted privilege 0
username user2 attributes
vpn-group-policy user2
username user3 password dj2cUCod9y4PQ7B. encrypted
username user3 attributes
vpn-group-policy user3
group-lock value user3
username user4 password FJ/fPC98CLzqISt9 encrypted privilege 0
username user4 attributes
vpn-group-policy user4
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *
tunnel-group user5 type ipsec-ra
tunnel-group user5 general-attributes
address-pool vpnclientpool
default-group-policy user5
tunnel-group user5 ipsec-attributes
pre-shared-key *
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
default-group-policy group1
tunnel-group group1 ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside) none
tunnel-group group3 type ipsec-ra
tunnel-group group3 general-attributes
address-pool vpnclientpool
default-group-policy group3
tunnel-group egarcia ipsec-attributes
pre-shared-key *
tunnel-group group4 type ipsec-ra
tunnel-group group4 general-attributes
address-pool vpnclientpool
default-group-policy group4
tunnel-group group4 ipsec-attributes
pre-shared-key *
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
pre-shared-key *
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
pre-shared-key *
smtp-server 192.168.15.30
prompt hostname context
Cryptochecksum:0c9b70033d5b3514a99e2bf9548e8d06
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
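An added check, not part of the original post: when a tunnel negotiates but carries no traffic, the two things to verify first are that the crypto ACLs on both ASAs are exact mirror images and that each side has a nat 0 (NAT exemption) entry covering the tunnelled networks. This script parses the relevant lines excerpted from the two configs above and reports any ACE that lacks a mirror on the peer or a covering NAT exemption; the only assumption is that the excerpts are the lines that matter for this L2L pair.

```python
from ipaddress import IPv4Network
# Excerpts of the two configs posted above: crypto ACLs, nat 0 ACLs and the crypto map bindings.
ASA5510 = """
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""
ASA5505 = """
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 3 match address outside_3_cryptomap
"""

def endpoint(toks):
    """Consume one ACE endpoint: 'any', 'host A', or 'A MASK'."""
    t = toks.pop(0)
    if t == "any":
        return IPv4Network("0.0.0.0/0")
    if t == "host":
        return IPv4Network(toks.pop(0) + "/32")
    return IPv4Network(t + "/" + toks.pop(0))

def parse(cfg):
    """Return (acls, crypto ACL names, nat 0 ACL names) from ASA config text."""
    acls, crypto, nat0 = {}, set(), set()
    for line in cfg.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            acls.setdefault(t[1], []).append((endpoint(rest), endpoint(rest)))
        elif t[:1] == ["crypto"] and "match" in t and "address" in t:
            crypto.add(t[-1])  # ACL bound to a (dynamic) crypto map entry
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.add(t[4])  # NAT exemption ACL
    return acls, crypto, nat0

def pairs(acls, names):
    return [p for n in names for p in acls.get(n, [])]

def check(local_cfg, remote_cfg):
    """Findings for the local side: each crypto ACE needs a mirrored peer ACE and a nat 0 match."""
    acls, crypto, nat0 = parse(local_cfg)
    racls, rcrypto, _ = parse(remote_cfg)
    remote = pairs(racls, rcrypto)
    exempt = pairs(acls, nat0)
    findings = []
    for src, dst in pairs(acls, crypto):
        if (dst, src) not in remote:
            findings.append(f"no mirror ACE on peer for {src} -> {dst}")
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
            findings.append(f"no nat 0 exemption covering {src} -> {dst}")
    return findings
```

Run `check(ASA5510, ASA5505)` and `check(ASA5505, ASA5510)`; an empty list from both means the crypto ACLs and NAT exemptions posted above are consistent and the fault lies elsewhere (the crypto map binding, interface ACLs, or ICMP through the tunnel).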