Solved

Can't ping through Site-2-Site VPN Tunnel between ASA 5510 and 5505

Posted on 2008-10-23
Last Modified: 2012-05-05
I have successfully established the VPN Tunnel between an ASA 5510 and an ASA 5505, but I can't pass any traffic through the tunnel. Please help, kind of in a hurry.
**********************
ASA 5510 - SANITIZED
**********************
asdm image disk0:/asdm-508.bin
asdm location 192.168.50.48 255.255.255.240 outside
no asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.150 255.255.255.0 
!
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list remoteuser_splitTunnelAcl standard permit any 
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (DICOM) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 0 access-list dicom_nat0_outbound
nat (DICOM) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 A.A.A.A 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value 24.93.41.127 24.93.41.128
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
 webvpn
group-policy MTECH internal
group-policy MTECH attributes
 vpn-tunnel-protocol IPSec 
 webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
 webvpn
http server enable
http 192.168.5.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteuser type ipsec-ra
tunnel-group remoteuser general-attributes
 address-pool remoteusers
 default-group-policy remoteuser
tunnel-group remoteuser ipsec-attributes
 pre-shared-key *
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 pre-shared-key *
telnet 192.168.5.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.20-192.168.5.25 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 207.191.50.10 207.191.1.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:52ec086e41aa78714800f8c454cbad7c
: end
 
 
********************
ASA 5505 - SANITIZED
********************
: Saved
:
ASA Version 7.2(3) 
!
hostname MTECH-ASA5505
domain-name xxxx.com
enable password MEYZflDSP3eDNoIU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd MEYZflDSP3eDNoIU encrypted
banner login Welcome to the XXXXXX Network
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name xxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Trixbox udp
 port-object range 10000 20000
 port-object range 5036 5036
 port-object range sip sip
object-group service TrixboxTCP tcp
 port-object range sip sip
 port-object range www www
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 172.20.0.0 255.255.254.0 
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.15.0 255.255.255.128 
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_2_cryptomap extended permit ip 192.168.15.0 255.255.255.0 172.20.0.0 255.255.254.0 
access-list outside_access_in extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq ftp 
access-list outside_access_in extended permit udp any interface outside eq 3101 
access-list outside_access_in extended permit tcp any interface outside eq 3101 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any host x.x.x.x eq https 
access-list outside_access_in extended permit tcp any host y.y.y.y eq https 
access-list outside_access_in extended permit tcp any host z.z.z.z eq 5543 
access-list outside_access_in extended permit tcp any host z.z.z.z eq https 
access-list outside_access_in extended permit tcp any host y.y.y.y eq 10000 
access-list outside_access_in extended permit tcp any host w.w.w.w eq 10000 
access-list outside_access_in extended permit tcp any host y.y.y.y eq ssh 
access-list outside_access_in extended permit tcp any host w.w.w.w eq ssh 
access-list outside_access_in extended permit tcp any host x.x.x.x eq www 
access-list outside_access_in extended permit udp any host z.z.z.z object-group Trixbox 
access-list outside_access_in extended permit tcp any host x.x.x.x object-group TrixboxTCP 
access-list outside_access_in extended permit tcp any host x.x.x.x eq www 
access-list vpn_split_tunnel standard permit 192.168.15.0 255.255.255.0 
access-list egarcia_splitTunnelAcl standard permit any 
access-list outside_in extended permit tcp any interface outside eq https 
access-list outside_in extended permit tcp any interface outside eq www 
access-list hmasser_splitTunnelAcl standard permit any 
access-list vmasser_splitTunnelAcl standard permit any 
access-list outside_1_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnclientpool 192.168.15.60-192.168.15.65 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.15.30 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.15.30 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.15.30 https netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.15.30 ftp netmask 255.255.255.255 
static (inside,outside) udp interface 3101 192.168.15.30 3101 netmask 255.255.255.255 
static (inside,outside) tcp interface 3101 192.168.15.30 3101 netmask 255.255.255.255 
static (inside,outside) a.a.a.a 192.168.15.95 netmask 255.255.255.255 
static (inside,outside) b.b.b.b 192.168.15.96 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.19.70.182 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.15.0 255.255.255.0 outside
http 192.168.15.0 255.255.255.0 inside
snmp-server host inside 192.168.15.240 community mtechsnmp
snmp-server host outside 192.168.15.240 community mtechsnmp
snmp-server location Data Center
no snmp-server contact
snmp-server community mtechsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs 
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs 
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs 
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs 
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs 
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer a.a.a.a
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer a.a.a.a 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs 
crypto map outside_map 3 set peer a.a.a.a
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.15.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.15.0 255.255.255.0 inside
ssh 192.168.15.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy egarcia internal
group-policy egarcia attributes
 dns-server value 192.168.15.30
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel
group-policy DfltGrpPolicy attributes
 banner value Welcome to the Masser Technologies VPN Network
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list value vpn_split_tunnel
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy hmasser internal
group-policy hmasser attributes
 dns-server value 192.168.15.30
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel
group-policy RestoreIT internal
group-policy RestoreIT attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
group-policy vmasser internal
group-policy vmasser attributes
 dns-server value 192.168.15.30
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_split_tunnel
username user1 password 7fMghx1Qu1uKfopH encrypted privilege 0
username user1 attributes
 vpn-group-policy user1
username user2 password UR6H3WSGc3Yey/w6 encrypted privilege 0
username user2 attributes
 vpn-group-policy user2
username user3 password dj2cUCod9y4PQ7B. encrypted
username user3 attributes
 vpn-group-policy user3
 group-lock value user3
username user4 password FJ/fPC98CLzqISt9 encrypted privilege 0
username user4 attributes
 vpn-group-policy user4
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A ipsec-attributes
 pre-shared-key *
tunnel-group user5 type ipsec-ra
tunnel-group user5 general-attributes
 address-pool vpnclientpool
 default-group-policy user5
tunnel-group user5 ipsec-attributes
 pre-shared-key *
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
 default-group-policy group1
tunnel-group group1 ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication (outside) none
tunnel-group group3 type ipsec-ra
tunnel-group group3 general-attributes
 address-pool vpnclientpool
 default-group-policy group3
tunnel-group egarcia ipsec-attributes
 pre-shared-key *
tunnel-group group4 type ipsec-ra
tunnel-group group4 general-attributes
 address-pool vpnclientpool
 default-group-policy group4
tunnel-group group4 ipsec-attributes
 pre-shared-key *
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A  ipsec-attributes
 pre-shared-key *
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 pre-shared-key *
smtp-server 192.168.15.30
prompt hostname context 
Cryptochecksum:0c9b70033d5b3514a99e2bf9548e8d06
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

Question by:hmassertech
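A quick way to cross-check the two configs posted above for the usual "tunnel is up but nothing passes" causes is to compare their traffic selectors mechanically. The script below is an added example, not code from the original post or from Cisco: it parses the crypto ACLs, the static and dynamic crypto-map entries that reference them, and the nat 0 exemption ACLs, then checks that each selector has a mirror image on the far side, is NAT-exempt, and is reachable from a static (initiating) crypto map. The two config excerpts embedded in it are constructed from the sanitized 5510 and 5505 configs in the question; the peer address a.a.a.a is the placeholder the poster used.

```python
"""Cross-check the traffic selectors of an ASA site-to-site VPN pair.

Parses the config lines that decide whether a packet is sent into an
IPsec L2L tunnel (crypto ACLs, the static/dynamic crypto-map entries
that reference them, and the nat 0 exemption ACLs) and reports the
mismatches that commonly leave a tunnel "established" with no traffic
passing.  The excerpts below are constructed from the sanitized
5510/5505 configs in the question; peer addresses are placeholders.
"""
import ipaddress

# Constructed excerpt of the ASA 5510 config posted above.
ASA5510 = """\
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

# Constructed excerpt of the ASA 5505 config posted above (peer sanitized).
ASA5505 = """\
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer a.a.a.a
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""


def _take_net(tokens):
    """Consume one ACL address term (any | host A | A MASK) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_asa(text):
    """Collect ACL entries, nat 0 bindings and crypto-map selectors from config text."""
    cfg = {"acls": {}, "nat0": [], "static": {}, "dynamic": []}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            src = _take_net(rest)
            dst = _take_net(rest)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif len(t) == 5 and t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].append(t[4])                      # nat (ifc) 0 access-list NAME
        elif len(t) == 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["static"].setdefault((t[2], t[3]), {})["acl"] = t[6]
        elif len(t) == 7 and t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cfg["static"].setdefault((t[2], t[3]), {})["peer"] = t[6]
        elif len(t) == 7 and t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["match", "address"]:
            cfg["dynamic"].append(t[6])
    return cfg


def crypto_selectors(cfg):
    """Yield (src, dst, kind) for every selector a crypto map would encrypt."""
    for entry in cfg["static"].values():
        for src, dst in cfg["acls"].get(entry.get("acl"), []):
            yield src, dst, "static"
    for acl in cfg["dynamic"]:
        for src, dst in cfg["acls"].get(acl, []):
            yield src, dst, "dynamic"


def nat0_covers(cfg, src, dst):
    """True if some nat 0 exemption ACL entry covers the src->dst pair."""
    return any(src.subnet_of(s) and dst.subnet_of(d)
               for acl in cfg["nat0"] for s, d in cfg["acls"].get(acl, []))


def check_pair(name_a, cfg_a, name_b, cfg_b):
    """Findings for side a's selectors, checked against side b."""
    findings = []
    mirrors = {(d, s) for s, d, _ in crypto_selectors(cfg_b)}
    for src, dst, kind in crypto_selectors(cfg_a):
        if (src, dst) not in mirrors:
            findings.append(f"{name_a}: {src}->{dst} has no mirror-image crypto ACL entry on {name_b}")
        if not nat0_covers(cfg_a, src, dst):
            findings.append(f"{name_a}: {src}->{dst} is not in a nat 0 exemption ACL, "
                            "so it is translated before the crypto ACL is checked")
        if kind == "dynamic":
            findings.append(f"{name_a}: {src}->{dst} is matched only by a dynamic crypto map, "
                            f"so {name_a} can accept but never initiate this tunnel")
    return findings


def audit(name_a, text_a, name_b, text_b):
    """Run the checks in both directions and return the combined findings."""
    cfg_a, cfg_b = parse_asa(text_a), parse_asa(text_b)
    return check_pair(name_a, cfg_a, name_b, cfg_b) + check_pair(name_b, cfg_b, name_a, cfg_a)


if __name__ == "__main__":
    for line in audit("asa5510", ASA5510, "asa5505", ASA5505) or ["no selector mismatches found"]:
        print(line)
```

Run against the excerpts as posted, the selectors mirror each other and both sides are NAT-exempt; the only finding is that the 5510 protects 192.168.5.0/24 to 192.168.15.0/24 solely through a dynamic crypto map, which can accept a negotiation from the 5505 but cannot bring the tunnel up itself. The thread never says what the actual fix was, so treat that as a caveat to verify on the real boxes, not as the answer.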
3 Comments
 

Author Comment

by:hmassertech
ID: 22789489
I tried to ping from source to destination and vice-versa as well as to establish Remote Desktop Connections but can't seem to get anything through... I see the requests on the logs come through but then it tears down the TCP Package.... Must be something simple, but I am missing it....
0
 

Accepted Solution

by:
hmassertech earned 0 total points
ID: 22791598
I figured it out. It is working now.
0
 
LVL 1

Expert Comment

by:orci
ID: 23496345
What was the solution?
0
