Solved

Can't ping though Site-2-Site VPN Tunnel between ASA 5510 and 5505

Posted on 2008-10-23
1,832 Views
Last Modified: 2012-05-05
I have successfully established the VPN Tunnel between an ASA 5510 and an ASA 5505, but I can't pass any traffic through the tunnel. Please help, kind of in a hurry.
**********************

ASA 5510 - SANITIZED

**********************

asdm image disk0:/asdm-508.bin

asdm location 192.168.50.48 255.255.255.240 outside

no asdm history enable

: Saved

:

ASA Version 7.0(8) 

!

hostname ciscoasa

domain-name xxxxx.net

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address A.A.A.A 255.255.255.248 

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.5.150 255.255.255.0 

!

interface Ethernet0/2

 nameif DICOM

 security-level 100

 ip address 10.0.5.150 255.255.255.0 

!

interface Management0/0

 nameif management

 security-level 0

 ip address 192.168.1.1 255.255.255.0 

 management-only

!

ftp mode passive

same-security-traffic permit inter-interface

access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240 

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 

access-list remoteuser_splitTunnelAcl standard permit any 

access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.5.0 255.255.255.0 

access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DICOM 1500

mtu management 1500

ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0

icmp permit any outside

icmp permit any inside

icmp permit any DICOM

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

global (inside) 10 interface

global (DICOM) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

nat (DICOM) 0 access-list dicom_nat0_outbound

nat (DICOM) 10 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 A.A.A.A 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy remoteuser internal

group-policy remoteuser attributes

 dns-server value 24.93.41.127 24.93.41.128

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value remoteuser_splitTunnelAcl

 webvpn

group-policy MTECH internal

group-policy MTECH attributes

 vpn-tunnel-protocol IPSec 

 webvpn

username mtech password V6B59GRyHeAuo8yI encrypted privilege 0

username mtech attributes

 vpn-group-policy remoteuser

 webvpn

http server enable

http 192.168.5.0 255.255.255.0 inside

http 10.0.5.0 255.255.255.0 DICOM

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set pfs 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group remoteuser type ipsec-ra

tunnel-group remoteuser general-attributes

 address-pool remoteusers

 default-group-policy remoteuser

tunnel-group remoteuser ipsec-attributes

 pre-shared-key *

tunnel-group B.B.B.B type ipsec-l2l

tunnel-group B.B.B.B ipsec-attributes

 pre-shared-key *

telnet 192.168.5.0 255.255.255.0 inside

telnet 10.0.5.0 255.255.255.0 DICOM

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.5.20-192.168.5.25 inside

dhcpd address 10.0.5.50-10.0.5.60 DICOM

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd dns 207.191.50.10 207.191.1.10

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd auto_config inside

dhcpd enable management

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map global_policy

 class inspection_default

  inspect dns maximum-length 512 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

Cryptochecksum:52ec086e41aa78714800f8c454cbad7c

: end
 
 

********************

ASA 5505 - SANITIZED

********************

: Saved

:

ASA Version 7.2(3) 

!

hostname MTECH-ASA5505

domain-name xxxx.com

enable password MEYZflDSP3eDNoIU encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.15.1 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address A.A.A.A 255.255.255.248 

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd MEYZflDSP3eDNoIU encrypted

banner login Welcome to the XXXXXX Network

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns server-group DefaultDNS

 domain-name xxxx.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service Trixbox udp

 port-object range 10000 20000

 port-object range 5036 5036

 port-object range sip sip

object-group service TrixboxTCP tcp

 port-object range sip sip

 port-object range www www

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 172.20.0.0 255.255.254.0 

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip any 192.168.15.0 255.255.255.128 

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0 

access-list outside_2_cryptomap extended permit ip 192.168.15.0 255.255.255.0 172.20.0.0 255.255.254.0 

access-list outside_access_in extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 

access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0 

access-list outside_access_in extended permit tcp any interface outside eq www 

access-list outside_access_in extended permit tcp any interface outside eq https 

access-list outside_access_in extended permit tcp any interface outside eq ftp 

access-list outside_access_in extended permit udp any interface outside eq 3101 

access-list outside_access_in extended permit tcp any interface outside eq 3101 

access-list outside_access_in extended permit tcp any interface outside eq smtp 

access-list outside_access_in extended permit tcp any host x.x.x.x eq https 

access-list outside_access_in extended permit tcp any host y.y.y.y eq https 

access-list outside_access_in extended permit tcp any host z.z.z.z eq 5543 

access-list outside_access_in extended permit tcp any host z.z.z.z eq https 

access-list outside_access_in extended permit tcp any host y.y.y.y eq 10000 

access-list outside_access_in extended permit tcp any host w.w.w.w eq 10000 

access-list outside_access_in extended permit tcp any host y.y.y.y eq ssh 

access-list outside_access_in extended permit tcp any host w.w.w.w eq ssh 

access-list outside_access_in extended permit tcp any host x.x.x.x eq www 

access-list outside_access_in extended permit udp any host z.z.z.z object-group Trixbox 

access-list outside_access_in extended permit tcp any host x.x.x.x object-group TrixboxTCP 

access-list outside_access_in extended permit tcp any host x.x.x.x eq www 

access-list vpn_split_tunnel standard permit 192.168.15.0 255.255.255.0 

access-list egarcia_splitTunnelAcl standard permit any 

access-list outside_in extended permit tcp any interface outside eq https 

access-list outside_in extended permit tcp any interface outside eq www 

access-list hmasser_splitTunnelAcl standard permit any 

access-list vmasser_splitTunnelAcl standard permit any 

access-list outside_1_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0 

access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnclientpool 192.168.15.60-192.168.15.65 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 192.168.15.30 smtp netmask 255.255.255.255 

static (inside,outside) tcp interface www 192.168.15.30 www netmask 255.255.255.255 

static (inside,outside) tcp interface https 192.168.15.30 https netmask 255.255.255.255 

static (inside,outside) tcp interface ftp 192.168.15.30 ftp netmask 255.255.255.255 

static (inside,outside) udp interface 3101 192.168.15.30 3101 netmask 255.255.255.255 

static (inside,outside) tcp interface 3101 192.168.15.30 3101 netmask 255.255.255.255 

static (inside,outside) a.a.a.a 192.168.15.95 netmask 255.255.255.255 

static (inside,outside) b.b.b.b 192.168.15.96 netmask 255.255.255.255 

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 75.19.70.182 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.15.0 255.255.255.0 outside

http 192.168.15.0 255.255.255.0 inside

snmp-server host inside 192.168.15.240 community mtechsnmp

snmp-server host outside 192.168.15.240 community mtechsnmp

snmp-server location Data Center

no snmp-server contact

snmp-server community mtechsnmp

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 set pfs 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto dynamic-map outside_dyn_map 40 set pfs 

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set reverse-route

crypto dynamic-map outside_dyn_map 60 set pfs 

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set reverse-route

crypto dynamic-map outside_dyn_map 80 set pfs 

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 100 set pfs 

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 120 set pfs 

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 140 set pfs 

crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 160 set pfs 

crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 180 set pfs 

crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs 

crypto map outside_map 1 set peer a.a.a.a

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs 

crypto map outside_map 2 set peer a.a.a.a 

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs 

crypto map outside_map 3 set peer a.a.a.a

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.15.0 255.255.255.0 inside

telnet 192.168.15.0 255.255.255.0 outside

telnet timeout 5

ssh 192.168.15.0 255.255.255.0 inside

ssh 192.168.15.0 255.255.255.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 

!

service-policy global_policy global

group-policy egarcia internal

group-policy egarcia attributes

 dns-server value 192.168.15.30

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value vpn_split_tunnel

group-policy DfltGrpPolicy attributes

 banner value Welcome to the Masser Technologies VPN Network

 wins-server none

 dns-server none

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 3

 vpn-idle-timeout 30

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

 password-storage disable

 ip-comp disable

 re-xauth disable

 group-lock none

 pfs disable

 ipsec-udp disable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list value vpn_split_tunnel

 default-domain none

 split-dns none

 intercept-dhcp 255.255.255.255 disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem enable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools none

 smartcard-removal-disconnect enable

 client-firewall none

 client-access-rule none

 webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy hmasser internal

group-policy hmasser attributes

 dns-server value 192.168.15.30

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value vpn_split_tunnel

group-policy RestoreIT internal

group-policy RestoreIT attributes

 vpn-tunnel-protocol IPSec l2tp-ipsec 

 split-tunnel-policy tunnelall

 split-tunnel-network-list none

 default-domain none

 split-dns none

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout none

 ip-phone-bypass disable

 leap-bypass disable

 nem enable

group-policy vmasser internal

group-policy vmasser attributes

 dns-server value 192.168.15.30

 vpn-tunnel-protocol IPSec 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value vpn_split_tunnel

username user1 password 7fMghx1Qu1uKfopH encrypted privilege 0

username user1 attributes

 vpn-group-policy user1

username user2 password UR6H3WSGc3Yey/w6 encrypted privilege 0

username user2 attributes

 vpn-group-policy user2

username user3 password dj2cUCod9y4PQ7B. encrypted

username user3 attributes

 vpn-group-policy user3

 group-lock value user3

username user4 password FJ/fPC98CLzqISt9 encrypted privilege 0

username user4 attributes

 vpn-group-policy user4

tunnel-group A.A.A.A type ipsec-l2l

tunnel-group A.A.A.A ipsec-attributes

 pre-shared-key *

tunnel-group user5 type ipsec-ra

tunnel-group user5 general-attributes

 address-pool vpnclientpool

 default-group-policy user5

tunnel-group user5 ipsec-attributes

 pre-shared-key *

tunnel-group group1 type ipsec-ra

tunnel-group group1 general-attributes

 default-group-policy group1

tunnel-group group1 ipsec-attributes

 pre-shared-key *

 isakmp ikev1-user-authentication (outside) none

tunnel-group group3 type ipsec-ra

tunnel-group group3 general-attributes

 address-pool vpnclientpool

 default-group-policy group3

tunnel-group egarcia ipsec-attributes

 pre-shared-key *

tunnel-group group4 type ipsec-ra

tunnel-group group4 general-attributes

 address-pool vpnclientpool

 default-group-policy group4

tunnel-group group4 ipsec-attributes

 pre-shared-key *

tunnel-group A.A.A.A type ipsec-l2l

tunnel-group A.A.A.A  ipsec-attributes

 pre-shared-key *

tunnel-group B.B.B.B type ipsec-l2l

tunnel-group B.B.B.B ipsec-attributes

 pre-shared-key *

smtp-server 192.168.15.30

prompt hostname context 

Cryptochecksum:0c9b70033d5b3514a99e2bf9548e8d06

: end

asdm image disk0:/asdm-523.bin

no asdm history enable

Question by:hmassertech
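Both configs above contain the pieces that decide whether traffic can use an IPsec site-to-site tunnel once IKE is up: the crypto ACL that each side attaches with "match address" (the proxy IDs), and the "nat (ifc) 0 access-list" exemption that keeps that same traffic from being translated before encryption. The two crypto ACLs have to be exact mirrors of each other, and every proxy ID has to be covered by a NAT exemption on its own side. The script below is an added example, not part of the original question and not a Cisco tool: it parses only those line shapes out of an ASA 7.x config and reports proxy IDs the peer does not mirror and proxy IDs that NAT would still rewrite. The sample inputs are excerpts of the two sanitized configs posted above plus a constructed, deliberately mismatched variant of the 5505 side (a /25 crypto ACL and a NAT exemption for the wrong destination) so that a finding is visible; the function names, the excerpt constants and the broken variant are all assumptions of this example.

```python
"""Added example, not from the original post and not a Cisco tool: a static
check that two ASA 7.x configs define mirror-image crypto ACLs for an IPsec
site-to-site tunnel and that every crypto proxy ID is also exempt from NAT
via 'nat (ifc) 0 access-list'. It understands only three line shapes:
  access-list NAME extended permit ip SRC DST
  crypto map|dynamic-map NAME SEQ match address NAME
  nat (IFC) 0 access-list NAME
Everything else in the config is ignored.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Return (proxy_ids, nat_exempt): two sets of (src_net, dst_net) pairs."""
    acls, crypto_acl_names, nat0_acl_names = {}, set(), set()
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            src, dst = _take_addr(rest), _take_addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif len(t) >= 7 and t[0] == "crypto" and t[4:6] == ["match", "address"]:
            crypto_acl_names.add(t[6])          # static or dynamic crypto map entry
        elif len(t) >= 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0_acl_names.add(t[4])            # NAT exemption (identity NAT) ACL
    proxy_ids = {p for n in crypto_acl_names for p in acls.get(n, [])}
    nat_exempt = {p for n in nat0_acl_names for p in acls.get(n, [])}
    return proxy_ids, nat_exempt


def _covered(pair, exemptions):
    """True if some exemption entry contains both ends of the proxy ID."""
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exemptions)


def check_l2l(cfg_a, cfg_b):
    """Proxy IDs the peer fails to mirror, and proxy IDs NAT would still rewrite."""
    pa, na = parse_config(cfg_a)
    pb, nb = parse_config(cfg_b)
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return {
        "unmirrored_a": sorted(fmt(p) for p in pa if (p[1], p[0]) not in pb),
        "unmirrored_b": sorted(fmt(p) for p in pb if (p[1], p[0]) not in pa),
        "not_exempt_a": sorted(fmt(p) for p in pa if not _covered(p, na)),
        "not_exempt_b": sorted(fmt(p) for p in pb if not _covered(p, nb)),
    }


# Excerpts of the sanitized configs posted in the question (only the lines
# that matter for the 192.168.5.0/24 <-> 192.168.15.0/24 tunnel).
ASA5510_EXCERPT = """
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list remoteuser_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
"""

ASA5505_EXCERPT = """
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 3 match address outside_3_cryptomap
"""

# Constructed variant of the 5505 side with two classic mistakes: the crypto
# ACL uses a /25 instead of /24, and the NAT exemption names another destination.
ASA5505_BROKEN = """
access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.128 192.168.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 3 match address outside_3_cryptomap
"""

if __name__ == "__main__":
    print("posted configs:", check_l2l(ASA5510_EXCERPT, ASA5505_EXCERPT))
    print("broken variant:", check_l2l(ASA5510_EXCERPT, ASA5505_BROKEN))
```

Run against the posted excerpts the checker reports nothing, which says only that the proxy IDs and NAT exemptions are consistent on both sides; it does not inspect crypto-map peers, tunnel-group keys, interface ACLs or the ICMP/inspection settings, so an empty report narrows the search rather than ending it. The broken variant shows the two findings a mask or exemption mistake produces.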
3 Comments
 

Author Comment

by:hmassertech
ID: 22789489
I tried to ping from source to destination and vice versa, as well as to establish Remote Desktop Connections, but can't seem to get anything through... I see the requests in the logs come through, but then it tears down the TCP package.... Must be something simple, but I am missing it....
 

Accepted Solution

by:
hmassertech earned 0 total points
ID: 22791598
I figured it out. It is working now.

Expert Comment

by:orci
ID: 23496345
What was the solution?
