Comptx
asked on
ASA 5505 experts, please help. VPN problem - Time Sensitive
hi all,
i installed an asa 5505 then created VPNs to 2 different sites, one work, and one doesnt.
The one that doesnt work, only works one-way.
here is the info that could help you, help me.
ASA site info:external ip 64.*.*.22
internal 10.3.3.1
Remote site external IP: 208.*.*.163
internal ip 10.1.1.1
Dont know why it works with 1, but no the other.. not sure what im missing in the config.
I would like to get this resolved as soon as posible, one site down :(
ASA running conf:
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name *
enable password u1N2uiTOMgtVzzpC encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.*.*.22 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name *
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 208.*.*.163 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.*.*.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 208.*.*.163 255.255.255.255 outside
http 10.1.1.0 255.255.255.255 inside
http 10.0.0.0 255.255.255.255 inside
http 67.*.*.34 255.255.255.255 outside
http 208.*.*.242 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.49.31.242
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 208.*.*.163
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username admin password X4zeva05OugtPWs0 encrypted
tunnel-group 208.*.*.242 type ipsec-l2l
tunnel-group 208.*.*.242 ipsec-attributes
pre-shared-key *
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d57c7a87f1b 00e1626440 59a0ed948c e
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
i installed an asa 5505 then created VPNs to 2 different sites, one work, and one doesnt.
The one that doesnt work, only works one-way.
here is the info that could help you, help me.
ASA site info:external ip 64.*.*.22
internal 10.3.3.1
Remote site external IP: 208.*.*.163
internal ip 10.1.1.1
Dont know why it works with 1, but no the other.. not sure what im missing in the config.
I would like to get this resolved as soon as posible, one site down :(
ASA running conf:
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name *
enable password u1N2uiTOMgtVzzpC encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.*.*.22 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name *
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 208.*.*.163 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.*.*.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 208.*.*.163 255.255.255.255 outside
http 10.1.1.0 255.255.255.255 inside
http 10.0.0.0 255.255.255.255 inside
http 67.*.*.34 255.255.255.255 outside
http 208.*.*.242 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.49.31.242
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 208.*.*.163
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username admin password X4zeva05OugtPWs0 encrypted
tunnel-group 208.*.*.242 type ipsec-l2l
tunnel-group 208.*.*.242 ipsec-attributes
pre-shared-key *
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d57c7a87f1b
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The message makes it appear that the IKE policies are slightly off, though if the tunnel is active, it is not likely. Verify the IKE policies are the same on both ends and also try removing the nat-t-disable option in the second sequence for the outside map.
no crypto map outside_map 2 set nat-t-disable
no crypto map outside_map 2 set nat-t-disable
ASKER
ok, tried the no crypto map outside_map 2 set nat-t-disable command, but still no traffic flows. Seems the settings are the same both ends.
ASKER
Well, now that the VPN shows active between sites, theres no longer 1-way traffic. now theres no traffic at all.
ASKER
getting this now again.
3 Apr 30 2009 08:05:21 713902 Group = 208.*.*.242, IP = 208.*.*.242, QM FSM error (P2 struct &0x3cf0a50, mess id 0xbe21b51b)!
1 Apr 30 2009 08:05:21 713900 Group = 208.*.*.242, IP = 208.*.*.242, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3 Apr 30 2009 08:05:21 713902 Group = 208.*.*.242, IP = 208.*.*.242, Removing peer from correlator table failed, no match!
5 Apr 30 2009 08:05:23 713041 Group = 208.*.*.242, IP = 208.*.*.242, IKE Initiator: New Phase 2, Intf inside, IKE Peer 208.49.31.242 local Proxy Address 10.3.3.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map)
5 Apr 30 2009 08:05:23 713068 Group = 208.*.*.242, IP = 208.*.*.242, Received non-routine Notify message: Invalid ID info (18)
3 Apr 30 2009 08:05:21 713902 Group = 208.*.*.242, IP = 208.*.*.242, QM FSM error (P2 struct &0x3cf0a50, mess id 0xbe21b51b)!
1 Apr 30 2009 08:05:21 713900 Group = 208.*.*.242, IP = 208.*.*.242, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3 Apr 30 2009 08:05:21 713902 Group = 208.*.*.242, IP = 208.*.*.242, Removing peer from correlator table failed, no match!
5 Apr 30 2009 08:05:23 713041 Group = 208.*.*.242, IP = 208.*.*.242, IKE Initiator: New Phase 2, Intf inside, IKE Peer 208.49.31.242 local Proxy Address 10.3.3.0, remote Proxy Address 10.1.1.0, Crypto map (outside_map)
5 Apr 30 2009 08:05:23 713068 Group = 208.*.*.242, IP = 208.*.*.242, Received non-routine Notify message: Invalid ID info (18)
Can you post the config from both sides (local and remote).
ASKER
I can post you the ASA one, the other side is a SonicWall 2040Pro that already had the VPN before. (i changed old vpn router for the asa)
Also, the asa also connets to the main site's SonicWall, and that sonic wall has the same settings as the sonicwall in remote that is failing to connect.
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name *
enable password u1N2uiTOMgtVzzpC encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.*.*.22 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name *
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 208.*.*.163 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.*.*.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 208.*.*.163 255.255.255.255 outside
http 10.1.1.0 255.255.255.255 inside
http 10.0.0.0 255.255.255.255 inside
http 67.*.*.34 255.255.255.255 outside
http 208.*.*.242 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.*.*.242
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 208.*.*.163
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set phase1-mode aggressive group1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username admin password X4zeva05OugtPWs0 encrypted
tunnel-group 208.*.*.242 type ipsec-l2l
tunnel-group 208.*.*.242 ipsec-attributes
pre-shared-key *
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a809eb91781 8b64409165 53f97aeb68 c
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
Also, the asa also connets to the main site's SonicWall, and that sonic wall has the same settings as the sonicwall in remote that is failing to connect.
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name *
enable password u1N2uiTOMgtVzzpC encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.3.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.*.*.22 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name *
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list outside_1_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.1
access-list outside_1_cryptomap extended permit ip host 208.*.*.163 host 64.*.*.22
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.242
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 64.*.*.22 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 host 208.*.*.163
access-list inside_nat0_outbound extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 host 64.*.*.22
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 64.*.*.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 208.*.*.163 255.255.255.255 outside
http 10.1.1.0 255.255.255.255 inside
http 10.0.0.0 255.255.255.255 inside
http 67.*.*.34 255.255.255.255 outside
http 208.*.*.242 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.*.*.242
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 208.*.*.163
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map 2 set phase1-mode aggressive group1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username admin password X4zeva05OugtPWs0 encrypted
tunnel-group 208.*.*.242 type ipsec-l2l
tunnel-group 208.*.*.242 ipsec-attributes
pre-shared-key *
tunnel-group 208.*.*.163 type ipsec-l2l
tunnel-group 208.*.*.163 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:a809eb91781
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sometimes, with Cisco to <Other Vendor> configurations for VPN, the sequence number of the Crypto Map makes a difference. In one such experience I've had, the NetGear unit wanted to be Crypto Map sequence number 1 or it wouldn't work.
Unfortunately, in order to test this with your setup, you'll have to take down the other tunnel.
Unfortunately, in order to test this with your setup, you'll have to take down the other tunnel.
ASKER
JF, once again, Thanks alot.
After removing those entries that you told me, traffic started flowing both ways.
I saw this in log tho, and has both my internal ips on it..
6 Apr 30 2009 08:32:50 106015 10.0.0.23 10.3.3.57 Deny TCP (no connection) from 10.0.0.23/80 to 10.3.3.57/1672 flags RST on interface outside
Why would it be denying traffic like that?
After removing those entries that you told me, traffic started flowing both ways.
I saw this in log tho, and has both my internal ips on it..
6 Apr 30 2009 08:32:50 106015 10.0.0.23 10.3.3.57 Deny TCP (no connection) from 10.0.0.23/80 to 10.3.3.57/1672 flags RST on interface outside
Why would it be denying traffic like that?
This is most likely a normal teardown log message. Are you able to access 10.0.0.23 on port 80?
ASKER
Ah well, i guess its fine, nothing important from .23 to go to the ASA site.
Thanks alot!!
Thanks alot!!
ASKER
access-list outside_2_cryptomap extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
no access-list outside_2_cryptomap extended permit ip host 64.*.*.22 host 208.*.*.163
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
And now the vpn tunnel is established!!
But...
Cannot rdp, or do anything from the remote to the ASA, here is what i get when i try.
3 Apr 30 2009 07:29:16 713042 IKE Initiator unable to find policy: Intf outside, Src: 10.3.3.54, Dst: 10.1.1.104
We're getting there!!