allegroconmolto
asked on
Cisco ASA L2L VPN Not Initializing
We have a new Cisco ASA5510 plugged into a new ISP. It is replacing a Cisco 871 on an old ISP. The old 871 has two site-to-site VPN tunnels with a client that need to be moved over to the ASA.
I have not communicated with the far-end yet to move the tunnel. I want to do as much testing as possible on our end first. I am concerned because I have issued the following commands:
asa# debug crypto ipsec 255
asa# debug crypto isakmp 255
asa# debug crypto engine 255
asa# ping 10.217.61.1
Sending 5, 100-byte ICMP Echos to 10.217.61.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
I would expect the ping to fail because the far-end has not configured the tunnel. My concern is that I see no ISAKMP or IPSEC debug output whatsoever. I would expect to see the ASA attempt to initialize the tunnel, and then fail. The fact that I'm not seeing this makes me think I might have missed some options in the config.
192.168.2.0 is our network. 10.217.0.0 is their network, specifically 10.217.60-63 and 10.217.70-72.
Any ideas?
asdm image disk0:/asdm-508.bin
asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname asa
domain-name xxx.local
enable password *** encrypted
passwd *** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.30.60.54 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.253 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
access-list outside_access_in remark Allow ICMP replies
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Allow ICMP traceroutes
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any host xxx.30.62.161 eq pptp
access-list outside_access_in extended permit gre any host xxx.30.62.161
access-list outside_access_in extended permit tcp any host xxx.30.62.162 eq www log errors
**lots more entries for our servers**
access-list outside_access_in remark xxx-Prod ISAKMP
access-list outside_access_in extended permit udp host yyy.67.186.132 host xxx.30.60.54 eq isakmp
access-list outside_access_in remark xxx-Prod ESP
access-list outside_access_in extended permit esp host yyy.67.186.132 host xxx.30.60.54
access-list outside_access_in remark xxx-Staging ISAKMP
access-list outside_access_in extended permit udp host yyy.67.186.135 host xxx.30.60.54 eq isakmp
access-list outside_access_in remark xxx-Staging ESP
access-list outside_access_in extended permit esp host yyy.67.186.135 host xxx.30.60.54
access-list outside_access_in extended permit ip 10.217.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.61.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.70.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.71.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.72.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.60.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.61.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.62.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.63.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.70.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.71.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.72.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 10 69.30.62.160
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) xxx.30.62.161 192.168.2.2 netmask 255.255.255.255
static (inside,outside) xxx.30.62.162 192.168.2.9 netmask 255.255.255.255
static (inside,outside) xxx.30.62.163 192.168.2.15 netmask 255.255.255.255
static (inside,outside) xxx.30.62.164 192.168.2.30 netmask 255.255.255.255
static (inside,outside) xxx.30.62.165 192.168.2.33 netmask 255.255.255.255
static (inside,outside) xxx.30.62.166 192.168.2.36 netmask 255.255.255.255
static (inside,outside) xxx.30.62.167 192.168.2.38 netmask 255.255.255.255
static (inside,outside) xxx.30.62.168 192.168.2.55 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.30.60.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer yyy.67.186.132
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer yyy.67.186.135
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group yyy.67.186.132 type ipsec-l2l
tunnel-group yyy.67.186.132 ipsec-attributes
pre-shared-key *
tunnel-group yyy.67.186.135 type ipsec-l2l
tunnel-group yyy.67.186.135 ipsec-attributes
pre-shared-key *
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.186.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
ntp server 206.103.37.2 source outside prefer
smtp-server 192.168.2.9
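As an added editor's example (not part of the question, and not the asker's configuration): a small Python checker that parses the crypto-map and NAT-exemption lines of an ASA configuration and reports, for a given source/destination pair, whether the flow matches a crypto map entry (the only thing that makes the ASA start IKE toward the peer) and whether it is exempted from NAT (if it were not, the inside source would be translated to the global address before the crypto map sees it). The embedded config excerpt is constructed: it mirrors the structure of the posted config with RFC 5737 documentation addresses (203.0.113.54 for the outside interface, 198.51.100.132 and .135 for the peers) standing in for the masked xxx/yyy values, and it deliberately leaves 10.217.70.0/24 out of the nat0 list so the mismatch check has something to report, which the posted config does not. Running it shows why a ping issued from the ASA itself with no source interface, which leaves from the outside address, never matches the crypto ACL and therefore produces no ISAKMP debug output, while a flow sourced from 192.168.2.0/24 does.

```python
"""Check whether a src/dst pair is VPN "interesting traffic" for an ASA crypto
map, and whether it is NAT-exempted.

The config text is a constructed excerpt modelled on the posted configuration;
documentation-range addresses replace the masked public addresses, and the
10.217.70.0/24 nat0 entry is omitted on purpose to exercise the mismatch check.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.61.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.60.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.61.0 255.255.255.0
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.70.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.132
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 198.51.100.135
crypto map outside_map interface outside
"""

# Only the "permit ip NET MASK NET MASK" form used by the posted crypto and
# nat0 ACLs is parsed; "host"/"any" forms are out of scope for this check.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Collect ACL entries, crypto map entries and the per-interface nat0 ACL."""
    acls = {}   # acl name -> list of (src_net, dst_net)
    maps = {}   # (map name, seq) -> {"acl": ..., "peer": ...}
    nat0 = {}   # interface -> nat0 acl name
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
    return acls, maps, nat0


def acl_permits(entries, src, dst):
    """True when some entry covers both the source and the destination."""
    return any(src in s and dst in d for s, d in entries)


def classify(text, src_ip, dst_ip, ingress="inside"):
    """Return (peer, nat_exempt).

    peer is the crypto map peer whose ACL matches the flow, or None when no
    entry matches, in which case the ASA never starts IKE for this flow.
    ingress is the interface the flow enters on; pass None for traffic the
    ASA originates itself, which is not subject to interface NAT.
    """
    acls, maps, nat0 = parse_config(text)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    exempt = ingress in nat0 and acl_permits(acls.get(nat0[ingress], []), src, dst)
    # Crypto map entries are evaluated in sequence order; first match wins.
    for (_, _seq), entry in sorted(maps.items()):
        if "acl" in entry and acl_permits(acls.get(entry["acl"], []), src, dst):
            return entry.get("peer"), exempt
    return None, exempt


if __name__ == "__main__":
    # Constructed flows: the ASA's own outside-sourced ping, then inside hosts.
    for src, dst, ingress in [("203.0.113.54", "10.217.61.1", None),
                              ("192.168.2.253", "10.217.61.1", "inside"),
                              ("192.168.2.10", "10.217.70.5", "inside")]:
        peer, exempt = classify(SAMPLE_CONFIG, src, dst, ingress)
        print(f"{src} -> {dst}: peer={peer} nat_exempt={exempt}")
```

The first flow, sourced from the outside address, matches nothing, so the debugs stay silent; the second matches the seq-20 entry and is NAT-exempted; the third matches seq 40 but is not exempted in this constructed sample, which is the kind of gap that would also keep a tunnel from coming up because the translated source no longer fits the crypto ACL. On the ASA itself, a ping that names the inside interface as its source (ping inside 10.217.61.1) originates from an address inside the crypto ACL, though a ping from a host on 192.168.2.0/24 remains the more faithful test of the configured path.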