Cisco ASA site to site VPN

I have a site-to-site VPN configured between a 5505 and a 5520. Phase 1 is established, but I am unable to pass any traffic.

5505 config:

access-list nonat extended permit ip 10.30.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list outside_1_cryptomap extended permit ip 10.30.2.0 255.255.255.0 10.1.0.0 255.255.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 207.136.182.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 207.136.182.5 type ipsec-l2l
tunnel-group 207.136.182.5 ipsec-attributes
 pre-shared-key *


5520 config:

access-list nonat-vpn extended permit ip 10.1.0.0 255.255.0.0 10.30.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.30.2.0 255.255.255.0
!
crypto map SAPmap 1 match address outside_1_cryptomap
crypto map SAPmap 1 set peer 67.95.151.228
crypto map SAPmap 1 set transform-set ESP-3DES-SHA
crypto map SAPmap 1 set security-association lifetime seconds 28800
crypto map SAPmap 1 set security-association lifetime kilobytes 4608000
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 67.95.151.228 type ipsec-l2l
tunnel-group 67.95.151.228 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
dtadminAsked:

Alan Huseyin KayahanCommented:
Hello dtadmin,
Try removing these:

tunnel-group 67.95.151.228 ipsec-attributes
 pre-shared-key *
no isakmp keepalive threshold 15 retry 2

no crypto map SAPmap 1 set security-association lifetime seconds 28800
no crypto map SAPmap 1 set security-association lifetime kilobytes 4608000

Make sure the following statement exists in the ASA:
nat (inside) 0 access-list nonat

Make sure the remote site networks for each site are not routed somewhere other than the default gateway. Post sh route from the ASA and show ip route from the Cisco.

Regards
0
dtadminAuthor Commented:
I thought I needed a tunnel group/crypto map built on both sides??
0
dtadminAuthor Commented:
I decided to rebuild the tunnel on both sides. Here is the running-config for the 5505 at my remote office.

TCOT-Wayne-PA# sh run
: Saved
:
ASA Version 8.0(4)32
!
hostname TCOT-Wayne-PA
domain-name ad.davey-tree.com
enable password h37.ayH5ADOgldoQ encrypted
passwd h37.ayH5ADOgldoQ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.30.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.95.151.228 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ad.davey-tree.com
access-list nonat extended permit ip 10.30.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.30.2.0 255.255.255.0 10.1.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.95.151.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host 10.1.200.77 timeout 30 protocol TCP version 4 connections 5
url-cache dst 128
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 10.1.0.0 255.255.0.0 inside
http 10.30.2.0 255.255.255.0 inside
http 207.136.182.0 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 207.136.182.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 207.136.182.0 255.255.255.224 outside
ssh timeout 5
console timeout 0
dhcpd dns 10.1.200.108 10.1.200.16
dhcpd wins 10.1.200.17 10.1.200.16
dhcpd domain ad.davey-tree.com
!
dhcpd address 10.30.2.10-10.30.2.30 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 207.136.182.5 type ipsec-l2l
tunnel-group 207.136.182.5 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:09a4a2573ee776e924fc8bc7d91a0f88
: end
0

dtadminAuthor Commented:
Here is the partial config for my 5520 at my corporate office.

access-list nonat-vpn extended permit ip 10.1.0.0 255.255.0.0 10.30.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.30.2.0 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat-vpn
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nonat-vpn
nat (dmz) 1 0.0.0.0 0.0.0.0
!
crypto map SAPmap 1 match address outside_1_cryptomap
crypto map SAPmap 1 set peer 67.95.151.228
crypto map SAPmap 1 set transform-set ASAset
crypto map SAPmap 1 set security-association lifetime seconds 28800
crypto map SAPmap 1 set security-association lifetime kilobytes 4608000
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 67.95.151.228 type ipsec-l2l
tunnel-group 67.95.151.228 ipsec-attributes
 pre-shared-key *
0
Alan Huseyin KayahanCommented:
Is the transform set of the 5520 ESP-3DES-MD5?
Run the debug crypto isakmp and debug crypto ipsec commands, then paste the output that occurs during the VPN connection; also post the sh route outputs.
0
dtadminAuthor Commented:
crypto ipsec transform-set ASAset esp-3des esp-md5-hmac

Ran the "debug crypto isakmp":

%ASA-7-715047: IP = 67.95.151.228, processing SA payload
%ASA-7-713906: IP = 67.95.151.228, Oakley proposal is acceptable
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715049: IP = 67.95.151.228, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715049: IP = 67.95.151.228, Received NAT-Traversal ver 03 VID
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715049: IP = 67.95.151.228, Received Fragmentation VID
%ASA-7-715064: IP = 67.95.151.228, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
%ASA-7-715047: IP = 67.95.151.228, processing IKE SA payload
%ASA-7-715028: IP = 67.95.151.228, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 5
%ASA-7-715046: IP = 67.95.151.228, constructing ISAKMP SA payload
%ASA-7-715046: IP = 67.95.151.228, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 67.95.151.228, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
%ASA-7-715047: IP = 67.95.151.228, processing ke payload
%ASA-7-715047: IP = 67.95.151.228, processing ISA_KE payload
%ASA-7-715047: IP = 67.95.151.228, processing nonce payload
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715049: IP = 67.95.151.228, Received Cisco Unity client VID
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715049: IP = 67.95.151.228, Received xauth V6 VID
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715038: IP = 67.95.151.228, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715047: IP = 67.95.151.228, processing VID payload
%ASA-7-715049: IP = 67.95.151.228, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715047: IP = 67.95.151.228, processing NAT-Discovery payload
%ASA-7-713906: IP = 67.95.151.228, computing NAT Discovery hash
%ASA-7-715047: IP = 67.95.151.228, processing NAT-Discovery payload
%ASA-7-713906: IP = 67.95.151.228, computing NAT Discovery hash
%ASA-7-715046: IP = 67.95.151.228, constructing ke payload
%ASA-7-715046: IP = 67.95.151.228, constructing nonce payload
%ASA-7-715046: IP = 67.95.151.228, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 67.95.151.228, constructing xauth V6 VID payload
%ASA-7-715048: IP = 67.95.151.228, Send IOS VID
%ASA-7-715038: IP = 67.95.151.228, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 67.95.151.228, constructing VID payload
%ASA-7-715048: IP = 67.95.151.228, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: IP = 67.95.151.228, constructing NAT-Discovery payload
%ASA-7-713906: IP = 67.95.151.228, computing NAT Discovery hash
%ASA-7-715046: IP = 67.95.151.228, constructing NAT-Discovery payload
%ASA-7-713906: IP = 67.95.151.228, computing NAT Discovery hash
%ASA-7-713906: IP = 67.95.151.228, Connection landed on tunnel_group 67.95.151.228
%ASA-7-713906: Group = 67.95.151.228, IP = 67.95.151.228, Generating keys for Responder...
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing ID payload
%ASA-7-714011: Group = 67.95.151.228, IP = 67.95.151.228, ID_IPV4_ADDR ID received
67.95.151.228
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing hash payload
%ASA-7-715076: Group = 67.95.151.228, IP = 67.95.151.228, Computing hash for ISAKMP
%ASA-7-715034: IP = 67.95.151.228, Processing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing VID payload
%ASA-7-715049: Group = 67.95.151.228, IP = 67.95.151.228, Received DPD VID
%ASA-6-713172: Group = 67.95.151.228, IP = 67.95.151.228, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
%ASA-7-713906: IP = 67.95.151.228, Connection landed on tunnel_group 67.95.151.228
%ASA-4-713903: Group = 67.95.151.228, IP = 67.95.151.228, Freeing previously allocated memory for authorization-dn-attributes
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing ID payload
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing hash payload
%ASA-7-715076: Group = 67.95.151.228, IP = 67.95.151.228, Computing hash for ISAKMP
%ASA-7-715034: IP = 67.95.151.228, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing dpd vid payload
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
%ASA-5-713119: Group = 67.95.151.228, IP = 67.95.151.228, PHASE 1 COMPLETED
%ASA-7-713121: IP = 67.95.151.228, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 67.95.151.228, IP = 67.95.151.228, Starting P1 rekey timer: 82080 seconds.
%ASA-7-714003: IP = 67.95.151.228, IKE Responder starting QM: msg id = 4f159a1a
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE RECEIVED Message (msgid=4f159a1a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing hash payload
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing SA payload
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing nonce payload
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing ID payload
%ASA-7-714011: Group = 67.95.151.228, IP = 67.95.151.228, ID_IPV4_ADDR_SUBNET ID received--10.30.2.0--255.255.255.0
%ASA-7-713035: Group = 67.95.151.228, IP = 67.95.151.228, Received remote IP Proxy Subnet data in ID Payload:   Address 10.30.2.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing ID payload
%ASA-7-714011: Group = 67.95.151.228, IP = 67.95.151.228, ID_IPV4_ADDR_SUBNET ID received--10.1.0.0--255.255.0.0
%ASA-7-713034: Group = 67.95.151.228, IP = 67.95.151.228, Received local IP Proxy Subnet data in ID Payload:   Address 10.1.0.0, Mask 255.255.0.0, Protocol 0, Port 0
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing notify payload
%ASA-7-713906: Group = 67.95.151.228, IP = 67.95.151.228, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 67.95.151.228, IP = 67.95.151.228, Static Crypto Map check, checking map = SAPmap, seq = 1...
%ASA-7-713225: Group = 67.95.151.228, IP = 67.95.151.228, Static Crypto Map check, map SAPmap, seq = 1 is a successful match
%ASA-7-713066: Group = 67.95.151.228, IP = 67.95.151.228, IKE Remote Peer configured for crypto map: SAPmap
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing IPSec SA payload
%ASA-7-715027: Group = 67.95.151.228, IP = 67.95.151.228, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 1
%ASA-7-713906: Group = 67.95.151.228, IP = 67.95.151.228, IKE: requesting SPI!
%ASA-7-715006: Group = 67.95.151.228, IP = 67.95.151.228, IKE got SPI from key engine: SPI = 0x1292f0b3
%ASA-7-713906: Group = 67.95.151.228, IP = 67.95.151.228, oakley constucting quick mode
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing blank hash payload
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing IPSec SA payload
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing IPSec nonce payload
%ASA-7-715001: Group = 67.95.151.228, IP = 67.95.151.228, constructing proxy ID
%ASA-7-713906: Group = 67.95.151.228, IP = 67.95.151.228, Transmitting Proxy Id:
  Remote subnet: 10.30.2.0  Mask 255.255.255.0 Protocol 0  Port 0
  Local subnet:  10.1.0.0  mask 255.255.0.0 Protocol 0  Port 0
%ASA-7-715046: Group = 67.95.151.228, IP = 67.95.151.228, constructing qm hash payload
%ASA-7-714005: Group = 67.95.151.228, IP = 67.95.151.228, IKE Responder sending 2nd QM pkt: msg id = 4f159a1a
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE SENDING Message (msgid=4f159a1a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-713236: IP = 67.95.151.228, IKE_DECODE RECEIVED Message (msgid=4f159a1a) with payloads : HDR + HASH (8) + NONE (0) total length : 48
%ASA-7-715047: Group = 67.95.151.228, IP = 67.95.151.228, processing hash payload
%ASA-7-713906: Group = 67.95.151.228, IP = 67.95.151.228, loading all IPSEC SAs
%ASA-7-715001: Group = 67.95.151.228, IP = 67.95.151.228, Generating Quick Mode Key!
%ASA-7-715001: Group = 67.95.151.228, IP = 67.95.151.228, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x57E0C40D) between 207.136.182.5 and 67.95.151.228 (user= 67.95.151.228) has been created.
%ASA-5-713049: Group = 67.95.151.228, IP = 67.95.151.228, Security negotiation complete for LAN-to-LAN Group (67.95.151.228)  Responder, Inbound SPI = 0x1292f0b3, Outbound SPI = 0x57e0c40d
%ASA-7-715007: Group = 67.95.151.228, IP = 67.95.151.228, IKE got a KEY_ADD msg for SA: SPI = 0x57e0c40d
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1292F0B3) between 207.136.182.5 and 67.95.151.228 (user= 67.95.151.228) has been created.
%ASA-7-715077: Group = 67.95.151.228, IP = 67.95.151.228, Pitcher: received KEY_UPDATE, spi 0x1292f0b3
%ASA-7-715080: Group = 67.95.151.228, IP = 67.95.151.228, Starting P2 rekey timer: 27360 seconds.
%ASA-5-713120: Group = 67.95.151.228, IP = 67.95.151.228, PHASE 2 COMPLETED (msgid=4f159a1a)
0
dtadminAuthor Commented:
Looks like phase 2 completed on the last line of the negotiation... but why can I not pass any traffic?
0
Alan Huseyin KayahanCommented:
Please post the sh route outputs from both devices; also post the sh crypto ipsec sa and sh crypto isakmp sa outputs.
0
dtadminAuthor Commented:
5520 routes (corporate)

ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 207.136.182.1 to network 0.0.0.0

C    172.17.1.0 255.255.255.0 is directly connected, failover
S    172.16.0.0 255.255.0.0 [1/0] via 10.0.0.1, inside
S    147.179.0.192 255.255.255.192 [1/0] via 10.0.0.1, inside
C    10.3.0.0 255.255.255.0 is directly connected, dmz
S    10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, inside
C    10.0.0.0 255.255.255.0 is directly connected, inside
S    10.3.2.27 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.26 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.10.17.0 255.255.255.0 [1/0] via 10.0.0.1, inside
S    10.3.2.25 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.31 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.10.20.0 255.255.255.0 [1/0] via 10.0.0.1, inside
S    10.3.2.30 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.29 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.28 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.23 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.21 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.43 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.42 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.41 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.40 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.47 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.46 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.45 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.44 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.35 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.34 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.33 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.32 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.39 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.36 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.59 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.58 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.63 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.51 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.50 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.49 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.48 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.53 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.52 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.74 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.73 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.72 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.67 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.71 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.70 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.69 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.68 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.203 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.207 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.221 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.220 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.210 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.215 255.255.255.255 [1/0] via 207.136.182.1, outside
S    10.3.2.224 255.255.255.255 [1/0] via 207.136.182.1, outside
C    207.136.182.0 255.255.255.224 is directly connected, outside
S    192.168.100.0 255.255.255.0 [1/0] via 10.0.0.1, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 207.136.182.1, outside

5505 routes (remote office)

TCOT-Wayne-PA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 67.95.151.225 to network 0.0.0.0

C    67.95.151.224 255.255.255.224 is directly connected, outside
C    10.30.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 67.95.151.225, outside


5520 "crypto ipsec sa"

 Crypto map tag: SAPmap, seq num: 1, local addr: 207.136.182.5

      access-list outside_1_cryptomap permit ip 10.1.0.0 255.255.0.0 10.30.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.2.0/255.255.255.0/0/0)
      current_peer: 67.95.151.228

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 207.136.182.5, remote crypto endpt.: 67.95.151.228

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 57E0C40D

    inbound esp sas:
      spi: 0x1292F0B3 (311619763)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 20983808, crypto-map: SAPmap
         sa timing: remaining key lifetime (kB/sec): (4373998/27651)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00007FFF
    outbound esp sas:
      spi: 0x57E0C40D (1474348045)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 20983808, crypto-map: SAPmap
         sa timing: remaining key lifetime (kB/sec): (4373998/27649)
         IV size: 8 bytes
         replay detection support: Y

5520 "sh crypto isakmp sa"

IKE Peer: 67.95.151.228
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
0
Alan Huseyin KayahanCommented:
S    10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, inside

The above route in the 5520 covers the remote site subnet 10.30.2.0 255.255.255.0, so traffic is routed to the 10.0.0.1 device located in the inside network. Is it statically entered?

The tunnel encrypts and decrypts well, it looks like it is working, but the IKE state should have been QM_IDLE, not MM_ACTIVE.
0
dtadminAuthor Commented:
I have a static route in my core switch that points 10.30.2.0/24 traffic to the ASA. The 10.0.0.1 is the VLAN on my core switch that the ASA belongs to.
0
Alan Huseyin KayahanCommented:
"I have a static route in my core switch that points 10.30.2.0/24 traffic to the ASA"

That's fine, but the route I mentioned that exists in the 5520 routes 10.0.0.0/8 back to 10.0.0.1.
Considering that the firewall should take the longest prefix match first, adding the following entry in the 5520 may resolve the issue:

route outside 10.30.2.0 255.255.255.0 207.136.182.1
0
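Putting the routing argument from the exchange above into code, as an added example that is not part of the thread or of any Cisco tooling: a longest-prefix-match lookup over the posted 5520 and 5505 route entries, plus a mirror check of the two crypto ACLs. The route lines and ACL entries are transcribed from the posts (only the entries relevant to 10.30.2.0/24); the function names are my own.

```python
"""Why a working Phase 2 can still carry no traffic: the ASA routes the
packet first, and the crypto map only sees traffic that leaves through the
interface it is applied to ('crypto map SAPmap interface outside').

Added example, not from the thread or from Cisco. Route entries and crypto
ACLs below are transcribed from the posted 'sh route' and config output.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for directly connected routes
    interface: str


def parse_route(line: str) -> Route:
    """Parse one ASA 'sh route' line, e.g.
    'S    10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, inside'
    'C    10.0.0.0 255.255.255.0 is directly connected, inside'"""
    fields = line.split()
    network = ipaddress.IPv4Network(f"{fields[1]}/{fields[2]}", strict=False)
    next_hop = fields[fields.index("via") + 1].rstrip(",") if "via" in fields else None
    return Route(network, next_hop, fields[-1])


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific matching route wins, as on the ASA."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen)


def egress_is_crypto_interface(table: List[Route], dst: str,
                               crypto_interface: str = "outside") -> bool:
    """True only if the route lookup sends dst out of the interface the crypto
    map is bound to; otherwise the packet never reaches the IPsec SA."""
    return lookup(table, dst).interface == crypto_interface


def acls_mirror(local_acl: List[Tuple[str, str]],
                remote_acl: List[Tuple[str, str]]) -> bool:
    """Crypto ACLs must be mirror images: local (src, dst) == remote (dst, src)."""
    local = {(ipaddress.IPv4Network(s), ipaddress.IPv4Network(d)) for s, d in local_acl}
    remote = {(ipaddress.IPv4Network(d), ipaddress.IPv4Network(s)) for s, d in remote_acl}
    return local == remote


# Subset of the 5520 'sh route' output posted in the thread.
ASA5520_ROUTES = [parse_route(l) for l in """
C    10.3.0.0 255.255.255.0 is directly connected, dmz
S    10.0.0.0 255.0.0.0 [1/0] via 10.0.0.1, inside
C    10.0.0.0 255.255.255.0 is directly connected, inside
C    207.136.182.0 255.255.255.224 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 207.136.182.1, outside
""".strip().splitlines()]

# The 5505 'sh route' output posted in the thread (complete).
ASA5505_ROUTES = [parse_route(l) for l in """
C    67.95.151.224 255.255.255.224 is directly connected, outside
C    10.30.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 67.95.151.225, outside
""".strip().splitlines()]

# The route suggested in the last reply, as it would appear in 'sh route'.
FIX_ROUTE = parse_route("S    10.30.2.0 255.255.255.0 [1/0] via 207.136.182.1, outside")

# Crypto ACLs from the two posted configs (src, dst).
ASA5505_CRYPTO_ACL = [("10.30.2.0/24", "10.1.0.0/16")]
ASA5520_CRYPTO_ACL = [("10.1.0.0/16", "10.30.2.0/24")]

if __name__ == "__main__":
    host = "10.30.2.50"   # constructed remote-office address
    before = lookup(ASA5520_ROUTES, host)
    after = lookup(ASA5520_ROUTES + [FIX_ROUTE], host)
    print(f"5520 -> {host} before fix: {before.interface} via {before.next_hop}")
    print(f"5520 -> {host} after fix:  {after.interface} via {after.next_hop}")
    print("5505 -> 10.1.5.5:", lookup(ASA5505_ROUTES, "10.1.5.5").interface)
    print("crypto ACLs mirror:", acls_mirror(ASA5505_CRYPTO_ACL, ASA5520_CRYPTO_ACL))
```

The 5505 side needs no change because its only route for 10.1.0.0/16 is the default via outside, which is where its crypto map lives; the asymmetry is entirely on the 5520.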