Shaun McNicholas asked:
Cisco VPN between Concentrator 3000 and ASA 5505

I am trying to establish a LAN-to-LAN connection between two locations. The tunnel phase 1 is coming up, but it stops at phase 2, giving me the following error:

Connection terminated for peer 64.0.98.195.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
ASA Version 7.2(4) 
!
hostname Savannah-ASA
domain-name www.dawnmist.com
enable password zWKz5LEv5u2PzDdj encrypted
passwd zWKz5LEv5u2PzDdj encrypted
names
name 192.168.100.0 tampa-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.0.98.196 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!             
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.dawnmist.com
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in remark Clean Up Rule with logging.
access-list outside_access_in extended permit ip tampa-network 255.255.255.0 any 
pager lines 24
logging enable
logging console informational
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.0.98.193 1
route outside tampa-network 255.255.255.0 64.0.98.195 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 216.251.225.55 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 75.68.243.143 255.255.255.255 outside
http 75.67.243.143 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.0.98.195 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2      
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 75.67.243.143 255.255.255.255 outside
ssh 173.65.65.197 255.255.255.255 outside
ssh 216.251.225.55 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

username pcconection password EmomzQnne30VORPA encrypted privilege 15
username admin password 31Nzf4.jOv71JR3g encrypted
username erik password bujbE/OOQ/F8OzY/ encrypted privilege 15
tunnel-group 64.0.98.195 type ipsec-l2l
tunnel-group 64.0.98.195 ipsec-attributes
 pre-shared-key *
!             
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ftp 
  inspect icmp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:715d5c0cbc670472f476c8b95bac98ca
: end

nmcnair:
Can you upload a screenshot of the LTL config on the 3000?
Looking at the screenshot, you haven't put in the phase 2 ACL information (the last 2 boxes, which say local network and remote network). Those boxes need to mirror the crypto map you put on the ASA:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0

So on the ASA you defined local traffic as 192.168.1.0 255.255.255.0 and remote traffic as tampa-network, which is defined in the config as 192.168.100.0 255.255.255.0. So on the 3000 you need to mirror those entries, and it wants to use wildcards instead of the traditional subnet mask. You can find the wildcard mask from the subnet mask with any subnet calculator online (http://www.subnet-calculator.com/). In this case, on the 3000 you want to put these entries:

Local Network
IP Address: 192.168.100.0
Wildcard: 0.0.0.255

Remote Network:
IP address: 192.168.1.0
Wildcard: 0.0.0.255

I would also change the routing setting to reverse route. You can turn on reverse route on the ASA too with the following line:
crypto map outside_map 1 set reverse-route

Let me know how it goes.
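The mirroring rule above (the ASA's remote network is the 3000's local network and vice versa, with subnet masks converted to wildcards) is easy to get backwards by hand. This added script, not part of the thread or any Cisco tool, parses the crypto-map ACL, the `name` alias and the nat0 exemption from the ASA config lines quoted in the question, derives the Local/Remote entries the 3000 LAN-to-LAN page expects, and checks that a given pair of entries really mirrors the ASA side. The `ASA_CONFIG` excerpt is constructed from the posted config.

```python
"""Derive and check VPN 3000 L2L proxy IDs from an ASA 7.2 crypto-map ACL.
Added example for this thread; ASA_CONFIG is a constructed excerpt of the
config posted in the question, limited to the lines the check needs."""
import ipaddress
import re

ASA_CONFIG = """
name 192.168.100.0 tampa-network
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_names(config):
    """Map 'name <ip> <alias>' entries so ACLs can use the alias."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"^name (\S+) (\S+)$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_acl(config, acl_name):
    """Return (local, remote) IPv4 networks for each 'permit ip' entry of acl_name."""
    names = parse_names(config)
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = names.get(m.group(2), m.group(2))
            dst = names.get(m.group(4), m.group(4))
            entries.append((ipaddress.ip_network(f"{src}/{m.group(3)}"),
                            ipaddress.ip_network(f"{dst}/{m.group(5)}")))
    return entries


def crypto_acl_name(config, seq=1):
    """Name of the ACL bound to crypto map entry <seq> ('match address')."""
    m = re.search(rf"^crypto map \S+ {seq} match address (\S+)$", config, re.M)
    return m.group(1) if m else None


def wildcard(net):
    """Subnet mask -> wildcard mask, the form the VPN 3000 L2L page expects."""
    return str(ipaddress.ip_address(0xFFFFFFFF ^ int(net.netmask)))


def concentrator_entries(asa_entries):
    """Mirror the ASA proxy IDs: the ASA's remote is the 3000's local and vice versa."""
    return [{"local": (str(remote.network_address), wildcard(remote)),
             "remote": (str(local.network_address), wildcard(local))}
            for local, remote in asa_entries]


def check_mirrored(asa_entries, conc_local, conc_remote):
    """True if the 3000's (ip, wildcard) pairs mirror some ASA crypto-ACL entry."""
    want = {"local": conc_local, "remote": conc_remote}
    return any(concentrator_entries([e])[0] == want for e in asa_entries)


def check_nat_exempt(config, crypto_entries):
    """Every crypto-ACL pair must also be in the nat0 ACL, or it gets PAT'd and never matches the tunnel."""
    return all(e in parse_acl(config, "inside_nat0_outbound") for e in crypto_entries)


if __name__ == "__main__":
    entries = parse_acl(ASA_CONFIG, crypto_acl_name(ASA_CONFIG))
    for e in concentrator_entries(entries):
        print("3000 Local:", e["local"], " Remote:", e["remote"])
    print("nat0 mirrors crypto ACL:", check_nat_exempt(ASA_CONFIG, entries))
```

Swapping the two entries (putting 192.168.1.0 as the 3000's local network) makes `check_mirrored` return False, which is the same mismatch the concentrator reports as a rejected phase 2 proposal.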
That's where I figured the problem was happening, and I've tried a dozen times or more to put those entries in the VPN - I even created them as Network Lists - but it just won't accept the entries.

Every time I try to put those in the LTL page and hit apply, it looks like it's accepting the entries, but then when you go back to the LTL config page it isn't selected, or nothing is in the IP/Wildcard or in the select menus.

Any suggestions on what else could be causing that config to not work?
What version of software are you running on the 3000?
This is from the System Status screen. I just took over the IT department here a few months ago so I inherited this thing. I may need to go ahead and purchase another ASA but if this thing is capable of handling the tunnel I'd rather not spend any more on it for an office of three people.
Screen-shot-2010-08-27-at-10.34..png
OK, that code is a bit old, but it still shouldn't be the problem... Do you see anything in the log from when you attempt to update the LTL? Does it generate any message when trying to make the change?
Just so you know, the latest software release for that box is "Software for VPN 3005 Concentrators 4.7.2.P", released in Aug of 08. Do you have SMARTnet? We could try updating the software.
I'm not sure if I have access to SMARTnet or not - I just purchased the ASA, so I probably do. Maybe I'll just try to update the software on this thing and see if that does the trick. I am assuming this error in the 3000 is pretty much saying the same thing as the errors I see in the ASA:


All IPSec SA proposals found unacceptable!

I'll see if I can figure out how to get into the SMARTnet - haven't been in there for like 8 years!
I am still unable to get this tunnel to come up - Phase 1 is successful, but Phase 2 still does not establish correctly.
I do not have access to SMARTnet, so I do not have the available software to update this 3000 Concentrator. I assume that will probably solve the issue; it's probably a discrepancy between the IKE proposals.

I get the following on the 3000:
Phase 1 completed
group 64.0.98.196 connected
LTL tunnel to headend device 64.0.98.196 connected
Received remote ip proxy address 192.168.1.0 mask 255.255.255.0 protocol 0, port 0
The next line is:
QM FSM error (P2 struct &0x361f5a0, mess id 0x8bfabd0c)!

It then just disconnects and tries again!

AM I SOL - Or is there a way to get the updated version of the OS for the ASA from Cisco without SMARTnet?
OK, I got the tunnel to come up by going through all the settings and trying every available IKE proposal.
Finally

But now I can't ping between networks - on the ASA it says:

No translation group found for udp src outside:64.0.98.200/53 dst inside:192.168.1.2

192.168.1.2 is my laptop, where I am running a perpetual ping from that address to 192.168.100.2 (my local Tampa network DNS server).
When I turn on debugging the error is:
IPSEC: Received a non-IPSEC packet (protocol= ICMP) from 192.168.100.2 to 192.168.1.2
It's definitely the fact that you can't enter the remote and local networks on the LTL on the 3000. We need to figure out why it doesn't like what you are putting in. Have you tried deleting the profile and building a new one from scratch? If it still doesn't work, can you send me a screenshot of what you type in before you hit apply?
Sorry, I didn't clarify that one - I was able to get those to go in. I had routing set to Network Auto-Discovery, so it wouldn't let me tell it to discover the network and then define the network - DUH!

Routing is set to none, and now it lets me put the Network Lists in there. I've tried entering them using IP address and mask directly in the L2L page and using Network Lists, but in both cases I get the following error on the 3000:

Tunnel rejected: Policy not found for Src:192.168.1.0, Dst: 192.168.100.0!

And it still shows this on the ASA:
IPSEC: Received a non-IPSEC packet (protocol= ICMP) from 192.168.100.2 to 192.168.1.2

So I've been looking at the SAs and Rules.
I have an SA for L2L: tunnel_to_savannah.
That looks like the screen capture below:
Screen-shot-2010-08-27-at-4.45.2.png
Anyone have any more suggestions on getting my routing to work properly between my Cisco 3k and my ASA? I am still unable to communicate between sites even though my tunnel is now fully established. I am stuck! Please help!
I've upgraded my Cisco 3000 Concentrator to 4.7.2P and my configuration is still not routing through my tunnel.
My 3k says it completes both Phase 1 and Phase 2 and logs no other errors, so I can only assume that the error is somewhere in the ASA configuration. If you look at the configuration at the beginning of this question, is there something missing in the tunnel or the routing that will enable the transport between these two boxes?
The ping from a computer behind the ASA to a computer on the 192.160.100.0 network still creates the following error:
IPSEC: Received a non-IPSEC packet (protocol= ICMP) from 192.168.100.2 to 192.168.1.2
ASKER CERTIFIED SOLUTION
nmcnair
Here's the current config and the reverse route screen from the 3k:
: Saved
:
ASA Version 7.2(4) 
hostname Savannah-ASA
domain-name www.dawnmist.com
enable password zWKz5LEv5u2PzDdj encrypted
passwd zWKz5LEv5u2PzDdj encrypted
names
name 192.168.100.0 tampa-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.0.98.196 255.255.255.224 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.dawnmist.com
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in remark Clean Up Rule with logging.
access-list outside_access_in extended permit ip tampa-network 255.255.255.0 any 
pager lines 24
logging enable
logging console emergencies
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.0.98.193 1
route outside tampa-network 255.255.255.0 64.0.98.195 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 75.67.243.143 255.255.255.255 outside
http 75.68.243.143 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 216.251.225.55 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.0.98.195 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 75.67.243.143 255.255.255.255 outside
ssh 173.65.65.197 255.255.255.255 outside
ssh 216.251.225.55 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd dns 65.106.1.196 192.168.100.2
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
username pcconection password EmomzQnne30VORPA encrypted privilege 15
username admin password 31Nzf4.jOv71JR3g encrypted
username erik password bujbE/OOQ/F8OzY/ encrypted privilege 15
tunnel-group 64.0.98.195 type ipsec-l2l
tunnel-group 64.0.98.195 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
policy-map global-policy
 class global-class
  inspect ftp 
  inspect icmp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:393b21c6f4a432f888b064f51b6d92bc
: end
Screen-shot-2010-09-03-at-11.28..png
This is my static routing table on the 3k:
Screen-shot-2010-09-03-at-11.34..png
I just tried setting up OSPF between the routers, and it appears to be negotiating the network discovery between networks, but it still doesn't ping, and the following is what appears when logging on the console is on.

I deleted the static routes and enabled OSPF on the inside and outside interfaces of the 3k and then enabled OSPF on the ASA. It then looks like it's negotiating and gets the routes in the routing tables in both routers, but my suspicion is still that I am missing some kind of permissions in the routing maps on the ASA.
%ASA-7-715047: Group = 64.0.98.195, IP = 64.0.98.195, processing hash payload
%ASA-7-715076: Group = 64.0.98.195, IP = 64.0.98.195, Computing hash for ISAKMP
%ASA-7-609001: Built local-host inside:192.168.1.2
%ASA-7-609001: Built local-host outside:192.168.100.2
%ASA-7-609002: Teardown local-host inside:192.168.1.2 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:192.168.100.2 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 64.0.98.195, IKE Initiator: New Phase 1, Intf inside, IKE Peer 64.0.98.195  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.100.0,  Crypto map (outside_map)
%ASA-7-713236: IP = 64.0.98.195, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
%ASA-7-715047: Group = 64.0.98.195, IP = 64.0.98.195, processing ID payload
%ASA-7-714011: Group = 64.0.98.195, IP = 64.0.98.195, ID_IPV4_ADDR ID received
64.0.98.195

Can you post the latest version of your ASA config?
Here's the current ASA config:
: Saved
:
ASA Version 7.2(4)
!
hostname Savannah-ASA
domain-name www.dawnmist.com
enable password zWKz5LEv5u2PzDdj encrypted
passwd zWKz5LEv5u2PzDdj encrypted
names
name 192.168.100.0 tampa-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.0.98.196 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name www.dawnmist.com
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 tampa-network 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit ospf any any
access-list outside_access_in remark Clean Up Rule with logging.
access-list outside_access_in extended permit ip tampa-network 255.255.255.0 any
access-list standard standard permit any
pager lines 24
logging enable
logging console emergencies
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.0.98.193 1
route outside tampa-network 255.255.255.0 64.0.98.195 1
!
router ospf 2
 network 192.168.1.0 255.255.255.0 area 2
 network tampa-network 255.255.255.0 area 1
 log-adj-changes
!
router rip
 network 192.168.1.0
 network tampa-network
 version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 75.67.243.143 255.255.255.255 outside
http 75.68.243.143 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 216.251.225.55 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 64.0.98.195
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 75.67.243.143 255.255.255.255 outside
ssh 173.65.65.197 255.255.255.255 outside
ssh 216.251.225.55 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd dns 65.106.1.196 192.168.100.2
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

username pcconection password EmomzQnne30VORPA encrypted privilege 15
username admin password 31Nzf4.jOv71JR3g encrypted
username erik password bujbE/OOQ/F8OzY/ encrypted privilege 15
tunnel-group 64.0.98.195 type ipsec-l2l
tunnel-group 64.0.98.195 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ftp
  inspect icmp
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:393b21c6f4a432f888b064f51b6d92bc
: end
I have been unable to resolve this issue - just letting everyone know. I have an open case now with Cisco and should get some attention from one of their techs today. I sent the current configs over to the tech yesterday, and he said that everything appears to be correct from the configurations. I'll let everyone know what we discover once I get some time to work on the issue live with the tech at Cisco.
OK, I solved the issues finally after many different configuration changes and options. It appears that most of the tunnelling was configured correctly after some final changes done on 9/3/2010, but the internal network in the Tampa office is using an Astaro Firewall system running on Linux, and I had to define a static route to the network based on the local IP address of the Cisco VPN 3000 Concentrator instead of the public IP address. So requests from the external network were getting to the appropriate locations, but when information would get returned it got lost in the default Tampa network because the local router in the Tampa network didn't have the right gateway address for the next hop for the remote network. I am not sure why the VPN debugging was giving me errors before saying something was amiss in the VPN configurations, but it's all working perfectly now. Thank you everyone for your assistance. I will be spreading the points among those who have offered various pieces of this puzzle!
It appears that this was the primary reason for the errors in the VPN configs for the tunneling, but if you look at my last post you'll see there were some additional configuration changes that I needed to make in my primary router in my home office network. They're using a very piecemeal setup here that I've inherited, with several different VPNs, routers, etc., so it's been very difficult to set up something like this, which should be pretty straightforward! Anyway, I got it working - thanks for sticking with this and helping me figure out what was going on!