NotSoKlear
asked on
Cisco ASA 5505 to 5505 VPN
Hi all.
Having a hard time troubleshooting why I cant get my VPN to work between two sites. Both have Cisco 5505 ASA's and I used the VPN wizard on both sides. I went to the Cisco helpsite and followed their directions to the T (or so I think) and it still doesnt work.
This isnt the first time I've set up a VPN, just after looking at the code and ACL's everything looks right.
Would someone mind taking a look at the below config and tell me what I may be doing wrong?
Thanks in advance.
Bob
: Saved
:
ASA Version 7.2(4)
!
hostname fw
domain-name hostvpn.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.10 NETSORT
name 192.168.1.2 MAINSERVER
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address 78.39.160.135 255.255.255.255 pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name hostvpn.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9833
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 67.199.237.101
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MAINSERVER 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) udp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) tcp interface 9833 192.168.1.3 9833 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https NETSORT https netmask 255.255.255.255
static (inside,outside) tcp interface www MAINSERVER www netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.200.0 255.255.255.0 NETSORT 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 67.199.237.101
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname ervices1001@qwest.net
vpdn group DSL ppp authentication pap
vpdn username ervices1001@qwest.net password *********
dhcpd auto_config outside
!
dhcpd address MAINSERVER-192.168.1.33 inside
!
tunnel-group 67.199.237.101 type ipsec-l2l
tunnel-group 67.199.237.101 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:41dbc212a4b
: end
asdm image disk0:/asdm-524.bin
asdm location MAINSERVER 255.255.255.255 inside
asdm location NETSORT 255.255.255.255 inside
no asdm history enable
Having a hard time troubleshooting why I cant get my VPN to work between two sites. Both have Cisco 5505 ASA's and I used the VPN wizard on both sides. I went to the Cisco helpsite and followed their directions to the T (or so I think) and it still doesnt work.
This isnt the first time I've set up a VPN, just after looking at the code and ACL's everything looks right.
Would someone mind taking a look at the below config and tell me what I may be doing wrong?
Thanks in advance.
Bob
: Saved
:
ASA Version 7.2(4)
!
hostname fw
domain-name hostvpn.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.10 NETSORT
name 192.168.1.2 MAINSERVER
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address 78.39.160.135 255.255.255.255 pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name hostvpn.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9833
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 67.199.237.101
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MAINSERVER 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) udp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) tcp interface 9833 192.168.1.3 9833 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https NETSORT https netmask 255.255.255.255
static (inside,outside) tcp interface www MAINSERVER www netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.200.0 255.255.255.0 NETSORT 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 67.199.237.101
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname ervices1001@qwest.net
vpdn group DSL ppp authentication pap
vpdn username ervices1001@qwest.net password *********
dhcpd auto_config outside
!
dhcpd address MAINSERVER-192.168.1.33 inside
!
tunnel-group 67.199.237.101 type ipsec-l2l
tunnel-group 67.199.237.101 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:41dbc212a4b
: end
asdm image disk0:/asdm-524.bin
asdm location MAINSERVER 255.255.255.255 inside
asdm location NETSORT 255.255.255.255 inside
no asdm history enable
ASKER
Thanks ShareefHuddle,
Did as you recommended above and compared both local and remote ASA's (to ensure I have the exact configuration on both sides -with the exception of the ACL's and PEER's IP addresses being the exact opposite no connection unfortunately.
Id like to post both configs, but would like to post them in different 'scrolling' windows within the post. Do you know the code to do that?
Did as you recommended above and compared both local and remote ASA's (to ensure I have the exact configuration on both sides -with the exception of the ACL's and PEER's IP addresses being the exact opposite no connection unfortunately.
Id like to post both configs, but would like to post them in different 'scrolling' windows within the post. Do you know the code to do that?
Did you remove the pfs line? You can also remove the nat-t-disable.
Are you sure that the tunnel isn't coming up or just not passing traffic?
show crypto ipsec sa
show crypto isakmp sa
Are you sure that the tunnel isn't coming up or just not passing traffic?
show crypto ipsec sa
show crypto isakmp sa
No I don't know how to add the scrolling thing-a-ma-jig :)
Each site has different subnets, correct? 192.168.1.0 and 192.168.254.0
Also you may want to upgrade your firmware and asdm (shouldn't have any affect but always a good best-practice)
Also you may want to upgrade your firmware and asdm (shouldn't have any affect but always a good best-practice)
ASKER
hey -
yeah, i removed both of those lines....
the show commands:
ciscoasa# show crypto ipsec sa
There are no ipsec sas
ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa#
and both internal cards are on different networks 192.168.1.0/24;192.168.254
I'll work on getting you the code then and just paste it.... should be in the next 30 mins to an hour.
Thanks again for your help..
oh... i removed the disable nat-t :)
yeah, i removed both of those lines....
the show commands:
ciscoasa# show crypto ipsec sa
There are no ipsec sas
ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa#
and both internal cards are on different networks 192.168.1.0/24;192.168.254
I'll work on getting you the code then and just paste it.... should be in the next 30 mins to an hour.
Thanks again for your help..
oh... i removed the disable nat-t :)
ASKER
Ok, here are the configs:
____________________
Local:
##LOCAL
: Saved
:
ASA Version 7.2(4)
!
hostname fw
domain-name default1.domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.10 NETSORT
name 192.168.1.2 MAINSERVER1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address 105.39.160.137 255.255.255.255 pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default1.domain.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9833
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.254.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MAINSERVER1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) udp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) tcp interface 9833 192.168.1.3 9833 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https NETSORT https netmask 255.255.255.255
static (inside,outside) tcp interface www MAINSERVER1 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.200.0 255.255.255.0 NETSORT 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 75.199.237.98
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname dsl1001@qwest.net
vpdn group DSL ppp authentication pap
vpdn username dsl1001@qwest.net password *********
dhcpd auto_config outside
!
dhcpd address MAINSERVER1-192.168.1.33 inside
!
tunnel-group 75.199.237.98 type ipsec-l2l
tunnel-group 75.199.237.98 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:9dd362ec74e
: end
asdm image disk0:/asdm-524.bin
asdm location MAINSERVER1 255.255.255.255 inside
asdm location NETSORT 255.255.255.255 inside
no asdm history enable
________________
AND Remote:
# - REMOTE CONFIGURATION
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.200 NETSORT
name 192.168.254.10 MAINSERVER
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.199.237.98 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MAINSERVER 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https NETSORT https netmask 255.255.255.255
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) udp interface 10443 NETSORT 10443 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.199.237.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 105.39.160.37
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
tunnel-group 105.39.160.37 type ipsec-l2l
tunnel-group 105.39.160.37 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:e7c4db7c7b5
: end
asdm image disk0:/asdm-524.bin
asdm location NETSORT 255.255.255.255 inside
asdm location MAINSERVER 255.255.255.255 inside
no asdm history enable
Ive looked again and cant find anything. Thanks again for your help.
:(
Thanks!
Bob
____________________
Local:
##LOCAL
: Saved
:
ASA Version 7.2(4)
!
hostname fw
domain-name default1.domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.10 NETSORT
name 192.168.1.2 MAINSERVER1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address 105.39.160.137 255.255.255.255 pppoe setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default1.domain.com
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9833
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.254.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MAINSERVER1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) udp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) tcp interface 9833 192.168.1.3 9833 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https NETSORT https netmask 255.255.255.255
static (inside,outside) tcp interface www MAINSERVER1 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 192.168.200.0 255.255.255.0 NETSORT 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 75.199.237.98
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname dsl1001@qwest.net
vpdn group DSL ppp authentication pap
vpdn username dsl1001@qwest.net password *********
dhcpd auto_config outside
!
dhcpd address MAINSERVER1-192.168.1.33 inside
!
tunnel-group 75.199.237.98 type ipsec-l2l
tunnel-group 75.199.237.98 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:9dd362ec74e
: end
asdm image disk0:/asdm-524.bin
asdm location MAINSERVER1 255.255.255.255 inside
asdm location NETSORT 255.255.255.255 inside
no asdm history enable
________________
AND Remote:
# - REMOTE CONFIGURATION
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.200 NETSORT
name 192.168.254.10 MAINSERVER
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.254.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.199.237.98 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 MAINSERVER 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https NETSORT https netmask 255.255.255.255
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask 255.255.255.255
static (inside,outside) udp interface 10443 NETSORT 10443 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.199.237.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 105.39.160.37
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
tunnel-group 105.39.160.37 type ipsec-l2l
tunnel-group 105.39.160.37 ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:e7c4db7c7b5
: end
asdm image disk0:/asdm-524.bin
asdm location NETSORT 255.255.255.255 inside
asdm location MAINSERVER 255.255.255.255 inside
no asdm history enable
Ive looked again and cant find anything. Thanks again for your help.
:(
Thanks!
Bob
ASKER
Also, where do I get the firmware updates and asa updates? I just bought these like a month in a half ago and have been looking everywhere for them.
-Bob
-Bob
You have to have a contract with cisco but if you got them in the last 90 days I think you can probably call support and they will set you up with the download. maybe?
On first config:
this:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.254.0
should be:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
On first config:
this:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.254.0
should be:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
ASKER
Ill call Cisco, but in the mean time, going to wipe out the vpn configs on both sides and start over.
Will keep you all updated (soon).
:)
Bob
Will keep you all updated (soon).
:)
Bob
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Resolved the issue with Cisco, see post.
crypto map outside_map 1 set pfs group1
Is one LAN 192.168.1.0 255.255.255.0 and the other 192.168.254.0 255.255.255.0
If so then change:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 67.199.237.101
to:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0