Solved

ASA 5510 Site to Site VPN Established, ping works, nothing else

Posted on 2011-02-24
791 Views
Last Modified: 2012-05-11
I have established a Site to Site VPN between my two sites, SITEA (10.45.0.0/16) and SITEB (10.50.50.0/24). Computers on the SITEA network can ping computers on the SITEB network, and SITEB can ping the SITEA network.

Nothing else is working, just ICMP.

Attached please find my config for SITEA.

SITEA 5510 outside IP is: aaa.bbb.ccc.19
SITEB 5510 outside IP is: xxx.yyy.xxx.61


Any ideas?
: Saved
:
ASA Version 8.2(1) 
!
hostname SITEAASA5510
domain-name mycompany.com

names
name 10.45.45.17 Exchange description exchange server
name 10.45.45.39 ebsdev description EBS Development
name 10.45.45.37 ebsprod description EBS Production
name aaa.bbb.ccc.6 outside-guest description outsidel IP for guest network
name 10.45.45.245 LMN-gw description gw to route to LMN
name 10.45.46.0 LMN-network description inside LMN network
name aaa.bbb.ccc.1 outside-gw description outside gw to ISP
name 10.45.45.228 door-dvr description door DVR server
name aaa.bbb.ccc.23 outside-LMNDC1 description outside LMN DC1
name aaa.bbb.ccc.21 outside-door-dvr description outside door DVR server
name 10.45.45.7 order-web description Affiliate Order Entry Web server
name aaa.bbb.ccc.20 outside-order-web description outside Order Entry Web server
name 10.45.45.226 voip-router description VoIP router
name 10.45.45.0 SITEA-network description  Main Building
name aaa.bbb.ccc.9 outside-voip-card description outside VoIP card
name 10.45.45.225 voip-card description 
name aaa.bbb.ccc.19 outside-iface
name aaa.bbb.ccc.12 outside-ldap description outside ldap server for SysAid
name 10.45.45.15 pdc
name 10.45.45.16 bdc
name 10.45.45.206 acct-rm-3-copier
name 10.45.45.235 hall-copier
name 10.45.0.0 SITEA-full-network description Main bldg and LMN
name 10.50.50.0 SITEB-full-network description SITEB-
!
interface Ethernet0/0
 description Internet service
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address outside-iface 255.255.255.224 
!
interface Ethernet0/1
 description guest services - WiFi, etc.
 nameif guest
 security-level 50
 ip address 192.168.50.1 255.255.255.0 
!
interface Ethernet0/2
 description DMZ for boxes that need to be both internet and lan accessible
 nameif dmz
 security-level 75
 ip address 172.16.75.1 255.255.255.0 
!
interface Ethernet0/3
 description LAN
 nameif inside
 security-level 100
 ip address 10.45.45.2 255.255.255.0 
!
interface Management0/0
 description management
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
!
time-range guest-access
 periodic weekdays 6:00 to 17:59
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup guest
dns domain-lookup dmz
dns domain-lookup inside
dns server-group DefaultDNS
 name-server bdc
 name-server pdc
 domain-name championwndow.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service exchsvcs tcp
 description Services we expose for MS Exchange
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq 135
 port-object eq 3389
 port-object eq 993
 port-object eq 995
object-group service intertelsvcs
 description Ports for the Inter-Tel VoIP Phones
 service-object tcp eq 5566 
 service-object udp eq 5567 
 service-object tcp eq 5570 
 service-object udp range 5000 5070 
 service-object udp range 6004 6247 
object-group network guest-dns
 description guest network DNS servers
 network-object host pdc
 network-object host bdc
object-group network guest-printers
 description guest network printers
 network-object host acct-rm-3-copier
 network-object host hall-copier
object-group network DM_INLINE_NETWORK_3
 group-object guest-dns
 group-object guest-printers
 network-object host ebsdev
object-group service dnssvcs
 description DNS Services
 service-object tcp eq domain 
 service-object udp eq domain 
object-group service irc-ports tcp
 port-object range 6660 6669
 port-object eq 7000
 port-object eq irc
object-group service irc-udp udp
 port-object range 660 6669
 port-object eq 7000
object-group network inside-smtp-allowed
 network-object host Exchange
 network-object host ebsprod
 network-object host ebsdev
 network-object host 10.45.45.2
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq imap4 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in remark Outside Exchange services
access-list outside_access_in extended permit tcp any any eq 135 
access-list outside_access_in remark Inbound ssh (ebs development)
access-list outside_access_in extended permit tcp any any eq 11221 
access-list inside_nat0_outbound extended permit ip SITEA-network 255.255.255.0 LMN-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip LMN-network 255.255.255.0 SITEA-network 255.255.255.0 
access-list inside_nat0_outbound extended permit ip SITEA-full-network 255.255.0.0 SITEB-full-network 255.255.255.0 
access-list guest_access_in extended deny tcp any any object-group irc-ports 
access-list guest_access_in extended deny udp any any object-group irc-udp 
access-list guest_access_in remark guest to ebsdev access
access-list guest_access_in extended permit tcp any host ebsdev eq ssh 
access-list guest_access_in remark guest DNS
access-list guest_access_in extended permit object-group dnssvcs any object-group guest-dns 
access-list guest_access_in remark Guest print
access-list guest_access_in extended permit ip any object-group guest-printers 
access-list guest_access_in remark Guest Exchange Services
access-list guest_access_in extended permit tcp any host Exchange object-group exchsvcs time-range guest-access 
access-list guest_access_in remark Guest ping  Exchange
access-list guest_access_in extended permit icmp any host Exchange time-range guest-access 
access-list guest_access_in remark Guest ping
access-list guest_access_in extended permit icmp any object-group DM_INLINE_NETWORK_3 
access-list guest_access_in extended deny tcp any any eq smtp 
access-list guest_access_in extended permit ip any any 
access-list outside_nat_outbound extended permit object-group dnssvcs any host outside-aff-dns1 
access-list outside_nat_outbound_1 extended permit object-group dnssvcs any host outside-aff-dns2 
access-list TCP-STATE-BYPASS extended permit ip SITEA-network 255.255.255.0 LMN-network 255.255.255.0 
access-list TCP-STATE-BYPASS extended permit ip LMN-network 255.255.255.0 SITEA-network 255.255.255.0 
access-list inside_access_in extended permit tcp object-group inside-smtp-allowed any eq smtp 
access-list inside_access_in extended deny tcp any any eq smtp log alerts interval 3 
access-list inside_access_in extended deny tcp any any object-group irc-ports 
access-list inside_access_in extended deny udp any any object-group irc-udp 
access-list inside_access_in extended deny ip host 10.45.45.96 any 
access-list inside_access_in extended deny ip host 10.45.45.127 any 
access-list inside_access_in extended deny ip host 10.45.45.130 any 
access-list inside_access_in extended deny ip host 10.45.45.148 any 
access-list inside_access_in extended deny ip host 10.45.45.153 any 
access-list inside_access_in extended deny ip host 10.45.45.155 any 
access-list inside_access_in extended permit ip any any 
access-list outside_1_cryptomap extended permit ip SITEA-full-network 255.255.0.0 SITEB-full-network 255.255.255.0 
pager lines 24
logging enable
logging list email-notifications level alerts
logging buffered informational
logging asdm informational
logging mail alerts
logging from-address helpdesk@mycompany.com
logging recipient-address helpdesk@mycompany.com level alerts
mtu outside 1500
mtu guest 1500
mtu dmz 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
ip audit name outside-attack attack action alarm drop reset
ip audit interface outside outside-attack
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any guest
icmp permit any dmz
icmp permit any inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (outside) 6 outside-guest netmask 255.255.255.255
global (outside) 9 outside-aff-dns2 netmask 255.255.255.255
global (outside) 8 outside-aff-dns1 netmask 255.255.255.255
nat (outside) 8 access-list outside_nat_outbound
nat (outside) 9 access-list outside_nat_outbound_1
nat (guest) 6 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 11221 ebsdev ssh netmask 255.255.255.255 
static (inside,outside) tcp interface 135 Exchange 135 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 Exchange 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface www Exchange www netmask 255.255.255.255 
static (inside,outside) tcp interface https Exchange https netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 Exchange imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 Exchange pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 993 Exchange 993 netmask 255.255.255.255 
static (inside,outside) tcp interface 995 Exchange 995 netmask 255.255.255.255 
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255 
static (inside,outside) tcp outside-ldap ldap bdc ldap netmask 255.255.255.255 
static (guest,inside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 
static (inside,guest) SITEA-network SITEA-network netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group guest_access_in in interface guest
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 outside-gw 1
route inside voip-card 255.255.255.255 voip-router 1
route inside LMN-network 255.255.255.0 LMN-gw 1
route inside 10.45.47.0 255.255.255.0 10.45.45.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SITEA_KERB protocol kerberos
aaa-server SITEA_KERB (inside) host bdc
 kerberos-realm mycompany.COM
http server enable
http 192.168.1.0 255.255.255.0 management
http SITEA-full-network 255.255.0.0 inside
http 192.168.50.2 255.255.255.255 guest
snmp-server host inside pdc poll community public
snmp-server location Server Room
snmp-server contact IT Department
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp guest
sysopt noproxyarp dmz
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer xxx.yyy.zzz.61 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns bdc pdc
dhcpd lease 86400
!
dhcpd address 192.168.50.20-192.168.50.240 guest
dhcpd dns bdc pdc interface guest
dhcpd lease 86400 interface guest
dhcpd enable guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 140.99.51.114 source outside
ntp server 38.117.195.101 source outside
ntp server 63.229.235.77 source outside prefer
ntp server 69.65.40.29 source outside
webvpn
username champit password MmSVbXEz/FpGEKi2 encrypted privilege 15
tunnel-group xxx.yyy.zzz.61 type ipsec-l2l
tunnel-group xxx.yyy.zzz.61 ipsec-attributes
 pre-shared-key *
!
class-map TCP-STATE-BYPASS
 match access-list TCP-STATE-BYPASS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map inside_policy
 class TCP-STATE-BYPASS
  set connection advanced-options tcp-state-bypass
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect dns dynamic-filter-snoop 
  inspect ipsec-pass-thru 
!
service-policy global_policy global
service-policy inside_policy interface inside
smtp-server 10.45.45.17
prompt hostname context 
Cryptochecksum:3baaf66c3ed81965319f259d97608cac
: end
asdm location Exchange 255.255.255.255 inside
asdm location ebsprod 255.255.255.255 inside
asdm location ebsdev 255.255.255.255 inside
asdm location outside-guest 255.255.255.255 inside
asdm location LMN-gw 255.255.255.255 inside
asdm location LMN-network 255.255.255.0 inside
asdm location outside-gw 255.255.255.255 inside
asdm location door-dvr 255.255.255.255 inside
asdm location outside-voip-card 255.255.255.255 inside
asdm location outside-order-web 255.255.255.255 inside
asdm location outside-door-dvr 255.255.255.255 inside
asdm location outside-LMNDC1 255.255.255.255 inside
asdm location order-web 255.255.255.255 inside
asdm location voip-router 255.255.255.255 inside
asdm location SITEA-network 255.255.255.0 inside
asdm location voip-card 255.255.255.255 inside
asdm location outside-iface 255.255.255.255 inside
asdm location outside-ldap 255.255.255.255 inside
asdm location outside-aff-dns1 255.255.255.255 inside
asdm location outside-aff-dns2 255.255.255.255 inside
asdm location opendns-server2 255.255.255.255 inside
asdm location opendns-server1 255.255.255.255 inside
asdm history enable

Question by:champIT
6 Comments
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 34976446
I don't see a map name configured in the "inspect ipsec-pass-thru" command. That's disabled by default; you might try removing it to see if that makes a difference. If you're terminating IPsec on the ASA I don't believe that command is needed, and it may be interfering with traffic flow. Don't know for sure, but it's worth a try.
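The check jmeggers suggests, written out as an added example that is not part of the original thread: it parses an ASA 8.x style config excerpt (constructed here from the SITEA config in the question, keeping the page's object names) and flags `inspect ipsec-pass-thru` when the same box binds a crypto map to an interface. It also goes one step beyond the thread and flags any crypto-map ACL entry that has no matching `nat 0` exemption, a frequent way for interesting traffic to be NATed away from the tunnel. The regexes and the `parse`/`check` functions are my own and assume the policy-map holding the inspect line is applied.

```python
import re

# Constructed excerpt modelled on the SITEA config above (object names kept as on the page).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip SITEA-network 255.255.255.0 LMN-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip SITEA-full-network 255.255.0.0 SITEB-full-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip SITEA-full-network 255.255.0.0 SITEB-full-network 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
service-policy global_policy global
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def parse(config):
    """Collect the handful of statements the check needs from an ASA 8.x config."""
    acls, nat0, cmap_acls, bound, passthru = {}, {}, {}, set(), False
    for raw in config.splitlines():
        line = raw.strip()          # ASA indents lines under policy-map/class
        if (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif (m := NAT0_RE.match(line)):
            nat0[m.group(1)] = m.group(2)            # interface -> exemption ACL
        elif (m := MATCH_RE.match(line)):
            cmap_acls.setdefault(m.group(1), set()).add(m.group(2))
        elif (m := BIND_RE.match(line)):
            bound.add(m.group(1))                    # crypto maps applied to an interface
        elif line == "inspect ipsec-pass-thru":      # assumes its policy-map is applied
            passthru = True
    return acls, nat0, cmap_acls, bound, passthru

def check(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    acls, nat0, cmap_acls, bound, passthru = parse(config)
    findings = []
    # The box terminates IPsec itself if any crypto map with a match-address is bound.
    if passthru and any(name in bound for name in cmap_acls):
        findings.append("inspect ipsec-pass-thru configured on a box that terminates IPsec")
    # Every crypto-map (interesting traffic) entry should also be exempt from NAT.
    exempt = {pair for acl in nat0.values() for pair in acls.get(acl, [])}
    for cmap in bound:
        for acl in cmap_acls.get(cmap, ()):
            for src, dst in acls.get(acl, []):
                if (src, dst) not in exempt:
                    findings.append(f"{acl}: {src} -> {dst} has no nat 0 exemption")
    return findings
```

Run `check()` over the output of `show running-config`; on the sample it reports only the pass-thru finding, and reports nothing once that line is removed.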
 

Author Comment

by:champIT
ID: 34979364
I disabled the IPsec pass-thru (it was set up for something else). I will have to check later today to see if that was it.
 

Author Comment

by:champIT
ID: 34984659
OK, it is working but we see too many timeouts. Any suggestions?
 

Author Comment

by:champIT
ID: 35037709
We have this solved.  Thank you for the help
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37049236
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.