We have a Cisco ASA 5510 on which we were able to configure LAN-to-LAN VPN tunnels to outside ASA 5505s. However, we can't ping across to the remote LANs. Also, the status in ASDM shows traffic only RX, not TX (see attached pic).
Any ideas?
PMCTMPASA01# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 184.191.141.90
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 68.98.222.214
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
asdm image disk0:/asdm512.bin
asdm location 10.0.11.0 255.255.255.0 Reuters
asdm location 10.0.20.0 255.255.255.0 Reuters
asdm location 10.0.25.0 255.255.255.0 Reuters
asdm location 10.100.0.0 255.255.255.0 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 192.168.0.0 255.255.255.0 Reuters
asdm location 192.168.10.0 255.255.255.0 Reuters
asdm location 192.168.150.0 255.255.255.0 Reuters
asdm location 192.168.158.0 255.255.255.0 Reuters
asdm location 10.0.0.50 255.255.255.255 inside
asdm location 10.0.0.35 255.255.255.255 inside
asdm location 10.0.0.62 255.255.255.255 inside
asdm location 184.191.135.x 255.255.255.255 Reuters
asdm location 10.0.0.15 255.255.255.255 inside
asdm location 10.0.0.16 255.255.255.255 inside
asdm location 184.191.x.x 255.255.255.255 COX
asdm location 98.174.x 255.255.255.255 inside
asdm location 10.0.21.0 255.255.255.0 COX
no asdm history enable
: Saved
:
ASA Version 7.1(2)
!
hostname PMCTMPASA01
domain-name peoplesmortgage.net
enable password OsjPKXgWE5.N6im0 encrypted
no names
name 10.0.0.8 PMCTS01
name 10.0.25.0 Legacy_Gil
name 10.0.20.0 Legacy_Phx
!
interface Ethernet0/0
description Access for the Reuters computer.
nameif Reuters
security-level 100
ip address 192.168.10.1 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
description COX ISP 98.174.232.7
nameif COX
security-level 0
ip address 98.174.232.7 255.255.255.240
!
interface Management0/0
shutdown
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd OsjPKXgWE5.N6im0 encrypted
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name peoplesmortgage.net
object-group service MAIL tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
access-list Outside_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.158.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.25.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_81 extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list toSPR extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list vpnlist extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_61 extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list COX_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
access-list Outside_cryptomap_121 extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list COX_access_in extended permit icmp any any
access-list COX_cryptomap_141_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 30
logging enable
logging buffer-size 8192
logging buffered informational
logging trap notifications
logging asdm informational
logging queue 8192
mtu Reuters 1472
mtu inside 1472
mtu COX 1500
mtu Management 1500
ip local pool swim 10.0.11.1-10.0.11.250
ip local pool pptp-pool 192.168.158.1-192.168.158.
ip verify reverse-path interface Reuters
icmp permit host 74.206.96.172 Reuters
icmp permit host 10.0.0.6 inside
icmp permit any COX
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (COX) 10 interface
nat (Reuters) 0 access-list Outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (COX) 0 access-list COX_nat0_inbound outside
nat (Management) 10 0.0.0.0 0.0.0.0
static (inside,COX) tcp 174.79.x.x www 10.0.0.6 www netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x www 10.0.0.16 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x.x smtp 10.0.0.6 smtp netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x smtp 10.0.0.16 smtp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x ident 10.0.0.6 ident netmask 255.255.255.255
static (inside,COX) tcp 174.79.x pop3 10.0.0.6 pop3 netmask 255.255.255.255
static (inside,COX) udp 174.79.x snmp 10.0.0.6 snmp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3399 10.0.0.99 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3396 10.0.0.96 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3395 10.0.0.95 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3394 10.0.0.94 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3393 10.0.0.93 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3392 10.0.0.92 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3391 10.0.0.91 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3390 10.0.0.90 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3398 10.0.0.98 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3397 10.0.0.97 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3388 10.0.0.35 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3333 10.0.0.7 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x https 10.0.0.6 https netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.6 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.15 https netmask 255.255.255.255
static (inside,COX) tcp 184.191.x www 10.0.0.15 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.15 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3389 10.0.0.16 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.16 https netmask 255.255.255.255
static (Reuters,COX) 174.79.x 192.168.10.10 netmask 255.255.255.255
access-group COX_access_in in interface COX
route COX 4.2.2.2 255.255.255.255 98.174.x
route COX 0.0.0.0 0.0.0.0 98.174.x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authme protocol radius
group-policy rtpvpn internal
group-policy rtpvpn attributes
vpn-idle-timeout 50
username admin password fusSSOF8zyiGyWCw encrypted privilege 15
username user1it1noc password lrTYKCzbbxVGu9u3 encrypted privilege 15
username cdsi password XeltccmFWmjatpCE encrypted
http server enable
http 10.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 COX
snmp-server host inside 10.0.0.6 community Changer
snmp-server host inside 10.0.0.7 community Changer
snmp-server host Reuters 74.206.96.172 community Changer
snmp-server location Tempe, Arizona
no snmp-server contact
snmp-server community Changer
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ciscotest esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 1 set transform-set strong
crypto dynamic-map dyna 1 set security-association lifetime seconds 28800
crypto map rtpmap 81 match address Outside_cryptomap_81
crypto map rtpmap 81 set peer 74.206.x.x
crypto map rtpmap 81 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map rtpmap 121 match address Outside_cryptomap_121
crypto map rtpmap 121 set pfs group1
crypto map rtpmap 121 set peer 184.191.x.x
crypto map rtpmap 121 set transform-set ESP-DES-MD5
crypto map rtpmap 141 match address COX_cryptomap_141_1
crypto map rtpmap 141 set peer 68.98.x.x
crypto map rtpmap 141 set transform-set ESP-DES-MD5
crypto map rtpmap interface COX
isakmp identity address
isakmp enable inside
isakmp enable COX
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 1000
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 3600
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption des
isakmp policy 16 hash md5
isakmp policy 16 group 2
isakmp policy 16 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group rtpvpn type ipsec-ra
tunnel-group rtpvpn general-attributes
default-group-policy rtpvpn
tunnel-group rtpvpn ipsec-attributes
pre-shared-key *
tunnel-group 74.206.x type ipsec-l2l
tunnel-group 74.206.x ipsec-attributes
pre-shared-key *
tunnel-group 68.98.x.x type ipsec-l2l
tunnel-group 68.98.x.x ipsec-attributes
pre-shared-key *
tunnel-group 184.191.x.x type ipsec-l2l
tunnel-group 184.191.x ipsec-attributes
pre-shared-key *
telnet 74.206.x 255.255.255.255 Reuters
telnet 0.0.0.0 0.0.0.0 Reuters
telnet 10.100.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh 171.68.225.x 255.255.255.255 Reuters
ssh 171.69.88.x 255.255.255.255 Reuters
ssh 0.0.0.0 0.0.0.0 Reuters
ssh 10.0.0.6 255.255.255.255 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 COX
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
enable Reuters
url-list peoples "Email" http://10.0.0.6/exchange 1
smtp-server 10.0.0.6
Cryptochecksum:db87ec641ec
: end
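As an added example (not part of the original post): a check that every flow in each L2L crypto-map ACL of the posted config is covered by the nat (inside) 0 exemption list, which is one of the first things to rule out when IKE shows MM_ACTIVE but traffic is one-way. CONFIG is constructed from the relevant lines of the post, keeping the redacted 'x' octets in the peer addresses; the parser only handles plain "permit ip <net> <mask> <net> <mask>" ACEs.

```python
"""NAT-exemption coverage check for the posted ASA 7.x L2L crypto maps (added
example, not from the original post).  CONFIG is constructed from the post's
relevant lines, with redacted 'x' octets kept; only plain
"permit ip <net> <mask> <net> <mask>" ACEs are parsed."""
import re
from ipaddress import IPv4Network

CONFIG = """\
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list Outside_cryptomap_81 extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list Outside_cryptomap_121 extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list COX_cryptomap_141_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map rtpmap 81 match address Outside_cryptomap_81
crypto map rtpmap 81 set peer 74.206.x.x
crypto map rtpmap 121 match address Outside_cryptomap_121
crypto map rtpmap 121 set peer 184.191.x.x
crypto map rtpmap 141 match address COX_cryptomap_141_1
crypto map rtpmap 141 set peer 68.98.x.x
"""
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CMAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)$")

def parse_acls(cfg):
    """Map ACL name -> set of (src_net, dst_net) pairs."""
    acls = {}
    for m in filter(None, map(ACE_RE.match, cfg.splitlines())):
        name, s, sm, d, dm = m.groups()
        acls.setdefault(name, set()).add((IPv4Network(f"{s}/{sm}"), IPv4Network(f"{d}/{dm}")))
    return acls

def nat0_gaps(cfg, iface="inside"):
    """Per L2L peer, list crypto-ACL flows that no nat 0 ACE on `iface` exempts
    from translation.  An empty list means NAT exemption is complete for that peer."""
    acls, exempt, entries = parse_acls(cfg), set(), {}
    for line in cfg.splitlines():
        if (m := NAT0_RE.match(line)) and m.group(1) == iface:
            exempt |= acls.get(m.group(2), set())       # flows already exempt from NAT
        elif m := CMAP_RE.match(line):                  # seq -> {"acl": ..., "peer": ...}
            key = "acl" if m.group(2) == "match address" else "peer"
            entries.setdefault(m.group(1), {})[key] = m.group(3)
    gaps = {}
    for e in entries.values():
        flows = sorted(acls.get(e.get("acl"), ()))
        gaps[e.get("peer", "no-peer")] = [f"{s} -> {d}" for s, d in flows
            if not any(s.subnet_of(xs) and d.subnet_of(xd) for xs, xd in exempt)]
    return gaps
```

For the posted config all three peers come back with an empty list, so a missing NAT exemption is not the cause here and the remaining suspects are the far-end mirror ACLs and the phase 2 parameters (for example the PFS setting on map entry 121).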