Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.
COURSE of the MONTH
13 days, 15 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
ASA 5505 to ASA 5510 only passing one way traffic
Posted on 2011-03-07
We have a cisco asa 5510 that we were able to configure lan to lan vpn tunnels to outside ASA 5505's. However we can't ping across to the remote LANs. Also, the status in ASDM shows traffic only RX not TX (see attached pic)
Any ideas?>
PMCTMPASA01# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 184.191.141.90
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 68.98.222.214
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Any ideas?>
PMCTMPASA01# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 184.191.141.90
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 68.98.222.214
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
4
3
7 Comments
You probably need a static route for the remote LAN that goes out your outside interface.
Alternately, you may need to exempt the traffic from any NAT rules that you have.
Can you provide the running configuration?
Alternately, you may need to exempt the traffic from any NAT rules that you have.
Can you provide the running configuration?
Have done the nat exempt. static routes don't help either
asdm image disk0:/asdm512.bin
asdm location 10.0.11.0 255.255.255.0 Reuters
asdm location 10.0.20.0 255.255.255.0 Reuters
asdm location 10.0.25.0 255.255.255.0 Reuters
asdm location 10.100.0.0 255.255.255.0 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 192.168.0.0 255.255.255.0 Reuters
asdm location 192.168.10.0 255.255.255.0 Reuters
asdm location 192.168.150.0 255.255.255.0 Reuters
asdm location 192.168.158.0 255.255.255.0 Reuters
asdm location 10.0.0.50 255.255.255.255 inside
asdm location 10.0.0.35 255.255.255.255 inside
asdm location 10.0.0.62 255.255.255.255 inside
asdm location 184.191.135.x 255.255.255.255 Reuters
asdm location 10.0.0.15 255.255.255.255 inside
asdm location 10.0.0.16 255.255.255.255 inside
asdm location 184.191.x.x 255.255.255.255 COX
asdm location 98.174.x 255.255.255.255 inside
asdm location 10.0.21.0 255.255.255.0 COX
no asdm history enable
: Saved
:
ASA Version 7.1(2)
!
hostname PMCTMPASA01
domain-name peoplesmortgage.net
enable password OsjPKXgWE5.N6im0 encrypted
no names
name 10.0.0.8 PMCTS01
name 10.0.25.0 Legacy_Gil
name 10.0.20.0 Legacy_Phx
!
interface Ethernet0/0
description Access for the Reuters computer.
nameif Reuters
security-level 100
ip address 192.168.10.1 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
description COX ISP 98.174.232.7
nameif COX
security-level 0
ip address 98.174.232.7 255.255.255.240
!
interface Management0/0
shutdown
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd OsjPKXgWE5.N6im0 encrypted
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name peoplesmortgage.net
object-group service MAIL tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
access-list Outside_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.158.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.25.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_81 extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list toSPR extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list vpnlist extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_61 extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list COX_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
access-list Outside_cryptomap_121 extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list COX_access_in extended permit icmp any any
access-list COX_cryptomap_141_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 30
logging enable
logging buffer-size 8192
logging buffered informational
logging trap notifications
logging asdm informational
logging queue 8192
mtu Reuters 1472
mtu inside 1472
mtu COX 1500
mtu Management 1500
ip local pool swim 10.0.11.1-10.0.11.250
ip local pool pptp-pool 192.168.158.1-192.168.158.
ip verify reverse-path interface Reuters
icmp permit host 74.206.96.172 Reuters
icmp permit host 10.0.0.6 inside
icmp permit any COX
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (COX) 10 interface
nat (Reuters) 0 access-list Outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (COX) 0 access-list COX_nat0_inbound outside
nat (Management) 10 0.0.0.0 0.0.0.0
static (inside,COX) tcp 174.79.x.x www 10.0.0.6 www netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x www 10.0.0.16 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x.x smtp 10.0.0.6 smtp netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x smtp 10.0.0.16 smtp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x ident 10.0.0.6 ident netmask 255.255.255.255
static (inside,COX) tcp 174.79x pop3 10.0.0.6 pop3 netmask 255.255.255.255
static (inside,COX) udp 174.79.xsnmp 10.0.0.6 snmp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3399 10.0.0.99 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3396 10.0.0.96 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3395 10.0.0.95 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3394 10.0.0.94 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3393 10.0.0.93 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3392 10.0.0.92 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3391 10.0.0.91 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3390 10.0.0.90 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3398 10.0.0.98 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3397 10.0.0.97 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3388 10.0.0.35 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3333 10.0.0.7 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x https 10.0.0.6 https netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.6 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.15 https netmask 255.255.255.255
static (inside,COX) tcp 184.1915x www 10.0.0.15 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.15 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3389 10.0.0.16 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.16 https netmask 255.255.255.255
static (Reuters,COX) 174.79.x 192.168.10.10 netmask 255.255.255.255
access-group COX_access_in in interface COX
route COX 4.2.2.2 255.255.255.255 98.174.x
route COX 0.0.0.0 0.0.0.0 98.174.x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authme protocol radius
group-policy rtpvpn internal
group-policy rtpvpn attributes
vpn-idle-timeout 50
username admin password fusSSOF8zyiGyWCw encrypted privilege 15
username user1it1noc password lrTYKCzbbxVGu9u3 encrypted privilege 15
username cdsi password XeltccmFWmjatpCE encrypted
http server enable
http 10.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 COX
snmp-server host inside 10.0.0.6 community Changer
snmp-server host inside 10.0.0.7 community Changer
snmp-server host Reuters 74.206.96.172 community Changer
snmp-server location Tempe, Arizona
no snmp-server contact
snmp-server community Changer
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ciscotest esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 1 set transform-set strong
crypto dynamic-map dyna 1 set security-association lifetime seconds 28800
crypto map rtpmap 81 match address Outside_cryptomap_81
crypto map rtpmap 81 set peer 74.206.x.x
crypto map rtpmap 81 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map rtpmap 121 match address Outside_cryptomap_121
crypto map rtpmap 121 set pfs group1
crypto map rtpmap 121 set peer 184.191.x.x
crypto map rtpmap 121 set transform-set ESP-DES-MD5
crypto map rtpmap 141 match address COX_cryptomap_141_1
crypto map rtpmap 141 set peer 68.98.x.x
crypto map rtpmap 141 set transform-set ESP-DES-MD5
crypto map rtpmap interface COX
isakmp identity address
isakmp enable inside
isakmp enable COX
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 1000
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 3600
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption des
isakmp policy 16 hash md5
isakmp policy 16 group 2
isakmp policy 16 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group rtpvpn type ipsec-ra
tunnel-group rtpvpn general-attributes
default-group-policy rtpvpn
tunnel-group rtpvpn ipsec-attributes
pre-shared-key *
tunnel-group 74.206.x type ipsec-l2l
tunnel-group 74.206.x ipsec-attributes
pre-shared-key *
tunnel-group 68.98.x.x type ipsec-l2l
tunnel-group 68.98.x.x ipsec-attributes
pre-shared-key *
tunnel-group 184.191.x.x type ipsec-l2l
tunnel-group 184.191.x ipsec-attributes
pre-shared-key *
telnet 74.206.x 255.255.255.255 Reuters
telnet 0.0.0.0 0.0.0.0 Reuters
telnet 10.100.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh 171.68.225.x 255.255.255.255 Reuters
ssh 171.69.88.x 255.255.255.255 Reuters
ssh 0.0.0.0 0.0.0.0 Reuters
ssh 10.0.0.6 255.255.255.255 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 COX
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
enable Reuters
url-list peoples "Email" http://10.0.0.6/exchange 1
smtp-server 10.0.0.6
Cryptochecksum:db87ec641ec
: end
asdm image disk0:/asdm512.bin
asdm location 10.0.11.0 255.255.255.0 Reuters
asdm location 10.0.20.0 255.255.255.0 Reuters
asdm location 10.0.25.0 255.255.255.0 Reuters
asdm location 10.100.0.0 255.255.255.0 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 67.91.84.x 255.255.255.255 Reuters
asdm location 192.168.0.0 255.255.255.0 Reuters
asdm location 192.168.10.0 255.255.255.0 Reuters
asdm location 192.168.150.0 255.255.255.0 Reuters
asdm location 192.168.158.0 255.255.255.0 Reuters
asdm location 10.0.0.50 255.255.255.255 inside
asdm location 10.0.0.35 255.255.255.255 inside
asdm location 10.0.0.62 255.255.255.255 inside
asdm location 184.191.135.x 255.255.255.255 Reuters
asdm location 10.0.0.15 255.255.255.255 inside
asdm location 10.0.0.16 255.255.255.255 inside
asdm location 184.191.x.x 255.255.255.255 COX
asdm location 98.174.x 255.255.255.255 inside
asdm location 10.0.21.0 255.255.255.0 COX
no asdm history enable
: Saved
:
ASA Version 7.1(2)
!
hostname PMCTMPASA01
domain-name peoplesmortgage.net
enable password OsjPKXgWE5.N6im0 encrypted
no names
name 10.0.0.8 PMCTS01
name 10.0.25.0 Legacy_Gil
name 10.0.20.0 Legacy_Phx
!
interface Ethernet0/0
description Access for the Reuters computer.
nameif Reuters
security-level 100
ip address 192.168.10.1 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
description COX ISP 98.174.232.7
nameif COX
security-level 0
ip address 98.174.232.7 255.255.255.240
!
interface Management0/0
shutdown
nameif Management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd OsjPKXgWE5.N6im0 encrypted
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
domain-name peoplesmortgage.net
object-group service MAIL tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
access-list Outside_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.158.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.25.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
access-list ipsectraffic extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_81 extended permit ip 10.0.0.0 255.255.255.0 10.100.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list toSPR extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list vpnlist extended permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_cryptomap_61 extended permit ip 10.0.0.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list COX_nat0_inbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive
access-list Outside_cryptomap_121 extended permit ip 10.0.0.0 255.255.255.0 10.0.21.0 255.255.255.0
access-list COX_access_in extended permit icmp any any
access-list COX_cryptomap_141_1 extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 30
logging enable
logging buffer-size 8192
logging buffered informational
logging trap notifications
logging asdm informational
logging queue 8192
mtu Reuters 1472
mtu inside 1472
mtu COX 1500
mtu Management 1500
ip local pool swim 10.0.11.1-10.0.11.250
ip local pool pptp-pool 192.168.158.1-192.168.158.
ip verify reverse-path interface Reuters
icmp permit host 74.206.96.172 Reuters
icmp permit host 10.0.0.6 inside
icmp permit any COX
asdm image disk0:/asdm512.bin
no asdm history enable
arp timeout 14400
global (COX) 10 interface
nat (Reuters) 0 access-list Outside_nat0_inbound outside
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (COX) 0 access-list COX_nat0_inbound outside
nat (Management) 10 0.0.0.0 0.0.0.0
static (inside,COX) tcp 174.79.x.x www 10.0.0.6 www netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x www 10.0.0.16 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x.x smtp 10.0.0.6 smtp netmask 255.255.255.255
static (inside,COX) tcp 184.191.x.x smtp 10.0.0.16 smtp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x ident 10.0.0.6 ident netmask 255.255.255.255
static (inside,COX) tcp 174.79x pop3 10.0.0.6 pop3 netmask 255.255.255.255
static (inside,COX) udp 174.79.xsnmp 10.0.0.6 snmp netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3399 10.0.0.99 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3396 10.0.0.96 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3395 10.0.0.95 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3394 10.0.0.94 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3393 10.0.0.93 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3392 10.0.0.92 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3391 10.0.0.91 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3390 10.0.0.90 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3398 10.0.0.98 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3397 10.0.0.97 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3388 10.0.0.35 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3333 10.0.0.7 3389 netmask 255.255.255.255
static (inside,COX) tcp 174.79.x https 10.0.0.6 https netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.6 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.15 https netmask 255.255.255.255
static (inside,COX) tcp 184.1915x www 10.0.0.15 www netmask 255.255.255.255
static (inside,COX) tcp 174.79.x 3389 10.0.0.15 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x 3389 10.0.0.16 3389 netmask 255.255.255.255
static (inside,COX) tcp 184.191.x https 10.0.0.16 https netmask 255.255.255.255
static (Reuters,COX) 174.79.x 192.168.10.10 netmask 255.255.255.255
access-group COX_access_in in interface COX
route COX 4.2.2.2 255.255.255.255 98.174.x
route COX 0.0.0.0 0.0.0.0 98.174.x
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authme protocol radius
group-policy rtpvpn internal
group-policy rtpvpn attributes
vpn-idle-timeout 50
username admin password fusSSOF8zyiGyWCw encrypted privilege 15
username user1it1noc password lrTYKCzbbxVGu9u3 encrypted privilege 15
username cdsi password XeltccmFWmjatpCE encrypted
http server enable
http 10.0.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 COX
snmp-server host inside 10.0.0.6 community Changer
snmp-server host inside 10.0.0.7 community Changer
snmp-server host Reuters 74.206.96.172 community Changer
snmp-server location Tempe, Arizona
no snmp-server contact
snmp-server community Changer
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ciscotest esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 1 set transform-set strong
crypto dynamic-map dyna 1 set security-association lifetime seconds 28800
crypto map rtpmap 81 match address Outside_cryptomap_81
crypto map rtpmap 81 set peer 74.206.x.x
crypto map rtpmap 81 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map rtpmap 121 match address Outside_cryptomap_121
crypto map rtpmap 121 set pfs group1
crypto map rtpmap 121 set peer 184.191.x.x
crypto map rtpmap 121 set transform-set ESP-DES-MD5
crypto map rtpmap 141 match address COX_cryptomap_141_1
crypto map rtpmap 141 set peer 68.98.x.x
crypto map rtpmap 141 set transform-set ESP-DES-MD5
crypto map rtpmap interface COX
isakmp identity address
isakmp enable inside
isakmp enable COX
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 1000
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 3600
isakmp policy 16 authentication pre-share
isakmp policy 16 encryption des
isakmp policy 16 hash md5
isakmp policy 16 group 2
isakmp policy 16 lifetime 3600
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group rtpvpn type ipsec-ra
tunnel-group rtpvpn general-attributes
default-group-policy rtpvpn
tunnel-group rtpvpn ipsec-attributes
pre-shared-key *
tunnel-group 74.206.x type ipsec-l2l
tunnel-group 74.206.x ipsec-attributes
pre-shared-key *
tunnel-group 68.98.x.x type ipsec-l2l
tunnel-group 68.98.x.x ipsec-attributes
pre-shared-key *
tunnel-group 184.191.x.x type ipsec-l2l
tunnel-group 184.191.x ipsec-attributes
pre-shared-key *
telnet 74.206.x 255.255.255.255 Reuters
telnet 0.0.0.0 0.0.0.0 Reuters
telnet 10.100.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh 171.68.225.x 255.255.255.255 Reuters
ssh 171.69.88.x 255.255.255.255 Reuters
ssh 0.0.0.0 0.0.0.0 Reuters
ssh 10.0.0.6 255.255.255.255 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 COX
ssh timeout 30
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
enable Reuters
url-list peoples "Email" http://10.0.0.6/exchange 1
smtp-server 10.0.0.6
Cryptochecksum:db87ec641ec
: end
What about internal routing? Do your internal machines use this device as the next-hop for the 192.168.0.0/24 network?
Try this command in a command prompt on a Windows machine:
route add 192.168.0.0 mask 255.255.255.0 10.0.0.1
(On Windows 7 or 2008 you will need to elevate privileges before this will run successfully.)
Try this command in a command prompt on a Windows machine:
route add 192.168.0.0 mask 255.255.255.0 10.0.0.1
(On Windows 7 or 2008 you will need to elevate privileges before this will run successfully.)
Tried that. But it still can't get to the other side... i know .205 is a live host (pingable)
Z:\>route add 192.168.0.0 mask 255.255.255.0 10.0.0.1
Z:\>ping 192.168.0.205
Pinging 192.168.0.205 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.205:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Z:\>tracert 192.168.0.205
Tracing route to 192.168.0.205 over a maximum of 30 hops
1 * * * Request timed out.
2 *
Z:\>route add 192.168.0.0 mask 255.255.255.0 10.0.0.1
Z:\>ping 192.168.0.205
Pinging 192.168.0.205 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.205:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Z:\>tracert 192.168.0.205
Tracing route to 192.168.0.205 over a maximum of 30 hops
1 * * * Request timed out.
2 *
also, i noticed when i ping one of the remote sites ie 192.168.0.205 the logs show 106010: Deny inbound protocol 50src Remote IP x.x.x.x dst Local int ip xx.x..x
Yes, ICMP filtering is handled kind of funny on the ASA. If there is some service that's available on the remote end, you should try just connecting to it.
ASA/PIX/FWSM: Handling ICMP Pings and Traceroute
Follow the link for detailed instructions on allowing ICMP to work through the ASA.
ASA/PIX/FWSM: Handling ICMP Pings and Traceroute
Internet Control Message Protocol (ICMP) pings and traceroute on the PIX Firewall are handled differently based on the version of PIX and ASA code.
Inbound ICMP through the PIX/ASA is denied by default. Outbound ICMP is permitted, but the incoming reply is denied by default.
Follow the link for detailed instructions on allowing ICMP to work through the ASA.
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market. Every year, Cisco displays cutting-edge technol…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…
Suggested Courses
Course of the Month13 days, 15 hours left to enroll
800 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.