beardog1113
asked on
site-to-site VPN between ASA5510 and PIX525, Problem
Hello experts,
I am trying to build a VPN between an ASA and a PIX. After configuring both sides, each LAN could not reach the other. I have checked on the ASA and the PIX; the ISAKMP and IPsec SAs were established. I am not sure what is wrong in my configuration and need your help on this. I will post the configurations in other posts.
Thanks
ASKER
ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
enable password piOrULOo5tMFpYSX encrypted
passwd piOrULOo5tMFpYSX encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 203.196.0.106 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.137.254.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone GMT 8
object network obj-10.137.254.21
host 10.137.254.21
object network obj-10.137.253.0
subnet 10.137.253.0 255.255.255.0
object network obj-10.137.254.0
subnet 10.137.254.0 255.255.255.0
object network obj-10.137.254.11
host 10.137.254.11
object network obj-10.137.18.0
subnet 10.137.18.0 255.255.255.0
object network 10.137.254.0
subnet 10.137.254.0 255.255.255.0
object network 10.137.18.0
subnet 10.137.18.0 255.255.255.0
access-list VPN_REMOTE_ACL standard permit 10.137.254.0 255.255.255.0
access-list outside-acl extended permit ip host 202.106.1.138 host 10.137.254.11
access-list outside-acl extended permit ip 202.106.0.64 255.255.255.224 host 10.137.254.11
access-list outside-acl extended permit ip 122.248.141.0 255.255.255.224 host 10.137.254.11
access-list outside-acl extended permit ip host 122.248.139.148 host 10.137.254.11
access-list outside-acl extended permit ip host 59.151.58.58 host 10.137.254.11
access-list outside-acl extended permit tcp any host 10.137.254.11 eq www
access-list outside-acl extended permit tcp host 114.80.70.26 host 10.137.254.11 eq 1688
access-list map11 extended permit ip object 10.137.254.0 object 10.137.18.0
access-list map11 extended permit ip host 203.196.0.106 host 202.106.1.138
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool Dellcom-IPPool 10.137.253.2-10.137.253.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static 10.137.254.0 10.137.254.0 destination static 10.137.18.0 10.137.18.0
nat (inside,any) source static any any destination static obj-10.137.253.0 obj-10.137.253.0 no-proxy-arp
!
object network obj-10.137.254.21
nat (inside,outside) static 203.196.0.108 service tcp https https
object network obj-10.137.254.0
nat (inside,outside) dynamic interface
object network obj-10.137.254.11
nat (inside,outside) static 203.196.0.107
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 203.196.0.105 10
route inside 10.0.0.0 255.0.0.0 10.137.254.1 5
route outside 10.137.18.0 255.255.255.0 203.196.0.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Dellcom esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set CHINA1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Dellcom
crypto dynamic-map dyn_map 20 set reverse-route
crypto map outside-map 11 match address map11
crypto map outside-map 11 set pfs
crypto map outside-map 11 set connection-type originate-only
crypto map outside-map 11 set peer 202.106.1.138
crypto map outside-map 11 set ikev1 transform-set CHINA1
crypto map outside-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
crypto isakmp nat-traversal 32
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
ssh version 2
console timeout 20
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy Dellcom internal
group-policy Dellcom attributes
banner value You have connected to a Private Network.
banner value
banner value Authorized users only.
banner value
banner value Unauthorized access may be subject to civil and criminal legal action.
dns-server value 10.137.8.26
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_REMOTE_ACL
default-domain value td.domain
address-pools value Dellcom-IPPool
ipv6-address-pools none
username bbzzadm password vkhRWfGCFuoFiQ7i encrypted
username pclt password 5qkNCZMjFfsn0bWE encrypted
username admin password yptIuiz0fZRas6PY encrypted privilege 15
tunnel-group Dellcom type remote-access
tunnel-group Dellcom general-attributes
address-pool Dellcom-IPPool
default-group-policy Dellcom
tunnel-group Dellcom ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 202.106.1.138 type ipsec-l2l
tunnel-group 202.106.1.138 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:31250533f46c96b797c4b884ae9e053a
: end
ASA#
You would need an access-list on both devices to allow your internal subnets, for example on the PIX:
access-list outside-acl extended permit ip 10.137.254.0 255.255.255.0 10.137.18.0 255.255.255.0
And on the ASA:
access-list outside-acl extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
ASKER
Hello,
Just tried it, but it didn't help. Any other solutions?
Thanks
Can you issue the following command on the ASA and post the result here?
packet-tracer input outside tcp 10.137.18.4 80 10.137.254.4 80 detailed
ASKER
And following is the ISAKMP and IPsec SA information from both sides.
PIX# sh cry ip sa
interface: outside
Crypto map tag: outside-map, seq num: 11, local addr: 202.106.1.138
access-list map11 permit ip host 202.106.1.138 host 203.196.0.106
local ident (addr/mask/prot/port): (202.106.1.138/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (203.196.0.106/255.255.255.255/0/0)
current_peer: 203.196.0.106
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.106.1.138, remote crypto endpt.: 203.196.0.106
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 09886135
inbound esp sas:
spi: 0xC7EF5B99 (3354352537)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
PIX# sh cry is sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 203.196.0.106
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
PIX#
ASA# sh cry ip sa
interface: outside
Crypto map tag: outside-map, seq num: 11, local addr: 203.196.0.106
access-list OO_temp_outside-map11 extended permit ip host 203.196.0.106 host 202.106.1.138
local ident (addr/mask/prot/port): (203.196.0.106/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (202.106.1.138/255.255.255.255/0/0)
current_peer: 202.106.1.138
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 203.196.0.106/0, remote crypto endpt.: 202.106.1.138/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C7EF5B99
current inbound spi : 09886135
inbound esp sas:
spi: 0x09886135 (159932725)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
ASA# sh cry is sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.106.1.138
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA#
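A check worth scripting when "the SA is up" but no packets flow, as an added example that is not from this thread or from Cisco: the ASA's `map11` ACL and the two network objects it references are taken from the ASA config above; the PIX crypto ACL is constructed, because the PIX config posted later is cut off before its crypto ACL; and the SA excerpt is the local/remote ident pair from the ASA's `show crypto ipsec sa` above. The script resolves `object` references, confirms the two crypto ACLs are exact mirrors of each other, and then lists every crypto ACL entry for which no SA carrying those exact proxy identities exists. On the posted output that is the LAN-to-LAN entry: the only SA that came up is the firewall-to-firewall host pair, which is consistent with the zero packet counters on both sides.

```python
import re
import ipaddress

Net = ipaddress.IPv4Network

# ASA side: the objects and crypto ACL as posted in the ASA config above.
ASA_CONFIG = """
object network 10.137.254.0
 subnet 10.137.254.0 255.255.255.0
object network 10.137.18.0
 subnet 10.137.18.0 255.255.255.0
access-list map11 extended permit ip object 10.137.254.0 object 10.137.18.0
access-list map11 extended permit ip host 203.196.0.106 host 202.106.1.138
"""

# PIX side: CONSTRUCTED (the posted PIX config stops before its crypto ACL).
# This is what a correctly mirrored peer ACL would look like.
PIX_CONFIG = """
access-list map11 extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list map11 extended permit ip host 202.106.1.138 host 203.196.0.106
"""

# CONSTRUCTED variant with a mask typo (/25 instead of /24) to show a mismatch.
PIX_CONFIG_MISMATCHED = """
access-list map11 extended permit ip 10.137.18.0 255.255.255.128 10.137.254.0 255.255.255.0
access-list map11 extended permit ip host 202.106.1.138 host 203.196.0.106
"""

# Proxy identities of the single SA the ASA reported in 'show crypto ipsec sa' above.
ASA_SA_OUTPUT = """
local ident (addr/mask/prot/port): (203.196.0.106/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (202.106.1.138/255.255.255.255/0/0)
"""


def parse_objects(config):
    """Resolve 'object network NAME' blocks with a 'subnet A MASK' or 'host A' body."""
    objects, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = Net(f"{addr}/{mask}")
        elif current and line.startswith("host "):
            objects[current] = Net(f"{line.split()[1]}/32")
    return objects


def _take_address(tokens, objects):
    """Consume one ACL address operand: any | host A | object NAME | A MASK."""
    kw = tokens[0]
    if kw == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if kw == "host":
        return Net(f"{tokens[1]}/32"), tokens[2:]
    if kw == "object":
        return objects[tokens[1]], tokens[2:]
    return Net(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acl(config, name):
    """(src, dst) proxy identities of every permit entry in crypto ACL NAME."""
    objects, entries = parse_objects(config), []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 2:]  # skip 'permit' and the protocol
        src, rest = _take_address(rest, objects)
        dst, _ = _take_address(rest, objects)
        entries.append((src, dst))
    return entries


def mirror_gaps(local, remote):
    """Local entries whose exact mirror (dst, src) does not exist on the peer."""
    remote_set = set(remote)
    return [(s, d) for (s, d) in local if (d, s) not in remote_set]


def parse_sa_idents(output):
    """Pair consecutive local/remote ident lines from 'show crypto ipsec sa'."""
    idents = [Net(f"{a}/{m}") for a, m in
              re.findall(r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", output)]
    return list(zip(idents[0::2], idents[1::2]))  # local, remote, local, remote, ...


def report():
    """Mirror check between the two crypto ACLs plus SA coverage on the ASA."""
    asa = parse_crypto_acl(ASA_CONFIG, "map11")
    pix = parse_crypto_acl(PIX_CONFIG, "map11")
    up = set(parse_sa_idents(ASA_SA_OUTPUT))
    return {
        "asa_missing_on_pix": mirror_gaps(asa, pix),
        "pix_missing_on_asa": mirror_gaps(pix, asa),
        # ACL entries with no SA carrying their exact proxy identities: traffic
        # matching them is not being encrypted even though "an SA" is up.
        "asa_entries_without_sa": [e for e in asa if e not in up],
    }


if __name__ == "__main__":
    print(report())
```

Run as a script it prints the three lists. Empty mirror-gap lists together with a non-empty `asa_entries_without_sa` list says the ISAKMP negotiation is fine and the problem is that interesting traffic never triggered (or never reached) the LAN-to-LAN SA, which is exactly where routing on the test hosts, NAT exemption and the crypto ACL need to be checked rather than the IKE policy.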
ASKER
Hello, here is the result you need. Phase 8 is a deny, but I am not sure which ACL I should put it in.
Thanks
ASA# packet-tracer input outside tcp 10.137.18.4 80 10.137.254.4$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad76afc8, priority=1, domain=permit, deny=false
hits=719862, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static 10.137.254.0 10.137.254.0 destination static 10.137.18.0 10.137.18.0
Additional Information:
NAT divert to egress interface inside
Untranslate 10.137.254.4/80 to 10.137.254.4/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-acl in interface outside
access-list outside-acl extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae220fd8, priority=13, domain=permit, deny=false
hits=0, user_data=0xaa86a880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.137.18.0, mask=255.255.255.0, port=0
dst ip/id=10.137.254.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad76ecd0, priority=0, domain=inspect-ip-options, deny=true
hits=13740, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadffef10, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=13319, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static 10.137.254.0 10.137.254.0 destination static 10.137.18.0 10.137.18.0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xae21bb80, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0xad38c898, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.137.18.0, mask=255.255.255.0, port=0
dst ip/id=10.137.254.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad792aa8, priority=0, domain=inspect-ip-options, deny=true
hits=11526, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xae2bf290, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0xae215768, reverse, flags=0x0, protocol=0
src ip/id=10.137.254.0, mask=255.255.255.0, port=0
dst ip/id=10.137.18.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA#
ASKER CERTIFIED SOLUTION
ASKER
Thank you for telling me to check the internal routing; that was a stupid issue. The testing laptop has multiple NICs and some of the routes on it were wrong. After I changed to another laptop, the two sides could ping each other.
ASKER
: Saved
:
PIX Version 8.0(4)28
!
hostname PIX
domain-name ciscopix.com
enable password piOrULOo5tMFpYSX encrypted
passwd piOrULOo5tMFpYSX encrypted
names
dns-guard
!
interface Ethernet0
duplex full
nameif outside
security-level 0
ip address 202.106.1.138 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.137.18.3 255.255.255.0
!
interface Ethernet2
nameif dmz1
security-level 10
ip address 202.106.0.93 255.255.255.252
!
interface Ethernet3
shutdown
nameif dmz2
security-level 20
no ip address
!
interface Ethernet4
shutdown
nameif dmz3
security-level 30
no ip address
!
interface Ethernet5
duplex full
nameif 3511
security-level 0
pppoe client vpdn group 3511
ip address pppoe setroute
!
boot system flash:/pix804-28.bin
ftp mode passive
clock timezone gmt 8
dns server-group DefaultDNS
domain-name ciscopix.com
access-list outside-acl extended permit ip host 61.144.17.117 host 202.106.0.94
access-list outside-acl extended permit ip host 218.1.103.170 host 202.106.0.94
access-list outside-acl extended permit ip host 217.167.252.35 host 202.106.0.94
access-list outside-acl extended permit ip host 62.23.36.201 host 202.106.0.94
access-list outside-acl extended permit ip host 80.5.89.189 host 202.106.0.94
access-list outside-acl extended permit ip host 217.206.137.210 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.94 eq pptp
access-list outside-acl extended permit ip host 210.77.128.38 host 202.106.0.94
access-list outside-acl extended permit ip host 12.45.14.18 host 202.106.0.94
access-list outside-acl extended permit ip host 218.107.48.148 host 202.106.0.94
access-list outside-acl extended permit icmp host 221.128.75.161 host 202.106.0.94
access-list outside-acl extended permit icmp host 221.128.85.50 host 202.106.0.94
access-list outside-acl extended permit ip host 221.10.51.254 host 202.106.0.94
access-list outside-acl extended permit ip host 61.219.20.201 host 202.106.0.94
access-list outside-acl extended permit ip host 221.128.85.50 host 202.106.0.94
access-list outside-acl extended permit ip host 12.45.14.19 host 202.106.0.94
access-list outside-acl extended permit ip host 12.151.115.234 host 202.106.0.94
access-list outside-acl extended permit ip host 125.215.234.209 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.69 eq https
access-list outside-acl extended permit tcp any host 202.106.0.69 eq smtp
access-list outside-acl extended permit ip host 203.94.134.30 host 202.106.0.94
access-list outside-acl extended permit ip host 89.234.16.39 host 202.106.0.94
access-list outside-acl extended permit ip host 74.205.84.38 host 202.106.0.94
access-list outside-acl extended permit ip host 210.13.87.170 host 202.106.0.94
access-list outside-acl extended permit ip host 116.120.80.4 host 202.106.0.94
access-list outside-acl extended permit ip host 210.174.104.114 host 202.106.0.94
access-list outside-acl extended permit ip host 122.248.141.2 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.66 eq www
access-list outside-acl extended permit tcp any host 202.106.0.67 eq www
access-list outside-acl extended permit tcp any host 202.106.0.68 eq www
access-list outside-acl extended permit tcp any host 202.106.0.69 eq www
access-list outside-acl extended permit ip host 210.13.72.226 host 202.106.0.94
access-list outside-acl extended permit ip host 118.122.114.15 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.69 eq 8888
access-list outside-acl extended permit ip host 203.82.42.138 host 202.106.0.94
access-list outside-acl extended permit ip host 94.236.5.84 host 202.106.0.94
access-list outside-acl extended permit ip host 58.185.45.180 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.65 eq www
access-list outside-acl extended permit ip host 119.6.23.178 host 202.106.0.94
access-list outside-acl extended permit ip any host 202.106.0.72
access-list outside-acl extended permit tcp any host 202.106.0.69 eq 8080
access-list outside-acl extended permit tcp any host 202.106.0.73 eq 3389
access-list outside-acl extended permit tcp any host 202.106.0.73 eq www
access-list outside-acl extended permit tcp any host 202.106.0.73 eq ftp-data
access-list outside-acl extended permit tcp any host 202.106.0.73 eq ftp
access-list outside-acl extended permit tcp any host 202.106.0.74 eq www
access-list outside-acl extended permit tcp any host 202.106.0.74 eq 8090
access-list outside-acl extended permit tcp any host 202.106.0.70 eq ftp-data
access-list outside-acl extended permit tcp any host 202.106.0.70 eq ftp
access-list outside-acl extended permit ip host 222.128.17.51 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.70 eq www
access-list outside-acl extended permit tcp any host 202.106.0.70 eq https
access-list outside-acl extended permit tcp any host 202.106.0.73 eq ssh
access-list outside-acl extended permit icmp any any
access-list outside-acl extended permit tcp any host 202.106.0.75 eq www
access-list outside-acl extended permit tcp any host 202.106.0.75 eq ssh
access-list outside-acl extended permit tcp any host 202.106.0.70 eq 3389
access-list outside-acl extended permit tcp any host 202.106.0.69 eq 8081
access-list outside-acl extended permit ip host 124.74.129.38 host 202.106.0.70
access-list outside-acl extended permit tcp any host 202.106.0.71 eq www
access-list test extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list inside-acl extended permit ip any any
access-list inside-acl extended permit icmp any any
access-list dmz1-acl extended permit ip any any
access-list dmz1-acl extended permit icmp any any
access-list ADSL3511 extended permit ip 10.137.30.0 255.255.255.128 any
access-list VPN_REMOTE_ACL standard permit 10.0.0.0 255.0.0.0
access-list VPN_REMOTE_ACL standard permit 172.16.0.0 255.240.0.0
access-list VPN_REMOTE_ACL standard permit 192.168.0.0 255.255.0.0
access-list VPN_REMOTE_ACL standard permit host 119.225.56.146
access-list VPN_REMOTE_ACL standard permit host 119.225.55.254
access-list nonat extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.137.19.224 255.255.255.224
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.137.19.224 255.255.255.224
access-list nonat extended permit ip 172.16.0.0 255.240.0.0 10.137.19.224 255.255.255.224
access-list vlan22 extended permit ip 10.137.18.0 255.255.255.0 any
access-list vlan22 extended permit ip 10.137.17.128 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.16.0 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.17.0 255.255.255.128 any
access-list vlan22 extended permit ip 10.137.16.128 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.16.192 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.30.0 255.255.255.128 any
access-list vlan22 extended permit ip 10.137.30.192 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.31.0 255.255.255.224 any
access-list vlan22 extended permit ip 10.137.31.128 255.255.255.128 any
access-list vlan22 extended permit ip 10.137.14.0 255.255.255.0 any
access-list vlan22 extended permit ip 10.137.19.0 255.255.255.128 any
access-list map11 extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list map11 extended permit ip host 202.106.1.138 host 203.196.0.106
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu 3511 1500
ip local pool Dellcom-IPPool 10.137.19.230-10.137.19.25
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 202.106.0.80-202.106.0.90 netmask 255.255.255.224
global (outside) 1 202.106.0.79
global (outside) 1 interface
nat (outside) 1 10.137.19.224 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 access-list vlan22
nat (dmz1) 0 202.106.0.93 255.255.255.255
nat (dmz1) 0 202.106.0.94 255.255.255.255
nat (dmz1) 0 202.106.0.92 255.255.255.252
static (inside,dmz1) 10.137.16.0 10.137.16.0 netmask 255.255.240.0
static (inside,outside) 202.106.0.69 10.137.18.100 netmask 255.255.255.255
static (inside,outside) 202.106.0.70 10.137.18.111 netmask 255.255.255.255
static (inside,outside) 202.106.0.66 10.137.18.18 netmask 255.255.255.255
static (inside,outside) 202.106.0.67 10.137.18.126 netmask 255.255.255.255
static (inside,outside) 202.106.0.68 10.137.18.250 netmask 255.255.255.255
static (inside,outside) 202.106.0.72 10.137.17.190 netmask 255.255.255.255
static (inside,outside) 202.106.0.65 10.137.18.252 netmask 255.255.255.255
static (inside,outside) 202.106.0.74 10.137.18.253 netmask 255.255.255.255
static (inside,outside) 202.106.0.75 10.137.18.116 netmask 255.255.255.255
static (inside,outside) 202.106.0.71 10.137.18.11 netmask 255.255.255.255
access-group outside-acl in interface outside
access-group inside-acl in interface inside
route outside 0.0.0.0 0.0.0.0 202.106.1.137 1
route inside 10.0.0.0 255.0.0.0 10.137.18.1 55
route outside 10.137.254.0 255.255.255.0 202.106.1.137 1
route inside 172.16.0.0 255.240.0.0 10.137.18.1 1
route inside 192.168.0.0 255.255.0.0 10.137.18.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server ACS-Group protocol radius
aaa-server ACS-Group (inside) host 10.11.2.33
timeout 15
key *****
radius-common-pw *****
aaa-server ACS-Group (inside) host 192.168.1.240
timeout 15
key *****
radius-common-pw *****
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.137.18.111 community ipsosbj
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Dellcom esp-3des esp-sha-hmac
crypto ipsec transform-set CHINA1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set Dellcom
crypto map outside-map 11 match address map11
crypto map outside-map 11 set pfs
crypto map outside-map 11 set connection-type answer-only
crypto map outside-map 11 set peer 203.196.0.106
crypto map outside-map 11 set transform-set CHINA1
crypto map outside-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 32
vpn-addr-assign local reuse-delay 60
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.16.0.0 255.240.0.0 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 0
vpdn group 3511 request dialout pppoe
vpdn group 3511 localname 300000029838
vpdn group 3511 ppp authentication pap
vpdn username 300000029838 password *********
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.11.1.33
group-policy Dellcom internal
group-policy Dellcom attributes
banner value You have connected to a Private Network.
banner value
banner value Authorized users only.
banner value
banner value Unauthorized access may be subject to civil and criminal legal action.
dns-server value 10.137.8.26
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_REMOTE_ACL
default-domain value td.domain
address-pools value Dellcom-IPPool
ipv6-address-pools none
username admin password yptIuiz0fZRas6PY encrypted privilege 15
tunnel-group Dellcom type remote-access
tunnel-group Dellcom general-attributes
address-pool Dellcom-IPPool
default-group-policy Dellcom
tunnel-group Dellcom ipsec-attributes
pre-shared-key *
tunnel-group 203.196.0.106 type ipsec-l2l
tunnel-group 203.196.0.106 general-attributes
tunnel-group 203.196.0.106 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d9df79ecdf7
: end
PIX#
PIX# exit
Logoff
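When ISAKMP and IPsec SAs are up but LAN-to-LAN traffic still does not pass, the two things to verify first are that the crypto-map ACLs on both peers are exact mirrors of each other and that the interesting traffic is exempted from NAT (here, the `nat (inside) 0 access-list nonat` entry). The checker below is an added example, not part of this thread or of either firewall's output; it parses the `map11` and `nonat` ACLs from the PIX configuration posted above and compares them against an ASA-side crypto ACL (`asa_l2l`) that is constructed here because the ASA's ACL is not shown in the thread.

```python
import ipaddress
import re

# Parses "access-list NAME extended permit ip SRC DST" lines, where SRC/DST
# are "host A" or "addr mask" (PIX / pre-8.3 ASA syntax), into (src, dst)
# network pairs. Lines belonging to other ACL names are ignored.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)\s*$"
)

def _to_net(tok):
    parts = tok.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1])  # "addr mask" form

def acl_entries(config, acl_name):
    """All (src, dst) network pairs of the named ACL, in config order."""
    out = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            out.append((_to_net(m.group("src")), _to_net(m.group("dst"))))
    return out

def unmirrored(local, remote):
    """Local (src, dst) pairs with no exact (dst, src) counterpart on the peer;
    proxy identities must match exactly for both directions to be protected."""
    mirror = {(d, s) for s, d in remote}
    return [e for e in local if e not in mirror]

def not_nat_exempt(crypto, nonat):
    """Crypto-ACL pairs no nat 0 (nonat) entry covers: inside-to-outside packets
    matching them are translated first and then no longer match the crypto ACL."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]

# Crypto-map and nat 0 ACLs taken from the PIX config posted above.
PIX_CONFIG = """\
access-list nonat extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list map11 extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list map11 extended permit ip host 202.106.1.138 host 203.196.0.106
"""
# Constructed (the ASA's crypto ACL is not on this page): an ASA-side ACL
# that mirrors only the first map11 entry.
ASA_CONFIG = """\
access-list asa_l2l extended permit ip 10.137.254.0 255.255.255.0 10.137.18.0 255.255.255.0
"""
```

Calling `unmirrored(acl_entries(PIX_CONFIG, "map11"), acl_entries(ASA_CONFIG, "asa_l2l"))` lists every PIX proxy identity the ASA side does not mirror, and `not_nat_exempt` run against the `nonat` entries lists the crypto entries that would be translated before reaching the crypto map.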