Solved

CISCO IPSEC ASA to ASA vpn

Posted on 2012-03-27
Last Modified: 2012-06-22
When I set this up we see on both ASAs that we have a tunnel, but they cannot get DNS, DHCP or any data. On a traceroute it heads out to the internet. I have two that are doing this (same setup).

I have attached the configs for the ASAs:
asa5505remote1
asa5510
Question by: Ronald Odom

19 Comments
 
LVL 5

Expert Comment

by:andrewis
Hi there,

I can see two things wrong here.

 Firstly when the remote Firewall is performing a DHCP relay the source of that relay is the outside interface of the Firewall, in this case 58.246.224.202 - so you need to include this IP or network into your encryption domain.  You will also need to allow bootp inbound into the 5510 on your outside ACL remembering 58.246.224.202 will be the source of this traffic.

Secondly you seem to be missing a route on the 5510. You should have a route for 10.17.4.0 /24 pointing outside.

There could also be a NAT issue here. At a glance you seem to have some confusing stuff going on here. If the route does not fix your tunnel issue I suggest tidying up your NAT and verifying what you have configured is completely necessary.
 

Author Comment

by:Ronald Odom
"Firstly when the remote Firewall is performing a DHCP relay the source of that relay is the outside interface of the Firewall, in this case 58.246.224.202 - so you need to include this IP or network into your encryption domain.  You will also need to allow bootp inbound into the 5510 on your outside ACL remembering 58.246.224.202 will be the source of this traffic"

I am not really sure where to do this?
 
LVL 5

Expert Comment

by:andrewis
Your encryption domain on both sides of the tunnel only encompasses the private subnets. Because the DHCP relay is sourced from the outside interface of the remote firewall this needs to be included in your encryption domain.

On the 5505 you will need to add the following:
access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.2
access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.1


And the 5510:
access-list outside_cryptomap_2 extended permit ip host 10.10.2.2 host 58.246.224.202
access-list outside_cryptomap_2 extended permit ip host 10.10.2.1 host 58.246.224.202

Then allow the request through the outside ACL on the 5510:
access-list outside extended permit udp host 58.246.224.202 host 10.10.2.2 eq bootps
access-list outside extended permit udp host 58.246.224.202 host 10.10.2.1 eq bootps
 

Author Comment

by:Ronald Odom
After I issued the commands, the tunnel still does not pass DNS/DHCP. I will look into the NATting.
 

Author Comment

by:Ronald Odom
If I assign an IP address and a public DNS, they get internet over the tunnel.
 
LVL 5

Expert Comment

by:andrewis
I realised you are also going to need a nonat on the 5510 side; try adding this:

access-list nonat extended permit ip host 10.10.2.2 host 58.246.224.202
access-list nonat extended permit ip host 10.10.2.1 host 58.246.224.202
 

Author Comment

by:Ronald Odom
I still cannot get any traffic over the tunnel.
 
LVL 5

Expert Comment

by:andrewis
Can you send the output of a sh crypto isakmp on the 5505?
 

Author Comment

by:Ronald Odom
Result of the command: "sh crypto isak"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 12.69.103.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 3
In Octets: 29844
In Packets: 330
In Drop Packets: 12
In Notifys: 300
In P2 Exchanges: 1
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 34436
Out Packets: 362
Out Drop Packets: 0
Out Notifys: 622
Out P2 Exchanges: 6
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 5
Initiator Tunnels: 6
Initiator Fails: 3
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

 

Author Comment

by:Ronald Odom
ASA 5510 running config

: Saved
:
ASA Version 8.0(3)
!
hostname STO-ASA-5510-FW
domain-name Domain.com
enable password ..Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description BGP-Transit
name 10.10.99.0 VPN
name 10.10.2.80 BB
dns-guard
!
interface Ethernet0/0
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.10.200.29 255.255.255.240
 ospf cost 10
!
interface Ethernet0/1
 description Outside Interface facing the Internet Rotuer.
 nameif outside
 security-level 0
 ip address 12.69.103.226 255.255.255.240
 ospf cost 10
!
interface Ethernet0/2
 description Physical Trunk interface - Dont use
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.900
 description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)
 vlan 900
 nameif DMZ1-VLAN900
 security-level 50
 ip address 12.69.103.1 255.255.255.192
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.5.250 255.255.254.0
 ospf cost 10
 management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec                         STO-ASA-5510-FW
banner exec                         ASA5510 - 10.10.200.29
banner exec                         Configured for Data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized clients only.
banner login Individuals using the computer network system without authorization,
banner login or in excess of their authorization, are subject to having all their
banner login activity on this computer network system monitored and recorded by
banner login system personnel.  To protect the computer network system from
banner login unauthorized use and to ensure the computer network systems is
banner login functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible
banner login conduct of criminal activity, system personnel may provide the
banner login evidence of such activity to law enforcement officers.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name Domain.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
 description SAP Updates
 port-object eq 3299
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service HUMANLand tcp
 port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 5061
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 5061
 port-object eq www
 port-object eq https
object-group service DM_INLINE_UDP_1 udp
 port-object eq snmp
 port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp-udp eq www
 service-object udp eq snmp
 service-object udp eq snmptrap
 service-object udp eq syslog
 service-object tcp eq 2055
 service-object udp eq 2055
 service-object tcp eq 3389
object-group service Human tcp-udp
 port-object eq 8100
object-group service grove tcp
 port-object eq 2492
object-group service netflowTcp tcp
 port-object eq 2055
object-group service 6144 tcp-udp
 description 6144
 port-object eq 6144
object-group service 1536-ampr-inter tcp-udp
 description 1536-ampr-inter
 port-object eq 1536
object-group network DM_INLINE_NETWORK_1
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_3
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_4
 network-object 198.78.0.0 255.255.0.0
 network-object 207.152.0.0 255.255.0.0
 network-object 69.31.0.0 255.255.0.0
object-group service rdp tcp
 description RDP
 port-object eq 3389
access-list outside extended permit ip host 207.18.56.117 any
access-list outside remark 207.152.125.136
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_1 any log
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_2 host 12.69.103.129
access-list outside extended deny object-group TCPUDP any object-group DM_INLINE_NETWORK_3
access-list outside extended deny object-group TCPUDP host 12.69.103.129 object-group DM_INLINE_NETWORK_4
access-list outside remark ************In Bound SAP Update Traffic  per Ron Odom***************
access-list outside extended permit tcp host 194.39.131.34 host 12.69.103.155 range 3200 3300 log
access-list outside remark *** SAP router****
access-list outside extended permit tcp host 10.10.2.110 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark Blocked for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit ip any host 12.69.103.156 inactive
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark Allow all return ICMP traffic disabled to help hid form attacks
access-list outside extended permit icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip 10.16.0.0 255.255.0.0 any
access-list outside extended permit ip 10.17.0.0 255.255.0.0 any
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
access-list outside extended permit ip any 10.16.0.0 255.255.0.0
access-list outside extended permit ip any 10.17.0.0 255.255.0.0
access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1
access-list outside remark added to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human
access-list outside remark added to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human
access-list outside extended permit tcp any any eq pptp log
access-list outside extended deny object-group TCPUDP any any object-group 6144
access-list outside extended permit udp host 58.246.224.202 host 10.10.2.1 eq bootps
access-list outside extended permit udp host 58.246.224.202 host 10.10.2.2 eq bootps
access-list outside extended permit udp host 58.246.224.202 host 10.10.2.1 eq bootpc
access-list outside extended permit udp host 58.246.224.202 host 10.10.2.2 eq bootpc
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.16.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****
access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2
access-list DMZ1_in remark Allow all ICMP traffic
access-list DMZ1_in extended permit icmp any any log
access-list DMZ1_in extended deny ip any 207.152.0.0 255.255.0.0
access-list DMZ1_in extended deny ip 207.152.0.0 255.255.0.0 any
access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****
access-list DMZ1_in remark ***** Any needed permits to inside networks          *****
access-list DMZ1_in remark ***** Need to be done above this section             *****
access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****
access-list DMZ1_in extended permit ip any any log debugging
access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended permit ip any any
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.16.4.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.17.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.16.0.0 255.255.0.0
access-list nonat extended permit ip host 10.10.2.2 host 58.246.224.202
access-list nonat extended permit ip host 10.10.2.1 host 58.246.224.202
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0 inactive
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 10.14.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip 10.15.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip 10.17.0.0 255.255.255.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip 10.16.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 10.16.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 10.17.4.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip host 10.10.2.2 host 58.246.224.202
access-list outside_cryptomap_2 extended permit ip host 10.10.2.1 host 58.246.224.202
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class auth
logging list VPN level critical class config
logging list VPN level notifications class vpn
logging list VPN level notifications class vpnc
logging list VPN level notifications class webvpn
logging list all level alerts
logging buffer-size 256000
logging buffered all
logging trap VPN
logging asdm informational
logging host inside 10.10.2.41 format emblem
logging ftp-bufferwrap
logging ftp-server 10.10.2.41 \logs usi\administrator ****
mtu inside 1500
mtu outside 1500
mtu DMZ1-VLAN900 1500
mtu management 1500
ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ1-VLAN900
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
global (inside) 1 10.10.2.4 netmask 255.0.0.0
global (outside) 10 12.69.103.129 netmask 255.255.255.255
global (outside) 11 12.69.103.130 netmask 255.255.255.255
global (outside) 12 12.69.103.131 netmask 255.255.255.255
global (outside) 13 12.69.103.132 netmask 255.255.255.255
global (outside) 14 12.69.103.133 netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 11 192.168.255.4 255.255.255.252
nat (inside) 12 192.168.255.8 255.255.255.252
nat (inside) 13 192.168.255.12 255.255.255.252
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 11 10.11.0.0 255.255.0.0
nat (inside) 12 10.12.0.0 255.255.0.0
nat (inside) 13 10.13.0.0 255.255.0.0
nat (inside) 10 10.14.0.0 255.255.0.0
nat (inside) 10 10.17.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 10 10.14.0.0 255.255.0.0
nat (outside) 10 10.15.0.0 255.255.0.0
nat (outside) 10 10.16.0.0 255.255.0.0
nat (outside) 10 10.17.0.0 255.255.0.0
static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192
static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255
static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255
static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255
static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ1_in in interface DMZ1-VLAN900
!
router eigrp 100
 network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
route inside 10.10.98.0 255.255.255.0 10.10.200.30 1
route outside 10.14.0.0 255.255.0.0 12.69.103.225 1
route outside 10.15.0.0 255.255.0.0 12.69.103.225 1
route outside 10.17.0.0 255.255.255.0 12.69.103.225 1
route outside 58.246.224.202 255.255.255.255 12.69.103.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Microsoft protocol radius
 accounting-mode simultaneous
 reactivation-mode depletion deadtime 30
aaa-server Microsoft host 10.10.2.1
 key cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.0.0 255.255.0.0 management
snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161
snmp-server location STODATDROOM
snmp-server contact SYS Admin
snmp-server community UNISNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 115.111.107.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 116.12.211.66
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 58.246.224.202
crypto map outside_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address traffic
crypto map outside_map 10 set peer 212.185.51.242
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime none
crypto isakmp nat-traversal 33
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 10
telnet 10.10.0.0 255.255.0.0 inside
telnet 10.10.0.0 255.255.0.0 management
telnet timeout 29
ssh timeout 29
ssh version 2
console timeout 1
management-access inside
dhcprelay server 10.10.2.1 outside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.14.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.15.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.16.0.0 255.255.0.0
threat-detection statistics
wccp web-cache
wccp interface inside web-cache redirect in
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.43.244.18
tftp-server inside 10.10.2.2 \asa
group-policy DfltGrpPolicy attributes
 banner value WARNING: This system is for the use of authorized clients only.
 wins-server value 10.10.2.1
 dns-server value 10.10.2.1 10.10.2.2
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SplitTunnel
 default-domain value Domian.com
 msie-proxy server value 00.00.00.00
 address-pools value VPNClients
group-policy CHINAPH internal
group-policy CHINAPH attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelall
 intercept-dhcp 255.255.0.0 enable
 address-pools value VPNClients
group-policy ezGROUP1 internal
group-policy ezGROUP1 attributes
 vpn-tunnel-protocol svc webvpn
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable
USERS
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group USISplitTunnelRemoteAccess type remote-access
tunnel-group USISplitTunnelRemoteAccess general-attributes
 address-pool VPNClients
tunnel-group USISplitTunnelRemoteAccess ipsec-attributes
 pre-shared-key *
tunnel-group USISplitTunnelRADIUS type remote-access
tunnel-group USISplitTunnelRADIUS general-attributes
 address-pool VPNClients
 authentication-server-group Microsoft LOCAL
tunnel-group USISplitTunnelRADIUS ipsec-attributes
 pre-shared-key *
tunnel-group ezVPN1 type remote-access
tunnel-group ezVPN1 general-attributes
 default-group-policy ezGROUP1
tunnel-group ezVPN1 ipsec-attributes
 pre-shared-key *
tunnel-group 212.185.51.242 type ipsec-l2l
tunnel-group 212.185.51.242 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
 pre-shared-key *
tunnel-group China type remote-access
tunnel-group China general-attributes
 address-pool VPNClients
 default-group-policy CHINAPH
tunnel-group 116.12.211.66 type ipsec-l2l
tunnel-group 116.12.211.66 ipsec-attributes
 pre-shared-key *
tunnel-group 58.246.224.202 type ipsec-l2l
tunnel-group 58.246.224.202 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0655a5a9230dd2060134f5ca5d8acd4d
: end
asdm image disk0:/asdm-611.bin
asdm location VPN 255.255.255.192 inside
asdm location BGP-Transit_Network 255.255.255.0 inside
asdm location 10.10.4.60 255.255.254.255 inside
asdm location BB 255.255.255.255 inside
asdm location 10.16.0.0 255.255.0.0 inside
asdm location 69.31.0.0 255.255.0.0 inside
asdm location 198.78.0.0 255.255.0.0 inside
asdm location 10.16.0.0 255.255.255.0 inside
asdm location 10.16.4.0 255.255.254.0 inside
asdm location 10.17.0.0 255.255.0.0 inside
asdm location 10.17.4.0 255.255.255.0 inside
asdm history enable
 

Author Comment

by:Ronald Odom
ASA 5505 running config
: Saved
:
ASA Version 7.2(3)
!
hostname siteASA
domain-name doamin.com
enable password awSQhSsotCzGWRMo encrypted
names
name 10.17.0.0 inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.17.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 58.246.224.202 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd L0Wjs4eA25R/befo encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.2.1
 domain-name domain.com
access-list outside_1_cryptomap extended permit ip 10.17.4.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.2
access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.1
access-list inside_nat0_outbound extended permit ip 10.17.4.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 10.17.4.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 58.246.224.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.17.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.17.4.0 255.255.255.0 inside
telnet timeout 5
ssh 10.17.4.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcprelay server 10.10.2.2 outside
dhcprelay server 10.10.2.1 outside
dhcprelay enable inside
dhcprelay timeout 60

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
users
tunnel-group 12.69.103.226 type ipsec-l2l
tunnel-group 12.69.103.226 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:3c52af0e4c5e0a04fe2c95483771661d
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
0
 
LVL 5

Expert Comment

by:andrewis
I can't see too much wrong in all honesty.

Your encryption domains should be a mirror of each other.

on the 5505 you have
access-list outside_1_cryptomap extended permit ip inside 255.255.0.0 any

and the 5510
access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 10.17.0.0 255.255.0.0

try changing the 5505
access-list outside_1_cryptomap extended permit ip 10.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0

Can you see any encaps or decaps on either side of the tunnel?
0
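The mirror rule in the reply above, turned into a check you can run against both configs. This is an added example for this thread, not code from the original post or from Cisco: it parses `access-list NAME extended permit ip SRC DST` entries as the ASA prints them (`any`, `host A.B.C.D`, or `A.B.C.D MASK`) and reports every entry on one side that has no exact reversed counterpart on the other. The sample entries are constructed from the 5505 and 5510 lines quoted in the thread; the thread does not show the 5505's `names` table, so the mapping of the name `inside` to 10.17.0.0 is an assumption made for the example.

```python
"""Mirror-check two ASA crypto ACLs (the encryption domains of an L2L tunnel).

Added example for this thread, not code from the original post. Each entry on
one peer must appear reversed (dst -> src) on the other; a superset such as
10.0.0.0/8 facing 10.17.0.0/16 is not a mirror and is reported.
"""
import ipaddress


def _take_net(tokens, names):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from the token list."""
    if not tokens:
        raise ValueError("truncated access-list entry")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{names.get(tokens[1], tokens[1])}/32"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError("network address without a mask")
    addr = names.get(tokens[0], tokens[0])  # resolve an ASA 'name' if one is given
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line, names=None):
    """Return (src, dst) networks for a 'permit ip' ACE, or None for any other line."""
    names = names or {}
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
        return None
    src, rest = _take_net(tokens[5:], names)
    dst, _ = _take_net(rest, names)
    return src, dst


def mirror_mismatches(local_acl, remote_acl, names=None):
    """Compare two encryption domains.

    Returns (unmatched_local, unmatched_remote), each a sorted list of
    'src -> dst' strings in that side's own orientation. Matching is exact:
    IKE proxy identities are negotiated per entry, not by containment.
    """
    local = {ace for ace in (parse_ace(l, names) for l in local_acl) if ace}
    remote = {ace for ace in (parse_ace(l, names) for l in remote_acl) if ace}
    local_mirrored = {(dst, src) for src, dst in local}
    remote_mirrored = {(dst, src) for src, dst in remote}
    fmt = lambda ace: f"{ace[0]} -> {ace[1]}"
    return (sorted(fmt(a) for a in local - remote_mirrored),
            sorted(fmt(a) for a in remote - local_mirrored))


# Constructed from the thread. NAMES is an assumption: the thread never shows
# what the 5505's name 'inside' resolves to, 10.17.0.0 is taken from the
# 5510's side of the tunnel.
NAMES = {"inside": "10.17.0.0"}
ASA5505_ORIGINAL = [
    "access-list outside_1_cryptomap extended permit ip inside 255.255.0.0 any",
    "access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.1",
    "access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.2",
]
ASA5505_FIXED = [
    "access-list outside_1_cryptomap extended permit ip 10.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0",
    "access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.1",
    "access-list outside_1_cryptomap extended permit ip host 58.246.224.202 host 10.10.2.2",
]
ASA5510 = [
    "access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.0.0.0 10.17.0.0 255.255.0.0",
    "access-list outside_cryptomap_2 extended permit ip host 10.10.2.1 host 58.246.224.202",
    "access-list outside_cryptomap_2 extended permit ip host 10.10.2.2 host 58.246.224.202",
]

if __name__ == "__main__":
    for label, acl in (("as posted", ASA5505_ORIGINAL), ("after the fix", ASA5505_FIXED)):
        unmatched_5505, unmatched_5510 = mirror_mismatches(acl, ASA5510, NAMES)
        print(f"5505 {label}: no mirror on 5510 for {unmatched_5505 or 'nothing'}")
        print(f"5510 vs 5505 {label}: no mirror on 5505 for {unmatched_5510 or 'nothing'}")
```

With the 5505 entry as posted the checker flags `10.17.0.0/16 -> 0.0.0.0/0` on the 5505 and `10.0.0.0/8 -> 10.17.0.0/16` on the 5510; with the corrected entry both lists are empty, while the two DHCP-relay host entries match in both runs. A clean mirror is necessary but not sufficient: the same traffic still has to be exempted from NAT and routed toward the outside interface on each ASA, which the first reply in this thread also raised.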
 

Author Comment

by:Ronald Odom
They can ping the outside interface of each other, but not any inside address.
0
 
LVL 5

Expert Comment

by:andrewis
Please send the output of a sh crypto ipsec sa on the 5505

and sh crypto ipsec sa peer 58.246.224.202 on the 5510
0
 
LVL 5

Expert Comment

by:andrewis
Please also send a sh access-list | inc 10.17.0.0 on the 5510
0
 

Author Comment

by:Ronald Odom
Result of the command: "sh crypto ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 58.246.224.202

      access-list outside_1_cryptomap permit ip host 58.246.224.202 host 10.10.2.1
      local ident (addr/mask/prot/port): (58.246.224.202/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.10.2.1/255.255.255.255/0/0)
      current_peer: 12.69.103.226

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 58.246.224.202, remote crypto endpt.: 12.69.103.226

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 5D7A033C

    inbound esp sas:
      spi: 0x2590FE9C (630259356)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28368)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x5D7A033C (1568277308)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28368)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 1, local addr: 58.246.224.202

      access-list outside_1_cryptomap permit ip host 58.246.224.202 host 10.10.2.2
      local ident (addr/mask/prot/port): (58.246.224.202/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.10.2.2/255.255.255.255/0/0)
      current_peer: 12.69.103.226

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 58.246.224.202, remote crypto endpt.: 12.69.103.226

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DD4ECB92

    inbound esp sas:
      spi: 0xCC4EFD9D (3427728797)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28368)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDD4ECB92 (3712928658)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28368)
         IV size: 8 bytes
         replay detection support: Y

Result of the command: "sh crypto ipsec sa peer 58.246.224.202"

peer address: 58.246.224.202
    Crypto map tag: outside_map, seq num: 3, local addr: 12.69.103.226

      access-list outside_cryptomap_2 permit ip host 10.10.2.1 host 58.246.224.202
      local ident (addr/mask/prot/port): (10.10.2.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (58.246.224.202/255.255.255.255/0/0)
      current_peer: 58.246.224.202

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226, remote crypto endpt.: 58.246.224.202

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2590FE9C

    inbound esp sas:
      spi: 0x5D7A033C (1568277308)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 192512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/28061)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2590FE9C (630259356)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 192512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/28061)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 3, local addr: 12.69.103.226

      access-list outside_cryptomap_2 permit ip host 10.10.2.2 host 58.246.224.202
      local ident (addr/mask/prot/port): (10.10.2.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (58.246.224.202/255.255.255.255/0/0)
      current_peer: 58.246.224.202

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226, remote crypto endpt.: 58.246.224.202

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CC4EFD9D

    inbound esp sas:
      spi: 0xDD4ECB92 (3712928658)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 192512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/28061)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCC4EFD9D (3427728797)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 192512, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/28061)
         IV size: 8 bytes
         replay detection support: Y


Result of the command: "sh access-list | inc 10.17.0.0"

access-list outside line 37 extended permit ip 10.17.0.0 255.255.0.0 any (hitcnt=0) 0x3f453c42
access-list outside line 41 extended permit ip any 10.17.0.0 255.255.0.0 (hitcnt=6) 0xa95bc6ea
access-list outside_nat0_outbound line 3 extended permit ip 10.17.0.0 255.255.255.0 VPN 255.255.255.192 (hitcnt=0) 0x68c2f3ea
0
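The two outputs above tell the same story on both peers: the SAs are up, but every one of them shows #pkts encaps 0 and #pkts decaps 0, so no packet has ever been handed to the tunnel. That is the counter pattern that goes with the original symptom of a traceroute heading out to the Internet: the traffic is being routed or NATed away before it reaches the crypto map. The following Python is an added example for this thread, not code from the original post: it parses `show crypto ipsec sa` output into per-SA records and classifies each by its counters. The sample output is a constructed, shortened copy of the 5505 output posted here, plus one invented SA (with encaps but no decaps) to show the one-way case.

```python
"""Triage 'show crypto ipsec sa' output by its packet counters.

Added example for this thread, not code from the original post. It extracts
the proxy identities and the encaps/decaps counters of every SA and maps the
counter pattern to the place a practitioner should look next.
"""
import re

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# What each counter pattern usually means on an ASA L2L tunnel.
ADVICE = {
    "no-traffic": "nothing matched this SA: check the route to the remote subnet, "
                  "the NAT exemption (nat 0) and the crypto ACL on this side",
    "one-way-out": "encrypting but never decrypting: the peer is not returning "
                   "traffic, check its route, NAT exemption and crypto ACL",
    "one-way-in": "decrypting but never encrypting: replies are not reaching the "
                  "crypto map on this side, check the local route and NAT",
    "ok": "traffic flows in both directions",
}


def parse_ipsec_sa(text):
    """Split the output into one dict per SA with proxy identities and counters."""
    sas = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        idents = {m.group(1): f"{m.group(2)}/{m.group(3)}" for m in IDENT_RE.finditer(chunk)}
        enc, dec = ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk)
        if not (enc and dec and "local" in idents and "remote" in idents):
            continue  # not a complete SA entry; ignore
        sas.append({"local": idents["local"], "remote": idents["remote"],
                    "encaps": int(enc.group(1)), "decaps": int(dec.group(1))})
    return sas


def triage(sa):
    """Classify one SA by its counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-traffic"
    if sa["decaps"] == 0:
        return "one-way-out"
    if sa["encaps"] == 0:
        return "one-way-in"
    return "ok"


def report(text):
    """Return [(local_ident, remote_ident, status, advice)] for every SA in the output."""
    return [(sa["local"], sa["remote"], triage(sa), ADVICE[triage(sa)])
            for sa in parse_ipsec_sa(text)]


# Constructed sample: the first two SAs are shortened from the 5505 output in
# the thread, the third is invented to show the one-way case.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 58.246.224.202

      access-list outside_1_cryptomap permit ip host 58.246.224.202 host 10.10.2.1
      local ident (addr/mask/prot/port): (58.246.224.202/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.10.2.1/255.255.255.255/0/0)
      current_peer: 12.69.103.226

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_map, seq num: 1, local addr: 58.246.224.202

      access-list outside_1_cryptomap permit ip host 58.246.224.202 host 10.10.2.2
      local ident (addr/mask/prot/port): (58.246.224.202/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.10.2.2/255.255.255.255/0/0)
      current_peer: 12.69.103.226

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_map, seq num: 1, local addr: 58.246.224.202

      access-list outside_1_cryptomap permit ip 10.17.0.0 255.255.0.0 10.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (10.17.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 12.69.103.226

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for local, remote, status, advice in report(SAMPLE):
        print(f"{local} <-> {remote}: {status}: {advice}")
```

Run it against the real output of both ASAs. Zero encaps on the sending side means the packet never matched the crypto ACL at that ASA, so the thing to verify is the route (the 5510 needs a route for 10.17.0.0 pointing outside, as the first reply noted), the nat 0 exemption, and whether the packet leaves through the interface the crypto map is bound to; the `sh access-list` lines above, with hitcnt=0 on the 10.17.0.0 entries, are consistent with that.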
 

Author Comment

by:Ronald Odom
This stopped traffic from other sites as well as this not getting across. I had to revert back to the config I started with.
0
 

Accepted Solution

by:
Ronald Odom earned 0 total points
ASA failed.
0
 

Author Closing Comment

by:Ronald Odom
My own answer.
0
