VPN tunnel (L2L) between sites will not allow traffic.

bambam915
I have two ASA 5505s that had a tunnel set up. The tunnels are not working at this time. Below is the config from the responder.
ASA Version 7.2(2)
!
hostname PLaza
enable password 9cu5gIgot.fybJlF encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif wifi
 security-level 50
 ip address 10.3.2.1 255.255.255.0
!
interface Vlan4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 description connected to Packet Shaper LAN
 switchport access vlan 3
!
interface Ethernet0/6
 description connected to Packet Shaper WAN
 switchport access vlan 4
!
interface Ethernet0/7
 description connected AP near color bar
 switchport access vlan 4
!
passwd wOMgC3pVlAPkiYGf encrypted
ftp mode passive
access-list SP_to_Lovers extended permit ip 10.0.0.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list SP_to_Lovers extended permit icmp 10.0.0.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_SPLIT standard permit 10.0.0.0 255.255.255.0
access-list SP_to_Knox extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list SP_to_Knox extended permit icmp 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list INBOUND extended permit tcp any any eq ssh
access-list INBOUND extended permit tcp host 61.82.114.165 interface outside eq 161
access-list INBOUND extended permit udp host 61.82.114.165 interface outside eq snmp
access-list INBOUND extended permit tcp interface outside any eq 8081
access-list INBOUND extended permit udp interface outside any eq 8081
access-list INBOUND extended permit tcp any interface outside eq 8081
access-list INBOUND extended permit udp any interface outside eq 8081
access-list INBOUND extended permit tcp any interface outside eq 9100
access-list INBOUND extended permit tcp any interface outside eq 9101
access-list INBOUND extended permit tcp any interface outside eq 9102
pager lines 24
logging enable
logging trap errors
logging host inside 10.0.0.1
mtu inside 1500
mtu outside 1500
mtu wifi 1500
ip local pool VPN 172.16.254.100-172.16.254.199 mask 255.255.255.0
ip verify reverse-path interface outside
ip audit attack action drop
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8081 10.0.0.17 8081 netmask 255.255.255.255
static (inside,outside) udp interface 8081 10.0.0.17 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 9100 10.0.0.253 9100 netmask 255.255.255.255
static (inside,outside) tcp interface 9101 10.0.0.251 9100 netmask 255.255.255.255
static (inside,outside) tcp interface 9102 10.0.0.252 9100 netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 72.16.238.77 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
crypto ipsec transform-set set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set OsgoodSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set OzzySet
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map OsgoodMap 1 match address SP_to_Knox
crypto map OsgoodMap 1 set peer 222.222.222.222
crypto map OsgoodMap 1 set transform-set OzzySet
crypto map OsgoodMap 2 match address SP_to_Lovers
crypto map OsgoodMap 2 set peer 71.12.233.74 <---Knox
crypto map OsgoodMap 2 set transform-set OsgoodSet
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 71.12.233.74 <---Knox type ipsec-l2l
tunnel-group 71.12.233.74 <---Knox ipsec-attributes
 pre-shared-key *
tunnel-group 71.12.233.94 type ipsec-l2l
tunnel-group 71.12.233.94 ipsec-attributes
 pre-shared-key *
tunnel-group GOODVPN type ipsec-ra
tunnel-group GOODVPN general-attributes
 address-pool GOODVPN
 default-group-policy GOODVPN
tunnel-group GOODVPN ipsec-attributes
 pre-shared-key *
tunnel-group 211.212.103.254 type ipsec-l2l
tunnel-group 211.212.103.254 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd domain osgoodoneil.local
!
dhcpd address 10.0.0.100-10.0.0.150 inside
dhcpd enable inside
!
dhcpd address 10.3.2.100-10.3.2.200 wifi
dhcpd enable wifi
!

!
class-map SP2Lovers_CM
 match access-list SP_to_Lovers
class-map SP2Knox_CM
 match access-list SP_to_Knox
class-map SP2VPN_CM
 match access-list nonat
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
policy-map outside-policies
 class SP2VPN_CM
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc1f4904e2e8c917e4c3e85d4aff0a96
: end
Plaza#
Here is the config from the initiator.
ASA Version 7.2(2)
!
hostname Lover
domain-name default.domain.invalid
enable password XXXXXXXXXXX
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.222.222.222 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif wifi
 security-level 50
 ip address 10.4.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 description Wifi Access Point
 switchport access vlan 3
!
passwd wOMgC3pVlAPkiYGf encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Lovers_to_SP extended permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any interface outside eq 9100
access-list INBOUND extended permit tcp any interface outside eq 9101
access-list INBOUND extended permit tcp any interface outside eq 8081
access-list INBOUND extended deny ip any any
access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu wifi 1500
ip verify reverse-path interface outside
ip audit attack action drop
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (wifi) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9101 10.2.2.200 9100 netmask 255.255.255.255
static (inside,outside) tcp interface 9100 10.2.2.100 9100 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 10.2.2.250 8081 netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 222.222.222.223 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set OsgoodSet esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OsgoodMap 1 match address Lovers_to_SP
crypto map OsgoodMap 1 set peer 111.111.111.111
crypto map OsgoodMap 1 set transform-set OsgoodSet
crypto map OsgoodMap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
 pre-shared-key *


ssh timeout 30
console timeout 0
dhcpd dns 66.666.666.66 66.66.66.67
dhcpd domain local.local
!
dhcpd address 10.2.2.100-10.2.2.131 inside
dhcpd enable inside
!
dhcpd address 10.4.2.100-10.4.2.131 wifi
dhcpd enable wifi
!

!
class-map Lovers2SP_CM
 match flow ip destination-address
 match tunnel-group 216.215.100.250
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
policy-map outside-policies
 class Lovers2SP_CM
  priority
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:04ee7c94a51fb1e4607e28f3e6429046
: end
LOVER#
Why can't traffic traverse as it should?
Well, I'm not sure if this is an editing issue or a configuration issue, but on the Plaza device, your crypto map entries appear to be off.

crypto map OsgoodMap 1 match address SP_to_Knox
crypto map OsgoodMap 1 set peer 222.222.222.222
crypto map OsgoodMap 1 set transform-set OzzySet

crypto map OsgoodMap 2 match address SP_to_Lovers
crypto map OsgoodMap 2 set peer 71.12.233.74 <---Knox
crypto map OsgoodMap 2 set transform-set OsgoodSet

Is this just a case of you replaced the wrong IP address before posting your config, or are the access lists actually reversed?
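
The mismatch this answer points at can be checked mechanically across both configs. The Python script below is an added example; it is not code from the thread, from the poster or from Cisco. It parses the outside-interface, access-list, transform-set and crypto map lines of each config (constructed excerpts of the Plaza and Lover configs from the thread are embedded as sample input), then checks that every static crypto map entry names a peer whose own crypto ACL is the exact mirror image (source and destination swapped) of the local one. On the configs as posted it flags both L2L entries; with Plaza's two peer addresses swapped onto the entries whose ACLs name them, the mirror check passes. It also reports two other things visible in the Plaza config as posted that the thread does not discuss: OsgoodMap is never applied to the outside interface (only outside_map is), and entry 1 references a transform-set called OzzySet that is not defined. The Knox config is not in the thread, so entries pointing at 71.12.233.74 are reported as unverifiable rather than wrong. Function and variable names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class AsaSite:
    name: str
    outside_ip: str = ""
    acls: dict = field(default_factory=dict)       # ACL name -> {(src_net, dst_net), ...}
    transform_sets: set = field(default_factory=set)
    crypto: dict = field(default_factory=dict)     # (map, seq) -> {"acl", "peer", "ts"}
    bound_maps: set = field(default_factory=set)   # maps applied with 'crypto map X interface Y'

ACL_RE = re.compile(r"^access-list (\S+) extended permit (?:ip|icmp) (\S+) (\S+) (\S+) (\S+)")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
BIND_RE = re.compile(r"^crypto map (\S+) interface \S+")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)")

def parse_site(name, text):
    """Pull the pieces of an ASA 7.x config that decide whether an L2L entry can match."""
    site, nameif = AsaSite(name), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "outside":
            site.outside_ip = line.split()[2]
        elif m := ACL_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            site.acls.setdefault(acl, set()).add(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := TS_RE.match(line):
            site.transform_sets.add(m.group(1))
        elif m := BIND_RE.match(line):
            site.bound_maps.add(m.group(1))
        elif m := CMAP_RE.match(line):            # trailing notes such as '<---Knox' are ignored
            cmap, seq, verb, value = m.groups()
            key = {"match address": "acl", "set peer": "peer", "set transform-set": "ts"}[verb]
            site.crypto.setdefault((cmap, int(seq)), {})[key] = value
    return site

def audit(sites):
    """Return (severity, message) findings; 'error' means the entry cannot work as written."""
    by_ip = {s.outside_ip: s for s in sites}
    findings = []
    for site in sites:
        for cmap in sorted({c for c, _ in site.crypto} - site.bound_maps):
            findings.append(("error", f"{site.name}: crypto map {cmap} is never applied to an interface"))
        for (cmap, seq), e in sorted(site.crypto.items()):
            tag = f"{site.name}: crypto map {cmap} {seq}"
            if e.get("ts") and e["ts"] not in site.transform_sets:
                findings.append(("error", f"{tag} references undefined transform-set {e['ts']}"))
            acl, peer = e.get("acl"), e.get("peer")
            if not acl or not peer:
                findings.append(("error", f"{tag} lacks 'match address' or 'set peer'"))
                continue
            remote = by_ip.get(peer)
            if remote is None:
                findings.append(("info", f"{tag}: no config loaded for peer {peer}, mirror check skipped"))
                continue
            # The peer needs an entry toward us whose ACL is ours with src/dst swapped.
            mirrored = {(dst, src) for src, dst in site.acls.get(acl, set())}
            remote_acls = [r.get("acl") for r in remote.crypto.values() if r.get("peer") == site.outside_ip]
            if not any(remote.acls.get(a, set()) == mirrored for a in remote_acls):
                findings.append(("error", f"{tag} ({acl}) points at {remote.name}, "
                                          f"but {remote.name} has no crypto ACL mirroring it"))
    return findings

# Constructed excerpts reproducing the relevant lines of the two posted configs.
PLAZA_AS_POSTED = """\
interface Vlan2
 nameif outside
 ip address 111.111.111.111 255.255.255.252
access-list SP_to_Lovers extended permit ip 10.0.0.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list SP_to_Knox extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set OsgoodSet esp-aes-256 esp-sha-hmac
crypto map OsgoodMap 1 match address SP_to_Knox
crypto map OsgoodMap 1 set peer 222.222.222.222
crypto map OsgoodMap 1 set transform-set OzzySet
crypto map OsgoodMap 2 match address SP_to_Lovers
crypto map OsgoodMap 2 set peer 71.12.233.74 <---Knox
crypto map OsgoodMap 2 set transform-set OsgoodSet
crypto map outside_map interface outside
"""
LOVER_AS_POSTED = """\
interface Vlan2
 nameif outside
 ip address 222.222.222.222 255.255.255.252
access-list Lovers_to_SP extended permit ip 10.2.2.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set OsgoodSet esp-aes-256 esp-sha-hmac
crypto map OsgoodMap 1 match address Lovers_to_SP
crypto map OsgoodMap 1 set peer 111.111.111.111
crypto map OsgoodMap 1 set transform-set OsgoodSet
crypto map OsgoodMap interface outside
"""

def with_peers_swapped(plaza_text):
    """The fix the answer points at: put each peer on the entry whose ACL names it."""
    return (plaza_text.replace("1 set peer 222.222.222.222", "1 set peer @KNOX")
            .replace("2 set peer 71.12.233.74 <---Knox", "2 set peer 222.222.222.222")
            .replace("@KNOX", "71.12.233.74"))

def audit_texts(**configs):
    return audit([parse_site(n, t) for n, t in configs.items()])

if __name__ == "__main__":
    for label, plaza in (("as posted", PLAZA_AS_POSTED), ("peers swapped", with_peers_swapped(PLAZA_AS_POSTED))):
        print(f"== {label} ==")
        for sev, msg in audit_texts(Plaza=plaza, Lover=LOVER_AS_POSTED):
            print(f"[{sev}] {msg}")
```

Run it and the "as posted" pass reports the two mirror errors (one from each side, since each box's entry toward the other is checked independently) plus the unbound map and the undefined transform-set; the "peers swapped" pass keeps only the latter two. Peer ACLs are compared as sets of networks, so an extra icmp line with the same networks does not break the match, but a stray extra network or a different mask on one side does, which is exactly the kind of asymmetry that leaves an L2L tunnel negotiating Phase 1 and never passing traffic.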

Author commented:
I think I might have entered the wrong information. Thank you for your help; that makes more sense.

Author commented:
Thank you for your time and support.
