ctagle asked:
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
Hello experts,
I am setting up a site-to-site VPN between two ASA 5505s. The tunnel is up, but I cannot get it to pass traffic, and I have run out of ideas at this point. I am on site as I post this question and only have about 4 hours left to figure this out, so any help ASAP is greatly appreciated. I'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
Note: 1.1.1.1 = public IP for Site A; 2.2.2.2 = public IP for Site B
Site A running config:
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
:
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)4
!
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
!
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0 /0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
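As an added triage example (not from the post, and not a Cisco tool), the script below parses trimmed "show ipsec sa" output from both peers, resolves Site A's "name" alias, checks that the crypto ACL selectors mirror each other, and flags the counter asymmetry the post shows (Site B encapsulates 286 packets, Site A decapsulates 239 but encapsulates only 1). The sample outputs are constructed from the values posted above; the thresholds and finding codes are this example's own assumptions.

```python
"""Triage a 'tunnel up but no traffic' site-to-site IPsec pair from the
'show ipsec sa' output of both ASA peers.

Added example, not part of the original post. The two sample outputs are
constructed from the selectors and packet counters the post shows; the
regexes are written against the ASA output format visible in the post.
"""
import re
from dataclasses import dataclass

# Constructed samples, trimmed to the lines the triage needs. Site A shows its
# remote network by its 'names' alias, exactly as in the posted output.
SITE_A_SA = """\
    Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
      #send errors: 0, #recv errors: 0
"""
SITE_B_SA = """\
    Crypto map tag: outside_map3, seq num: 1, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #send errors: 0, #recv errors: 0
"""
# From Site A's config: 'name 192.168.1.0 san_antonio_inside'.
SITE_A_NAMES = {"san_antonio_inside": "192.168.1.0"}

IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([^/]+)/([^/]+)/(\d+)/(\d+)\)", re.M)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")


@dataclass
class SaSummary:
    peer: str
    local_net: tuple   # (network, mask) this side protects
    remote_net: tuple  # (network, mask) it expects from the peer
    encaps: int        # packets this side put into the tunnel
    decaps: int        # packets this side took out of the tunnel


def parse_ipsec_sa(text, names=None):
    """Pull selectors and counters out of one peer's 'show ipsec sa'.
    'names' resolves ASA 'name' aliases so both sides compare as addresses."""
    names = names or {}
    idents = {}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        idents[side] = (names.get(addr, addr), mask)
    counters = {k: int(v) for k, v in COUNTER_RE.findall(text)}
    return SaSummary(PEER_RE.search(text).group(1), idents["local"],
                     idents["remote"], counters["encaps"], counters["decaps"])


def diagnose(a_name, a, b_name, b):
    """Return (code, detail) findings for the SA pair. Codes (assumed here):
    SELECTOR_MISMATCH - crypto ACLs are not mirror images of each other;
    ONE_WAY           - one side decrypts the peer's packets but sends almost
                        nothing back, so replies never enter the tunnel on
                        that side (its NAT exemption, routing and crypto ACL
                        are the usual places to look);
    TRANSIT_LOSS      - a side encapsulates far more than the peer decapsulates.
    The two snapshots are not simultaneous, so thresholds are loose ratios."""
    findings = []
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        findings.append(("SELECTOR_MISMATCH",
                         f"{a_name} {a.local_net}->{a.remote_net} vs "
                         f"{b_name} {b.local_net}->{b.remote_net}"))
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b),
                                     (b_name, b, a_name, a)):
        if tx.encaps >= 10 and rx.decaps < max(1, tx.encaps // 2):
            findings.append(("TRANSIT_LOSS",
                             f"{tx_name} encaps {tx.encaps}, "
                             f"{rx_name} decaps only {rx.decaps}"))
        if rx.decaps >= 10 and rx.encaps * 10 < rx.decaps:
            findings.append(("ONE_WAY",
                             f"{rx_name} decaps {rx.decaps} from {tx_name} "
                             f"but encaps only {rx.encaps}: replies are not "
                             f"entering the tunnel on {rx_name}"))
    return findings


if __name__ == "__main__":
    site_a = parse_ipsec_sa(SITE_A_SA, SITE_A_NAMES)
    site_b = parse_ipsec_sa(SITE_B_SA)
    for code, detail in diagnose("Site A", site_a, "Site B", site_b):
        print(f"{code}: {detail}")
```

On the posted counters the only finding is ONE_WAY against Site A, which narrows the search to the side that receives but never sends rather than to the IKE negotiation, which both peers already report as MM_ACTIVE.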
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.25
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Are you doing NAT exemption for the two networks at both ends?
ASKER
Yes
packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail
on the 192.168.1.x ASA and invert the IPs to do it on the other ASA.
ASKER
I'm not sure if this has anything to do with it or not, but I have been running packet traces and have noticed that the traffic can flow in all directions but into site B. It looks like this when I run it:
Result of the command: "packet-tracer input outside icmp 192.168.2.11 0 1 192.168.1.11"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.11/0 to 192.168.1.11/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object mcallen_network any
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.2.11/0 to 192.168.2.11/0
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASKER
Sorry, posted that last one too quickly; let me try your traces.
And also, pull all statements that have anything to do with NAT from each of the configs.
With both phase I and phase II up, it has to be this (unless the destination server has a firewall of its own blocking the traffic).
ASKER
site b packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail:
Result of the command: "packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 2.2.2.2, outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc83c9c8, priority=500, domain=permit, deny=true
hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
site b packet-tracer input outside tcp 192.168.2.1 65535 192.168.1.1 25 detail:
Result of the command: "packet-tracer input outside tcp 192.168.2.1 65535 192.168.1.1 25 detail"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.1.1 255.255.255.255 identity
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8ba01b8, priority=1, domain=nat-per-session, deny=true
hits=81063, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc85c080, priority=0, domain=permit, deny=true
hits=8701, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
site a packet-tracer input inside tcp 192.168.2.1 65535 192.168.1.1 25 detail
Result of the command: "packet-tracer input inside tcp 192.168.2.1 65535 192.168.1.1 25 detail"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8232c48, priority=500, domain=permit, deny=true
hits=6, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.2.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
site a
Result of the command: "packet-tracer input outside tcp 192.168.1.1 65535 192.168.2.1 25 detail"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.1 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd827bd28, priority=0, domain=permit, deny=true
hits=298359, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
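The inside-sourced traces above on both sites are dropped by an implicit priority-500 rule keyed to the /32 of the test's own source address, and the earlier outside-sourced trace was dropped at the VPN ipsec-tunnel-flow phase. As an added example, not from the thread or from Cisco, here is a small parser for packet-tracer output in the format shown that reports the first DROP phase and flags both of those conditions as properties of the test rather than of the policy; it assumes 192.168.1.1 is site B's inside interface address, which this part of the thread does not show.

```python
"""Summarise a Cisco ASA packet-tracer transcript and flag two cases in which the
DROP is a property of the test, not of the policy. Added example for this thread,
not from the original post or from Cisco; sample transcripts are constructed."""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")
SELF_RULE_RE = re.compile(r"priority=500,\s*domain=permit,\s*deny=true")  # own-address rule
SRC32_RE = re.compile(r"src ip(?:/id)?=(\d+\.\d+\.\d+\.\d+),\s*mask=255\.255\.255\.255")


def parse_trace(text):
    """Split a transcript into phases (num/type/subtype/result/detail) and the
    closing Result block (Action, Drop-reason)."""
    phases, final, cur, in_final = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"num": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "detail": []}
            phases.append(cur)
            continue
        if line == "Result:":              # bare header of the closing block
            in_final = True
            continue
        f = FIELD_RE.match(line)
        if in_final:
            if f:
                final[f.group(1)] = f.group(2).strip()
        elif cur is not None:
            if f:
                cur[f.group(1).lower()] = f.group(2).strip()
            else:
                cur["detail"].append(line)   # Config / rule-lookup lines
    return phases, final


def first_drop(phases):
    """First phase whose Result is DROP, or None when every phase allowed."""
    for p in phases:
        if p["result"].upper() == "DROP":
            return p
    return None


def diagnose(text, interface_ips):
    """Return a verdict string. interface_ips is the set of the ASA's own
    interface addresses; the caller supplies it (an assumption in this example)."""
    phases, final = parse_trace(text)
    drop = first_drop(phases)
    if drop is None:
        return "allow"
    detail = "\n".join(drop["detail"])
    # Case 1: ACCESS-LIST drop on the implicit priority-500 rule keyed to a /32
    # source that is an ASA interface address: the test needs a real host address.
    if drop["type"] == "ACCESS-LIST" and SELF_RULE_RE.search(detail):
        m = SRC32_RE.search(detail)
        if m and m.group(1) in interface_ips:
            return "invalid-test:source-is-asa-interface"
    # Case 2: VPN ipsec-tunnel-flow drop on an outside-sourced trace: the simulated
    # packet arrived in the clear for a destination the crypto map protects.
    if drop["type"] == "VPN" and drop["subtype"] == "ipsec-tunnel-flow":
        return "invalid-test:cleartext-packet-for-protected-flow"
    return "drop:phase%d:%s:%s" % (drop["num"], drop["type"],
                                   final.get("Drop-reason", "?"))


# Constructed: site B inside-sourced test using the inside interface address as client.
SAMPLE_SELF_SOURCE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Implicit Rule
in id=0xcc83c9c8, priority=500, domain=permit, deny=true
src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
input_ifc=inside, output_ifc=any
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed: outside-sourced test for a destination the crypto map protects.
SAMPLE_CLEAR_VPN = """\
Phase: 1
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    asa_ifaces = {"192.168.1.1", "2.2.2.2"}   # assumed site B interface addresses
    print(diagnose(SAMPLE_SELF_SOURCE, asa_ifaces))
    print(diagnose(SAMPLE_CLEAR_VPN, asa_ifaces))
```

Re-running the inside test with a real host address (e.g. a .11 host, as in the asker's later trace) is what turns the verdict into a statement about the NAT and crypto policy.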
It looks like site B might not have a NAT exemption statement for traffic between 192.168.2.0/24 and 192.168.1.0/24.
ASKER
on the NAT statements are you referring to the sh xlate command or something different?
ASKER
That's kind of what I figured, but I can't figure out how to add it; 9.2 is way different than 8.2.
Hold on, I'll put it together for you.
ASKER CERTIFIED SOLUTION
ASKER
That doesn't seem to have worked. I did modify the commands slightly though, because I already have those network objects on the ASA; see below what I put:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network
nat (outside,inside) source static mcallen_network mcallen_network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
Local for site B is 192.168.1.0; remote for site B is 192.168.2.0.
If the above commands won't work, I'll remove them and create the objects you specified.
on b run:
packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail
ASKER
Result of the command: "packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/25 to 192.168.2.1/25
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc83c9c8, priority=500, domain=permit, deny=true
hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
on b:
sh log | i 192.168.2
and if there's nothing obvious:
debug crypto isakmp 25
debug crypto ipsec 25
term mon
do a test and see if there is anything interesting in the debug.
ASKER
Hmmm, ok, let me see if I can find a way to get into the console. Telnet doesn't work because I have no idea what the password is, which is weird because it's never been set since this thing was freshly wiped and set up.
If you can get into the console, you can always do a password recovery.
power cycle
on startup, hit ESC
confreg (answer "no" and get the config register)
confreg 0x41
boot
ena
copy start run
config t
enable password PUT_SOMETHING_HERE
config-register 0x01
end
wr mem
reload
ASKER
The first command doesn't do anything.
I'll post the output from debug crypto isakmp 25 below.
debug ipsec didn't show anything.
term mon said it's not supported.
Output of debug crypto isakmp 25:
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x76004143)
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jan 23 13:14:11 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=8056af3b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:11 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 67.79.60.58:500
Jan 23 13:14:11 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=827b14c5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Jan 23 13:14:11 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x76004143)
term mon
Monitor option not supported for the console.
CSOLSAASA# Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x76004144)
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jan 23 13:14:21 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=11549df8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:21 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 67.79.60.58:500
Jan 23 13:14:21 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=6351ec94) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Jan 23 13:14:21 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x76004144)
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE (seq number 0x76004145)
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jan 23 13:14:31 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=899de487) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:31 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 67.79.60.58:500
Jan 23 13:14:31 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=4aca325c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Jan 23 13:14:31 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x76004145)
debug crypto isakmp 2Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 67.79.60.58, Sending keep-alive of type DPD R-U-THERE (seq number 0x76004146)
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jan 23 13:14:41 [IKEv1]IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=d7fdcbf1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:41 [IKEv1]IKE Receiver: Packet received on 71.40.110.179:500 from 67.79.60.58:500
Jan 23 13:14:41 [IKEv1]IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=f6f7499b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Jan 23 13:14:41 [IKEv1 DEBUG]Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x76004146) no debug crypto isakm
ASKER
Nothing in that really pops out at me, but I could be missing something.
ASKER
No matter what I do, when I run the below trace command on the site B ASA it fails every time. On site A it succeeds with no problem (the IPs are reversed, of course).
Result of the command: "packet-tracer input outside tcp 192.168.2.11 65535 192.168.1.11 25 detailed"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static mcallen_network mcallen_network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.1.11/25 to 192.168.1.11/25
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object mcallen_network any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccdb7620, priority=13, domain=permit, deny=false
hits=1, user_data=0xca797fd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static mcallen_network mcallen_network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
Additional Information:
Static translate 192.168.2.11/65535 to 192.168.2.11/65535
Forward Flow based lookup yields rule:
in id=0xcd079c20, priority=6, domain=nat, deny=false
hits=66, user_data=0xcceb8560, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc8ba01b8, priority=1, domain=nat-per-session, deny=true
hits=130766, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc8614d0, priority=0, domain=inspect-ip-options, deny=true
hits=81231, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccf2eaa8, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1031, user_data=0x721c4, cs_id=0xcc891238, reverse, flags=0x0, protocol=0
src ip/id=192.168.2.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The trace on B should look like this:
packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail
ASKER
That trace fails every time; I'll put the results below.
Result of the command: "packet-tracer input inside tcp 192.168.1.1 65535 192.168.2.1 25 detail"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 1.1.1.1, outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.2.1/25 to 192.168.2.1/25
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc83c9c8, priority=500, domain=permit, deny=true
hits=12, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
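As an added diagnostic aid (not part of the thread, and not Cisco's tooling), a small Python parser for the packet-tracer output above: it pulls out the phase that returned DROP together with its Config: lines and the final Drop-reason, which is the quickest way to tell the inside-interface implicit deny seen on Site B apart from the ipsec-tunnel-flow drop seen when tracing from the outside. The sample traces are condensed from the ones posted above; the hint strings are my own general reading of those two drop points.

```python
# Added example (not from the thread): parse ASA packet-tracer output and report the dropping phase.
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"

def parse_packet_tracer(text):
    """Return (phases, final); final holds the trailing bare 'Result:' block."""
    phases, final, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the final verdict block
            current, section = None, "final"
        elif section == "final":
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif current is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            setattr(current, key.lower(), val.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
    return phases, final

def hint_for(phase):
    """General reading of the two drop points that appear in this thread (my wording)."""
    if phase.type == "ACCESS-LIST" and "Implicit Rule" in phase.config:
        return "no permit in the ingress interface ACL for this flow (implicit deny)"
    if phase.type == "VPN" and phase.subtype == "ipsec-tunnel-flow":
        return "cleartext packet from outside matches an IPsec tunnel's protected network; trace from the inside interface instead"
    return "inspect the Config: lines of the dropping phase"

def drop_summary(text):
    """Describe the first DROP phase, or return None when the flow is allowed."""
    phases, final = parse_packet_tracer(text)
    dropped = next((p for p in phases if p.result == "DROP"), None)
    if dropped is None:
        return None
    return {"phase": dropped.number, "type": dropped.type, "subtype": dropped.subtype,
            "config": " ".join(dropped.config), "reason": final.get("Drop-reason", ""),
            "hint": hint_for(dropped)}

# Condensed from the Site B inside->outside trace posted above (ALLOW phases trimmed).
SITE_B_INSIDE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Condensed from the outside->inside trace posted above: only the dropping phase kept.
SITE_OUTSIDE = """\
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Result:
input-interface: outside
output-interface: inside
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Run `drop_summary()` on a full pasted trace from each side; when the two sides drop in different phases, the phase and its Config: lines tell you which box to fix first.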
Do you have:
same-security-traffic permit inter-interface
?
ASKER
I didn't before, but I just added it right now. Still the same result, though.
Without debug, I'm shooting in the dark. Let's do some cleanup.
1) On B, remove from the NAT statement:
no-proxy-arp route-lookup
2) Set the transform-set on B to exactly match A.
3) On B, do a show access-list for the crypto map and NAT.
ASKER
IPsec debug showed some stuff just now; I'll post it right now.
IPSEC: Deleted outbound encrypt rule, SPI 0xCEC7C1AD
Rule ID: 0xcc23f628
IPSEC: Deleted outbound permit rule, SPI 0xCEC7C1AD
Rule ID: 0xcc0ae3a0
IPSEC: Deleted outbound VPN context, SPI 0xCEC7C1AD
VPN handle: 0x0006d864
IPSEC: Deleted inbound decrypt rule, SPI 0x1365DF65
Rule ID: 0xccfaf720
IPSEC: Deleted inbound permit rule, SPI 0x1365DF65
Rule ID: 0xccda9b00
IPSEC: Deleted inbound tunnel flow rule, SPI 0x1365DF65
Rule ID: 0xccf2eaa8
IPSEC: Deleted inbound VPN context, SPI 0x1365DF65
VPN handle: 0x000721c4
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xcd077720,
SCB: 0xCD09F800,
Direction: inbound
SPI : 0x2F1CB7A9
Session ID: 0x0000A000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xccdbe508,
SCB: 0xCD127378,
Direction: inbound
SPI : 0x125F9589
Session ID: 0x0000A000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcd07c580,
SCB: 0xCD077478,
Direction: inbound
SPI : 0x27E95D47
Session ID: 0x0000A000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcd07ccb0,
SCB: 0xCCDB4F50,
Direction: inbound
SPI : 0x7E9A43E0
Session ID: 0x0000A000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcd0760d8,
SCB: 0xCCF2D450,
Direction: inbound
SPI : 0x979C7F7B
Session ID: 0x0000A000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19502, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19502, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19758, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19758, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20014, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20014, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20270, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20270, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20526, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20526, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20782, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=20782, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.1.200, sport=19246, daddr=192.168.2.205, dport=47110
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xcd07c580,
SCB: 0xCD076E20,
Direction: inbound
SPI : 0x88FD5679
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcd07ccb0,
SCB: 0xCCFA3F50,
Direction: inbound
SPI : 0x033EA9A9
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcd0760d8,
SCB: 0xCCF24320,
Direction: inbound
SPI : 0xF2E27BAB
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xccdbec28,
SCB: 0xCD077478,
Direction: inbound
SPI : 0x4F9B4EBF
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xccdbf160,
SCB: 0xCCF37FB0,
Direction: inbound
SPI : 0x842EB49C
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xccdac348,
SCB: 0xCC7A1B70,
Direction: inbound
SPI : 0x874FB32E
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xccdac880,
SCB: 0xCCF39560,
Direction: inbound
SPI : 0xDDA0977E
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcc85cb40,
SCB: 0xCCF23888,
Direction: inbound
SPI : 0xA7AE32C5
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcc85d078,
SCB: 0xCCFA4198,
Direction: inbound
SPI : 0x15752DCF
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xcd079498,
SCB: 0xCC158868,
Direction: inbound
SPI : 0xEEE26CBF
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xccdac348,
SCB: 0xCD076E20,
Direction: outbound
SPI : 0x67E84CFB
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x67E84CFB
IPSEC: Creating outbound VPN context, SPI 0x67E84CFB
Flags: 0x00000005
SA : 0xccdac348
SPI : 0x67E84CFB
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x51E51835
Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0x67E84CFB
VPN handle: 0x0007d95c
IPSEC: New outbound encrypt rule, SPI 0x67E84CFB
Src addr: 192.168.1.0
Src mask: 255.255.255.0
Dst addr: 192.168.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x67E84CFB
Rule ID: 0xccda9c28
IPSEC: New outbound permit rule, SPI 0x67E84CFB
Src addr: 2.2.2.2
Src mask: 255.255.255.255
Dst addr: 1.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0x67E84CFB
Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x67E84CFB
Rule ID: 0xcd077478
IPSEC: New embryonic SA created @ 0xccdac880,
SCB: 0xCCF39560,
Direction: inbound
SPI : 0xDDA0977E
Session ID: 0x0000B000
VPIF num : 0x00000003
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host IBSA update, SPI 0xDDA0977E
IPSEC: Creating inbound VPN context, SPI 0xDDA0977E
Flags: 0x00000006
SA : 0xccdac880
SPI : 0xDDA0977E
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x0007D95C
SCB : 0x51DCCB89
Channel: 0xc8c234e0
IPSEC: Completed inbound VPN context, SPI 0xDDA0977E
VPN handle: 0x00081b5c
IPSEC: Updating outbound VPN context 0x0007D95C, SPI 0x67E84CFB
Flags: 0x00000005
SA : 0xccdac348
SPI : 0x67E84CFB
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00081B5C
SCB : 0x51E51835
Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0x67E84CFB
VPN handle: 0x0007d95c
IPSEC: Completed outbound inner rule, SPI 0x67E84CFB
Rule ID: 0xccda9c28
IPSEC: Completed outbound outer SPD rule, SPI 0x67E84CFB
Rule ID: 0xcd077478
IPSEC: New inbound tunnel flow rule, SPI 0xDDA0977E
Src addr: 192.168.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.1.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0xDDA0977E
Rule ID: 0xccf37fb0
IPSEC: New inbound decrypt rule, SPI 0xDDA0977E
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xDDA0977E
Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0xDDA0977E
Rule ID: 0xccf23888
IPSEC: New inbound permit rule, SPI 0xDDA0977E
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 50
Use protocol: true
SPI: 0xDDA0977E
Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0xDDA0977E
Rule ID: 0xccfa4198
I hate to do this, but I have to step away. Unless someone else can pick this up, I will be back tomorrow morning.
One other thing that I wanted to change for consistency: set the group to either 2 or 5 at both ends, not both.
ASKER
Did everything but no change. Thank you for the help.
ASKER
There were some issues on the other end caused by the client that were skewing my testing, but this basically resolved the issue in the end. Thanks for your help.