Hi,

We bought many ASA 5520 and 5510 to replace Nortel Contivitys. I wanted yesterday and today to bluild an IPSEC tunnel "l2l" between one ASA5520 and 5510 without success. Any idea why I can't establish the tunnel with ASAs and I have no problem with Nortel?

Note: OSPF also is not working, can see the neighbour. ASA version 7.2.2

Here is my configs:

ASA5510

=======

ASA Version 7.2(2)

hostname holland

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 172.18.20.13 255.255.255.252

ospf network point-to-point non-broadcast

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 14.x.87.1 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

same-security-traffic permit intra-interface

access-list outside_20_cryptomap extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0

access-list outside_20_cryptomap extended permit ospf host 172.18.20.13 host 172.18.20.1

access-list inside_nat0_outbound extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0

!

nat (inside) 0 access-list inside_nat0_outbound

!

!IP ADDRESS 172.18.20.14 is the IP address of the TLS cloud

!

route outside 0.0.0.0 0.0.0.x.x.20.14 1

!

router ospf 1

network 14.x.85.0 255.255.255.0 area 0

network 172.x.20.0 255.255.255.0 area 0

log-adj-changes

!

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set peer 172.18.20.1

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map 20 set nat-t-disable

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

tunnel-group 172.18.20.1 type ipsec-l2l

tunnel-group 172.18.20.1 ipsec-attributes

pre-shared-key *

AS5520

======

!

hostname France

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.18.20.1 255.255.255.252

ospf network point-to-point non-broadcast

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 14.20.158.5 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

same-security-traffic permit intra-interface

access-list outside_20_cryptomap extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0

access-list outside_20_cryptomap extended permit ospf host 172.18.20.1 host 172.18.20.13

access-list inside_nat0_outbound extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0

!

nat (inside) 0 access-list inside_nat0_outbound

!

!IP address 172.18.20.2 is the IP address of TLS Cloud

!

route outside 0.0.0.0 0.0.0.0 172.18.20.2 1

!

router ospf 1

network 14.20.158.0 255.255.255.0 area 0

network 172.18.20.0 255.255.255.0 area 0

log-adj-changes

!

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set peer 172.18.20.13

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map 20 set nat-t-disable

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

tunnel-group 172.18.20.13 type ipsec-l2l

tunnel-group 172.18.20.13 ipsec-attributes

pre-shared-key *

Thanks