02-15-2007 05:15 PM - edited 02-21-2020 02:52 PM
Hi,
We bought many ASA 5520s and 5510s to replace Nortel Contivitys. Yesterday and today I tried to build an IPsec "l2l" tunnel between one ASA 5520 and one 5510, without success. Any idea why I can't establish the tunnel with the ASAs, while I have no problem with the Nortels?
Note: OSPF is also not working; can see the neighbour. ASA version 7.2.2.
Here are my configs:
ASA5510
=======
ASA Version 7.2(2)
hostname holland
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.18.20.13 255.255.255.252
ospf network point-to-point non-broadcast
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 14.x.87.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.13 host 172.18.20.1
access-list inside_nat0_outbound extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
!IP ADDRESS 172.18.20.14 is the IP address of the TLS cloud
!
route outside 0.0.0.0 0.0.0.0 172.18.20.14 1
!
router ospf 1
network 14.x.85.0 255.255.255.0 area 0
network 172.x.20.0 255.255.255.0 area 0
log-adj-changes
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.18.20.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 172.18.20.1 type ipsec-l2l
tunnel-group 172.18.20.1 ipsec-attributes
pre-shared-key *
ASA5520
======
!
hostname France
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.18.20.1 255.255.255.252
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 14.20.158.5 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.1 host 172.18.20.13
access-list inside_nat0_outbound extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
!IP address 172.18.20.2 is the IP address of TLS Cloud
!
route outside 0.0.0.0 0.0.0.0 172.18.20.2 1
!
router ospf 1
network 14.20.158.0 255.255.255.0 area 0
network 172.18.20.0 255.255.255.0 area 0
log-adj-changes
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.18.20.13
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 172.18.20.13 type ipsec-l2l
tunnel-group 172.18.20.13 ipsec-attributes
pre-shared-key *
Thanks
02-18-2007 07:44 PM
Hi
You said that OSPF is not running. How is the remote-end ASA IP reachable?
The ACL outside_20_cryptomap is permitting the OSPF traffic through the tunnel. I don't find any problem with the crypto configuration.
You can do one thing: issue these commands on both the ASAs:
"route outside 0.0.0.0 0.0.0.0 172.18.20.14 tunneled"
"sysopt connection permit-ipsec"
Why are you using this command? I guess the NAT traffic is having some problem.
Remove the command:
"same-security-traffic permit intra-interface"
02-18-2007 10:48 PM
Hi,
If it does not work, then I would suggest obtaining the 'debug cry isak' and 'debug cry ipsec' outputs.
Regards,
Kamal
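Added example, not taken from the thread above: the France (ASA 5520) side of an OSPF-over-IPsec L2L setup in ASA 7.2(2) syntax, put together to show the pieces the two replies touch on (the crypto ACL carrying the OSPF hellos, the sysopt command, and the commands to verify each stage before reaching for the debugs). It assumes the masked "x" in the Holland config is 20, as the France config already shows, and it adds a static OSPF neighbor statement that is not in the original configs: on an interface configured as point-to-point non-broadcast, OSPF sends no multicast hellos, so the peer must be named explicitly for unicast hellos to be sent through the tunnel.

```cisco
! Added example, France (ASA 5520) side, ASA 7.2(2) syntax.
! Assumes the masked "x" in the Holland config is 20.
!
! The outside interface carries the tunnel; non-broadcast point-to-point
! means OSPF hellos are unicast to a configured neighbor, so they can be
! matched by the crypto ACL and sent inside the IPsec SA.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.18.20.1 255.255.255.252
 ospf network point-to-point non-broadcast
!
router ospf 1
 network 14.20.158.0 255.255.255.0 area 0
 network 172.18.20.0 255.255.255.0 area 0
 ! Static neighbor (my addition): the Holland outside address.
 neighbor 172.18.20.13 interface outside
 log-adj-changes
!
! Crypto ACL: LAN-to-LAN traffic plus the unicast OSPF hellos between the
! two outside addresses. Holland needs the exact mirror image.
access-list outside_20_cryptomap extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.1 host 172.18.20.13
!
! Let decrypted tunnel traffic bypass the outside interface ACL,
! as suggested in the first reply.
sysopt connection permit-ipsec
!
! Verification, in the order the tunnel comes up:
!   show crypto isakmp sa    - phase 1 should reach MM_ACTIVE
!   show crypto ipsec sa     - #pkts encaps/decaps increment for the ospf line
!   show ospf neighbor       - 172.18.20.13 should reach FULL on outside
! Only if one of those stages fails, collect the debugs named above:
!   debug crypto isakmp 127
!   debug crypto ipsec 127
```

The point of checking in that order is that the OSPF hellos are themselves interesting traffic for the crypto map, so a phase 1 or phase 2 failure shows up as no OSPF adjacency; looking at `show ospf neighbor` first hides which layer is actually broken.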