Advice on config

Unanswered Question
Dec 5th, 2008

Could one of you excellent experts please cast your eye over the below config please. We have a site to site from this ASA back to our ISA server. It works but every day it goes down while the SAs are renegotiated and recently users are having to ping a host on the remote network before traffic will pass through the tunnel. The tunnel doesn't drop ever and once they ping everything is ok...


Any advice is much appreciated


Thanks


Colin


cmgowcity Fri, 12/05/2008 - 03:04

ASA Version 7.1(2)
!
hostname ciscoasa
domain-name iesve.com
enable password encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x local ip 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.12.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd encrypted
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name iesve.com
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 10.12.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 10.12.0.0 255.255.0.0 10.10.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered debugging
logging trap debugging
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host inside 10.12.1.3
logging permit-hostdown
logging message 100000 level debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 gateway address 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.12.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x remote ip
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 82800
crypto map outside_map 20 set security-association lifetime kilobytes 2000000000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 60 retry 10
tunnel-group 194.159.138.162 type ipsec-l2l
tunnel-group 194.159.138.162 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 10
telnet 10.12.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
management-access management
dhcpd address 10.12.1.2-10.12.1.152 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 10.10.1.253 10.10.1.252
dhcpd wins 10.10.1.253
dhcpd lease 691200
dhcpd ping_timeout 500
dhcpd domain iesve.com
dhcpd option 252 ascii xxxxxxxxx
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.10.1.4
Cryptochecksum:xxx
: end
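As an added example for readers of this thread (not the poster's or Cisco's code), the Python below parses the crypto, tunnel-group and telnet lines of an ASA 7.x config like the one posted and reports the settings that govern how a site-to-site tunnel rekeys (ISAKMP and IPsec SA lifetimes, PFS, dead peer detection) and which clear-text management protocols are open. The embedded sample is an excerpt of the config above; the peer address stays redacted as x.x.x.x exactly as in the post, and the finding codes and the "legacy algorithm" lists are this example's own conventions, not ASA output.

```python
"""Lint for the IPsec/ISAKMP and management lines of a Cisco ASA 7.x config.
Added example: parses the flat config into transform sets, crypto maps,
ISAKMP policies and tunnel-groups, then reports rekey-related settings."""
import re
from dataclasses import dataclass, field

# Excerpt of the configuration posted in the thread (crypto, tunnel-group and
# telnet lines only); the peer address stays redacted as x.x.x.x, as posted.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 82800
crypto map outside_map 20 set security-association lifetime kilobytes 2000000000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group 194.159.138.162 type ipsec-l2l
tunnel-group 194.159.138.162 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 10
telnet 10.12.1.0 255.255.255.0 inside
telnet timeout 15
"""

# Algorithms current guidance treats as legacy (DES/3DES, MD5/SHA-1, DH groups 1-2).
LEGACY_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {1, 2}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


@dataclass
class AsaConfig:
    transform_sets: dict = field(default_factory=dict)   # name -> [algorithms]
    crypto_maps: dict = field(default_factory=dict)      # (map, seq) -> settings
    isakmp_policies: dict = field(default_factory=dict)  # priority -> settings
    tunnel_groups: dict = field(default_factory=dict)    # name -> settings
    telnet: list = field(default_factory=list)           # (network, mask, interface)


def _crypto_map_setting(entry, kind, rest):
    """Store one 'crypto map <name> <seq> ...' clause in its entry dict."""
    words = rest.split()
    if kind == "match address":
        entry["acl"] = words[0]
    elif words[0] == "pfs":                       # 'set pfs [groupN]'
        entry["pfs"] = words[1] if len(words) > 1 else "default"
    elif words[0] in ("peer", "transform-set"):
        entry[words[0].replace("-", "_")] = words[1]
    elif words[:2] == ["security-association", "lifetime"]:
        entry["lifetime_" + words[2]] = int(words[3])   # seconds or kilobytes


def parse_asa(text):
    cfg = AsaConfig()
    current_tg = None   # tunnel-group whose ipsec-attributes block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg.transform_sets[m[1]] = m[2].split()
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set) (.+)", line):
            _crypto_map_setting(cfg.crypto_maps.setdefault((m[1], int(m[2])), {}), m[3], m[4])
        elif m := re.match(r"isakmp policy (\d+) (\S+) (.+)", line):
            val = m[3]
            cfg.isakmp_policies.setdefault(int(m[1]), {})[m[2]] = int(val) if val.isdigit() else val
        elif m := re.match(r"tunnel-group (\S+) (?:type (\S+)|(ipsec-attributes))", line):
            tg = cfg.tunnel_groups.setdefault(m[1], {})
            if m[2]:
                tg["type"] = m[2]
            else:
                current_tg = tg
        elif (m := re.match(r"isakmp keepalive threshold (\d+) retry (\d+)", line)) and current_tg is not None:
            current_tg["keepalive"] = (int(m[1]), int(m[2]))   # DPD threshold, retry interval
        elif m := re.match(r"telnet (\S+) (\S+) (\S+)$", line):
            cfg.telnet.append(m.groups())
    return cfg


def lint(cfg):
    """Return (code, message) findings; the codes are this example's own."""
    findings = []
    for prio, pol in sorted(cfg.isakmp_policies.items()):
        legacy = [f"{k} {pol[k]}" for k, bad in LEGACY_ISAKMP.items() if pol.get(k) in bad]
        if legacy:
            findings.append(("LEGACY_CRYPTO", f"isakmp policy {prio}: {', '.join(legacy)}"))
    for name, algs in cfg.transform_sets.items():
        legacy = [a for a in algs if a in LEGACY_TRANSFORMS]
        if legacy:
            findings.append(("LEGACY_CRYPTO", f"transform-set {name}: {' '.join(legacy)}"))
    for name, tg in cfg.tunnel_groups.items():
        if tg.get("type") == "ipsec-l2l" and "keepalive" not in tg:
            findings.append(("NO_DPD", f"tunnel-group {name}: no isakmp keepalive (dead peer detection)"))
    for (cmap, seq), entry in sorted(cfg.crypto_maps.items()):
        if "pfs" not in entry:
            findings.append(("NO_PFS", f"crypto map {cmap} {seq}: perfect forward secrecy not set"))
        p2 = entry.get("lifetime_seconds")
        for prio, pol in cfg.isakmp_policies.items():
            p1 = pol.get("lifetime")
            if p1 is None or p2 is None:
                continue
            # Phase 2 lifetime at or above phase 1 lifetime is worth a look; otherwise report values.
            code = "LIFETIME_ORDER" if p2 >= p1 else "REKEY_INFO"
            findings.append((code, f"crypto map {cmap} {seq}: IPsec SA lifetime {p2}s, "
                             f"isakmp policy {prio} lifetime {p1}s (lifetimes differ by {abs(p1 - p2)}s)"))
    for net, mask, iface in cfg.telnet:
        findings.append(("CLEARTEXT_MGMT", f"telnet allowed from {net} {mask} on {iface}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_asa(SAMPLE_CONFIG)):
        print(f"{code:14} {msg}")
```

Run against the excerpt, it reports the 3DES/SHA-1/group 2 choices in both the ISAKMP policy and the transform set, the 82800 s IPsec and 86400 s ISAKMP lifetimes (both on a roughly daily rekey cycle), and the telnet access from the inside network; DPD and PFS are present, so those checks stay quiet. The parser strips leading whitespace, so it works on an indented `show running-config` as well as on a flattened paste like the one above.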
