Access for remote access users to site-to-site tunnels

Unanswered Question
Jun 17th, 2010

I have 3 site-to-site tunnels up and working and a remote access VPN working. The only problem I am having is that I cannot seem to get the remote access users to the site-to-site tunnels; for instance, they cannot get to the SF network. Not sure what I am missing. Here are the configs of the ASA and one site.

asa5510

: Saved
: Written by enable_15 at 14:49:51.488 EDT Thu Jun 17 2010
!
ASA Version 8.2(1)
!
hostname ASA-GW1
domain-name

encrypted
names
name 10.0.31.0 A-10.0.31.0 description NYC
!
interface Ethernet0/0
description Outside Interface
speed 100
duplex full
nameif Outside
security-level 50
ip address outsideaddress 255.255.255.252
!
interface Ethernet0/1
description Inside Interface
speed 100
duplex full
nameif Inside
security-level 100
ip address 10.0.10.5 255.255.255.0
!
interface Ethernet0/2
description Remote Access to VPN
speed 100
duplex full
nameif VPN
security-level 100
ip address 10.0.23.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner motd Do you miss the SRX?
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object-group service IPSecNat udp
port-object eq 10000
access-list Outside_1_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 10.0.37.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Outside_access_in extended permit udp any any object-group IPSecNat
access-list Outside_access_in extended permit tcp any host webserver eq www
access-list Outside_access_in extended permit tcp any host webserver eq https
access-list Outside_access_in extended permit tcp 74.125.148.0 255.255.252.0 host webserver eq smtp
access-list Outside_access_in extended permit esp any host oldconcentrator
access-list Outside_2_cryptomap extended permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.10.0 255.255.255.0
access-list SplitTunnels standard permit A-10.0.31.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.30.0 255.255.255.0
access-list SplitTunnels standard permit webnet 255.255.255.0
access-list SplitTunnels standard permit drwebnet 255.255.255.224
access-list SplitTunnels standard permit 10.0.0.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.9.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.40.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.1.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.2.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.41.0 255.255.255.0
access-list SplitTunnels standard permit 10.0.42.0 255.255.255.0
access-list SplitTunnels standard permit host sfrtrIF1
access-list SplitTunnels standard permit host sfrtrIF2
access-list SplitTunnels standard permit host NYCRTRIF1
access-list SplitTunnels standard permit host NYCRTRIF2
access-list SplitTunnels standard permit 205.178.188.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip A-10.0.31.0 255.255.255.0 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.30.0 255.255.255.0 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip webnet 255.255.255.0 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip drwebnet 255.255.255.224 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.9.0 255.255.255.0 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.37.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.37.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Outside_3_cryptomap extended permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
access-list Outside_5_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list Outside_4_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Outside_4_cryptomap extended permit ip 10.0.37.0 255.255.255.0 10.0.30.0 255.255.255.0
pager lines 24
logging buffer-size 10000
logging asdm-buffer-size 512
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu VPN 1500
mtu management 1500
ip local pool 37Pool 10.0.37.50-10.0.37.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
icmp permit any VPN
no asdm history enable
arp timeout 14400
global (Outside) 1 outsideNAT
nat (Outside) 1 10.0.37.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.0.10.0 255.255.255.0
static (Inside,Outside) webserver 10.0.10.110 netmask 255.255.255.255
static (VPN,Outside) oldconcentrator 10.0.23.6 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 65.51.223.77 1
route Inside 10.0.0.0 255.255.255.0 10.0.10.245 1
route Inside 10.0.9.0 255.255.255.0 10.0.10.245 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (Inside) host 10.0.10.75
timeout 5
nt-auth-domain-controller ixdc2

http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.10.0 255.255.255.0 Inside
snmp-server host Inside 10.0.10.38 community insight
no snmp-server location
no snmp-server contact
snmp-server community ro
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map3 1 match address Outside_1_cryptomap
crypto map Outside_map3 1 set peer sfrtrIF1
crypto map Outside_map3 1 set transform-set ESP-DES-MD5
crypto map Outside_map3 2 match address Outside_2_cryptomap
crypto map Outside_map3 2 set peer NYCRTRIF1
crypto map Outside_map3 2 set transform-set ESP-DES-MD5
crypto map Outside_map3 3 match address Outside_3_cryptomap
crypto map Outside_map3 3 set peer NYCRTRIF2
crypto map Outside_map3 3 set transform-set ESP-DES-MD5
crypto map Outside_map3 4 match address Outside_4_cryptomap
crypto map Outside_map3 4 set peer sfrtrIF2
crypto map Outside_map3 4 set transform-set ESP-DES-MD5
crypto map Outside_map3 5 match address Outside_5_cryptomap
crypto map Outside_map3 5 set peer jodyFW
crypto map Outside_map3 5 set transform-set ESP-DES-MD5
crypto map Outside_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map3 interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.10.0 255.255.255.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Group1 internal
group-policy Group1 attributes
wins-server value 10.0.10.75 10.0.10.99
dns-server value 10.0.10.75 10.0.10.99
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnels
default-domain value insight.com
tunnel-group sfrtrIF1 type ipsec-l2l
tunnel-group sfrtrIF1 ipsec-attributes
pre-shared-key *
tunnel-group NYCRTRIF1 type ipsec-l2l
tunnel-group NYCRTRIF1 ipsec-attributes
pre-shared-key *
tunnel-group sfrtrIF2 type ipsec-l2l
tunnel-group sfrtrIF2 ipsec-attributes
pre-shared-key *
tunnel-group NYCRTRIF2 type ipsec-l2l
tunnel-group NYCRTRIF2 ipsec-attributes
pre-shared-key *
tunnel-group jodyFW type ipsec-l2l
tunnel-group jodyFW ipsec-attributes
pre-shared-key *
tunnel-group Group1 type remote-access
tunnel-group Group1 general-attributes
address-pool 37Pool
authentication-server-group AD
default-group-policy Group1
tunnel-group Group1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:86965cdb2372248dc2536495f9ce51c0

1700config

Using 7997 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
hostname SF-RT1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
no logging monitor
!
username admin password

clock timezone EST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.0.30.1 10.0.30.99
ip dhcp excluded-address 10.0.30.151 10.0.30.254
!
ip dhcp pool sdm-pool1
   network 10.0.30.0 255.255.255.0
   default-router 10.0.30.1
   dns-server 10.0.30.31 206.13.28.12 10.0.10.99
   lease 5
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key key address otherpeer
crypto isakmp key key address VidConfPeer
crypto isakmp key key address ASA5510
crypto isakmp key key address L3Peer
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map NOLAN 11 ipsec-isakmp
set peer ASA5510
set transform-set sharks
match address 101
crypto map NOLAN 12 ipsec-isakmp
set peer otherpeer
set transform-set sharks
match address 102
crypto map NOLAN 13 ipsec-isakmp
set peer L3Peer
set transform-set sharks
match address 103
crypto map NOLAN 14 ipsec-isakmp
set peer VidConfPeer
set transform-set sharks
match address 107
!
!
!
interface Loopback0
ip address 1.1.1.3 255.255.255.0
!
interface FastEthernet0
ip address 10.0.30.1 255.255.255.0
ip access-group 106 in
ip nat inside
ip virtual-reassembly
speed auto
!
interface Serial0
ip address sfIF1 255.255.255.252
ip access-group 104 in
ip load-sharing per-packet
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
service-module t1 timeslots 1-24
crypto map NOLAN
!
interface Serial1
ip address sfIF2 255.255.255.252
ip access-group 104 in
ip load-sharing per-packet
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
service-module t1 timeslots 1-24
crypto map NOLAN
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 0.0.0.0 0.0.0.0 Serial1
ip http server
ip http secure-server
ip nat pool sfpool pool1 poolendl netmask 255.255.255.248
ip nat pool sfpool1 pool2 poolend netmask 255.255.255.248
ip nat inside source route-map NONAT pool sfpool overload
ip nat inside source route-map NONAT1 pool sfpool1 overload

!
!
logging trap warnings
logging facility syslog
logging 10.0.30.31
access-list 25 permit hq2 0.0.0.255
access-list 25 permit 10.0.10.0 0.0.0.255
access-list 25 permit 10.0.30.0 0.0.0.255
access-list 25 permit asa5510net 0.0.0.31
access-list 25 permit 10.0.9.0 0.0.0.255
access-list 101 permit ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 101 permit ip 10.0.30.0 0.0.0.255 10.0.37.0 0.0.0.255
access-list 102 permit ip 10.0.30.0 0.0.0.255 10.0.11.0 0.0.0.255
access-list 103 permit ip 10.0.30.0 0.0.0.255 10.0.9.0 0.0.0.255
access-list 104 permit ip 10.0.13.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 104 permit esp host L3Peer host sfIF1
access-list 104 permit udp host L3Peer host sfIF1 eq isakmp
access-list 104 permit udp host L3Peer host sfIF1 eq non500-isakmp
access-list 104 permit esp host L3Peer host sfIF2
access-list 104 permit udp host L3Peer host sfIF2 eq isakmp
access-list 104 permit udp host L3Peer host sfIF2 eq non500-isakmp
access-list 104 permit ip 10.0.9.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 104 permit ip 10.0.37.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 104 permit ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 104 permit ahp host ASA5510 host sfIF1
access-list 104 permit esp host ASA5510 host sfIF1
access-list 104 permit udp host ASA5510 host sfIF1 eq isakmp
access-list 104 permit udp host ASA5510 host sfIF1 eq non500-isakmp
access-list 104 permit ahp host ASA5510 host sfIF2
access-list 104 permit esp host ASA5510 host sfIF2
access-list 104 permit udp host ASA5510 host sfIF2 eq isakmp
access-list 104 permit udp host ASA5510 host sfIF2 eq non500-isakmp
access-list 104 permit ahp host otherpeer host sfIF1
access-list 104 permit esp host otherpeer host sfIF1
access-list 104 permit udp host otherpeer host sfIF1 eq isakmp
access-list 104 permit udp host otherpeer host sfIF1 eq non500-isakmp
access-list 104 permit ip 10.0.11.0 0.0.0.255 10.0.30.0 0.0.0.255
access-list 104 permit ip asa5510net 0.0.0.31 any
access-list 104 permit ip 157.130.2.0 0.0.0.255 any
access-list 104 deny   icmp any any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip any host subnet
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 106 deny   ip subnet 0.0.0.3 any
access-list 106 deny   ip subnet 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 107 permit ip 10.0.30.0 0.0.0.255 10.0.13.0 0.0.0.255
access-list 120 permit ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 120 permit ip 10.0.30.0 0.0.0.255 10.0.11.0 0.0.0.255
access-list 120 permit ip 10.0.30.0 0.0.0.255 10.0.37.0 0.0.0.255
access-list 120 permit ip 10.0.30.0 0.0.0.255 10.0.9.0 0.0.0.255
access-list 120 permit ip 10.0.30.0 0.0.0.255 10.0.13.0 0.0.0.255
access-list 130 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 130 deny   ip 10.0.30.0 0.0.0.255 10.0.13.0 0.0.0.255
access-list 130 deny   ip 10.0.30.0 0.0.0.255 10.0.37.0 0.0.0.255
access-list 130 deny   ip 10.0.30.0 0.0.0.255 10.0.11.0 0.0.0.255
access-list 130 deny   ip 10.0.30.0 0.0.0.255 10.0.9.0 0.0.0.255
access-list 130 permit ip 10.0.30.0 0.0.0.255 any
snmp-server community RO
snmp-server enable traps tty
snmp-server host 10.0.30.30 ro

!
route-map NONAT permit 10
match ip address 130
!
route-map NONAT1 permit 10
match ip address 130
!
route-map ipsec permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
!
control-plane
!
^C
alias exec s sh run
alias exec sc sh conf
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line aux 0
line vty 0 4
access-class 25 in
exec-timeout 15 0
privilege level 15
  login local
!

Jennifer Halim Fri, 06/18/2010 - 05:24

I assume that the remote access vpn client does not use the ASA internet connection for normal internet browsing since you have split tunnel configured, hence you do not need to configure the following:

nat (Outside) 1 10.0.37.0 255.255.255.0

If remote access vpn client is using split tunnelling then the above NAT statement is not required.

The reason why remote access vpn can't access the site-to-site tunnel is because the ip pool subnet is PATed to the outside interface ip address, hence it no longer matches the crypto ACL specified.

After removing the above, please "clear xlate" and test the access.

Hope that helps.
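
To make the reasoning in the answer above concrete, here is an added example (not from any poster and not a Cisco tool) that models the ASA 8.2 order of operations for the hairpinned client traffic: the NAT exemption is checked first, then dynamic NAT/PAT, and only the post-NAT packet is compared with the crypto ACLs. Assumptions: 203.0.113.1 stands in for the redacted `outsideNAT` address, and the `nat (Outside) 0` exemption with its `Outside_nat0_outbound` ACL is a hypothetical name for the usual way of keeping the pool untranslated toward the L2L subnets while leaving the PAT for Internet-bound split-tunnel traffic in place.

```python
"""Toy model of the ASA 8.2 packet path: NAT runs before the crypto map is
consulted, so a PATed source no longer matches the crypto ACL.  Added example,
not the poster's config and not a Cisco tool.  203.0.113.1 stands in for the
redacted 'outsideNAT' address; Outside_nat0_outbound is a hypothetical name."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Acl = List[Tuple[Net, Net]]     # extended ACL reduced to (src, dst) permit entries


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


def acl(*pairs: Tuple[str, str]) -> Acl:
    return [(net(s), net(d)) for s, d in pairs]


def acl_permits(entries: Acl, src: str, dst: str) -> bool:
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in e_src and d in e_dst for e_src, e_dst in entries)


@dataclass
class Asa82:
    intra_interface: bool                          # same-security-traffic permit intra-interface
    nat0: Dict[str, Acl]                           # nat (ifc) 0 access-list <acl>
    dynamic_nat: Dict[str, List[Tuple[Net, int]]]  # nat (ifc) <id> <net> <mask>
    global_pat: Dict[Tuple[str, int], str]         # global (ifc) <id> <addr>
    crypto_acls: Dict[str, Acl]                    # crypto map ... match address <acl>

    def translate(self, in_if: str, out_if: str, src: str, dst: str) -> Tuple[str, str]:
        """Simplified 8.2 NAT order: exemption (nat 0) first, then dynamic NAT/PAT.
        Static and policy NAT are omitted; none in the posted config touch the pool.
        The lookup is keyed on the ingress interface, so an exemption on Inside
        never sees traffic that enters on Outside."""
        if acl_permits(self.nat0.get(in_if, []), src, dst):
            return src, f"nat ({in_if}) 0 exemption"
        for network, nat_id in self.dynamic_nat.get(in_if, []):
            if ipaddress.ip_address(src) in network:
                pat = self.global_pat.get((out_if, nat_id))
                if pat is not None:
                    return pat, f"PAT via global ({out_if}) {nat_id}"
        return src, "no translation"

    def forward(self, in_if: str, out_if: str, src: str, dst: str) -> Dict[str, Optional[str]]:
        """Hairpin check, NAT, then match the post-NAT packet against the crypto ACLs."""
        if in_if == out_if and not self.intra_interface:
            return {"src_after_nat": None, "nat": "dropped: intra-interface not permitted", "crypto_acl": None}
        new_src, how = self.translate(in_if, out_if, src, dst)
        matched = next((name for name, entries in self.crypto_acls.items()
                        if acl_permits(entries, new_src, dst)), None)
        return {"src_after_nat": new_src, "nat": how, "crypto_acl": matched}


PAT_ADDR = "203.0.113.1"   # stand-in for the redacted 'outsideNAT' object (assumption)
# Only the SF crypto ACL is modelled; as posted, it already lists the pool.
CRYPTO = {"Outside_1_cryptomap": acl(("10.0.10.0/24", "10.0.30.0/24"),
                                     ("10.0.37.0/24", "10.0.30.0/24"))}


def posted_config() -> Asa82:
    """NAT as posted: the only exemption is on Inside; the pool is PATed out of Outside."""
    return Asa82(
        intra_interface=True,
        nat0={"Inside": acl(("10.0.10.0/24", "10.0.30.0/24"), ("10.0.10.0/24", "10.0.37.0/24"))},
        dynamic_nat={"Outside": [(net("10.0.37.0/24"), 1)], "Inside": [(net("10.0.10.0/24"), 1)]},
        global_pat={("Outside", 1): PAT_ADDR},
        crypto_acls=CRYPTO,
    )


def with_outside_exemption() -> Asa82:
    """Posted config plus an exemption on the interface the pool traffic enters (assumed fix):
         access-list Outside_nat0_outbound extended permit ip 10.0.37.0 255.255.255.0 10.0.30.0 255.255.255.0
         nat (Outside) 0 access-list Outside_nat0_outbound
    The PAT for Internet-bound pool traffic stays in place."""
    asa = posted_config()
    asa.nat0["Outside"] = acl(("10.0.37.0/24", "10.0.30.0/24"))
    return asa


def client_to_sf(asa: Asa82) -> Dict[str, Optional[str]]:
    return asa.forward("Outside", "Outside", "10.0.37.51", "10.0.30.10")


def client_to_internet(asa: Asa82) -> Dict[str, Optional[str]]:
    return asa.forward("Outside", "Outside", "10.0.37.51", "198.51.100.10")


if __name__ == "__main__":
    for label, asa in (("posted", posted_config()), ("with nat (Outside) 0", with_outside_exemption())):
        print(f"{label:22} SF:       {client_to_sf(asa)}")
        print(f"{label:22} Internet: {client_to_internet(asa)}")
```

With the posted config the SF-bound packet leaves as 203.0.113.1 and matches no crypto ACL; with the Outside exemption it keeps 10.0.37.51 and matches Outside_1_cryptomap, while the Internet-bound packet is still PATed in both cases. The SF side of the posted router config already mirrors this: ACL 101 includes 10.0.30.0/24 to 10.0.37.0/24, ACL 130 keeps that traffic out of the NONAT route-maps, and ACL 104 permits it inbound on the serial interfaces.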

insightexpress Fri, 06/18/2010 - 06:02

We need to have the NAT there because some of our client sites and our own internal portal need us to come from certain IP ranges, so we do have some split tunnels that go to the internet. Also, removing the NAT did not help; I was still not able to hit the 10.0.30.0/24 network. So basically we need to tunnel them out to the internet as well as have them get to the site-to-site tunnels. I do not see why we cannot hit the tunnels even when the NAT is removed.

Jennifer Halim Fri, 06/18/2010 - 06:09

There is no reason why it would not connect after removing the NAT, and clearing the xlate.

When remote access is connected, and after you test accessing the other LAN-to-LAN site, can you please share the output of:

show crypto ipsec sa

from both sites.

Please also make sure that the other sites have routes for the ip pool subnet pointing towards the router.

insightexpress Fri, 06/18/2010 - 07:37

Here is the output of show crypto ipsec sa for the 10.0.30.0 remote site and the asa5510. I don't see the .37 as a remote or local identity anywhere, which may be the problem, or at least part of it.

asa

StamASA-GW1(config)#show crypto ipsec sa
interface: Outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: asa5510

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.37.51/255.255.255.255/0/0)
      current_peer: vpnuser, username: mbandanza
      dynamic allocated peer ip: 10.0.37.51

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510/4500, remote crypto endpt.: vpnuser/14467
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: B1C51FFB

    inbound esp sas:
      spi: 0xAE2165DC (2921424348)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 274432, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28775
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0xB1C51FFB (2982486011)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 274432, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28775
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 5, local addr: asa5510

      access-list Outside_5_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      current_peer: jodyFW

      #pkts encaps: 186900, #pkts encrypt: 186900, #pkts digest: 186900
      #pkts decaps: 172204, #pkts decrypt: 172204, #pkts verify: 172204
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 186900, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: jodyFW

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 31C44B71

    inbound esp sas:
      spi: 0x5246CC1B (1380371483)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 163840, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4370959/7650)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x31C44B71 (834947953)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 163840, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4372989/7650)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 2, local addr: asa5510

      access-list Outside_2_cryptomap permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (A-10.0.31.0/255.255.255.0/0/0)
      current_peer: nycIF1

      #pkts encaps: 473056, #pkts encrypt: 473056, #pkts digest: 473056
      #pkts decaps: 199732, #pkts decrypt: 199732, #pkts verify: 199732
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 473056, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: nycIF1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3DCD50AF

    inbound esp sas:
      spi: 0x454216A6 (1161959078)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 221184, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4372999/2614)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x3DCD50AF (1036865711)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 221184, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4369803/2614)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 3, local addr: asa5510

      access-list Outside_3_cryptomap permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (A-10.0.31.0/255.255.255.0/0/0)
      current_peer: nycIF2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 200144, #pkts decrypt: 200144, #pkts verify: 200144
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: nycIF2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 50DA2B54

    inbound esp sas:
      spi: 0x389FD19D (949997981)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 196608, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4371453/2145)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x7FFFFFFF 0xFFFFFFFB
    outbound esp sas:
      spi: 0x50DA2B54 (1356475220)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 196608, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4374000/2145)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 1, local addr: asa5510

      access-list Outside_1_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
      current_peer: SFIF1

      #pkts encaps: 12121, #pkts encrypt: 12121, #pkts digest: 12121
      #pkts decaps: 5948, #pkts decrypt: 5948, #pkts verify: 5948
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 12121, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: SFIF1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0C387AF5

    inbound esp sas:
      spi: 0xA1A19C99 (2711723161)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 258048, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373875/2326)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFBFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0C387AF5 (205028085)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 258048, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373693/2325)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 4, local addr: asa5510

      access-list Outside_4_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
      current_peer: SFIF2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6021, #pkts decrypt: 6021, #pkts verify: 6021
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: SFIF2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7C158B79

    inbound esp sas:
      spi: 0xB4D333B6 (3033740214)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 253952, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373857/2144)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFEFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7C158B79 (2081786745)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 253952, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4374000/2144)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Remote site

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.06.18 10:28:05 =~=~=~=~=~=~=~=~=~=~=~=
show crypto ipsec sa

interface: Serial0
    Crypto map tag: NOLAN, local addr. sfint1

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.9.0/255.255.255.0/0/0)
   current_peer: l3backup:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4597, #pkts encrypt: 4597, #pkts digest: 4597
    #pkts decaps: 1311, #pkts decrypt: 1311, #pkts verify: 1311
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: sfint1, remote crypto endpt.: l3backup
     path mtu 1500, media mtu 1500
     current outbound spi: 4E960AA3

     inbound esp sas:
      spi: 0x664D5D90(1716346256)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 444, flow_id: 245, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4568402/1795)
        ike_cookies: 1A6A296A 21659AA1 C0D97555 B9B1F39E
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4E960AA3(1318455971)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 445, flow_id: 246, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4568403/1795)
        ike_cookies: 1A6A296A 21659AA1 C0D97555 B9B1F39E
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
   current_peer: ASA5510:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 152044, #pkts encrypt: 152044, #pkts digest: 152044
    #pkts decaps: 311487, #pkts decrypt: 311487, #pkts verify: 311487
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 14, #recv errors 0

     local crypto endpt.: sfint1, remote crypto endpt.: ASA5510
     path mtu 1500, media mtu 1500
     current outbound spi: A1A19C99

     inbound esp sas:
      spi: 0xC387AF5(205028085)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 446, flow_id: 247, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4557962/1804)
        ike_cookies: 47F22051 CE838D04 5E944FAE 40EB0545
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA1A19C99(2711723161)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 447, flow_id: 248, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4558224/1804)
        ike_cookies: 47F22051 CE838D04 5E944FAE 40EB0545
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.11.0/255.255.255.0/0/0)
   current_peer: voip:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 104450, #pkts encrypt: 104450, #pkts digest: 104450
    #pkts decaps: 105280, #pkts decrypt: 105280, #pkts verify: 105280
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

     local crypto endpt.: sfint1, remote crypto endpt.: voip
     path mtu 1500, media mtu 1500
     current outbound spi: AFB7B8E7

     inbound esp sas:
      spi: 0xB7058470(3070592112)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 450, flow_id: 251, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4470272/2123)
        ike_cookies: 5FC8A9C9 AEEFA3F0 9D534E94 963B6AC5
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAFB7B8E7(2948053223)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 451, flow_id: 252, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4470270/2123)
        ike_cookies: 5FC8A9C9 AEEFA3F0 9D534E94 963B6AC5
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.13.0/255.255.255.0/0/0)
   current_peer: VidConf:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: sfint1, remote crypto endpt.: VidConf
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.37.0/255.255.255.0/0/0)
   current_peer: ASA5510:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: sfint1, remote crypto endpt.: ASA5510
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


interface: Serial1
    Crypto map tag: NOLAN, local addr. sfint2

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.9.0/255.255.255.0/0/0)
   current_peer: l3backup:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4626, #pkts encrypt: 4626, #pkts digest: 4626
    #pkts decaps: 9669, #pkts decrypt: 9669, #pkts verify: 9669
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: sfint2, remote crypto endpt.: l3backup
     path mtu 1500, media mtu 1500
     current outbound spi: BEC5EBA4

     inbound esp sas:
      spi: 0x5880B0D1(1484828881)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 452, flow_id: 253, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4444266/2392)
        ike_cookies: 1CE42F8A 460D36C0 D3415DC4 646EE2FB
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBEC5EBA4(3200641956)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 453, flow_id: 254, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4444285/2391)
        ike_cookies: 1CE42F8A 460D36C0 D3415DC4 646EE2FB
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
   current_peer: ASA5510:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 152173, #pkts encrypt: 152173, #pkts digest: 152173
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: sfint2, remote crypto endpt.: ASA5510
     path mtu 1500, media mtu 1500
     current outbound spi: B4D333B6

     inbound esp sas:
      spi: 0x7C158B79(2081786745)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 442, flow_id: 243, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4556858/1620)
        ike_cookies: E04017A5 0D0AB8EE 64FF598D F9FC4838
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB4D333B6(3033740214)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 443, flow_id: 244, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4556633/1620)
        ike_cookies: E04017A5 0D0AB8EE 64FF598D F9FC4838
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.11.0/255.255.255.0/0/0)
   current_peer: voip:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 104548, #pkts encrypt: 104548, #pkts digest: 104548
    #pkts decaps: 105026, #pkts decrypt: 105026, #pkts verify: 105026
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 15, #recv errors 0

     local crypto endpt.: sfint2, remote crypto endpt.: voip
     path mtu 1500, media mtu 1500
     current outbound spi: 511E3117

     inbound esp sas:
      spi: 0xFB5FB05E(4217352286)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 448, flow_id: 249, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4526852/1946)
        ike_cookies: 0D5C98D8 1AC515DC 9182A944 BC6C5B79
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x511E3117(1360933143)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 449, flow_id: 250, crypto map: NOLAN
        crypto engine type: Hardware, engine_id: 2
        sa timing: remaining key lifetime (k/sec): (4526857/1946)
        ike_cookies: 0D5C98D8 1AC515DC 9182A944 BC6C5B79
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.13.0/255.255.255.0/0/0)
   current_peer: VidConf:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: sfint2, remote crypto endpt.: VidConf
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.37.0/255.255.255.0/0/0)
   current_peer: ASA5510:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: sfint2, remote crypto endpt.: ASA5510
     path mtu 1500, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

SF-RT1#

insightexpress Fri, 06/18/2010 - 07:58

So I made these changes on the ASA to add the local ident and still no 10.0.37.0 in local ident even after clear crypto isakmp sa on both ends. I do see remote ident of 37 on other site - posted after ASA output.

object-group network DM_INLINE_NETWORK_1
network-object 10.0.10.0 255.255.255.0
network-object 10.0.37.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 10.0.10.0 255.255.255.0
network-object 10.0.37.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 10.0.30.0 255.255.255.0

access-list Outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 10.0.30.0 255.255.255.0

asa5510

StamASA-GW1# show crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_map3, seq num: 5, local addr: asa5510

      access-list Outside_5_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      current_peer: jodyFW

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: jodyFW

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 73EEC8B3

    inbound esp sas:
      spi: 0xBFA9D832 (3215579186)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 331776, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4374000/28579)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x73EEC8B3 (1945028787)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 331776, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4374000/28579)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 2, local addr: asa5510

      access-list Outside_2_cryptomap permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (A-10.0.31.0/255.255.255.0/0/0)
      current_peer: nycIF1

      #pkts encaps: 20091, #pkts encrypt: 20661, #pkts digest: 20661
      #pkts decaps: 9257, #pkts decrypt: 9257, #pkts verify: 9257
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 20661, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: nycIF1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8DFF158F

    inbound esp sas:
      spi: 0xC6FA76B2 (3338303154)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 327680, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4369239/3357)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8DFF158F (2382304655)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 327680, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4361438/3357)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 3, local addr: asa5510

      access-list Outside_3_cryptomap permit ip 10.0.10.0 255.255.255.0 A-10.0.31.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (A-10.0.31.0/255.255.255.0/0/0)
      current_peer: nycIF2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 9288, #pkts decrypt: 9288, #pkts verify: 9288
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: nycIF2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 15E7AEB4

    inbound esp sas:
      spi: 0x5DE4643A (1575248954)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 319488, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4369234/3350)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x15E7AEB4 (367505076)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 319488, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4374000/3350)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 1, local addr: asa5510

      access-list Outside_1_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
      current_peer: sfIF1

      #pkts encaps: 195, #pkts encrypt: 195, #pkts digest: 195
      #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 195, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: sfIF1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DDF6C895

    inbound esp sas:
      spi: 0x7E94F9D7 (2123692503)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 344064, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373987/3400)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDDF6C895 (3723937941)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 344064, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373967/3400)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map3, seq num: 4, local addr: asa5510

      access-list Outside_4_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
      current_peer: sfIF2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: asa5510, remote crypto endpt.: sfIF2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 908610B3

    inbound esp sas:
      spi: 0xDA884B25 (3666365221)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 339968, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4373986/3399)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFDFFFFFF
    outbound esp sas:
      spi: 0x908610B3 (2424705203)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 339968, crypto-map: Outside_map3
         sa timing: remaining key lifetime (kB/sec): (4374000/3399)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

StamASA-GW1#

remote site

protected vrf:
local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.37.0/255.255.255.0/0/0)
current_peer: asa5510:500
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0
  #pkts not decompressed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0

   local crypto endpt.: sfif1, remote crypto endpt.: 65.51.223.78
   path mtu 1500, media mtu 1500
   current outbound spi: 0

   inbound esp sas:

   inbound ah sas:

   inbound pcp sas:

   outbound esp sas:

   outbound ah sas:

   outbound pcp sas:

protected vrf:
local  ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.37.0/255.255.255.0/0/0)
current_peer: asa5510:500
   PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0
  #pkts not decompressed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0

   local crypto endpt.: sfif2, remote crypto endpt.: 65.51.223.78
   path mtu 1500, media mtu 1500
   current outbound spi: 0

   inbound esp sas:

   inbound ah sas:

   inbound pcp sas:

   outbound esp sas:

   outbound ah sas:

Jennifer Halim Fri, 06/18/2010 - 10:26

Please add the following on the ASA:

policy-map global_policy
 class inspection_default
  inspect icmp

From the VPN Client, please try to ping 10.0.30.1.

Please also share the latest configuration, as the initially posted config does not have object-group DM_INLINE_NETWORK_1, etc., but the latest post has object-group configuration.

Please also be advised that you can't have two crypto ACLs with exactly the same content configured to two different remote peers. If you are configuring a backup tunnel with the second ISP on the router site, you should just configure one crypto map with two peers.

Example:

crypto map Outside_map3 1 match address Outside_1_cryptomap
crypto map Outside_map3 1 set peer sfrtrIF1 sfrtrIF2
crypto map Outside_map3 1 set transform-set ESP-DES-MD5
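A small offline check for the two things this thread turns on: a network (10.0.37.0/24) that never shows up in a tunnel's local ident, and the same crypto ACL content bound to two crypto map entries with different peers, which the answer above says will not work. This is an added example, not code from the thread or from Cisco. It assumes plain-text ASA config lines in the form quoted in the thread (explicit `access-list ... extended permit ip` entries, no object-groups) and the `local ident` / `remote ident` lines of `show crypto ipsec sa`; the sample config and output are constructed from the thread's own names (Outside_map3, Outside_1_cryptomap, Outside_4_cryptomap, sfIF1, sfIF2).

```python
"""Check ASA crypto-map entries for (a) identical crypto ACL content bound to
different peers and (b) a network missing from the local ident of an SA."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread: two entries, same ACL content,
# two different peers (the broken "backup tunnel" pattern).
BROKEN_CONFIG = """\
access-list Outside_1_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Outside_4_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
crypto map Outside_map3 1 match address Outside_1_cryptomap
crypto map Outside_map3 1 set peer sfIF1
crypto map Outside_map3 4 match address Outside_4_cryptomap
crypto map Outside_map3 4 set peer sfIF2
"""

# Constructed sample of the shape the answer recommends: one entry, two peers,
# and 10.0.37.0/24 added to the crypto ACL.
FIXED_CONFIG = """\
access-list Outside_1_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 10.0.37.0 255.255.255.0 10.0.30.0 255.255.255.0
crypto map Outside_map3 1 match address Outside_1_cryptomap
crypto map Outside_map3 1 set peer sfIF1 sfIF2
"""

# Constructed excerpt in the format of 'show crypto ipsec sa' on the ASA.
SAMPLE_SHOW = """\
    Crypto map tag: Outside_map3, seq num: 1, local addr: asa5510

      access-list Outside_1_cryptomap permit ip 10.0.10.0 255.255.255.0 10.0.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.30.0/255.255.255.0/0/0)
      current_peer: sfIF1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")


def parse_config(text):
    """Return (acls, entries): acl name -> [(src, dst)], (map, seq) -> {acl, peers}."""
    acls = defaultdict(list)
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((f"{s}/{sm}", f"{d}/{dm}"))  # dotted mask is accepted by ipaddress
        elif m := MATCH_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {"acl": None, "peers": []})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            entries.setdefault((m[1], int(m[2])), {"acl": None, "peers": []})["peers"].extend(m[3].split())
    return acls, entries


def duplicate_crypto_acls(acls, entries):
    """ACL contents bound to more than one crypto-map entry with differing peers."""
    by_content = defaultdict(list)
    for (cmap, seq), e in entries.items():
        if e["acl"] is not None:
            by_content[frozenset(acls[e["acl"]])].append((cmap, seq, tuple(e["peers"])))
    return [(sorted(c), sorted(v)) for c, v in by_content.items()
            if len(v) > 1 and len({peers for *_, peers in v}) > 1]


def entries_covering(acls, entries, local_net):
    """Crypto-map entries whose ACL has a source line containing local_net."""
    net = ipaddress.ip_network(local_net)
    return [(cmap, seq) for (cmap, seq), e in sorted(entries.items())
            if any(net.subnet_of(ipaddress.ip_network(src)) for src, _ in acls.get(e["acl"], []))]


def sa_ident_pairs(show_output):
    """Set of (local, remote) CIDR pairs found in 'show crypto ipsec sa' output."""
    pairs, local = set(), None
    for line in show_output.splitlines():
        if m := IDENT_RE.search(line):
            net = str(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
            if m[1] == "local":
                local = net
            elif local is not None:
                pairs.add((local, net))
                local = None
    return pairs


def missing_local_idents(show_output, expected_locals, remote):
    """Expected local networks that have no SA towards `remote` in the output."""
    have = sa_ident_pairs(show_output)
    return [n for n in expected_locals if (n, remote) not in have]


if __name__ == "__main__":
    acls, entries = parse_config(BROKEN_CONFIG)
    print("duplicate ACL content:", duplicate_crypto_acls(acls, entries))
    print("entries covering 10.0.37.0/24:", entries_covering(acls, entries, "10.0.37.0/24"))
    print("missing in SA output:",
          missing_local_idents(SAMPLE_SHOW, ["10.0.10.0/24", "10.0.37.0/24"], "10.0.30.0/24"))
```

Run against the broken sample it reports seq 1 and seq 4 as carrying the same ACL content towards different peers and shows that no entry covers 10.0.37.0/24, which is why that network never appears as a local ident; the fixed sample passes both checks. It only understands explicit network lines, so a config using object-groups (as in the later post) would have to be expanded first.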
