ASA 5505 to 5510 established but no traffic

Unanswered Question
Aug 9th, 2010

I've established a site-to-site connection between the devices, but cannot get any traffic. Both ends can still reach the Internet, but I cannot ping any addresses either way, nor browse or pass any other traffic. I have no idea how to debug this; I can post anything that would help.

Under monitoring, it shows the connection is established.

Thanks in advance

Nagaraja Thanthry Mon, 08/09/2010 - 08:24

Hello,

Do you have appropriate nat-0 rules for the traffic to go over the tunnel?

access-list nonat permit ip

nat (inside) 0 access-list nonat

If it is not there, please configure these and try again.

Hope this helps.

Regards,

NT

manish arora Mon, 08/09/2010 - 08:26

Can you post the configurations, please? I also need the output of sh crypto isakmp sa and sh crypto ipsec sa. Also issue the command sysopt connection permit-vpn.

Thanks

Manish

gene.mccullough Mon, 08/09/2010 - 08:46

ASA Version 8.3(1)
!
hostname ciscoasa
domain-name center.com
enable password JcssSZFNC1Tuf.uj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.99 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.XXXX 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 24.116.2.50
name-server 24.116.2.34
domain-name frisco-center.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CityHall
subnet 172.16.100.0 255.255.252.0
description City Hall Network 
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object CityHall
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object CityHall
access-list nonat extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static CityHall CityHall
route outside 0.0.0.0 0.0.0.0 67.60.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 24.116.132.42
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.103-192.168.1.134 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CityHallGroupPolicy internal
group-policy CityHallGroupPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 24.116.132.42 type ipsec-l2l
tunnel-group 24.116.132.42 general-attributes
default-group-policy CityHallGroupPolicy
tunnel-group 24.116.132.42 ipsec-attributes
pre-shared-key *****
tunnel-group CityHallTunnelGroup type ipsec-l2l
tunnel-group CityHallTunnelGroup general-attributes
default-group-policy CityHallGroupPolicy
tunnel-group CityHallTunnelGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f06c269985c47fead6b865d58f60f35d
: end

gene.mccullough Mon, 08/09/2010 - 08:53

Result of the command: "sh crypto isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 24.116.132.42
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Result of the command: "sh crypto ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 67.60.168.34

      access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.252.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      current_peer: 24.116.132.42

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 3447, #pkts decrypt: 3447, #pkts verify: 3447
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.60.168.34/0, remote crypto endpt.: 24.116.132.42/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7B8155A0
      current inbound spi : 77675A2C

    inbound esp sas:
      spi: 0x77675A2C (2003261996)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373776/26514)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7B8155A0 (2072073632)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/26514)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

manish arora Mon, 08/09/2010 - 09:34

Umm.. you are using version 8.3, which comes with new NAT commands, and I believe you are missing the NAT exempt for tunnel traffic. Please try this:

object network obj-192.168.x.x
  subnet 192.168.x.x

object network obj-172.16.x.x
  subnet 172.16.x.x

nat (inside,any) source static obj-192.168.x.x obj-192.168.x.x destination static obj-172.16.x.x obj-172.16.x.x

Any 8.3 experts should comment on this if I am wrong.

thanks

Manish
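
To make the point about 8.3 NAT concrete, here is an added example (my code, not from the thread, from Cisco or from the ASA) that models one documented 8.3+ behaviour: manual NAT rules in section 1 are evaluated top-down, the first match wins, and a rule added without a line number goes to the end of that section. It replays the two section-1 rules from the 5505 config above, in the order they were posted, for a 192.168.1.70 -> 172.16.102.50 flow (addresses from the thread), and then with the identity rule first. The object table, the rule parser and the flow are constructed for the example; it ignores interface pairs, services and object NAT (section 2).

```python
"""
Model of how an ASA running 8.3+ picks a manual NAT rule for a flow.

Added example for this thread; not code from the thread, from Cisco or from
the ASA. It encodes one behaviour only: manual ("twice") NAT rules in
section 1 are evaluated top-down and the first match wins, ahead of object
NAT in section 2. Interface pairs, services and object NAT are ignored.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Network objects named in the 5505 config (constructed lookup; "any" = 0.0.0.0/0).
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "CityHall": ipaddress.ip_network("172.16.100.0/22"),
    "NETWORK_OBJ_192.168.1.0_24": ipaddress.ip_network("192.168.1.0/24"),
}

RULE_RE = re.compile(
    r"nat \((?P<ifaces>[^)]+)\) source (?P<kind>static|dynamic) "
    r"(?P<real>\S+) (?P<mapped>\S+)"
    r"(?: destination static (?P<dreal>\S+) (?P<dmapped>\S+))?"
)


@dataclass
class ManualNatRule:
    text: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # 0.0.0.0/0 when the rule has no destination clause
    identity: bool               # "source static X X": matched traffic keeps its real addresses


def parse_rule(line: str) -> ManualNatRule:
    """Parse one section-1 'nat (...) source ...' line into a matchable rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a manual NAT rule: {line!r}")
    src = OBJECTS[m["real"]]
    dst = OBJECTS[m["dreal"]] if m["dreal"] else OBJECTS["any"]
    identity = m["kind"] == "static" and m["real"] == m["mapped"]
    return ManualNatRule(line.strip(), src, dst, identity)


def first_match(rules: List[ManualNatRule], src_ip: str, dst_ip: str) -> Optional[ManualNatRule]:
    """Section-1 semantics: walk the rules in configured order and return the
    first whose real source and destination both contain the flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule
    return None


def exempt_from_translation(rules: List[ManualNatRule], src_ip: str, dst_ip: str) -> bool:
    """True only if the winning rule is an identity rule, i.e. the packet keeps
    its real addresses and can still be matched by the crypto ACL."""
    rule = first_match(rules, src_ip, dst_ip)
    return rule is not None and rule.identity


# The two section-1 rules exactly as they appear in the 5505 config, in that order.
AS_POSTED = [parse_rule(line) for line in (
    "nat (inside,outside) source dynamic any interface",
    "nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 "
    "destination static CityHall CityHall",
)]
# The same two rules with the identity rule first (what inserting it at line 1 gives).
IDENTITY_FIRST = list(reversed(AS_POSTED))

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("identity first", IDENTITY_FIRST)):
        hit = first_match(rules, "192.168.1.70", "172.16.102.50")
        print(f"{name:15s} 192.168.1.70 -> 172.16.102.50 matches: {hit.text}")
        print(f"{'':15s} exempt from translation: "
              f"{exempt_from_translation(rules, '192.168.1.70', '172.16.102.50')}")
```

Run it with python3; it prints which rule wins under each ordering. On a real ASA, show nat (or show nat detail) lists section 1 in evaluation order with per-rule hit counts, which is the check to run before and after inserting an exemption.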

gene.mccullough Mon, 08/09/2010 - 09:28

ASA Version 8.3(1)
!
hostname ciscoasa
domain-name clintonokla.org
enable password JcssSZFNC1Tuf.uj encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 FriscoCenter
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
description First floor of city hall
nameif FirstFloor
security-level 100
ip address 172.16.100.1 255.255.252.0
!
interface Ethernet0/3
description CableOne ISP connection
nameif CableOne
security-level 0
ip address 24.116.132.42 255.255.255.248
!
interface Management0/0
description Used for management of device
nameif management
security-level 100
ip address 10.0.0.1 255.255.0.0
management-only
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name clintonokla.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-172.16.100.0
subnet 172.16.100.0 255.255.252.0
object network FriscoCenter
subnet 192.168.1.0 255.255.255.0
object network obj-172.16.101.89
host 172.16.101.89
object network obj-172.16.101.89-01
host 172.16.101.89
object network obj-172.16.102.50
host 172.16.102.50
object network obj-172.16.102.50-01
host 172.16.102.50
object network obj-172.16.102.50-02
host 172.16.102.50
object network obj-172.16.101.89-02
host 172.16.101.89
object network obj-172.16.101.89-03
host 172.16.101.89
object network obj-172.16.101.89-04
host 172.16.101.89
object network obj-172.16.101.89-05
host 172.16.101.89
object network obj-172.16.101.80
host 172.16.101.80
object network obj-172.16.101.25
host 172.16.101.25
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network AcmeBrick-network
subnet 192.168.10.0 255.255.255.0
description Acme Brick Park Network connected to CableOne
object network NETWORK_OBJ_172.16.100.0_22
subnet 172.16.100.0 255.255.252.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 24.116.132.43
network-object host 24.116.132.44
object-group service DM_INLINE_TCP_2 tcp
port-object eq 10000
port-object eq 8080
port-object eq www
port-object eq https
port-object eq ssh
object-group service DM_INLINE_TCP_1 tcp
port-object eq imap4
port-object eq pop3
port-object eq 465
port-object eq 993
port-object eq 995
object-group service DM_INLINE_TCP_3 tcp
port-object eq 5500
port-object eq 5900
object-group network DM_INLINE_NETWORK_1
network-object host 172.16.101.25
network-object host 172.16.101.89
access-list FirstFloor_nat0_outbound extended permit ip 172.16.100.0 255.255.252.0 object FriscoCenter
access-list ClintonWAN_splitTunnelAcl standard permit any
access-list 110 extended permit tcp host 192.168.1.44 any eq www inactive
access-list CableOne_1_cryptomap extended permit ip 172.16.100.0 255.255.252.0 object FriscoCenter
access-list CableOne_access_in extended permit tcp any any eq 3389
access-list CableOne_access_in remark Migration, ACE (line 2) expanded: permit tcp any object-group DM_INLINE_NETWORK_2 eq smtp
access-list CableOne_access_in extended permit tcp any host 172.16.101.25 eq smtp
access-list CableOne_access_in extended permit tcp any host 172.16.101.89 eq smtp
access-list CableOne_access_in remark Migration: End of expansion
access-list CableOne_access_in extended permit tcp any host 172.16.101.80 object-group DM_INLINE_TCP_2
access-list CableOne_access_in remark Migration, ACE (line 4) expanded: permit tcp any host 24.116.132.44 object-group DM_INLINE_TCP_1
access-list CableOne_access_in extended permit tcp any host 172.16.101.89 eq imap4
access-list CableOne_access_in extended permit tcp any host 172.16.101.89 eq pop3
access-list CableOne_access_in extended permit tcp any host 172.16.101.89 eq 465
access-list CableOne_access_in extended permit tcp any host 172.16.101.89 eq 993
access-list CableOne_access_in extended permit tcp any host 172.16.101.89 eq 995
access-list CableOne_access_in remark Migration: End of expansion
access-list CableOne_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
access-list CableOne_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp
access-list CableOne_access_in extended deny tcp any any eq smtp
access-list CableOne_access_in remark Attempting to hack web server
access-list CableOne_access_in extended deny ip host 117.41.229.178 any
pager lines 24
logging enable
logging timestamp
logging list IP_Notification level notifications class ip
logging list VPN_DEBUG level debugging class vpdn
logging list VPN_DEBUG level debugging class vpn
logging list VPN_DEBUG level debugging class vpnc
logging list VPN_DEBUG level debugging class vpnfo
logging asdm-buffer-size 512
logging console debugging
logging monitor warnings
logging buffered errors
logging trap errors
logging asdm IP_Notification
logging mail VPN_DEBUG
logging from-address [email protected]
logging recipient-address [email protected] level emergencies
logging host FirstFloor 172.16.101.80
logging debug-trace
logging permit-hostdown
mtu FirstFloor 1500
mtu CableOne 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit FriscoCenter 255.255.255.0 FirstFloor
icmp permit FriscoCenter 255.255.255.0 CableOne
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (FirstFloor,any) source static obj-172.16.100.0 obj-172.16.100.0 destination static FriscoCenter FriscoCenter
nat (FirstFloor,CableOne) source static NETWORK_OBJ_172.16.100.0_22 NETWORK_OBJ_172.16.100.0_22 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24
!
object network obj-172.16.100.0
nat (FirstFloor,CableOne) dynamic interface
object network obj-172.16.101.89
nat (FirstFloor,CableOne) static 24.116.132.44 service tcp pop3 pop3
object network obj-172.16.101.89-01
nat (FirstFloor,CableOne) static 24.116.132.44 service tcp imap4 imap4
object network obj-172.16.102.50
nat (FirstFloor,CableOne) static 24.116.132.46 service tcp 5500 5500
object network obj-172.16.102.50-01
nat (FirstFloor,CableOne) static 24.116.132.46 service tcp 3389 3389
object network obj-172.16.102.50-02
nat (FirstFloor,CableOne) static 24.116.132.46 service tcp 5900 5900
object network obj-172.16.101.89-02
nat (FirstFloor,CableOne) static 24.116.132.44 service tcp smtp smtp
object network obj-172.16.101.89-03
nat (FirstFloor,CableOne) static 24.116.132.44 service tcp 993 993
object network obj-172.16.101.89-04
nat (FirstFloor,CableOne) static 24.116.132.44 service tcp 995 995
object network obj-172.16.101.89-05
nat (FirstFloor,CableOne) static 24.116.132.44 service tcp 465 465
object network obj-172.16.101.80
nat (FirstFloor,CableOne) static 24.116.132.45
object network obj-172.16.101.25
nat (FirstFloor,CableOne) static 24.116.132.43
object network obj_any
nat (FirstFloor,CableOne) dynamic obj-0.0.0.0
object network obj_any-01
nat (management,CableOne) dynamic obj-0.0.0.0
access-group CableOne_access_in in interface CableOne
!
route-map proxy-redirect permit 10
match ip address 110
set metric 1
!
route CableOne 0.0.0.0 0.0.0.0 24.116.132.41 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable 543
http 10.0.0.52 255.255.255.255 management
http 10.0.0.0 255.255.0.0 management
http 10.0.0.44 255.255.255.255 management
http 192.168.1.44 255.255.255.255 management
http FriscoCenter 255.255.255.0 management
http 192.168.1.184 255.255.255.255 management
http 172.16.102.50 255.255.255.255 management
http 67.61.228.229 255.255.255.255 CableOne
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map CableOne_map 1 match address CableOne_1_cryptomap
crypto map CableOne_map 1 set pfs group1
crypto map CableOne_map 1 set peer 67.60.168.34
crypto map CableOne_map 1 set transform-set ESP-3DES-MD5
crypto map CableOne_map 1 set nat-t-disable
crypto map CableOne_map 1 set reverse-route
crypto map CableOne_map interface CableOne
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email [email protected]
subject-name CN=ciscoasa
serial-number
ip-address 24.116.132.42
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate cbb0284c
    308202b4 3082021d a0030201 020204cb b0284c30 0d06092a 864886f7 0d010105
    0500306c 3111300f 06035504 03130863 6973636f 61736131 57301206 03550405
    130b4a4d 58313233 354c3139 33301a06 092a8648 86f70d01 0908130d 32342e31
    31362e31 33322e34 32302506 092a8648 86f70d01 09021618 63697363 6f617361
    2e636c69 6e746f6e 6f6b6c61 2e6f7267 301e170d 31303037 32323139 34353031
    5a170d32 30303731 39313934 3530315a 306c3111 300f0603 55040313 08636973
    636f6173 61315730 12060355 0405130b 4a4d5831 3233354c 31393330 1a06092a
    864886f7 0d010908 130d3234 2e313136 2e313332 2e343230 2506092a 864886f7
    0d010902 16186369 73636f61 73612e63 6c696e74 6f6e6f6b 6c612e6f 72673081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b7 8171a7d6
    86ee32f8 4bc68b40 5b8143ab ad430393 a30ca76d c47b8fb9 2b9f42aa c0941620
    4b1b8341 c9275fbe 9024f62a 1d2d663b 279fc9a3 b04bdc0d ca431089 2797ebcd
    21517879 926046fd 455fdb7f fb6c97ad d0c0f9d4 69aad3ce 8b5c6068 bfd182d2
    6edbfe92 684023e6 768abce4 ed9d75db 95aeee65 08722885 b3cb9d02 03010001
    a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04
    04030201 86301f06 03551d23 04183016 80141127 b47e3e38 5f942500 7827acb4
    a82e6202 b754301d 0603551d 0e041604 141127b4 7e3e385f 94250078 27acb4a8
    2e6202b7 54300d06 092a8648 86f70d01 01050500 03818100 b34e1d2c 16b52f27
    85ea015f 359d383f aa71d264 878f3cef 457f1265 1e845c94 f82d602a 63de9b45
    adff8d47 58ee5fbf 409a5aea 4ebfc7b6 72182b01 678917a1 ffe6e3d7 ef469127
    81cf495a 9bece16b 5b4e2920 84e38afa 93518651 45d170fc 924f9dff a45595cf
    7faae1c2 62fdb73a e86f443a ba638eb8 2438cff3 b7faf1cb
  quit
crypto isakmp identity address
crypto isakmp enable CableOne
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
client-update enable
telnet timeout 5
ssh 192.168.1.91 255.255.255.255 management
ssh 10.0.0.0 255.255.0.0 management
ssh timeout 15
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
group-policy AcmeGroupPolicy internal
group-policy AcmeGroupPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CityGroupPolicy internal
group-policy CityGroupPolicy attributes
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
username gene password TN3sFvBSa44uSGUN encrypted privilege 15
username gene attributes
vpn-group-policy DfltGrpPolicy
tunnel-group 67.60.168.34 type ipsec-l2l
tunnel-group 67.60.168.34 general-attributes
default-group-policy CityGroupPolicy
tunnel-group 67.60.168.34 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ftp
  inspect icmp
  inspect ip-options
class class-default
  csc fail-open
  inspect pptp
policy-map type inspect ftp Clinton
parameters
  mask-syst-reply
policy-map type inspect http CLINTON
parameters
  protocol-violation action log
match request header content-type violation
  log
match response header content-type violation
  log
!
service-policy global_policy global
smtp-server 172.16.101.25 172.16.101.89
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5e7fbe56f0b17cc8a50efe9dbde1093f
: end

gene.mccullough Mon, 08/09/2010 - 09:30

Result of the command: "sh crypto isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 67.60.168.34
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Result of the command: "sh crypto ipsec sa"

interface: CableOne
    Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42

      access-list CableOne_1_cryptomap extended permit ip 172.16.100.0 255.255.252.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 67.60.168.34

      #pkts encaps: 6752, #pkts encrypt: 6752, #pkts digest: 6752
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6752, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 24.116.132.42/0, remote crypto endpt.: 67.60.168.34/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 77675A2C
      current inbound spi : 7B8155A0

    inbound esp sas:
      spi: 0x7B8155A0 (2072073632)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3596288, crypto-map: CableOne_map
         sa timing: remaining key lifetime (kB/sec): (3914999/24255)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0007FFFF
    outbound esp sas:
      spi: 0x77675A2C (2003261996)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 3596288, crypto-map: CableOne_map
         sa timing: remaining key lifetime (kB/sec): (3914560/24255)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

manish arora Mon, 08/09/2010 - 09:37

Yeah, looking at the other end's configuration, you are missing the NAT exempt commands. Check my previous reply and update that on your ASA; you can see the NAT exempt in your last ASA config upload.

hope it helps

manish

gene.mccullough Mon, 08/09/2010 - 10:01

Thank you for looking. I've applied those commands successfully, but I still can't ping across in either direction.

I had this working with a Cisco RVS4000 before replacing it with the 5505.

manish arora Mon, 08/09/2010 - 10:08

Can you recheck the crypto ipsec sa and see if the 5505 ASA has now started to encrypt packets when you send traffic from the 192.168.x.x site to the 172.16.x.x site?

gene.mccullough Mon, 08/09/2010 - 11:49

To me, the untrained eye, they look the same as in the previous post. Thanks, gene

Result of the command: "sho crypto ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 67.60.168.34

      access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 172.16.100.0 255.255.252.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      current_peer: 24.116.132.42

      #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
      #pkts decaps: 18722, #pkts decrypt: 18722, #pkts verify: 18722
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 51, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.60.168.34/0, remote crypto endpt.: 24.116.132.42/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7B8155A0
      current inbound spi : 77675A2C

    inbound esp sas:
      spi: 0x77675A2C (2003261996)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4372782/16095)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7B8155A0 (2072073632)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 24576, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/16095)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
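
The encaps/decaps counters in the outputs above already say which direction is failing. The parser below is an added example (my code, not from the thread or from Cisco) that reads the relevant lines of show crypto ipsec sa from both ends, checks that the two outputs describe the same tunnel, and flags an end that decrypts far more than it encrypts, which is what the 5505 shows (9 encrypted against 3447 decrypted, while the 5510 shows 6752 against 18). The two samples are trimmed copies of the outputs posted in this thread; the 10:1 threshold and the MSS helper are my choices, and it goes slightly beyond the thread by also reporting send/recv errors.

```python
"""
Parse 'show crypto ipsec sa' from both ends of a site-to-site tunnel and
flag one-way traffic from the packet counters.

Added example for this thread; not code from the thread or from Cisco.
The samples are trimmed from the outputs posted above (the 5505 at
67.60.168.34, the 5510 at 24.116.132.42). The 10:1 ratio is a constructed
threshold, not an ASA value.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_5505 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 67.60.168.34
      current_peer: 24.116.132.42
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 3447, #pkts decrypt: 3447, #pkts verify: 3447
      #send errors: 0, #recv errors: 0
      path mtu 1500, ipsec overhead 58, media mtu 1500
"""

SAMPLE_5510 = """\
interface: CableOne
    Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42
      current_peer: 67.60.168.34
      #pkts encaps: 6752, #pkts encrypt: 6752, #pkts digest: 6752
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
      #send errors: 0, #recv errors: 0
      path mtu 1500, ipsec overhead 58, media mtu 1500
"""

LOCAL_RE = re.compile(r"local addr: (\S+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")
MTU_RE = re.compile(r"path mtu (\d+), ipsec overhead (\d+)")


@dataclass
class SaStats:
    local: str
    peer: str
    encaps: int          # packets this end put into the tunnel
    decaps: int          # packets this end took out of the tunnel
    send_errors: int
    recv_errors: int
    path_mtu: int
    ipsec_overhead: int


def parse_ipsec_sa(text: str) -> SaStats:
    """Extract the fields that matter for a one-way-traffic diagnosis."""
    local, peer, mtu, err = (r.search(text) for r in (LOCAL_RE, PEER_RE, MTU_RE, ERROR_RE))
    counters = {name: int(n) for name, n in COUNTER_RE.findall(text)}
    if not (local and peer and mtu and err and {"encaps", "decaps"} <= counters.keys()):
        raise ValueError("not recognisable 'show crypto ipsec sa' output")
    return SaStats(local.group(1), peer.group(1), counters["encaps"], counters["decaps"],
                   int(err.group(1)), int(err.group(2)), int(mtu.group(1)), int(mtu.group(2)))


def diagnose(a: SaStats, b: SaStats, ratio: float = 10.0) -> List[str]:
    """Compare the two ends of one tunnel. Counters are cumulative over the SA
    lifetime, so take both snapshots at about the same time. An end that
    decrypts far more than it encrypts is receiving traffic but not putting
    replies into the tunnel; on 8.3 the usual causes are a NAT rule that
    translates the reply before the crypto ACL sees it, or a routing problem."""
    findings: List[str] = []
    if a.peer != b.local or b.peer != a.local:
        findings.append(f"outputs are not the two ends of one tunnel: "
                        f"{a.local}<->{a.peer} vs {b.local}<->{b.peer}")
        return findings
    for here, there in ((a, b), (b, a)):
        if here.decaps > ratio * max(here.encaps, 1):
            findings.append(f"one-way: {here.local} decrypted {here.decaps} packets but encrypted "
                            f"only {here.encaps}; replies toward {there.local} are not entering the tunnel")
        if here.send_errors or here.recv_errors:
            findings.append(f"{here.local}: send errors {here.send_errors}, recv errors {here.recv_errors}")
    return findings


def tcp_mss_ceiling(stats: SaStats) -> int:
    """Largest TCP payload that fits one path-MTU packet after ESP tunnel-mode
    encapsulation: MTU minus the reported IPsec overhead minus the inner IP (20)
    and TCP (20) headers. The ASA default of 1380 for 'sysopt connection
    tcpmss' sits below this ceiling."""
    return stats.path_mtu - stats.ipsec_overhead - 40


if __name__ == "__main__":
    a, b = parse_ipsec_sa(SAMPLE_5505), parse_ipsec_sa(SAMPLE_5510)
    for line in diagnose(a, b) or ["no asymmetry detected"]:
        print(line)
    print(f"TCP MSS ceiling on this path: {tcp_mss_ceiling(a)}")
```

On the thread's numbers the script reports the 5505 (67.60.168.34) as the end whose replies never enter the tunnel, and an MSS ceiling of 1402 for a 1500-byte path with 58 bytes of IPsec overhead.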

gene.mccullough Mon, 08/09/2010 - 12:06

I see this in the log from the 5505, trying to ping from the 5510 side. It looks like it is getting into the 5505, but not back out.

3 | Aug 09 2010 | 11:54:09 | 305006 | 172.16.102.50 | regular translation creation failed for icmp src inside:192.168.1.70 dst outside:172.16.102.50 (type 0, code 0)

6 | Aug 09 2010 | 11:54:09 | 302020 | 172.16.102.50 | 1 | 192.168.1.70 | 0 | Built inbound ICMP connection for faddr 172.16.102.50/1 gaddr 192.168.1.70/0 laddr 192.168.1.70/0

manish arora Mon, 08/09/2010 - 12:16

On the 5510 ASA, can you remove the following:

  crypto map CableOne_map 1 set nat-t-disable
  crypto map CableOne_map 1 set reverse-route

then remove the crypto map from both ASAs' outside interfaces and then reapply them.

thanks

Manish

gene.mccullough Mon, 08/09/2010 - 13:08

I am now able to RDP into a machine behind the 5505, but still no ping ability. Thanks for all of your help!

gene

manish arora Mon, 08/09/2010 - 13:18

Not being able to ping while you can RDP means that the device is running some kind of firewall, or antivirus with firewall capability.

thanks

Manish

gene.mccullough Mon, 08/09/2010 - 14:30

Unfortunately, I can't ping anything in either direction. I cannot browse Windows shares or ping, but can RDP to machines that are enabled. Any thoughts?

Thanks again, gene

manish arora Mon, 08/09/2010 - 14:43

Issue the command sysopt connection permit-vpn on both firewalls. Try the Windows share using the IP address; also, you might have to reduce the TCP MSS on the Windows file share to accommodate the IPsec encapsulation on the IP packet. Also, check again that any local server or machine firewall is turned off and that the inside access lists on the firewalls are set to permit any any.

thanks

Manish
