Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505 Tunnel Up no Traffic

I am pretty new to configuring ASAs.

I have a Site-to-Site VPN setup between two ASA 5505s.

The Tunnel is up and one side is sending but not receiving while the other is receiving but not sendind under the VPN monitoring tab.

The ASA that is receiving is our Main Office and it is connected to several other ASAs that are working as expected.

The setup for this is pretty basic. Cable modem with Static IP to ASA. No switches.

This is the third day I've been looking at this trying every troubleshooting step I can follow on the cisco forums.

ANY help or direction would be greatly appreciated.

This is the running config of the new ASA

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password jkrpsRYtu8nSWLEb encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.1.0 trinity

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.165 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 68.105.28.16

name-server 68.105.29.16

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list NO-NAT extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list 111 extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.168.245.161 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer xx.xx.xx.170

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.3.5-192.168.3.254 inside

dhcpd dns 68.105.28.16 68.105.29.16 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group xx.xx.xx.170 type ipsec-l2l

tunnel-group xx.xx.xx.170 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0813c1c5c45fef815e91cd7aebab0906

: end

asdm location trinity 255.255.255.0 inside

no asdm history enable

Let me know if I need to post the Main Office's running-config.

Thanks,

Mike

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

I only just noticed that you had posted about this same problem on the VPN section also.

What I noticed in those configurations is that you have multiple L2L VPN configurations that use the same ACL

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer Network C

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer Network D Network E

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 7 match address outside_7_cryptomap

crypto map outside_map 7 set pfs group1

crypto map outside_map 7 set peer Network J

crypto map outside_map 7 set transform-set ESP-3DES-SHA

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set pfs group1

crypto map outside_map 8 set peer Network K

crypto map outside_map 8 set transform-set ESP-3DES-SHA

Having 4x L2L VPN configurations with same parameters is something that is very strange in this configurations. I would suggest remove any useless configurations from Main Office.

It might well be the source of the problem. I have not seen any other problems in the configurations.

- Jouni

18 REPLIES
Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

I can't see any problems with this ASA configuration so the problem is most likely on the Main Office ASA.

What you could try to do on the Main Office ASA is run the following command

packet-tracer input icmp 192.168.1.100 8 0 192.168.3.100

In the above command replace the with the actual name of the interface that has the network 192.168.1.0/24 behind it.

Run the "packet-tracer" command twice and copy/paste the second output here completely

This might be related to NAT on the Main Office ASA.

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

Thank you for the quick response Jouni!

Result of the command: "packet-tracer input inside icmp 192.168.1.100 8 0 192.168.3.100"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (xx.xx.xx.170 [Interface PAT])

    translate_hits = 29541, untranslate_hits = 553

Additional Information:

Dynamic translate 192.168.1.100/0 to xx.xx.xx.170/28936 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 40508, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

You are missing NAT0 configuration atleast on the Main Office for the traffic between networks 192.168.1.0/24 and 192.168.3.0/24

So you probably have some existing NAT0 configuration on the Main Office that looks like this

nat (inside) 0 access-list

Now use the existing ACL name found in your configuration and add

access-list permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Or confirm if there is an existing line that might have somy typo and correct it

Then you can try to test the connections again or run the "packet-tracer" again.

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

Pardon my ignorance Jouni, but I think I have that statement already entered.

Then again I did try 100 different things with NAT. I will show the part of the running config dealing with ACLs.

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_5_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list outside_6_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging buffered debugging

logging asdm debugging

logging mail debugging

mtu inside 1500

mtu outside 1500

ip audit name IP_Attack attack action drop

ip audit name IP_Information info action alarm

ip audit interface inside IP_Information

ip audit interface inside IP_Attack

ip audit interface outside IP_Information

ip audit interface outside IP_Attack

ip audit signature 2000 disable

ip audit signature 2004 disable

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.4 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.169 1

Super Bronze

Re: ASA 5505 Tunnel Up no Traffic

Hi,

Since you say that the L2L VPN is up but is not passing traffic in both directions it would seem to indicate that the ACL in the "crypto map" statement is configured correct between the Main Office and the New Site.

However, in the above configurations I cant see this configuration that would configure NAT0

nat (inside) 0 access-list inside_nat0_outbound

The "packet-tracer" output that you posted (if it was from the Main Office ASA) told us that the traffic was hitting the Dynamic PAT translation on the ASA rather than a NAT0 configuration which it should have for the L2L VPN to work between the 2 sites.

This is the Phase where the traffic hits the wrong NAT rule/configuration

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (xx.xx.xx.170 [Interface PAT])

    translate_hits = 29541, untranslate_hits = 553

Additional Information:

Dynamic translate 192.168.1.100/0 to xx.xx.xx.170/28936 using netmask 255.255.255.255

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

I added  nat (inside) 0 access-list inside_nat0_outbound then re ran packet tracer from the MAIN OFFICE

Result of the command: "packet-tracer input inside icmp 192.168.1.100 8 0 192.168.3.100"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 192.168.1.0 255.255.255.0 outside 192.168.3.0 255.255.255.0

    NAT exempt

    translate_hits = 7, untranslate_hits = 7

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (xx.xx.xx.170 [Interface PAT])

    translate_hits = 32370, untranslate_hits = 800

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 9

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

Did you issue the same command twice and copy/paste the second output?

But from the above output we can already see that the correct NAT rule is matched and that the traffic matches VPN configurations.

Have you tested actual traffic between the sites.

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

Yes, i actually ran it three times. Then re ran it twice after you posted with same results. I have tried pinging across the network and tried connecting to a UNC path across the network with no luck. VPN connection monitor still showing traffic leaving (TX) but not receiving (RX) on the new ASA. and vice versa receiving but not sending on the main office. Though the 3 other active connections are sending and receiving.

ASA 5505 Tunnel Up no Traffic

I would point to this bug :

CSCtd36473

Configuration speaking we are good.

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

I am not sure if the BugID that Julio mentions is the same I ran into a year ago but in that case the ASA suffering from the bug was a Failover pair and a simple change of the Active device corrected the problem.

I would imagine that reboot would have also done the trick.

So if at all possible, I would suggest rebooting the ASA or if you have a Failover changing the Active device at Main Office. Naturally this could be done at a time where there is minimal or no users on the network.

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

I just rebooted both the Main office and the new site ASA.

when the main office came back online, it instantly created 4 vpn tunnels that would receive but not send. I sent the command

nat (inside) 0 access-list inside_nat0_outbound

and they all started sending except for the new site. new site is still only receiving on the main site.

Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

I only just noticed that you had posted about this same problem on the VPN section also.

What I noticed in those configurations is that you have multiple L2L VPN configurations that use the same ACL

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer Network C

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer Network D Network E

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 7 match address outside_7_cryptomap

crypto map outside_map 7 set pfs group1

crypto map outside_map 7 set peer Network J

crypto map outside_map 7 set transform-set ESP-3DES-SHA

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set pfs group1

crypto map outside_map 8 set peer Network K

crypto map outside_map 8 set transform-set ESP-3DES-SHA

Having 4x L2L VPN configurations with same parameters is something that is very strange in this configurations. I would suggest remove any useless configurations from Main Office.

It might well be the source of the problem. I have not seen any other problems in the configurations.

- Jouni

Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

Seems to me you could remove the VPN configurations with Priority 2, 7, 8

They seem to be identical to the one with the Priority 1 to me.

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

I didn't even notice that...

I have cleared out all other entries I believe.

This is the new running config of the Main office.

Should I reboot the ASA since clearing the other entries?

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password jkrpsRYtu8nSWLEb encrypted

passwd jkrpsRYtu8nSWLEb encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.170 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_5_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list outside_6_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging buffered debugging

logging asdm debugging

logging mail debugging

mtu inside 1500

mtu outside 1500

ip audit name IP_Information info action alarm

ip audit name IP_Attack attack action drop

ip audit interface inside IP_Information

ip audit interface inside IP_Attack

ip audit interface outside IP_Information

ip audit interface outside IP_Attack

ip audit signature 2000 disable

ip audit signature 2004 disable

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.4 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 69.172.13.169 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs group1

crypto map outside_map 3 set peer xx.xx.xx.184

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set pfs group1

crypto map outside_map 4 set peer xx.xx.xx.10

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 5 match address outside_5_cryptomap

crypto map outside_map 5 set pfs group1

crypto map outside_map 5 set peer xx.xx.xx.197

crypto map outside_map 5 set transform-set ESP-3DES-SHA

crypto map outside_map 6 match address outside_6_cryptomap

crypto map outside_map 6 set pfs group1

crypto map outside_map 6 set peer xx.xx.xx.106

crypto map outside_map 6 set transform-set ESP-3DES-SHA

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set pfs group1

crypto map outside_map 8 set peer xx.xx.xx.165

crypto map outside_map 8 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

username sparkhound password L7SKGsuWrrh9fFyb encrypted privilege 15

username admin password ew9az97L9PJabfIp encrypted privilege 15

tunnel-group xx.xx.xx.184 type ipsec-l2l

tunnel-group xx.xx.xx.184 ipsec-attributes

pre-shared-key *

tunnel-group xx.xx.xx.10 type ipsec-l2l

tunnel-group xx.xx.xx.10 ipsec-attributes

pre-shared-key *

tunnel-group xx.xx.xx.197 type ipsec-l2l

tunnel-group xx.xx.xx.197 ipsec-attributes

pre-shared-key *

tunnel-group xx.xx.xx.106 type ipsec-l2l

tunnel-group xx.xx.xx.106 ipsec-attributes

pre-shared-key *

tunnel-group xx.xx.xx.165 type ipsec-l2l

tunnel-group xx.xx.xx.165 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c791e5e7717d3f94a39f8e2e4459ba23

: end

no asdm history enable

Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

I dont think you need to reboot.

You could make sure that there the VPN is not active by logging it out and then trying to bring it back up and testing actual connections

- Jouni

New Member

ASA 5505 Tunnel Up no Traffic

Jouni,

You were right, the multiple L2L VPN configurations using the same ACL were causing the issue.

We had set those up before the ISP gave us our static IP just to test.

After i cleared out the ones you pointed out to me and logged off then back everything came through perfectly!


Thank you so much for the help words don't even begin to explain how grateful I am!!

-Mike

Super Bronze

ASA 5505 Tunnel Up no Traffic

Hi,

Great to hear that its working now

Do remember to save the configurations on the devices. And it would also be a great time to copy the configurations as backups on your computer if you happen to run into some problematic situation in the future because of configurations changes. Then you will have something to fall back to restore the situation to normal.

- Jouni

ASA 5505 Tunnel Up no Traffic

Hello Jouni,

Great work man! Kudos to U

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
2367
Views
0
Helpful
18
Replies