Two tunnels in one Crypto-Map

abatson
Level 1

I've got an ASA 5505 on my hands, with the enterprise license. In the example above, VPN "22" tunnel is up & passes traffic just fine. VPN "11" won't come up. I think I'm missing something. Is it related to the two lines at the bottom?

crypto map MyVPN 11 match address toVPN-A
crypto map MyVPN 11 set pfs
crypto map MyVPN 11 set peer VPN-A_Peer
crypto map MyVPN 11 set transform-set ESP-3DES-MD5
-----------------------------------------------
crypto map MyVPN 22 match address toVPN-B
crypto map MyVPN 22 set pfs
crypto map MyVPN 22 set peer VPN-B_Peer
crypto map MyVPN 22 set transform-set ESP-DES-MD5
crypto map MyVPN interface outside
crypto isakmp policy 22
crypto isakmp nat-traversal 22

Thanks,

  Alex

Accepted Solution

If the tunnel goes down the route will still be in place. You would need to create a track object that tests reachability over the VPN and associate it with the route that sends traffic over the VPN. Then, if the remote destination is not reachable, the route will be removed and the route with the higher metric will take over.

--
Please remember to select a correct answer and rate helpful posts


22 Replies

jumora
Level 7

Please send the complete configuration. We need to know the version that you're using, are you using pre-share, do you have debugs, what is the interesting traffic, are you supposed to use ESP-DES-MD5 or ESP-3DES-MD5.

Value our effort and rate the assistance!

Did you configure tunnel-group, can you reach the remote peer? So much to ask without the configuration.

Please use this guide for configuration example:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.pdf

OK, below is a sanitized config. Publicly routable IPs have been changed. In the example the TSI tunnel works fine but the Forestville tunnel won't come up.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.11.05 14:00:23 =~=~=~=~=~=~=~=~=~=~=~=
DASS-VPN#
DASS-VPN# show runt
: Saved
:
ASA Version 8.2(1)
!
hostname DASS-VPN
domain-name dass
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.6.115 Forestville_FTP1
name 192.168.6.116 Forestville_FTP2
name 192.168.4.160 Forestville-FTP
name 15.16.17.18 Forestville_PEER
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.28.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.189.157 255.255.254.0
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan4
 nameif LEO-GEO
 security-level 80
 ip address 192.168.29.1 255.255.255.0
!
interface Vlan5
 nameif EXT-FTP
 security-level 70
 ip address 192.168.27.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/6
 switchport access vlan 5
!
interface Ethernet0/7
!
banner login ....................
banner login ................
banner login ...............
!
banner motd ...............
banner motd ...............
banner motd ...............
ftp mode passive
dns server-group DefaultDNS
 domain-name dass

access-list toTSI extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.128 10.25.0.0 255.255.255.0
access-list exclude_from_nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list exclude_from_nat extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list toForestville extended permit ip host 182.168.28.74 host Forestville-FTP
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP1
access-list toForestville extended permit ip host 192.168.28.72 host Forestville_FTP2
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-data
access-list tsi_policy extended permit udp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 eq pcanywhere-status
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.0 eq 3389
access-list tsi_policy extended permit tcp 10.25.0.0 255.255.255.0 host 192.168.28.71 eq 1433
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo-reply
access-list tsi_policy extended permit icmp 10.25.0.0 255.255.255.0 192.168.28.0 255.255.255.128 echo
access-list Forestville_vpn_filter extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP2 eq ftp host 192.168.28.72
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 host 192.168.28.72 eq ftp
access-list Forestville_vpn_filter extended permit tcp host Forestville_FTP1 eq ftp host 192.168.28.72
access-list outside_access_in remark Allow HTTPS access to Packet Data Server (SRV3)
access-list outside_access_in extended permit tcp any host 172.16.189.157 eq https log
access-list DMZ_access_in remark Allows traffic inbound from frame-relay
access-list DMZ_access_in extended permit tcp host Forestville-FTP host 192.168.28.74 eq ftp
access-list DMZ_access_in extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list inside_access_in remark Allows traffic into ASA from Inside
access-list inside_access_in extended permit tcp host 192.168.28.74 host Forestville-FTP eq ftp
access-list inside_access_in extended permit tcp host 192.168.28.74 192.168.29.0 255.255.255.0 eq ftp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list FTP-test remark For testing FTP packets
access-list FTP-test extended permit tcp host 192.168.28.72 host Forestville-FTP
access-list NEO-GEO-in remark allows traffic out of NEO-GEO net
access-list NEO-GEO-in extended permit udp any host 172.16.244.173 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.50.17 eq domain
access-list NEO-GEO-in extended permit udp any host 172.16.10.134 eq domain
access-list NEO-GEO-in extended permit tcp host 192.168.29.13 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.11 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.23 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended permit tcp host 192.168.29.21 host 192.168.28.74 eq ftp
access-list NEO-GEO-in extended deny ip any 192.168.28.0 255.255.255.0
access-list NEO-GEO-in extended permit ip any any
access-list EXT-FTP-in remark allows traffic out of EXT-FTP network
access-list EXT-FTP-in extended permit ip any any
access-list SAR-no-nat extended permit ip 192.168.28.0 255.255.255.0 192.168.29.0 255.255.255.0
access-list LUT-no-nat extended permit ip 192.168.29.0 255.255.255.0 192.168.28.0 255.255.255.0

pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging history notifications
logging asdm informational
logging facility 16
logging device-id hostname
logging host outside 172.16.195.171
logging host outside 172.16.167.138
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu LEO-GEO 1500
mtu EXT-FTP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any unreachable outside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list exclude_from_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (LEO-GEO) 0 access-list LUT-no-nat
nat (LEO-GEO) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.28.72 https netmask 255.255.255.255  dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group NEO-GEO-in in interface LEO-GEO
access-group EXT-FTP-in in interface EXT-FTP
route outside 0.0.0.0 0.0.0.0 172.16.188.1 1
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 65000
http 192.168.28.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map DassVPN 500 match address toForestville
crypto map DassVPN 500 set pfs
crypto map DassVPN 500 set peer Forestville_PEER
crypto map DassVPN 500 set transform-set ESP-3DES-MD5
crypto map DassVPN 1000 match address toTSI
crypto map DassVPN 1000 set pfs
crypto map DassVPN 1000 set peer 12.13.14.15 <>
crypto map DassVPN 1000 set transform-set ESP-DES-MD5
crypto map DassVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1000
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1000

telnet timeout 60
ssh 192.168.28.0 255.255.255.0 inside
ssh Comcast-IP 255.255.255.255 outside
ssh 172.16.166.209 255.255.255.255 outside
ssh 172.16.167.110 255.255.255.255 outside
ssh timeout 60
console timeout 60
dhcpd ping_timeout 750
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.28.50 source inside prefer
tftp-server inside 192.168.28.72 DASS-ASA-Config_yyyy-mm-dd.txt
webvpn
group-policy ForestvillePolicy internal
group-policy ForestvillePolicy attributes
 vpn-filter value Forestville_vpn_filter
 vpn-tunnel-protocol IPSec
group-policy TSIPolicy internal
group-policy TSIPolicy attributes
 vpn-filter value tsi_policy
 vpn-tunnel-protocol IPSec
username admin password .ti4neGRW24q84lH encrypted privilege 15
tunnel-group 12.13.14.15 type ipsec-l2l
tunnel-group 12.13.14.15 general-attributes
 default-group-policy TSIPolicy
tunnel-group 12.13.14.15 ipsec-attributes
 pre-shared-key ********
tunnel-group Forestville_PEER type ipsec-l2l
tunnel-group Forestville_PEER general-attributes
 default-group-policy ForestvillePolicy
tunnel-group Forestville_PEER ipsec-attributes
 pre-shared-key ********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8ac13d60ba239ace8a3653930959ed8
: end
DASS-VPN#

Could you post the output of show crypto isakmp.

Do you have administrative rights at the remote end of VPN 11? If not, did they give you the phase 1 and 2 configurations? If so, could you post the required configurations for the remote end.

Do you still need assistance?

Please rate the assistance.

I'll post "show crypto isakmp" on Thurs. I don't have any access to the remote end, unfortunately.

Output of show crypto isakmp sa:

DASS-VPN# show crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 12.13.14.15
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
DASS-VPN#

=====output from debug crypto isakmp 200============

The only output I saw on IKE was keepalives back and forth involving the TSI VPN remote peer, 12.13.14.15. I didn't see any entries for the Forestville VPN peer, 15.16.17.18, at all.

=================================

Could you contact the remote site and ask them to send you the phase1 and phase2 settings (if you don't already have them).

Also if you could post a full sanitized configuration please.

Here's something meaningful...

The config line:

crypto map DassVPN 500 match address toForestville

refers to an ACL, "toForestville", which allows traffic from the inside network to pass into the IPSEC tunnel. Now the next complication.. Apparently static routes 'trump' this ACL, because I have a static route that's directing the traffic over a frame-relay connection that's connected on interface "DMZ" right now, and I know it's working. SO.... It looks like the static route is grabbing the traffic. So, one thing at a time -- let's see if we can get the tunnel to come up. Shall I just temporarily delete the static route in order for traffic to be 'sucked into' the tunnel by virtue of the "toForestville" ACL?

Too bad I can't refer to the IPSEC tunnel as a sub-interface & include it in different-cost routing statements, like I can on Juniper SRX....

The static route will most definitely affect the flow of traffic. The crypto ACL defines what traffic to encrypt that leaves an interface. So if there is a static route pointing in a different direction, that traffic will never enter and leave the interface with the crypto configuration. Your only option in this situation is to either add a more specific route pointing out the crypto interface, or, if there is no other more specific route that you can add, you will need to remove that static route.

How do I enter a route that points down an IPSEC tunnel? Do I use the IP of the remote peer as the 'destination gateway'? Here's the syntax of the routes I use below. This might be OK... I can have one lower-cost route that points down the IPSEC tunnel, and a higher-cost route that points down the frame-relay. When the tunnel goes away, the route will drop, and the higher-cost route wins. ....Right?

route         

A higher-cost route never wins; it is always the lower-cost route that takes preference.

Your syntax looks good, with DST interface being the interface that the remote network is reachable through. The destination gateway would be the next hop along the path, not the remote end. So if your ISP's IP address is 192.168.1.1 and that is the next hop in the path to the remote network, then that is your destination GW.

route outside 255.255.255.0 192.168.1.1 1

route DMZ 255.255.255.0 192.168.2.1 5

In the above config scenario the configuration with a cost of 1 will always win over the cost of 5.  So traffic will never be sent out the DMZ interface in this scenario.

Using info from the config I pasted in, I propose the following statements:

route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 5        (route that points down frame-relay)
route outside Forestville-FTP 255.255.255.255 15.16.17.18 1    (route that points down ipsec tunnel)

I read an article that showed someone routing traffic thru an IPSEC tunnel by using the remote-peer as the destination gateway.  And the remote-peer IP was not part of any layer-3 network that was connected to the firewall.  From a routing-statement standpoint, the next hop gateway was not on a connected-network.
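Putting the accepted solution (a tracked route that is withdrawn when the far end stops answering) together with the routing advice above, here is an added ASA 8.2-style sketch of what that looks like. It is example configuration written for this thread, not the poster's config or anything from Cisco's documentation. It reuses the names and addresses from the posted config (Forestville-FTP = 192.168.4.160, the outside default gateway 172.16.188.1, the DMZ next hop 192.168.1.1, the outside interface address 172.16.189.157); the SLA id 10, track id 1 and the metrics 1 and 5 are arbitrary choices, and it assumes the Forestville end answers ICMP echo and mirrors the crypto ACL change.

```text
! Added example, not from the thread. Probe the Forestville FTP host through
! the tunnel and tie the preferred route to the result of that probe.
!
! The probe leaves via "outside", so the crypto map bound to that interface
! decides whether it is encrypted. An ASA-originated echo is sourced from the
! outside interface address (172.16.189.157), which is not covered by the
! existing host-to-host toForestville entries; without a matching crypto ACL
! line (mirrored at the peer) the probe would go out in the clear and fail.
access-list toForestville extended permit icmp host 172.16.189.157 host Forestville-FTP
!
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.4.160 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Preferred path: the more specific route points out the crypto interface
! with the ISP next hop as gateway (not the remote peer, which is not on a
! connected network). It is installed only while track 1 reports "up".
route outside Forestville-FTP 255.255.255.255 172.16.188.1 1 track 1
!
! Fallback: the existing frame-relay path via DMZ, now with a higher metric.
! It is used only while the tracked route above is withdrawn.
route DMZ Forestville-FTP 255.255.255.255 192.168.1.1 5
```

With both routes present, the metric-1 tracked route wins for as long as the probe succeeds, so traffic to 192.168.4.160 egresses "outside", matches crypto map entry 500 and brings the tunnel up; this also explains why the original debug showed no IKE activity towards 15.16.17.18, since the metric-1 DMZ route in the posted config never let that traffic reach the crypto map. When the probe fails, the tracked route is removed and the metric-5 DMZ route takes over, which is the behaviour the accepted solution describes. `show track 1`, `show sla monitor operational-state` and `show route` are the places to confirm which state the box is in.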
