Cisco Support Community

New Member

Advice on config

Could one of you excellent experts please cast your eye over the below config please. We have a site to site from this ASA back to our ISA server. It works but every day it goes down while the SAs are renegotiated and recently users are having to ping a host on the remote network before traffic will pass through the tunnel. The tunnel doesn't drop ever and once they ping everything is ok...

Any advice is much appreciated



New Member

Re: Advice on config

ASA Version 7.1(2)

hostname ciscoasa

enable password encrypted

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x local ip

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd encrypted
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS

same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip 10.10.

access-list outside_cryptomap_20 extended permit ip 10.10.

pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered debugging
logging trap debugging
logging from-address
logging recipient-address level errors
logging host inside
logging permit-hostdown
logging message 100000 level debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101
route outside gateway address 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.x.x remote ip
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 82800
crypto map outside_map 20 set security-association lifetime kilobytes 2000000000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 10
telnet inside
telnet timeout 15
ssh timeout 5
console timeout 0
management-access management
dhcpd address inside
dhcpd address management
dhcpd dns
dhcpd wins
dhcpd lease 691200
dhcpd ping_timeout 500
dhcpd domain
dhcpd option 252 ascii xxxxxxxxx
dhcpd enable inside
dhcpd enable management

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global

: end
