i have a ASA 5585-X with ver 8.4.2 config is attached below
have a VPN to IP 216.10.115.215
remote subnet is 10.30.6.0 /24
local subnets are 10.11.34.0 /24 and 10.11.35.0/24
the tunnel establishes but neither side can ping each other
what am i missing ?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.11.30 18:40:37 =~=~=~=~=~=~=~=~=~=~=~=
sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ecw17fw001
enable password z9EBartb5mE1xA7Y encrypted
passwd l/6WBlFb8xG4avQC encrypted
names
!
interface GigabitEthernet0/0
nameif WAN
security-level 0
ip address 207.211.113.4 255.255.255.240 standby 207.211.113.5
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 207.211.113.17 255.255.255.240 standby 207.211.113.18
!
interface GigabitEthernet0/2
nameif Production
security-level 100
ip address 10.11.35.1 255.255.255.0 standby 10.11.35.2
!
interface GigabitEthernet0/3
nameif Mgmt
security-level 100
ip address 10.11.34.1 255.255.255.0 standby 10.11.34.2
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address
management-only
!
interface TenGigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet0/9
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet1/9
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa842-smp-k8.bin
boot system disk0:/asdm-645-206.bin
boot system disk0:/asa842-smp-k8
ftp mode passive
object network Mgmt_Internet
subnet 10.11.34.0 255.255.255.0
object network ASP16_Mgmt
subnet 10.11.31.0 255.255.255.0
object network ASP16_Prod
subnet 10.11.32.0 255.255.255.0
object network ASP8_Prod
subnet 10.30.6.0 255.255.255.0
object-group network ASP17_VPN
network-object 10.11.34.0 255.255.255.0
network-object 10.11.35.0 255.255.255.0
object-group network ASP16
network-object object ASP16_Mgmt
network-object object ASP16_Prod
access-list WAN_cryptomap extended permit ip object-group ASP17_VPN object-group ASP16
access-list WAN_cryptomap_1 extended permit ip object-group ASP17_VPN object ASP8_Prod
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu DMZ 1500
mtu Production 1500
mtu Mgmt 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/7
failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod
!
object network Mgmt_Internet
nat (Mgmt,WAN) dynamic interface
route WAN 0.0.0.0 0.0.0.0 207.211.113.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.11.34.0 255.255.255.0 Mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 75.98.35.97
crypto map WAN_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map WAN_map 2 match address WAN_cryptomap_1
crypto map WAN_map 2 set peer 216.10.115.215
crypto map WAN_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.11.34.0 255.255.255.0 Mgmt
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_75.98.35.97 internal
group-policy GroupPolicy_75.98.35.97 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_216.10.115.215 internal
group-policy GroupPolicy_216.10.115.215 attributes
vpn-tunnel-protocol ikev1
tunnel-group 75.98.35.97 type ipsec-l2l
tunnel-group 75.98.35.97 general-attributes
default-group-policy GroupPolicy_75.98.35.97
tunnel-group 75.98.35.97 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 216.10.115.215 type ipsec-l2l
tunnel-group 216.10.115.215 general-attributes
default-group-policy GroupPolicy_216.10.115.215
tunnel-group 216.10.115.215 ipsec-attributes
ikev1 pre-shared-key *****
ecw17fw001#
