Community Member

5585 vpn issue

I have an ASA 5585-X running version 8.4.2; the config is attached below.

I have a VPN to IP 216.10.115.215.

The remote subnet is 10.30.6.0/24.

The local subnets are 10.11.34.0/24 and 10.11.35.0/24.

The tunnel establishes, but neither side can ping the other.

What am I missing?

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.11.30 18:40:37 =~=~=~=~=~=~=~=~=~=~=~=

sh run

: Saved

:

ASA Version 8.4(2)

!

hostname ecw17fw001

enable password z9EBartb5mE1xA7Y encrypted

passwd l/6WBlFb8xG4avQC encrypted

names

!

interface GigabitEthernet0/0

nameif WAN

security-level 0

ip address 207.211.113.4 255.255.255.240 standby 207.211.113.5

!

interface GigabitEthernet0/1

nameif DMZ

security-level 50

ip address 207.211.113.17 255.255.255.240 standby 207.211.113.18

!

interface GigabitEthernet0/2

nameif Production

security-level 100

ip address 10.11.35.1 255.255.255.0 standby 10.11.35.2

!

interface GigabitEthernet0/3

nameif Mgmt

security-level 100

ip address 10.11.34.1 255.255.255.0 standby 10.11.34.2

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

description LAN Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

interface Management0/1

shutdown

no nameif

no security-level

no ip address

management-only

!

interface TenGigabitEthernet0/8

shutdown

no nameif

no security-level

no ip address

!

interface TenGigabitEthernet0/9

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/7

shutdown

no nameif

no security-level

no ip address

!

interface TenGigabitEthernet1/8

shutdown

no nameif

no security-level

no ip address

!

interface TenGigabitEthernet1/9

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa842-smp-k8.bin

boot system disk0:/asdm-645-206.bin

boot system disk0:/asa842-smp-k8

ftp mode passive

object network Mgmt_Internet

subnet 10.11.34.0 255.255.255.0

object network ASP16_Mgmt

subnet 10.11.31.0 255.255.255.0

object network ASP16_Prod

subnet 10.11.32.0 255.255.255.0

object network ASP8_Prod

subnet 10.30.6.0 255.255.255.0

object-group network ASP17_VPN

network-object 10.11.34.0 255.255.255.0

network-object 10.11.35.0 255.255.255.0

object-group network ASP16

network-object object ASP16_Mgmt

network-object object ASP16_Prod

access-list WAN_cryptomap extended permit ip object-group ASP17_VPN object-group ASP16

access-list WAN_cryptomap_1 extended permit ip object-group ASP17_VPN object ASP8_Prod

pager lines 24

logging enable

logging asdm informational

mtu WAN 1500

mtu DMZ 1500

mtu Production 1500

mtu Mgmt 1500

mtu management 1500

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/7

failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup

nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

!

object network Mgmt_Internet

nat (Mgmt,WAN) dynamic interface

route WAN 0.0.0.0 0.0.0.0 207.211.113.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.11.34.0 255.255.255.0 Mgmt

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map WAN_map 1 match address WAN_cryptomap

crypto map WAN_map 1 set peer 75.98.35.97

crypto map WAN_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map WAN_map 2 match address WAN_cryptomap_1

crypto map WAN_map 2 set peer 216.10.115.215

crypto map WAN_map 2 set ikev1 transform-set ESP-3DES-SHA

crypto map WAN_map interface WAN

crypto ikev1 enable WAN

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.11.34.0 255.255.255.0 Mgmt

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

!

tls-proxy maximum-session 1000

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_75.98.35.97 internal

group-policy GroupPolicy_75.98.35.97 attributes

vpn-tunnel-protocol ikev1

group-policy GroupPolicy_216.10.115.215 internal

group-policy GroupPolicy_216.10.115.215 attributes

vpn-tunnel-protocol ikev1

tunnel-group 75.98.35.97 type ipsec-l2l

tunnel-group 75.98.35.97 general-attributes

default-group-policy GroupPolicy_75.98.35.97

tunnel-group 75.98.35.97 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 216.10.115.215 type ipsec-l2l

tunnel-group 216.10.115.215 general-attributes

default-group-policy GroupPolicy_216.10.115.215

tunnel-group 216.10.115.215 ipsec-attributes

ikev1 pre-shared-key *****

ecw17fw001#

1 REPLY


Hi,

Try enabling 'same-security-traffic inter-interface' and 'same-security-traffic intra-interface'.

Thx

MS
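An added check, not part of the original thread, that a practitioner would run against the posted config: the crypto ACL WAN_cryptomap_1 lists both 10.11.34.0/24 and 10.11.35.0/24 as local sources, but the identity (NAT-exempt) twice-NAT rule exists only for (Production,WAN), while 10.11.34.0/24 is the Mgmt interface's own subnet and is covered by the dynamic PAT 'nat (Mgmt,WAN) dynamic interface', so that traffic leaves with the WAN address and no longer matches the crypto ACL. The script parses a constructed excerpt of that config and reports crypto-ACL sources with no identity NAT from their own interface; FIX is a hypothetical rule used only to show the check passing, and the ACL parser assumes object/object-group operands as in this config.

```python
import ipaddress

# Constructed excerpt of the config posted above: only the lines this check reads.
CONFIG = """\
 nameif Production
 ip address 10.11.35.1 255.255.255.0 standby 10.11.35.2
 nameif Mgmt
 ip address 10.11.34.1 255.255.255.0 standby 10.11.34.2
object-group network ASP17_VPN
 network-object 10.11.34.0 255.255.255.0
 network-object 10.11.35.0 255.255.255.0
access-list WAN_cryptomap_1 extended permit ip object-group ASP17_VPN object ASP8_Prod
nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod
object network Mgmt_Internet
 nat (Mgmt,WAN) dynamic interface
crypto map WAN_map 2 match address WAN_cryptomap_1
"""
# Hypothetical identity rule for the Mgmt-side subnet, only to show the check passing.
FIX = "nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod\n"

def net(a, m):
    return ipaddress.ip_network(f"{a}/{m}", strict=False)

def unexempted_vpn_sources(cfg):
    """Crypto-ACL source subnets with no identity (X -> X) twice-NAT rule from the
    interface that owns them; such traffic hits other NAT rules (here the Mgmt PAT)."""
    ifaces, objs, acl_src, exempt, crypto_acls, cur = {}, {}, {}, set(), set(), None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "nameif":
            cur = ("if", t[1])
        elif t[:2] == ["ip", "address"] and cur and cur[0] == "if":
            ifaces[cur[1]] = net(t[2], t[3])          # interface -> connected subnet
        elif t[0] in ("object", "object-group") and t[1] == "network":
            cur = ("obj", t[2]); objs.setdefault(t[2], [])
        elif t[0] in ("subnet", "network-object") and cur and cur[0] == "obj":
            objs[cur[1]] += objs[t[2]] if t[1] == "object" else [net(t[1], t[2])]
        elif t[0] == "access-list" and "permit" in t:  # assumes object/object-group operands
            acl_src[t[1]] = objs[t[t.index("permit") + 3]]
        elif t[0] == "nat" and t[2:4] == ["source", "static"] and t[4] == t[5]:
            ingress = t[1].strip("()").split(",")[0]   # identity NAT: record (ingress, net)
            exempt.update((ingress, n) for n in objs[t[4]])
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls.add(t[-1])
    missing = []
    for acl in sorted(crypto_acls):
        for src in acl_src[acl]:
            ingress = next((n for n, i in ifaces.items() if src.overlaps(i)), "?")
            if (ingress, src) not in exempt:
                missing.append((str(src), ingress))
    return missing
```

Run against the excerpt it reports 10.11.34.0/24 behind Mgmt as unexempted; with FIX appended the list is empty.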
