Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5505 Tunnel up No Traffic

Hello all,

I am new to the forums and configuring ASA's.

I have two 5505's we currently have setup using the ipsec wizard.

One of them is our main office and is able to communicate with the other ASA's configured to it.

The tunnel is up, but we are not able to communicate across local networks.

I've been battling this for two days now and have run out of ideas.

Network A(Main): 192.168.1.0/24

Network B: 192.168.3.0/24

Network A running config

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password

passwd

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address Static from ISP 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_5_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list outside_6_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging buffered debugging

logging asdm debugging

logging mail debugging

mtu inside 1500

mtu outside 1500

ip audit name IP_Attack attack action drop

ip audit name IP_Information info action alarm

ip audit interface inside IP_Information

ip audit interface inside IP_Attack

ip audit interface outside IP_Information

ip audit interface outside IP_Attack

ip audit signature 2000 disable

ip audit signature 2004 disable

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 111

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.4 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 (ISP gateway)

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer Network C

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs group1

crypto map outside_map 2 set peer Network D Network E

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs group1

crypto map outside_map 3 set peer Network F

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set pfs group1

crypto map outside_map 4 set peer network G

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 5 match address outside_5_cryptomap

crypto map outside_map 5 set pfs group1

crypto map outside_map 5 set peer Network H

crypto map outside_map 5 set transform-set ESP-3DES-SHA

crypto map outside_map 6 match address outside_6_cryptomap

crypto map outside_map 6 set pfs group1

crypto map outside_map 6 set peer Network I

crypto map outside_map 6 set transform-set ESP-3DES-SHA

crypto map outside_map 7 match address outside_7_cryptomap

crypto map outside_map 7 set pfs group1

crypto map outside_map 7 set peer Network J

crypto map outside_map 7 set transform-set ESP-3DES-SHA

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set pfs group1

crypto map outside_map 8 set peer Network K

crypto map outside_map 8 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-filter value 111

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

omitted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:2b13e2781cf6be80bd5d7c2998d78bdf

: end

no asdm history enable

and this is Network B running config:

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password

names

name 192.168.1.0 trinity

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address Static from ISP 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 68.105.28.16

name-server 68.105.29.16

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 111

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 70.168.245.161 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer Main Office

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.3.5-192.168.3.254 inside

dhcpd dns 68.105.28.16 68.105.29.16 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group Main Office type ipsec-l2l

tunnel-group Main Office ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:cd079382c64a4046125089b766c0334f

: end

asdm location trinity 255.255.255.0 inside

no asdm history enable

Thanks,

Mike

1 ACCEPTED SOLUTION

Accepted Solutions

ASA 5505 Tunnel up No Traffic

Hello Mike,

      access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (trinity/255.255.255.0/0/0)

      current_peer:xx.xx.xx.170

      #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106

     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

So no packets being received!!

Main site not encrypting or send the traffic via another Crypto map (Jounni saw it )

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101

Great job from Jounni,

mark the question as answered so future users can learn from this

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
7 REPLIES

ASA 5505 Tunnel up No Traffic

Hello Mike,

Hopefully you just needed an extra couple of eyes

On Site B

nat (inside) 0 access-list 111

but there is no such access-list 111

It should be:

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA 5505 Tunnel up No Traffic

Thank you for the responde Julio,

i applied the change via cli but still cannot communicate between devices.

I am going to post the updated running config of both.

I created acl 111 just trying to figure this out.

Main network:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password jkrpsRYtu8nSWLEb encrypted

passwd jkrpsRYtu8nSWLEb encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address from ISP 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_5_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list outside_6_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

access-list outside_7_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list 111 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging buffered debugging

logging asdm debugging

logging mail debugging

mtu inside 1500

mtu outside 1500

ip audit name IP_Attack attack action drop

ip audit name IP_Information info action alarm

ip audit interface inside IP_Information

ip audit interface inside IP_Attack

ip audit interface outside IP_Information

ip audit interface outside IP_Attack

ip audit signature 2000 disable

ip audit signature 2004 disable

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.1.4 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 Main network

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

omitted

crypto map outside_map 8 match address outside_8_cryptomap

crypto map outside_map 8 set pfs group1

crypto map outside_map 8 set peer Network B

crypto map outside_map 8 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

ommitted

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect pptp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:2b13e2781cf6be80bd5d7c2998d78bdf

: end

no asdm history enable

Network B

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password

names

name 192.168.1.0 trinity

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.3.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ISP 255.255.255.0

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 68.105.28.16

name-server 68.105.29.16

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any interface outside eq 3389

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list NO-NAT extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

access-list 111 extended permit ip 192.168.3.0 255.255.255.0 trinity 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ISP Gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.3.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer Network A

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.3.5-192.168.3.254 inside

dhcpd dns 68.105.28.16 68.105.29.16 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group Network A type ipsec-l2l

tunnel-group Network A ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:1c343ae955acc6f3bb0132664b465809

: end

asdm location trinity 255.255.255.0 inside

no asdm history enable

ASA 5505 Tunnel up No Traffic

Hello Mike,

On site A we are now missing the NAT 0 rule

nat (inside) 0 access-list 111

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA 5505 Tunnel up No Traffic

Thank you for the reply Julio.

Unfortunately that did not do the trick. I can still only send from new site and receive on main site.

Re: ASA 5505 Tunnel up No Traffic

Hello Mike,

Share the following

Show crypto ipsec sa  (From both sides)

Note: Without the output and based on the information provided so far: CSCtd36473

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA 5505 Tunnel up No Traffic

Main Site:

Result of the command: "show crypto ipsec sa"

interface: outside

    Crypto map tag: outside_map, seq num: 6, local addr: xx.xx.xx.170

      access-list outside_6_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.7.0/255.255.255.0/0/0)

      current_peer:xx.xx.xx.106

      #pkts encaps: 126, #pkts encrypt: 126, #pkts digest: 126

      #pkts decaps: 2419, #pkts decrypt: 2419, #pkts verify: 2419

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 126, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: xx.xx.xx.170, remote crypto endpt.: xx.xx.xx.106

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 61358A78

    inbound esp sas:

      spi: 0x419D3AC6 (1100823238)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 20480, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373778/10373)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x61358A78 (1630898808)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 20480, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373977/10373)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 5, local addr: xx.xx.xx.170

      access-list outside_5_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)

      current_peer: xx.xx.xx.197

      #pkts encaps: 151, #pkts encrypt: 151, #pkts digest: 151

      #pkts decaps: 7013, #pkts decrypt: 7013, #pkts verify: 7013

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 151, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: xx.xx.xx.170, remote crypto endpt.: xx.xx.xx.197

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 3B994A76

    inbound esp sas:

      spi: 0x76248B9D (1982106525)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 4096, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914867/22239)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x3B994A76 (999901814)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 4096, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914990/22239)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 3, local addr: xx.xx.xx.170

      access-list outside_3_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)

      current_peer: xx.xx.xx.184

      #pkts encaps: 109, #pkts encrypt: 109, #pkts digest: 109

      #pkts decaps: 2415, #pkts decrypt: 2415, #pkts verify: 2415

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 109, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.:xx.xx.xx.170, remote crypto endpt.: xx.xx.xx.184

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 81658035

    inbound esp sas:

      spi: 0x9C3C2B08 (2621188872)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 24576, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914781/13398)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xEFFFFFFF

    outbound esp sas:

      spi: 0x81658035 (2170912821)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 24576, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914977/13398)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 8, local addr: xx.xx.xx.170

      access-list outside_8_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      current_peer: xx.xx.xx.165

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: xx.xx.xx.170, remote crypto endpt.: xx.xx.xx.165

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: F766A5C9

    inbound esp sas:

      spi: 0x5F549142 (1599377730)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 28672, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914995/19905)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xF766A5C9 (4150699465)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 28672, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/19905)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

New Site:

Result of the command: "show crypto ipsec sa"

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: xx.xx.xx.165

      access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (trinity/255.255.255.0/0/0)

      current_peer:xx.xx.xx.170

      #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 106, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: xx.xx.xx.165, remote crypto endpt.: xx.xx.xx.170

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 5F549142

      current inbound spi : F766A5C9

    inbound esp sas:

      spi: 0xF766A5C9 (4150699465)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 20480, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/19662)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x5F549142 (1599377730)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 20480, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4373994/19662)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

ASA 5505 Tunnel up No Traffic

Hello Mike,

      access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (trinity/255.255.255.0/0/0)

      current_peer:xx.xx.xx.170

      #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106

     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

So no packets being received!!

Main site not encrypting or send the traffic via another Crypto map (Jounni saw it )

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101

Great job from Jounni,

mark the question as answered so future users can learn from this

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
508
Views
0
Helpful
7
Replies
CreatePlease to create content