08-19-2013 02:30 AM - edited 02-21-2020 07:06 PM
Hello everyone!
Not so long ago I began to make friends with the ASA, so I have a lot of questions about it.
There are two configs.
asa5510
```
asatmsk(config)# sh ru
: Saved
:
ASA Version 8.4(5)
!
hostname asatmsk
enable password 0bgfffreer0rgi0gr encrypted
passwd 2GLFfgjkt44gI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.101.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 103.103.103.103 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
object network MO
 subnet 10.0.101.0 255.255.255.0
object network BO
 subnet 10.0.100.0 255.255.252.0
access-list l2l_list extended permit ip 10.0.101.0 255.255.255.0 10.0.100.0 255.255.252.0
access-list vpn_traffic extended permit ip object MO object BO
access-list inboard extended permit ip any host 10.0.101.1
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static MO MO destination static BO BO
access-group inboard in interface inside
route outside 0.0.0.0 0.0.0.0 103.103.103.104 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set 3des esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption des
 protocol esp integrity sha-1
crypto map MSK 1 set peer 104.104.104.104
crypto map MSK 1 set ikev1 transform-set FS 3des
crypto map MSK 1 set ikev2 ipsec-proposal secure
crypto map MSK interface outside
crypto isakmp identity address
crypto ikev2 policy 1
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 10.0.101.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password woVD0EbRlBnBW1dA encrypted privilege 15
tunnel-group 104.104.104.104 type ipsec-l2l
tunnel-group 104.104.104.104 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:hgkf5g95nmj05nmj59089589ug454
: end
asatmsk(config)#
```
asa5520
```
asamsk(config)# sh ru
: Saved
:
ASA Version 8.4(5)
!
hostname asamsk
enable password 0r43TYvfkvm4freTG encrypted
passwd 4deFRFNI443.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.100.4 255.255.252.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 104.104.104.104 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
object network MO
 subnet 10.0.101.0 255.255.255.0
object network BO
 subnet 10.0.100.0 255.255.252.0
access-list l2l_list extended permit ip 10.0.100.0 255.255.252.0 10.0.101.0 255.255.255.0
access-list vpn_traffic extended permit ip object BO object MO
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static BO BO destination static MO MO
route outside 0.0.0.0 0.0.0.0 104.104.104.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set 3des esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption des
 protocol esp integrity sha-1
crypto map TMSK 1 match address vpn_traffic
crypto map TMSK 1 set peer 103.103.103.103
crypto map TMSK 1 set ikev1 transform-set FS 3des
crypto map TMSK 1 set ikev2 ipsec-proposal secure
crypto map TMSK interface outside
crypto isakmp identity address
crypto ikev2 policy 1
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 99
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 10.0.100.0 255.255.252.0 inside
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password woVD0EbRlBnBW1dA encrypted privilege 15
tunnel-group 103.103.103.103 type ipsec-l2l
tunnel-group 103.103.103.103 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ghuthoui5hg9039ug335tg3595ug53g
: end
asamsk(config)#
```
If you type `show crypto isakmp sa`:
```
There are no IKEv1 SAs
There are no IKEv2 SAs
```
Need help from professionals.
Thank you.
08-28-2013 04:04 AM
The problem is solved.
You need to generate traffic from either side and run debug icmp.
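As an added example that is not part of this thread, here is a small Python check, assuming the two running configs are available as text, that reads the pieces that matter for an ipsec-l2l tunnel (outside address, crypto map peer and match address ACL, tunnel-group) from both sides and reports where they do not line up; on the excerpts of the configs posted above it reports that `crypto map MSK 1` on asa5510 has no `match address` line, which is also why no traffic can trigger that side of the tunnel, as the answer about generating traffic points out.

```python
import re

# Constructed excerpts of the two configs posted above, reduced to the lines the
# check reads (outside interface, ACL, crypto map, tunnel-group).
ASA5510 = """
 nameif outside
 ip address 103.103.103.103 255.255.255.252
access-list vpn_traffic extended permit ip object MO object BO
crypto map MSK 1 set peer 104.104.104.104
tunnel-group 104.104.104.104 type ipsec-l2l
"""
ASA5520 = """
 nameif outside
 ip address 104.104.104.104 255.255.255.248
access-list vpn_traffic extended permit ip object BO object MO
crypto map TMSK 1 match address vpn_traffic
crypto map TMSK 1 set peer 103.103.103.103
tunnel-group 103.103.103.103 type ipsec-l2l
"""

def parse(cfg):
    """Collect the L2L-relevant facts from a 'show run' text."""
    ip = re.search(r"nameif outside\n(?:.*\n)*?\s*ip address (\S+)", cfg)
    f = {"outside_ip": ip.group(1) if ip else None, "acls": set(), "maps": {}, "tunnel_groups": set()}
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            f["acls"].add(line.split()[1])
        elif line.startswith("tunnel-group ") and line.endswith("type ipsec-l2l"):
            f["tunnel_groups"].add(line.split()[1])
        m = re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line)
        if m:  # one dict per crypto map entry, keyed by map name and sequence number
            name, seq, kind, val = m.groups()
            f["maps"].setdefault(f"crypto map {name} {seq}", {})["acl" if kind == "match address" else "peer"] = val
    return f

def check_pair(local, remote):
    """Findings for local's crypto map entries against the remote side; [] means they line up."""
    out = []
    for tag, e in local["maps"].items():
        if "acl" not in e:
            out.append(f"{tag}: no 'match address', so no traffic ever triggers the tunnel")
        elif e["acl"] not in local["acls"]:
            out.append(f"{tag}: ACL {e['acl']} is not defined")
        peer = e.get("peer")
        if peer != remote["outside_ip"]:
            out.append(f"{tag}: peer {peer} is not the remote outside address {remote['outside_ip']}")
        if peer not in local["tunnel_groups"]:
            out.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l'")
    return out
```

Run `check_pair(parse(ASA5510), parse(ASA5520))` and the reverse pair; the asa5520 side comes back clean while the asa5510 side is flagged for the missing ACL binding.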