asa 5510 (8.4(5)) <----> asa 5520 (8.4(5)) s2s ipsec vpn trouble

smirnov_nv
Level 1

Hello everyone!

Not long ago I started getting acquainted with the ASA, so I have a lot of questions about it.

Here are the two configs.

asa5510


asatmsk(config)# sh ru
: Saved
:
ASA Version 8.4(5)
!
hostname asatmsk
enable password 0bgfffreer0rgi0gr encrypted
passwd 2GLFfgjkt44gI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.0.101.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 103.103.103.103 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
object network MO
 subnet 10.0.101.0 255.255.255.0
object network BO
 subnet 10.0.100.0 255.255.252.0
access-list l2l_list extended permit ip 10.0.101.0 255.255.255.0 10.0.100.0 255.255.252.0
access-list vpn_traffic extended permit ip object MO object BO
access-list inboard extended permit ip any host 10.0.101.1
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static MO MO destination static BO BO
access-group inboard in interface inside
route outside 0.0.0.0 0.0.0.0 103.103.103.104 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set 3des esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption des
 protocol esp integrity sha-1
crypto map MSK 1 set peer 104.104.104.104
crypto map MSK 1 set ikev1 transform-set FS 3des
crypto map MSK 1 set ikev2 ipsec-proposal secure
crypto map MSK interface outside
crypto isakmp identity address
crypto ikev2 policy 1
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 10.0.101.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password woVD0EbRlBnBW1dA encrypted privilege 15
tunnel-group 104.104.104.104 type ipsec-l2l
tunnel-group 104.104.104.104 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  set connection decrement-ttl
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:hgkf5g95nmj05nmj59089589ug454
: end
asatmsk(config)#

asa5520


asamsk(config)# sh ru
: Saved
:
ASA Version 8.4(5)
!
hostname asamsk
enable password 0r43TYvfkvm4freTG encrypted
passwd 4deFRFNI443.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.100.4 255.255.252.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 104.104.104.104 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
object network MO
 subnet 10.0.101.0 255.255.255.0
object network BO
 subnet 10.0.100.0 255.255.252.0
access-list l2l_list extended permit ip 10.0.100.0 255.255.252.0 10.0.101.0 255.255.255.0
access-list vpn_traffic extended permit ip object BO object MO
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static BO BO destination static MO MO
route outside 0.0.0.0 0.0.0.0 104.104.104.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.100.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set 3des esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption des
 protocol esp integrity sha-1
crypto map TMSK 1 match address vpn_traffic
crypto map TMSK 1 set peer 103.103.103.103
crypto map TMSK 1 set ikev1 transform-set FS 3des
crypto map TMSK 1 set ikev2 ipsec-proposal secure
crypto map TMSK interface outside
crypto isakmp identity address
crypto ikev2 policy 1
 encryption des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 99
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 10.0.100.0 255.255.252.0 inside
ssh timeout 20
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
username admin password woVD0EbRlBnBW1dA encrypted privilege 15
tunnel-group 103.103.103.103 type ipsec-l2l
tunnel-group 103.103.103.103 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ghuthoui5hg9039ug335tg3595ug53g
: end
asamsk(config)#

If you type show crypto isakmp sa, the output is:

There are no IKEv1 SAs
There are no IKEv2 SAs

Need help from professionals.

Thank you.
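As an added example that is not part of the original post, here is a small Python consistency check for a pair of ASA IKEv1 site-to-site peers: it reads each side's crypto-map entries and object-based interesting-traffic ACL and reports what would keep the tunnel from being negotiated (no match address, peer addresses not pointing at each other, ACLs that are not mirror images, no shared transform set). The embedded config excerpts are constructed from the two configs posted above, with the post's own names and addresses; run against them as posted, it reports that the asa5510 crypto map entry has no match address line.

```python
import re

# Constructed excerpts of the two running-configs posted above: only the
# lines this check reads. Object names and addresses are the post's own.
ASA5510 = """\
access-list vpn_traffic extended permit ip object MO object BO
crypto map MSK 1 set peer 104.104.104.104
crypto map MSK 1 set ikev1 transform-set FS 3des
"""
ASA5520 = """\
access-list vpn_traffic extended permit ip object BO object MO
crypto map TMSK 1 match address vpn_traffic
crypto map TMSK 1 set peer 103.103.103.103
crypto map TMSK 1 set ikev1 transform-set FS 3des
"""
MAP_RE = r"crypto map \S+ (\d+) (match address|set peer|set ikev1 transform-set) (.+)"
ACL_RE = r"access-list (\S+) extended permit ip object (\S+) object (\S+)"

def parse(cfg):
    """Collect crypto-map entries (by sequence number) and object-based ACL lines."""
    maps, acls = {}, {}
    for line in cfg.splitlines():
        if m := re.match(MAP_RE, line):
            key = {"match address": "acl", "set peer": "peer"}.get(m[2], "ts")
            maps.setdefault(int(m[1]), {})[key] = m[3].split() if key == "ts" else m[3]
        elif m := re.match(ACL_RE, line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
    return maps, acls

def check_pair(local_cfg, local_ip, remote_cfg, remote_ip):
    """Return mismatches (as strings) that keep an IKEv1 L2L tunnel from forming."""
    problems = []
    lm, la = parse(local_cfg)
    rm, ra = parse(remote_cfg)
    for seq, e in lm.items():
        if "acl" not in e:  # no interesting traffic bound to the entry: it is incomplete
            problems.append(f"local map seq {seq}: no 'match address'")
        elif e["acl"] not in la:
            problems.append(f"local map seq {seq}: ACL {e['acl']} is not defined")
        if e.get("peer") != remote_ip:
            problems.append(f"local map seq {seq}: peer {e.get('peer')} != {remote_ip}")
        back = [r for r in rm.values() if r.get("peer") == local_ip]  # remote entry for us
        if not back:
            problems.append(f"remote: no crypto map entry with peer {local_ip}")
            continue
        r = back[0]
        if e.get("acl") in la and r.get("acl") in ra:  # the two ACLs must be mirror images
            if sorted(ra[r["acl"]]) != sorted((d, s) for s, d in la[e["acl"]]):
                problems.append("interesting-traffic ACLs are not mirror images")
        if not set(e.get("ts", [])) & set(r.get("ts", [])):
            problems.append(f"map seq {seq}: no ikev1 transform-set in common")
    return problems
```

Run it once in each direction (local/remote swapped), since the per-entry checks are made from the local side's point of view.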

1 Reply

smirnov_nv
Level 1

The problem is solved.
You need to generate traffic from either side and run debug icmp.
