Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA L2L not sending encryted traffic

I currently have an issue passing traffic from an ASA 5520 to a 877W.  The traffic is being encrypted from the router to the ASA (as shown below) however the ASA is not sending any encrypted traffic.  I have tried upgrading from 8.4(7) to 9.1(5), wiping the config and starting fresh, configuring the VPN's via CLI and using the ASDM wizard.  I've also tried a 1841 and experience the same issue.

Any ideas before I log a TAC case?  Pulling my hair out with this one!

 

877W Config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key psk address ASA-EXTERNAL

crypto ipsec transform-set TS esp-3des esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer ASA-EXTERNAL
 set security-association lifetime seconds 28800
 set transform-set TS
 match address VPN-TRAFFIC

interface Dialer0
 crypto map CMAP

ip route 0.0.0.0 0.0.0.0 Dialer0

ip nat inside source list 100 interface Dialer0 overload

ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255

access-list 100 remark Define NAT
access-list 100 deny   ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255
access-list 100 remark
access-list 100 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any

ASA:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ASA-EXTERNAL-IP
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.250.247 255.255.255.0
!
same-security-traffic permit inter-interface
object network VPNLocal
 subnet 172.16.250.0 255.255.255.0
object network VPNRemote
 subnet 192.168.20.0 255.255.255.0
 
access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote
access-list outside_access_in extended permit ip object VPNRemote 172.16.250.0 255.255.255.0 log disable
access-list inside_access_in extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote

icmp permit any outside
icmp permit any inside

nat (inside,outside) source static VPNLocal VPNLocal destination static VPNRemote VPNRemote no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY-IP 1
route inside 10.0.0.0 255.0.0.0 CORE-ROUTER 1

sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 877W-IP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy GroupPolicy_877W-IP internal
group-policy GroupPolicy_877W-IP attributes
 vpn-tunnel-protocol ikev1

tunnel-group 877W-IP type ipsec-l2l
tunnel-group 877W-IP general-attributes
 default-group-policy GroupPolicy_81.133.227.150
tunnel-group 877W-IP ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect icmp
  inspect icmp error
!
service-policy global-policy global
prompt hostname context

 

877W sh crypto ipsec sa

interface: Dialer0
    Crypto map tag: CMAP, local addr 877W-IP

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
   current_peer ASA-EXTERNAL port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1771, #pkts encrypt: 1771, #pkts digest: 1771
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 17, #recv errors 0

     local crypto endpt.: 877W-IP, remote crypto endpt.: ASA-EXTERNAL
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0xD82FD3CE(3627013070)

     inbound esp sas:
      spi: 0x31F9F14C(838463820)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4544227/24786)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD82FD3CE(3627013070)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4544168/24786)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: CMAP, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
   current_peer ASA-EXTERNAL port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: ASA-EXTERNAL
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

ASA sh crypto ipsec sa

peer address: 877W-IP
    Crypto map tag: outside_map, seq num: 1, local addr: ASA-EXERNAL

      access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 192.168.20.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 877W-IP


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 539, #pkts decrypt: 539, #pkts verify: 539
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA-EXERNAL/0, remote crypto endpt.: 877W-IP/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 31F9F14C
      current inbound spi : D82FD3CE

    inbound esp sas:
      spi: 0xD82FD3CE (3627013070)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 81920, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373968/24993)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x31F9F14C (838463820)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 81920, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/24993)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

Glad you got it sorted :-)-

Glad you got it sorted :-)

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
13 REPLIES
VIP Green

If you do a packet capture on

If you do a packet capture on the ASA for the VPN traffic between the inside and outside interface and then send traffic from the 877W side do you see traffic leaving the inside interface and return traffic entering the inside interface? (you wont see anything on the outside interface as it is encrypted).

If you do not see the return traffic, then I would assume you have a routing issue behind the ASA and that return traffic is being routed in a wrong direction.

refer to this document if you need help setting up a packet capture:

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Hi Marius,I couldn't use the

Hi Marius,

I couldn't use the 877W but tested with my 1841(it's identical to the 877W).

 

 

sh route
Gateway of last resort is ISP-GATEWAY to network 0.0.0.0

C    172.16.250.0 255.255.255.0 is directly connected, inside
C    EXTERNAL-SUBNET 255.255.255.240 is directly connected, outside
S    192.168.20.0 255.255.255.0 [1/0] via ISP-GATEWAY, outside
S    10.0.0.0 255.0.0.0 [1/0] via CORE, inside
S    192.168.3.0 255.255.255.0 [1/0] via ISP-GATEWAY, outside
S*   0.0.0.0 0.0.0.0 [1/0] via ISP-GATEWAY, outside

VIP Green

Is 192.168.3.0/24 and 10.2.1

Is 192.168.3.0/24 and 10.2.1.1 defined in the crypto ACL? and also exempt from NAT?

Because from your the configuration you posted it is 192.168.20.0/24 and 172.16.250.0/24 that is going over that tunnel.

If you could post a full (sanitized) running config of your ASA and the 1841 that could help in pinpointing where the issue could be.  Also If you could posts a network diagram of how the 877W, 1841, and ASA are located in relation to eachother and to the 10.0.0.0 network.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Sorry I think I confused

Sorry I think I confused matters running that test from the 1841 as I stripped out that part of the config I posted above.
I have rerun the test on the 877W as below.

The 172.16.250.0 network is directly connected (via a managed switch).  I can ping everything I need to from the ASA.

 

Again from the 877W:

 #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

ASA:

 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13

 

 

VIP Green

Is the 172.16.250.0/24

Is the 172.16.250.0/24 network directly connected to the ASA or is it routed within your network? 

Also, if 172.16.250.211 has a firewall installed on it such as windows firewall, or any other software firewall, make sure you disable it when testing as it can block ICMP and provide a false result.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

The network is directly

The network is directly connected, all there is between the server and the ASA is a switch.  The firewall is off and I can ping the device from other sites etc.

VIP Green

Do  you have an access list

Do  you have an access list configured on the inside interface?

Would you be able to post a full (sanitized) running config of the ASA?

Are there any statically configured routes on the server that could be sending traffic in the wrong direction?

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

I currently have an access

I currently have an access list configured however before I did this it still didn't work.

There are no routes set on the server, the default gateway is the core layer 3 switch on site.

Here is the full config:

ASA Version 9.1(5)
!
hostname TestASA
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address EXTERNAL-IP 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.250.247 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
object network obj-172.16.250.0
 subnet 172.16.250.0 255.255.255.0
object network Remote_VPN
 subnet 192.168.20.0 255.255.255.0
object network Home_VPN
 subnet 192.168.3.0 255.255.255.0
object network obj-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
object network obj-172.0.0.0-8
 subnet 172.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object object obj-10.0.0.0-8
 network-object object obj-172.0.0.0-8
access-list outside_cryptomap extended permit ip object obj-172.16.250.0 object Remote_VPN
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 object Home_VPN
access-list outside_access_in extended permit ip object Remote_VPN object obj-172.16.250.0
access-list inside_access_in extended permit ip object obj-172.16.250.0 object Remote_VPN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static Home_VPN Home_VPN no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.16.250.0 obj-172.16.250.0 destination static Remote_VPN Remote_VPN no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY 1
route inside 10.0.0.0 255.0.0.0 172.16.250.250 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Remote_VPN_EXTERNAL
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer Home_VPN_EXTERNAL
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 30
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 178.18.118.13 source outside
group-policy GroupPolicy_Home_VPN_EXTERNAL internal
group-policy GroupPolicy_Home_VPN_EXTERNAL attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_Remote_VPN_EXTERNAL internal
group-policy GroupPolicy_Remote_VPN_EXTERNAL attributes
 vpn-tunnel-protocol ikev1
username shaneb password 7p1BKZwVg2vqgROA encrypted privilege 15
tunnel-group Remote_VPN_EXTERNAL type ipsec-l2l
tunnel-group Remote_VPN_EXTERNAL general-attributes
 default-group-policy GroupPolicy_Remote_VPN_EXTERNAL
tunnel-group Remote_VPN_EXTERNAL ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group Home_VPN_EXTERNAL type ipsec-l2l
tunnel-group Home_VPN_EXTERNAL general-attributes
 default-group-policy GroupPolicy_Home_VPN_EXTERNAL
tunnel-group Home_VPN_EXTERNAL ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect icmp
  inspect icmp error
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dca165a7b4aee9e9dc0afe22f91bc9ce
: end

 

 

VIP Green

first I suggest changing the

first I suggest changing the ACL to:

access-list inside_access_in extended permit ip object obj-172.16.250.0 any

The following statement is not needed since VPN is not checked against an interface ACL by default.

access-list outside_access_in extended permit ip object Remote_VPN object obj-172.16.250.0

Does the home_vpn connection work?  If so, and it is not a very important connection that NEEDS to be up, could you issue the clear crypto isakmp and then try to connect over the remote_vpn VPN.  I have seen, though not often, that when I have added a new s2s VPN I need to issue the clear crypto command and have all the other connections rebuilt as well.  I have not really understood why this happens, but luckily it doesn't happen all that often.

I don't see anything that really stands out as wrong in your configuration.  I will have a look over it again just to be sure.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
VIP Green

By the way, have you turned

By the way, have you turned off the windows firewall / software firewall installed on the machine you are trying to ping?

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

I created that as a test when

I created that as a test when removing the settings "bypass ACL for VPN connections", just haven't removed it yet.  I have run the clear crypto command several times when testing and rebooted the ASA to see if it was related to that ASA bug.  The home vpn doesn't work either.

The firewall is disabled on the server

New Member

Sorry forgot to update this,

Sorry forgot to update this, the issue turned out to be some odd routing.  Thanks for your help Marius

VIP Green

Glad you got it sorted :-)-

Glad you got it sorted :-)

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
216
Views
0
Helpful
13
Replies
CreatePlease login to create content