New Member

Asa5505 Site to Site Issue

Hello, I have an Asa5505 that I am trying to configure as a site-to-site VPN. I can get to the internet behind the ASA and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. The IP of the VPN is 1.1.1.1, my group is test and my username is test1. When I try to go to http://10.241.113.194 I cannot access the page. The IP is changed for security. Thanks for your help in advance.

Here is my config....

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name comcast.net

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.200 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!           

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 4Wtw78CIa2UJQxhM encrypted

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 205.171.2.65

name-server 205.171.3.65

domain-name comcast.net

access-list Home_Users_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended deny ip any host 207.225.227.242

access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192

access-list Home_Users_splitTunnelAcl_1 standard permit any

access-list Home_Users_splitTunnelAcl_2 standard permit any

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map0 1 match address outside_1_cryptomap

crypto map outside_map0 1 set pfs

crypto map outside_map0 1 set peer 1.1.1.1

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd enable inside

!

vpnclient server 1.1.1.1

vpnclient mode client-mode

vpnclient vpngroup test password ********

vpnclient username test1 password ********

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132

: end

Your help with this issue is very much appreciated. Thank you!
37 REPLIES
Hall of Fame Super Blue

Re: Asa5505 Site to Site Issue

Dan

Looking at your config, it looks like you are setting up a NAT exemption for the site-to-site VPN traffic?

If you are, there is a mistake in your config. You have used this ACL for NAT exemption -

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

i.e. the ACL name is "inside_nat0_outbound_1" - note the _1 at the end

but your nat statement is not referencing this ACL, e.g. -

nat (inside) 0 access-list inside_nat0_outbound - note the missing _1 at the end of the ACL name

Jon

New Member

Re: Asa5505 Site to Site Issue

Thank you very much for your prompt response. I really appreciate it.

So I think I have fixed what you are describing. Here is my new config, and I still cannot access 10.241.113.194. Any other help that you are able to give, I thank you for in advance!

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name comcast.net

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.200 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!           

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 4Wtw78CIa2UJQxhM encrypted

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 205.171.2.65

name-server 205.171.3.65

domain-name comcast.net

access-list Home_Users_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended deny ip any host 207.225.227.242

access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192

access-list Home_Users_splitTunnelAcl_1 standard permit any

access-list Home_Users_splitTunnelAcl_2 standard permit any

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map0 1 match address outside_1_cryptomap

crypto map outside_map0 1 set pfs

crypto map outside_map0 1 set peer 173.160.193.178

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd enable inside

!

vpnclient server 1.1.1.1

vpnclient mode client-mode

vpnclient vpngroup test password ********

vpnclient username test1 password ********

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132

: end

Re: Asa5505 Site to Site Issue

Hi Dan,

Can you explain a little more on what you are trying to do:

1> Do you want just the site-to-site to work, meaning you want to have access from the internal network (192.168.x.x) to the 10.x.x.x network?

2> Do you want to be able to connect to the remote VPN and have access to both the 192.168.x.x and 10.x.x.x networks?

If you want the first option, then do sh crypto ipsec sa and see if the encrypt/decrypt counters increase when you initiate traffic between sites. If you want the second option, there are some changes required to make it work.

Thanks

Manish

New Member

Re: Asa5505 Site to Site Issue

Sorry for my delayed response. My phone does not support this forum.

1. Yes, that's what I would initially like to start with.

2. I do not need to be able to connect to this remotely, seeing that the 10.241.133.0 network has a Cisco 3000 concentrator that I use.

So right now what I would like is to be able to plug the internet into eth0, with the IP 192.168.1.200, and then plug all my other computers into the other Ethernet ports and have them get IPs in 192.168.1.0. Those need to be able to access 192.168.1.0 and also need to be able to access 10.241.113.0.

Eventually I would like to make it so that if the requested IP is in 10.241.113.0 it goes over the VPN and everything else does not, but for simplicity's sake I would like to get started with just being able to access 10.241.113.0 from my 192.168.1.0.

Thanks for your help!

Re: Asa5505 Site to Site Issue

Hi Dan,

Can you please make eth1-7 part of Vlan 1 and then use your ports and try the connection? That's the only thing I can see as far as the configuration of this side is concerned.

If it still doesn't work:

1> Post sh crypto isakmp sa

2> sh crypto ipsec sa (twice, with some traffic flow).

3> debug crypto isakmp & ipsec 128

Thanks

Manish

New Member

Re: Asa5505 Site to Site Issue

Hello Manish,

It seems as if they are already a part of that vlan, just don't say it...

ciscoasa# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           down      Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0

ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa# sh crypto ipsec sa
There are no ipsec sas
and ran the debug commands.
Also, I have noticed that when I am plugged into the asa on any of the vlan1, I cannot get to any local resources on 192.168.1.0.
Thanks for your help!

Re: Asa5505 Site to Site Issue

Dan,

Please connect a device to eth0/1 and make sure you manually do:

int eth0/1
switchport access vlan 1
no shut

Then try to ping 192.168.1.200 (the gateway); if it's successful, then try to connect to the 10.x.x.x network, look at the output of the crypto commands and see if you get any output. Are you sure the other end is configured properly?

Manish

New Member

Re: Asa5505 Site to Site Issue

I tried that, and I still cannot access 192.168.1.0, but I can access the web.

I am not sure if the other side is configured correctly, but the fact that I can use the cisco VPNClient and enter the same settings into the asa as I enter into the VPN Client I would assume that it is configured correctly, but I could be mistaken.

Thanks for your help Manish. I really appreciate it.

New Member

Re: Asa5505 Site to Site Issue

Here is the other information your requested...

ciscoasa# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
ciscoasa# show crypto ipsec sa

There are no ipsec sas
ciscoasa# show crypto isakmp sa

There are no isakmp sas
ciscoasa#

I really appreciate anyone that can help me fix this issue, because it is becoming somewhat urgent. Thanks for your time!

New Member

Re: Asa5505 Site to Site Issue

Would anyone else be able to lend a hand in helping with this? As always, I greatly appreciate your help, and thank you very much!

Super Bronze

Re: Asa5505 Site to Site Issue

Based on your latest configuration, you have 2 crypto maps (one for the VPN client and another one for the site-to-site VPN) and only 1 is applied to an interface.

You can only have 1 crypto map with multiple sequence numbers, not 2 crypto maps, because you can only apply 1 crypto map to an interface.

Can you please share the latest output of:

sh run crypto map

And advise which is working, vpn client or site-to-site vpn?

New Member

Re: Asa5505 Site to Site Issue

Jennifer, Thank you so much for your reply.

I am only trying to make this ASA act as the hardware-based client in the site to site. The VPN 3000 is up and running correctly and I can connect to it with the Cisco VPN Client. There may be old remnants in this config from the other test it was used for, but I tried to delete all the old VPN settings.

Could you advise me on what to change in the cryptos that you were referring to previously.

Thanks again Jennifer.

Super Bronze

Re: Asa5505 Site to Site Issue

Ahh.. makes sense now.

To trigger the tunnel, on the ASA, please enter: vpnclient enable

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Hope that helps.

New Member

Re: Asa5505 Site to Site Issue

Thanks so much for your reply again Jennifer. One thing I did not explicitly mention was that the VPN 3000 is the server, and the ASA is the hardware client.

Tried that command, and I received this error.

ciscoasa(config)# vpnclient enable
* Remove "nat (inside) 0 inside_nat0_outbound_1"
* Detach crypto map attached to interface outside
* Remove user-defined tunnel-groups
* Remove manually configured ISA policies

Thanks Jennifer for your continued support.
Super Bronze

Re: Asa5505 Site to Site Issue

Yes, you would need to remove all the crypto map configuration as it is not needed, and also the nat (inside) 0 command.

You would like to use the sample configuration provided earlier, and configure it in the same manner. Check the ASA hardware client configuration part. All the crypto configuration should not be there if you are configuring your ASA as hardware easy vpn client.
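The three review findings so far (Jon's nat 0 ACL whose name matches no defined access-list, Jennifer's point that a second crypto map is never applied to an interface, and the list of leftovers that vpnclient enable refuses to coexist with) can all be caught by a static check over the running-config before anything is pushed to the box. The Python below is an added example written for this page, not Cisco tooling or code from the thread; SAMPLE_CONFIG is a constructed excerpt assembled from lines posted above, and the function names and finding messages are my own.

```python
"""Static checks over a Cisco ASA 7.x running-config, covering the three
review findings in this thread: a nat-exemption ACL name that matches no
defined access-list, a crypto map defined but never applied to an interface,
and manual crypto/NAT lines that `vpnclient enable` refuses to coexist with.
Added example, not Cisco tooling; SAMPLE_CONFIG is constructed from lines
posted in the thread."""
import re

# Constructed excerpt in the shape of the configs posted above.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 interface outside
crypto isakmp policy 10
tunnel-group 1.1.1.1 type ipsec-l2l
vpnclient server 1.1.1.1
vpnclient mode client-mode
"""

NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
MATCH_ADDR_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ")
MAP_BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def parse_config(text):
    """Return the non-empty, non-comment lines of a config, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def check_acl_references(lines):
    """Every ACL named by a nat 0 or a crypto map 'match address' must exist."""
    defined = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    findings = []
    for ln in lines:
        m = NAT0_RE.match(ln)
        if m and m.group(1) not in defined:
            findings.append(f"nat 0 references undefined ACL '{m.group(1)}'")
        m = MATCH_ADDR_RE.match(ln)
        if m and m.group(2) not in defined:
            findings.append(f"crypto map '{m.group(1)}' references undefined ACL '{m.group(2)}'")
    return findings


def check_crypto_map_binding(lines):
    """A crypto map only takes effect once applied to an interface, and an
    interface takes a single map, so a second map name is usually leftover config."""
    names = {m.group(1) for m in map(MAP_ENTRY_RE.match, lines) if m}
    bound = {m.group(1): m.group(2) for m in map(MAP_BIND_RE.match, lines) if m}
    findings = [f"crypto map '{n}' is defined but not applied to any interface"
                for n in sorted(names - set(bound))]
    by_iface = {}
    for name, iface in bound.items():
        by_iface.setdefault(iface, []).append(name)
    for iface, maps in by_iface.items():
        if len(maps) > 1:
            findings.append(f"interface '{iface}' has more than one crypto map: {sorted(maps)}")
    return findings


def check_vpnclient_conflicts(lines):
    """When the ASA is an Easy VPN hardware client (vpnclient server present),
    the manual pieces that 'vpnclient enable' complains about must be gone."""
    if not any(ln.startswith("vpnclient server ") for ln in lines):
        return []
    return [f"conflicts with vpnclient enable: {ln}" for ln in lines
            if NAT0_RE.match(ln) or MAP_BIND_RE.match(ln)
            or ln.startswith(("tunnel-group ", "crypto isakmp policy "))]


def lint(text):
    """Run all checks and return the combined list of findings."""
    lines = parse_config(text)
    return (check_acl_references(lines) + check_crypto_map_binding(lines)
            + check_vpnclient_conflicts(lines))


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the checker reports the same three classes of problem the replies raised: the nat 0 line names inside_nat0_outbound while only inside_nat0_outbound_1 exists, outside_map is defined but outside_map0 is the one bound to the outside interface, and four lines (the nat 0, the crypto map binding, the isakmp policy and the tunnel-group) would have to go before vpnclient enable is accepted.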

New Member

Re: Asa5505 Site to Site Issue

Hello Jennifer,

Your link seems to have led me to some success.


Here is my config now...

ciscoasa# show run

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.199 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!            

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto isakmp identity hostname

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpnclient server 1.1.1.1

vpnclient mode network-extension-mode

vpnclient vpngroup Danny password ********

vpnclient username Dan password ********

vpnclient enable

!

class-map inspection_default

match default-inspection-traffic

!

prompt hostname context

Cryptochecksum:672d2b1d01af4dd38b2158f6d45548af

: end

Here is the show ipsec

show crypto ipsec sa

interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 2.2.2.2 255.255.255.128

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.128/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 6F624F5D

    inbound esp sas:

      spi: 0x474B8C4E (1196133454)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28162

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x6F624F5D (1868713821)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28162

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 15, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 1FE08F0B

    inbound esp sas:

      spi: 0x4129BC91 (1093254289)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28162

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x1FE08F0B (534810379)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28162

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.110.68.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.110.68.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 33CA67F4

    inbound esp sas:

      spi: 0xF8733CA2 (4168301730)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28157

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x33CA67F4 (868902900)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28157

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.111

      access-list _vpnc_acl permit ip host 192.168.1.111 host 1.1.1.1

      local ident (addr/mask/prot/port): (192.168.1.111/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.111/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 06F98D7F

    inbound esp sas:

      spi: 0xC42B8C7A (3291188346)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28152

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x06F98D7F (117017983)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28152

         IV size: 8 bytes

         replay detection support: Y

  Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_ACTIVE
I seem to be able to connect to my VPN, but the issue is I cannot ping anything on the 10.241.113.0 subnet. Could you help me resolve that?

Super Bronze

Re: Asa5505 Site to Site Issue

Excellent, definitely a good sign so far.

I saw that you have changed the mode from Client mode to Network Extension mode on your configuration. Can you please confirm whether it should be client mode or Network Extension mode?

For Network Extension mode, 192.168.1.0/24 subnet needs to be unique from the headend perspective, ie: 192.168.1.0/24 should not exist on the headend LAN, or any other remote LAN. If it does, then you would need to change it to Client mode.

The command is the following:

Either: vpnclient mode client-mode OR/ vpnclient mode network-extension-mode

(Pls kindly configure it accordingly).

You also want to remove the following default gateway as it is not correct:

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

If you decided to use Network Extension mode as 192.168.1.0/24 is unique within your topology, then on the head end, you would need to make sure that you configured NAT exemption for traffic sourcing from Headend LAN towards 192.168.1.0/24

Hope that helps.

New Member

Re: Asa5505 Site to Site Issue

Deleted the line that you advised. I use the 10.241.113.0 subnet at headquarters, and on the sites I would like to use something different, in this case 192.168.1.0. That is why I changed to network-extension mode. Let me know if you think that I am wrong in doing so.

Unfortunately, I am limited to the web interface for the VPN 3000 and would like to see if there is a way to set this up with just that.

Is there anything else that I need to change to make this work? It still does not seem to work. Thanks for your help as always!

Super Bronze

Re: Asa5505 Site to Site Issue

Based on that output, the issue is on your VPN Concentrator, not on the ASA. You might want to check the VPN Concentrator configuration.

On the VPN Concentrator, check if you have route to 192.168.1.0/24 pointing towards the public interface, not private interface.

Can you also check the SA on the VPN Concentrator for this particular vpn tunnel? I am assuming that you will see traffic decrypt counter increasing but encrypt counter will be zero? Please double check the status on the Concentrator.
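The diagnostic Manish and Jennifer describe, reading the #pkts encaps / #pkts decaps counters in show crypto ipsec sa, taking the output twice with traffic in between, and seeing which direction is actually moving, can be automated so the one-way pattern is obvious at a glance. The Python below is an added example for this page, not Cisco tooling or code from the thread; SAMPLE_BEFORE is constructed in the format of the dumps posted above (including a LAN-to-LAN SA with 15 packets encrypted and 0 decrypted), SAMPLE_AFTER is a second constructed snapshot, and the classification labels are my own.

```python
"""Parse `show crypto ipsec sa` from an ASA and classify each SA by its
packet counters.  encaps rising while decaps stays at zero means the ASA is
sending but nothing comes back (return routing at the far end, or an
upstream device dropping the tunnel traffic); decaps without encaps is the
reverse.  Added example, not Cisco tooling; the sample output is constructed
in the format of the dumps posted in this thread."""
import re

SAMPLE_BEFORE = """\
interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110

      access-list _vpnc_acl permit ip host 192.168.1.110 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.110/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500
"""

# Constructed second snapshot "with some traffic flow": the LAN-to-LAN SA has
# encrypted 10 more packets and still received none.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("#pkts encaps: 15, #pkts encrypt: 15",
                                     "#pkts encaps: 25, #pkts encrypt: 25")

TAG_RE = re.compile(r"^\s*Crypto map tag:", re.M)
IDENT_RE = r"{} ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"
COUNTER_RE = r"#pkts {}: (\d+)"
ENDPT_RE = re.compile(r"remote crypto endpt\.: (\S+?)/(\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA block with its selectors, counters and peer."""
    sas = []
    for block in TAG_RE.split(text)[1:]:          # drop the 'interface:' header
        local = re.search(IDENT_RE.format("local"), block)
        remote = re.search(IDENT_RE.format("remote"), block)
        encaps = re.search(COUNTER_RE.format("encaps"), block)
        decaps = re.search(COUNTER_RE.format("decaps"), block)
        endpt = ENDPT_RE.search(block)
        if not (local and remote and encaps and decaps):
            continue
        sas.append({
            "local": "/".join(local.groups()),
            "remote": "/".join(remote.groups()),
            "encaps": int(encaps.group(1)),
            "decaps": int(decaps.group(1)),
            "peer": endpt.group(1) if endpt else None,
            # Port 4500 on the crypto endpoints means NAT-T: UDP/4500, not raw ESP.
            "nat_t": bool(endpt and endpt.group(2) == "4500"),
        })
    return sas


def classify(sa):
    """Name the traffic pattern the two counters show."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["decaps"] == 0:
        return "encrypt-only"    # we send, nothing returns
    if sa["encaps"] == 0:
        return "decrypt-only"    # far end sends, we never answer
    return "bidirectional"


def counter_deltas(before, after):
    """Per-selector counter growth between two snapshots of the same command."""
    key = lambda sa: (sa["local"], sa["remote"])
    earlier = {key(sa): sa for sa in before}
    deltas = {}
    for sa in after:
        prev = earlier.get(key(sa))
        if prev is not None:
            deltas[key(sa)] = (sa["encaps"] - prev["encaps"], sa["decaps"] - prev["decaps"])
    return deltas


def report(before_text, after_text):
    """One human-readable line per SA: pattern, growth, and which transport to allow upstream."""
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    deltas = counter_deltas(before, after)
    lines = []
    for sa in after:
        d_enc, d_dec = deltas.get((sa["local"], sa["remote"]), (0, 0))
        transport = "UDP/4500 (NAT-T)" if sa["nat_t"] else "ESP"
        lines.append(f"{sa['local']} -> {sa['remote']}: {classify(sa)} "
                     f"(+{d_enc} encaps, +{d_dec} decaps) via {transport}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

On the constructed snapshots the host-to-peer SA is bidirectional while the 192.168.1.0/24 to 10.241.113.0/24 SA is encrypt-only and keeps growing on the encaps side alone, which is the pattern in the thread: IKE and the tunnel itself are up, the ASA is encrypting user traffic, and nothing comes back, so the next place to look is return routing at the head end or whatever sits in front of the ASA on UDP/4500.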

New Member

Re: Asa5505 Site to Site Issue

I think I have fixed the routing issues on the VPN. Here is my new show ipsec sa

ciscoasa# sh ipsec sa

interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 0E64ABB5

    inbound esp sas:

      spi: 0x38CF9DA2 (953130402)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28788

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x0E64ABB5 (241478581)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28788

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 6E0E3359

    inbound esp sas:

      spi: 0xBE2A9BF7 (3190463479)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28788

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x6E0E3359 (1846424409)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28788

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.110

      access-list _vpnc_acl permit ip host 192.168.1.110 host 1.1.1.1

      local ident (addr/mask/prot/port): (192.168.1.110/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.110/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 12BC9395

    inbound esp sas:

      spi: 0xD3E78BC2 (3555167170)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28780

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x12BC9395 (314348437)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28780

         IV size: 8 bytes

         replay detection support: Y

I can see that my username has 520 bytes rx and 0 bytes tx. I still cannot ping 10.241.113.194. Is there anything else that you can advise? Thank you so much! I really appreciate all of your help!

Super Bronze

Re: Asa5505 Site to Site Issue

You mentioned that you can see your username with 512 bytes rx and I assume that you are seeing that on the VPN Concentrator. Based on that information and also the output of "show ipsec sa" on the ASA, the traffic does not seem to reach the ASA. Is there any firewall or access-list in front of the ASA or VPN Concentrator that might be blocking the IPSec tunnel? You would need to allow ESP protocol or UDP/4500.

New Member

Re: Asa5505 Site to Site Issue

I do not think so. It is behind a WRT600n with DD-WRT firmware. I forwarded ports 4500, 500 and 50 through 53 to the ASA at the IP of 192.168.1.109, as that is the IP that was dynamically assigned to the ASA (but I also tried 192.168.1.199, just to make sure). VPN passthrough is also enabled.

Yes, my username is on the concentrator and every time that I ping 10.241.113.194 I can see the rx on my username on the concentrator increase. The tx still remains at 0.

Here is my show ipsec sa

ciscoasa# show ipsec sa

interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 3FC451FD

    inbound esp sas:

      spi: 0x4E878CBB (1317506235)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 2, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28152

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3FC451FD (1069830653)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 2, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28152

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 17EDE630

    inbound esp sas:

      spi: 0xCF8A99CD (3481967053)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 2, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28152

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x17EDE630 (401466928)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 2, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28152

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip host 192.168.1.109 host 1.1.1.1

      local ident (addr/mask/prot/port): (192.168.1.109/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 2B2AF1FA

    inbound esp sas:

      spi: 0x0790ABBD (126921661)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 2, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28144

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x2B2AF1FA (724234746)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 2, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 28144

         IV size: 8 bytes

         replay detection support: Y

Here is my show run

ciscoasa# show run
: Saved
:ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.199 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!            
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity hostname
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 1.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup Danny password ********
vpnclient username Dan password ********
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
prompt hostname context
Cryptochecksum:bec0415f99c134868f817aed754c6c2b
: end

Thanks so much for your help Jennifer, I greatly appreciate it. Let me know if you have any other suggestions. Have a good day!

Super Bronze

Re: Asa5505 Site to Site Issue

Hi Dan,

Based on the output on the ASA, i.e. "#pkts encaps: 10" and 0 pkts decaps, and the same on the VPN Concentrator, i.e. encaps are increasing but decaps are still 0, that means that both ends are encrypting the traffic; however, neither end receives the encrypted packets, therefore the decaps counter remains zero, i.e. there is nothing to be decrypted because neither end received the encrypted packet.

As advised, it is definitely not a VPN end point issue (not the ASA nor the VPN Concentrator), but rather the network device in between. Please check if your WRT600n is forwarding traffic out and in correctly, especially on UDP port 4500. Please make sure that the forwarding for port 4500 includes UDP. The rest of the other ports are OK, so please don't make any changes on other ports.
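
The reasoning in this reply (encaps counting up while decaps stays at zero on both ends) can be applied mechanically to the show ipsec sa output. The Python script below is an added example, not from the thread or from Cisco: it parses the per-crypto-map counters from a sample constructed from Dan's earlier show ipsec sa post (trimmed to the lines the script reads), classifies each SA as idle, one-way or bidirectional, and notes when the remote endpoint is on UDP/4500 (NAT-T), since that is the port the device in front of the ASA has to pass in both directions.

```python
"""Classify Cisco ASA 'show ipsec sa' entries by their encaps/decaps counters.

Added example for this thread; not ASA code. The sample text is constructed
from the counters Dan posted (encaps 10, decaps 0 on the 10.241.113.0/24 SA).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_SHOW_IPSEC_SA = """\
interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.109

      access-list _vpnc_acl permit ip host 192.168.1.109 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.109/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 192.168.1.109/4500, remote crypto endpt.: 1.1.1.1/4500
"""


@dataclass
class IpsecSa:
    local_net: str        # local ident, "addr/mask"
    remote_net: str       # remote ident, "addr/mask"
    peer: str
    encaps: int           # packets this side encrypted and sent
    decaps: int           # packets this side received and decrypted
    send_errors: int
    recv_errors: int
    remote_port: Optional[int]   # 4500 means NAT-T encapsulation is in use


def _int(pattern: str, block: str) -> int:
    m = re.search(pattern, block)
    return int(m.group(1)) if m else 0


def _str(pattern: str, block: str) -> str:
    m = re.search(pattern, block)
    return m.group(1) if m else ""


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output at each 'Crypto map tag:' line and read one SA per block."""
    sas = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        port = _str(r"remote crypto endpt\.: [\d.]+/(\d+)", block)
        sas.append(IpsecSa(
            local_net=_str(r"local ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/", block),
            remote_net=_str(r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/", block),
            peer=_str(r"current_peer: ([\d.]+)", block),
            encaps=_int(r"#pkts encaps: (\d+)", block),
            decaps=_int(r"#pkts decaps: (\d+)", block),
            send_errors=_int(r"#send errors: (\d+)", block),
            recv_errors=_int(r"#recv errors: (\d+)", block),
            remote_port=int(port) if port else None,
        ))
    return sas


def diagnose(sa: IpsecSa) -> str:
    """Apply the encaps/decaps reasoning from the reply above to one SA."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    if sa.encaps > 0 and sa.decaps == 0:
        return "one-way: sending (encaps>0) but nothing received (decaps=0)"
    if sa.decaps > 0 and sa.encaps == 0:
        return "one-way: receiving (decaps>0) but nothing sent (encaps=0)"
    return "bidirectional"


def report(text: str) -> List[str]:
    """One line per SA; one-way SAs over NAT-T get a UDP/4500 reminder."""
    lines = []
    for sa in parse_ipsec_sa(text):
        verdict = diagnose(sa)
        line = (f"{sa.local_net} -> {sa.remote_net} via {sa.peer}: "
                f"encaps={sa.encaps} decaps={sa.decaps} ({verdict})")
        if sa.remote_port == 4500 and verdict.startswith("one-way"):
            line += "; NAT-T in use, verify UDP/4500 is passed in both directions"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SHOW_IPSEC_SA)))
```

Run it against a pasted show ipsec sa to get the same verdict per SA that this reply derives by hand; an SA whose counters stay at zero on both sides (the host-to-peer entry here) is simply unused and says nothing about the path.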

New Member

Re: Asa5505 Site to Site Issue

Jennifer,

Thanks for all of your help. I was just checking to see if port 4500 was open and it is on my router, but I tried using an online port scanner to see if UDP 4500 is open, and it seems to be closed. I am going to try at a different location tomorrow.

Thanks for your help Jennifer, I really appreciate your help! Have a good night!

New Member

Re: Asa5505 Site to Site Issue

So I tried it at my business connection and it did the same thing. Still able to connect, the VPN light still illuminates, but still not able to ping 10.241.113.194. I can, however, still connect with the vpnclient software, and can still ping 10.241.113.194 when connected with the client software. I tried forwarding port 4500 and that did not change the result. Is there a way that I could verify that port 4500 is open?

This was in the show ipsec sa. Could this have something to do with our issue?

dynamic allocated peer ip: 0.0.0.0

ciscoasa# ping 10.241.113.194

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Thanks for your help Jennifer, I really appreciate it, hopefully we can get this resolved. Let me know as always if you can help me in any other way, or know of someone else that you could ping to help me with this. Thanks so much!
Dan

Super Bronze

Re: Asa5505 Site to Site Issue

Great, thanks for posting the ping from ASA.

You would need to ping from the inside interface on the ASA as follows:

ciscoasa# ping inside 10.241.113.194

You can't just perform: "ping 10.241.113.194" because it's sourcing the ping from the outside interface of the ASA which is not part of crypto ACL.

New Member

Re: Asa5505 Site to Site Issue

Hello Jennifer,

Thanks for your reply. Unfortunately that did not work for me.

ciscoasa# ping inside 10.241.113.194

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa#

I found it odd that when I ping 10.241.113.194 the "#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4" increases, but when I do ping inside 10.241.113.194 those numbers remain the same.

I also tried to ping the concentrators internal ip with the same result.

I am adding these just in case they are of any help.

ciscoasa# sh crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 1.1.1.1

    Type    : user            Role    : initiator

    Rekey   : no              State   : AM_ACTIVE

ciscoasa# show ipsec sa

interface: outside

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 192.0.0.0 255.0.0.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 2E4E764C

    inbound esp sas:

      spi: 0xCFC253FE (3485619198)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 27728

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x2E4E764C (776894028)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 27728

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 192.168.1.103

      access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1, username: 1.1.1.1

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.103/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 75352F6A

    inbound esp sas:

      spi: 0x9F57847E (2673312894)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 27786

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x75352F6A (1966419818)

         transform: esp-3des esp-md5-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 1, crypto-map: _vpnc_cm

         sa timing: remaining key lifetime (sec): 27786

         IV size: 8 bytes

         replay detection support: Y

ciscoasa# show vpnclient

LOCAL CONFIGURATION

vpnclient server 1.1.1.1

vpnclient mode network-extension-mode

vpnclient vpngroup Danny password ********

vpnclient username Dan password ********

vpnclient enable

DOWNLOADED DYNAMIC POLICY

Current Server                     : 1.1.1.1

Primary DNS                        : 8.8.8.8

Secondary DNS                      : 4.2.2.2

PFS Enabled                        : No

Secure Unit Authentication Enabled : No

User Authentication Enabled        : No

Split Tunnel Networks              : 10.241.113.0/255.255.255.0 192.0.0.0/255.0.0.0

Backup Servers                     : None

ciscoasa# show interface

Interface Vlan1 "inside", is up, line protocol is up

  Hardware is EtherSVI

MAC address 001e.be9e.592a, MTU 1500

IP address 192.168.1.199, subnet mask 255.255.255.0

  Traffic Statistics for "inside":

17646 packets input, 2877146 bytes

24 packets output, 2112 bytes

13850 packets dropped

      1 minute input rate 1 pkts/sec,  134 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  217 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

Interface Vlan2 "outside", is up, line protocol is up

  Hardware is EtherSVI

MAC address 001e.be9e.592a, MTU 1500

IP address 192.168.1.103, subnet mask 255.255.0.0

  Traffic Statistics for "outside":

17996 packets input, 2906644 bytes

1905 packets output, 88273 bytes

16729 packets dropped

      1 minute input rate 1 pkts/sec,  136 bytes/sec

      1 minute output rate 0 pkts/sec,  18 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 1 pkts/sec,  219 bytes/sec

      5 minute output rate 0 pkts/sec,  9 bytes/sec

      5 minute drop rate, 1 pkts/sec

Interface Ethernet0/0 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Available but not configured via nameif

MAC address 001e.be9e.5922, MTU not set

IP address unassigned

18020 packets input, 3233635 bytes, 0 no buffer

Received 1672 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

9 switch ingress policy drops

1905 packets output, 151219 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/1 "", is up, line protocol is up

  Hardware is 88E6095, BW 100 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Available but not configured via nameif

        MAC address 001e.be9e.5923, MTU not set

IP address unassigned

17661 packets input, 3196956 bytes, 0 no buffer

Received 1674 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

24 packets output, 2616 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

0 rate limit drops

0 switch egress policy drops

Do you know what I could do to fix this issue? Thanks for your help!

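
The addressing in the outputs above can be checked mechanically. The script below is an added example, not from the thread or from Cisco: it takes the interface addresses from the show interface output, the split-tunnel networks from show vpnclient and the local/remote idents from show ipsec sa, then reports interface networks that overlap each other, tunnel networks that overlap a directly connected network, and which crypto ACL entry a given source/destination pair matches. On these values it flags that the inside network 192.168.1.0/24 lies within the outside interface's 192.168.0.0/16 and within the 192.0.0.0/8 split-tunnel network, and that a ping sourced from the outside address 192.168.1.103 still matches the 192.168.1.0/24 to 10.241.113.0/24 entry, which is consistent with the encaps counter rising on the plain ping.

```python
"""Addressing sanity checks for the ASA outputs posted in this thread.

Added example; the values are copied from Dan's show interface,
show vpnclient and show ipsec sa output, not invented.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

INTERFACES: Dict[str, str] = {
    "inside": "192.168.1.199/255.255.255.0",   # Interface Vlan1 in show interface
    "outside": "192.168.1.103/255.255.0.0",    # Interface Vlan2 in show interface
}

# "Split Tunnel Networks" line from show vpnclient
SPLIT_TUNNEL: List[str] = ["10.241.113.0/255.255.255.0", "192.0.0.0/255.0.0.0"]

# (local ident, remote ident) pairs from the last show ipsec sa
CRYPTO_ACL: List[Tuple[str, str]] = [
    ("192.168.1.0/255.255.255.0", "192.0.0.0/255.0.0.0"),
    ("192.168.1.0/255.255.255.0", "10.241.113.0/255.255.255.0"),
]


def net(addr_and_mask: str) -> Net:
    """'192.168.1.199/255.255.255.0' -> IPv4Network('192.168.1.0/24')."""
    return ipaddress.ip_network(addr_and_mask, strict=False)


def interface_overlaps(interfaces: Dict[str, str]) -> List[str]:
    """Two interfaces on overlapping networks give the ASA two connected
    routes for the same address space; report every such pair."""
    nets = {name: net(value) for name, value in interfaces.items()}
    names = sorted(nets)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return findings


def tunnel_overlaps(interfaces: Dict[str, str], remote_nets: List[str]) -> List[str]:
    """A remote (split-tunnel) network that overlaps a directly connected
    network means local traffic also matches the crypto ACL; report each case."""
    findings = []
    for name in sorted(interfaces):
        local = net(interfaces[name])
        for remote in remote_nets:
            r = net(remote)
            if local.overlaps(r):
                findings.append(f"split-tunnel network {r} overlaps {name} {local}")
    return findings


def matching_acl_entry(src: str, dst: str,
                       acl: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """First crypto ACL entry whose local ident holds src and remote ident holds dst,
    i.e. the entry under which the packet would be encapsulated; None if no match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in net(entry[0]) and d in net(entry[1]):
            return entry
    return None


if __name__ == "__main__":
    for line in interface_overlaps(INTERFACES) + tunnel_overlaps(INTERFACES, SPLIT_TUNNEL):
        print("finding:", line)
    for src in ("192.168.1.103", "192.168.1.199"):
        print(f"ping from {src} to 10.241.113.194 matches",
              matching_acl_entry(src, "10.241.113.194", CRYPTO_ACL))
```

The checks use only the standard library ipaddress module, so the same script can be pointed at any set of interface, split-tunnel and ident values copied from an ASA.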
New Member

Re: Asa5505 Site to Site Issue

Anyone able to help me finish solving my issue? I would greatly appreciate the help, and already greatly appreciate all the help that I have gotten! Thank you so much, this community is awesome.

New Member

Re: Asa5505 Site to Site Issue

Anyone able to help me solve this?

Thanks for your help, I appreciate it.
