Cisco Support Community
Can't establish Tunnel over ASA 5505 Vlan please help!!!

I cannot get a tunnel to establish from (see config). I don't think I am getting phase 1. Am I missing something simple? Please help

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
 
names
!
interface Ethernet0/0
 description inet
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!            
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 switchport access vlan 8
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 155
!
interface Vlan1
 description inet
 nameif outside
 security-level 0
 ip address xxxxxxxxx
!
interface Vlan8
 no forward interface Vlan155
 nameif iwdn 
 security-level 100
 ip address 10.8.18.6 255.255.255.248
!
interface Vlan155
 description private
 nameif inside
 security-level 50
 ip address 192.168.200.254 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network inside-net
 subnet 192.168.200.0 255.255.255.0
object network LocalLAN
 subnet 10.8.18.0 255.255.255.248
object-group network RemoteVPNObjects
 network-object 10.0.0.0 255.0.0.0
 network-object host xxxxxxxxx
access-list acl_iwdn extended permit ip 10.8.18.0 255.255.255.248 10.0.0.0 255.0.0.0
access-list acl_iwdn extended permit ip 10.8.18.0 255.255.255.248 host xxxxxxxx
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_inside extended permit ip 10.8.18.0 255.255.255.248 10.0.0.0 255.0.0.0
access-list acl_inside extended permit ip 10.8.18.0 255.255.255.248 host xxxxxxxx
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu iwdn 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic inside-net interface
nat (iwdn,any) source static LocalLAN LocalLAN destination static RemoteVPNObjects RemoteVPNObjects
nat (iwdn,outside) source dynamic any interface
!
object network inside-net
 nat (inside,outside) dynamic interface
access-group acl_inside in interface iwdn
route outside 0.0.0.0 0.0.0.0 public
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set P2PVPNSet esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map DynamicMap 10 match address acl_iwdn
crypto map DynamicMap 10 set peer xxxxxxxxxx
crypto map DynamicMap 10 set ikev1 transform-set P2PVPNSet
crypto map DynamicMap interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
 
console timeout 0
management-access inside
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.103 source outside prefer
ntp server 192.43.244.18 source outside prefer
 
tunnel-group xxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxx ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
Accepted Solution

Remove this:

no nat (inside,outside) source dynamic inside-net interface

Add this:

object network OBJ-NAT-ALL
subnet 0.0.0.0 0.0.0.0 
nat (inside,outside) dynamic interface

Try again, post the results of

show cry isa

Pete
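Added example, not from the thread or from Cisco: a small Python model of the ASA NAT lookup order that Pete's fix relies on. Manual (twice) NAT rules in section 1 are evaluated top-down before object NAT in section 2, so a broad manual dynamic PAT rule that sits ahead of the identity (NAT-exempt) rule for the VPN subnet rewrites the source address to the outside interface; the packet then no longer matches acl_iwdn, no "interesting traffic" exists, and IKE phase 1 is never started. Moving the dynamic PAT into object NAT leaves the identity rule to win. The addresses 203.0.113.1, 10.0.0.5 and 198.51.100.7 are placeholders for the masked ones, and the "shadowed" ordering is constructed to show the failure mode in general, not a statement of what the posted order was.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses (the thread masks the real ones).
OUTSIDE_IP = "203.0.113.1"      # ASA outside interface address (placeholder)
REMOTE_VPN_HOST = "10.0.0.5"    # a host in the remote 10.0.0.0/8 network (placeholder)
INTERNET_HOST = "198.51.100.7"  # an arbitrary Internet destination (placeholder)

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr)


@dataclass
class NatRule:
    """One NAT rule: ingress interface, source match, optional destination match, action."""
    ingress: str             # interface name, or "any"
    source: IPv4Net
    dest: Optional[IPv4Net]  # None means any destination
    action: str              # "identity" keeps the source; "pat" rewrites it to OUTSIDE_IP
    label: str

    def matches(self, ingress: str, src, dst) -> bool:
        if self.ingress not in ("any", ingress):
            return False
        if src not in self.source:
            return False
        return self.dest is None or dst in self.dest


# Identity rule from the posted config (LocalLAN -> RemoteVPNObjects, 10.0.0.0/8 member).
IDENTITY_VPN = NatRule("iwdn", net("10.8.18.0/29"), net("10.0.0.0/8"), "identity",
                       "nat (iwdn,any) source static LocalLAN LocalLAN destination static "
                       "RemoteVPNObjects RemoteVPNObjects")
# Constructed worst case: a manual dynamic PAT for any source, placed first in section 1.
MANUAL_PAT_ANY = NatRule("any", net("0.0.0.0/0"), None, "pat",
                         "manual (section 1): source dynamic any interface")
# Pete's replacement: the same PAT expressed as object NAT, which lives in section 2.
OBJECT_PAT_ALL = NatRule("inside", net("0.0.0.0/0"), None, "pat",
                         "object NAT (section 2): OBJ-NAT-ALL nat (inside,outside) dynamic interface")


def translate(ingress, src, dst, section1, section2):
    """Return (source address as seen on the outside, label of the rule that matched).

    Models the ASA order: section 1 (manual NAT) top-down, then section 2 (object NAT).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in section1 + section2:
        if rule.matches(ingress, src, dst):
            return (str(src) if rule.action == "identity" else OUTSIDE_IP), rule.label
    return str(src), "no NAT rule matched"


def matches_crypto_acl(src, dst) -> bool:
    """First line of acl_iwdn: permit ip 10.8.18.0/29 10.0.0.0/8 (the traffic that triggers IKE)."""
    return (ipaddress.ip_address(src) in net("10.8.18.0/29")
            and ipaddress.ip_address(dst) in net("10.0.0.0/8"))


def scenario_shadowed():
    """Manual dynamic PAT ahead of the identity rule in section 1 (constructed bad ordering)."""
    seen, rule = translate("iwdn", "10.8.18.6", REMOTE_VPN_HOST,
                           [MANUAL_PAT_ANY, IDENTITY_VPN], [])
    return {"outside_src": seen, "rule": rule,
            "triggers_ike": matches_crypto_acl(seen, REMOTE_VPN_HOST)}


def scenario_fixed():
    """Pete's layout: identity rule alone in section 1, dynamic PAT as object NAT in section 2."""
    vpn_seen, vpn_rule = translate("iwdn", "10.8.18.6", REMOTE_VPN_HOST,
                                   [IDENTITY_VPN], [OBJECT_PAT_ALL])
    web_seen, web_rule = translate("inside", "192.168.200.10", INTERNET_HOST,
                                   [IDENTITY_VPN], [OBJECT_PAT_ALL])
    return {"vpn_outside_src": vpn_seen, "vpn_rule": vpn_rule,
            "triggers_ike": matches_crypto_acl(vpn_seen, REMOTE_VPN_HOST),
            "web_outside_src": web_seen, "web_rule": web_rule}


if __name__ == "__main__":
    print("shadowed:", scenario_shadowed())
    print("fixed:   ", scenario_fixed())
```

On a real ASA the equivalent check is `show nat detail` (per-rule hit counts, in evaluation order) and `packet-tracer input iwdn tcp 10.8.18.6 1024 10.0.0.5 80`, whose NAT and VPN phases show which rule matched and whether the flow was handed to the crypto map; the placeholder addresses above would be replaced with the real ones.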

 

4 REPLIES
This did it! Thank you so much

:) Bit me yesterday too here

Glad to help

Hi,

Apart from NAT suggestions....

Your crypto ACL seems to have overlapping subnets at both ends... if so, it requires special treatment at both ends.

access-list acl_iwdn extended permit ip 10.8.18.0 255.255.255.248 10.0.0.0 255.0.0.0
access-list acl_iwdn extended permit ip 10.8.18.0 255.255.255.248 host xxxxxxxx

Regards

Karthik
