Cisco Support Community
IPSec Connected but can't access network

I have an ASA 5505 IPsec tunnel between two sites; one side is behind a NAT router. When I run a debug it says Phase 1 is OK, and Phase 2 is OK also.

Even when I configured it, at that time it was working perfectly, but the next day I was not able to access the remote network. Here is my configuration:

: Saved
:
ASA Version 9.0(1)
!
hostname routerin
domain-name abc.com
enable password ************** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ************* encrypted
names
name 172.10.1.80 CCTV description CCTV
name 192.168.1.1 TATA
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 72
!
interface Ethernet0/2
 switchport access vlan 72
!
interface Ethernet0/3
 switchport access vlan 72
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 82
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.10.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.200 255.255.255.0
!
interface Vlan5
 no nameif
 security-level 50
 ip address dhcp
!
boot system disk0:/asa901-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 202.54.10.2
 name-server 202.54.29.5
 domain-name abc.com
object network obj-172.10.1.0
 subnet 172.10.1.0 255.255.255.0
object network CCTV
 host 172.10.1.80
object network CCTV-01
 host 172.10.1.80
object network CCTV-02
 host 172.10.1.80
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.10.1.0_24
 subnet 172.10.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in remark Inernet
access-list inside_access_in extended permit ip any4 any4
access-list outside_cryptomap extended permit ip 172.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in remark Internet
access-list outside_access_in extended permit ip any4 any4
access-list outside_access_in extended permit tcp any4 object CCTV eq www
access-list outside_access_in remark Migration, ACE (line 4) expanded: permit object-group TCPUDP any4 interface outside eq 37777
access-list outside_access_in extended permit udp any4 object CCTV eq 37777
access-list outside_access_in extended permit tcp any4 object CCTV eq 37777
access-list outside_access_in remark Migration: End of expansion
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-701.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.10.1.0_24 NETWORK_OBJ_172.10.1.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
!
object network CCTV
 nat (inside,outside) static interface service tcp www www
object network CCTV-01
 nat (inside,outside) static interface service tcp 37777 37777
object network CCTV-02
 nat (inside,outside) static interface service udp 37777 37777
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 TATA 1
route outside 172.10.1.0 255.255.255.0 219.64.82.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.10.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set EBI esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 115.85.25.21
crypto map outside_map 1 set ikev1 transform-set EBI
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.10.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.10.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.10.1.21-172.10.1.52 inside
dhcpd dns 202.54.10.2 202.54.29.5 interface inside
dhcpd enable inside
!
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy 115.85.23.21 internal
group-policy 115.85.23.21 attributes
 vpn-tunnel-protocol ikev1
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_115.85.25.21 internal
group-policy GroupPolicy_115.85.25.21 attributes
 vpn-tunnel-protocol ikev1
username admin password *************** encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy 115.85.25.21
tunnel-group DefaultRAGroup general-attributes
 default-group-policy 115.85.25.21
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy 115.85.25.21
tunnel-group 115.85.23.21 type ipsec-l2l
tunnel-group 115.85.23.21 general-attributes
 default-group-policy 115.85.25.21
tunnel-group 115.85.23.21 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9172852cb57fc343ef2a5e3cc1813139
: end
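Added example, not part of the original post and not a Cisco tool: a small Python lint that reads a trimmed excerpt of the configuration posted above (constructed inline; the `TATA` name alias is expanded to 192.168.1.1 as the posted `name` line defines it) and reports the mismatches that most often leave a site-to-site tunnel negotiating fine while no traffic crosses it, plus the exposure a reviewer would raise. On that excerpt it reports that the crypto map peer 115.85.25.21 has no matching `tunnel-group ... type ipsec-l2l` (the one configured is 115.85.23.21, so IKE for the real peer falls back to DefaultL2LGroup), that NAT-T is disabled both globally and on the crypto map although one side sits behind a NAT router, that `route outside 172.10.1.0 255.255.255.0 219.64.82.1` names the directly connected inside subnet with a next hop that is not on the outside segment, and that ASDM/HTTPS (`http 0.0.0.0 0.0.0.0 outside`) and `permit ip any4 any4` inbound are open on the outside interface. The crypto ACL and the identity NAT rule agree, so that check comes back clean. The `lint()` function, its finding codes and the `behind_nat` flag are this example's own.

```python
"""Lint an ASA site-to-site IPsec config for the mismatches that leave a tunnel
"up" with no traffic, plus the exposure a reviewer would flag.
Added example: not from the thread, not an ASA feature. ASA_CONFIG is a
constructed excerpt of the posted config (TATA expanded to 192.168.1.1 as the
posted `name` line defines it); lint() and its finding codes are this example's own."""
import ipaddress
import re

ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 172.10.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.1.200 255.255.255.0
object network NETWORK_OBJ_172.10.1.0_24
 subnet 172.10.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
 subnet 192.168.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit ip any4 any4
nat (inside,outside) source static NETWORK_OBJ_172.10.1.0_24 NETWORK_OBJ_172.10.1.0_24 destination static NETWORK_OBJ_192.168.10.0_24 NETWORK_OBJ_192.168.10.0_24 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside 172.10.1.0 255.255.255.0 219.64.82.1 1
http 0.0.0.0 0.0.0.0 outside
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 115.85.25.21
crypto map outside_map 1 set nat-t-disable
no crypto isakmp nat-traversal
tunnel-group 115.85.23.21 type ipsec-l2l
"""


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse(config):
    """Return (text, {nameif: connected subnet}, {object name: network})."""
    ifaces, objs, cur = {}, {}, None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            cur = ["iface", None]
        elif ln.startswith("object network "):
            cur = ["obj", ln.split()[2]]
        elif cur and cur[0] == "iface" and ln.startswith(" nameif "):
            cur[1] = ln.split()[1]
        elif cur and cur[0] == "iface" and cur[1] and ln.startswith(" ip address "):
            ifaces[cur[1]] = _net(*ln.split()[2:4])
        elif cur and cur[0] == "obj" and ln.startswith(" subnet "):
            objs[cur[1]] = _net(*ln.split()[1:3])
        elif cur and cur[0] == "obj" and ln.startswith(" host "):
            objs[cur[1]] = _net(ln.split()[1], "255.255.255.255")
    return config, ifaces, objs


def lint(config, behind_nat=False):
    """Return 'CODE detail' strings; behind_nat says a NAT device sits in the path."""
    text, ifaces, objs = parse(config)
    out = []
    # 1. A crypto-map peer with no ipsec-l2l tunnel-group of its own authenticates
    #    through DefaultL2LGroup, with whatever pre-shared key (if any) is set there.
    l2l = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", text, re.M))
    for peer in re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", text, re.M):
        if peer not in l2l:
            out.append(f"PEER_NO_TUNNEL_GROUP {peer} (l2l groups: {sorted(l2l)})")
    # 2. Every crypto-ACL pair needs an identity (NAT-exempt) rule, or interface PAT
    #    rewrites the source before the packet is matched against the SA.
    exempt = set()
    for a, b in re.findall(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", text, re.M):
        if a in objs and b in objs:
            exempt.add((objs[a], objs[b]))
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", text, re.M):
        pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
        for s_ip, s_m, d_ip, d_m in re.findall(pat, text, re.M):
            if (_net(s_ip, s_m), _net(d_ip, d_m)) not in exempt:
                out.append(f"CRYPTO_ACL_NOT_EXEMPTED {acl} {s_ip}/{s_m} -> {d_ip}/{d_m}")
    # 3. ESP carries no port numbers, so a PAT router cannot translate it reliably;
    #    NAT-T (UDP 4500 encapsulation) must stay on when either peer is behind NAT.
    if behind_nat and re.search(r"^(?:no crypto isakmp nat-traversal|crypto map .* set nat-t-disable)$", text, re.M):
        out.append("NAT_T_DISABLED while a NAT device is in the path")
    # 4. A static route for a subnet that is directly connected on another interface,
    #    or a next hop not on the egress segment, means routing was edited blind;
    #    the connected route wins on the ASA, but it should be removed, not reasoned around.
    for ifname, ip, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+) \d+$", text, re.M):
        dest = _net(ip, mask)
        for other, net in ifaces.items():
            if other != ifname and dest == net:
                out.append(f"ROUTE_FOR_CONNECTED_SUBNET {dest} via {ifname}, connected on {other}")
        if ifname in ifaces and ipaddress.ip_address(nh) not in ifaces[ifname]:
            out.append(f"ROUTE_NEXTHOP_OFFLINK {nh} is not in {ifname} subnet {ifaces[ifname]}")
    # 5. Exposure: management reachable from any source, and a permit-any inbound ACL.
    for proto, ifname in re.findall(r"^(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", text, re.M):
        out.append(f"MGMT_OPEN_{proto.upper()} on {ifname} from any source")
    for acl, ifname in re.findall(r"^access-group (\S+) in interface (\S+)$", text, re.M):
        if re.search(rf"^access-list {re.escape(acl)} extended permit ip any4? any4?$", text, re.M):
            out.append(f"INBOUND_PERMIT_ANY {acl} on {ifname}")
    return out


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG, behind_nat=True):
        print(finding)
```

Paste a `show running-config` into `ASA_CONFIG` (or read it from a file) and run the script; pass `behind_nat=True` whenever either peer sits behind a NAT device. On the box itself, the matching checks are `show crypto ipsec sa` (an SA with encaps counting up and decaps at zero means the remote side is dropping or mis-routing, the reverse means this side is) and `packet-tracer input inside tcp 172.10.1.10 1025 192.168.10.10 445`, which shows whether a packet from the inside subnet is NAT-exempted and handed to the VPN encrypt stage or swallowed by the interface PAT.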
