Hi,
We bought many ASA 5520 and 5510 to replace Nortel Contivitys. I tried yesterday and today to build an IPSEC tunnel "l2l" between one ASA5520 and 5510 without success. Any idea why I can't establish the tunnel with ASAs, when I have no problem with Nortel?
Note: OSPF is also not working; I can see the neighbour. ASA version 7.2.2
Here are my configs:
ASA5510
=======
ASA Version 7.2(2)
hostname holland
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.18.20.13 255.255.255.252
ospf network point-to-point non-broadcast
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 14.x.87.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.13 host 172.18.20.1
access-list inside_nat0_outbound extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
!IP ADDRESS 172.18.20.14 is the IP address of the TLS cloud
!
route outside 0.0.0.0 0.0.0.0 172.18.20.14 1
!
router ospf 1
network 14.x.85.0 255.255.255.0 area 0
network 172.x.20.0 255.255.255.0 area 0
log-adj-changes
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.18.20.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 172.18.20.1 type ipsec-l2l
tunnel-group 172.18.20.1 ipsec-attributes
pre-shared-key *
ASA5520
=======
!
hostname France
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.18.20.1 255.255.255.252
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 14.20.158.5 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.1 host 172.18.20.13
access-list inside_nat0_outbound extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
!IP address 172.18.20.2 is the IP address of TLS Cloud
!
route outside 0.0.0.0 0.0.0.0 172.18.20.2 1
!
router ospf 1
network 14.20.158.0 255.255.255.0 area 0
network 172.18.20.0 255.255.255.0 area 0
log-adj-changes
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.18.20.13
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 172.18.20.13 type ipsec-l2l
tunnel-group 172.18.20.13 ipsec-attributes
pre-shared-key *
Thanks
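Added example, not code from the post above: a small Python checker that parses the statements an ASA L2L tunnel depends on (outside address, crypto ACL, crypto map peer and transform set, tunnel-group, ISAKMP policy) from both sides and reports the asymmetries a reviewer otherwise compares by eye. It also flags an interface set to `ospf network point-to-point non-broadcast` when `router ospf` carries no `neighbor` statement, since non-broadcast OSPF on the ASA relies on statically configured neighbors. The two sample configs are constructed from a template modelled on the post (peer addresses 172.18.20.1 and 172.18.20.13, networks 14.20.158.0/24 and 14.20.87.0/24 as they appear on the 5520 side); the template, function names and finding text are this example's own.

```python
"""Cross-check two Cisco ASA configs for a mirrored IPsec L2L tunnel (added example)."""
import re
from ipaddress import ip_network

# Constructed template modelled on the post; not a real device's config.
ASA_TEMPLATE = """\
interface GigabitEthernet0/0
 nameif outside
 ip address {out_ip} 255.255.255.252
 ospf network point-to-point non-broadcast
interface GigabitEthernet0/1
 nameif inside
 ip address {in_ip} 255.255.255.0
access-list outside_20_cryptomap extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host {out_ip} host {peer}
router ospf 1
 network {local} 255.255.255.0 area 0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer {peer}
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group {peer} type ipsec-l2l
"""
ASA_A = ASA_TEMPLATE.format(out_ip="172.18.20.13", peer="172.18.20.1",
                            in_ip="14.20.87.1", local="14.20.87.0", remote="14.20.158.0")
ASA_B = ASA_TEMPLATE.format(out_ip="172.18.20.1", peer="172.18.20.13",
                            in_ip="14.20.158.5", local="14.20.158.0", remote="14.20.87.0")


def _endpoints(text):
    """Turn ACL source/destination tokens (host X | any | net mask) into two ip_network objects."""
    toks, nets = text.split(), []
    while toks:
        if toks[0] == "host":
            nets.append(ip_network(toks[1] + "/32")); toks = toks[2:]
        elif toks[0] == "any":
            nets.append(ip_network("0.0.0.0/0")); toks = toks[1:]
        else:
            nets.append(ip_network(f"{toks[0]}/{toks[1]}", strict=False)); toks = toks[2:]
    return tuple(nets[:2])


def parse_asa(cfg):
    """Extract the L2L- and OSPF-relevant statements from an ASA running-config."""
    d = {"outside_ip": None, "acls": {}, "maps": {}, "ts": {}, "tg": set(),
         "isakmp": {}, "nbma_ifaces": 0, "ospf_neighbors": 0}
    nameif, policy = None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "outside":
            d["outside_ip"] = line.split()[2]          # address the far side must peer with
        elif line.startswith("ospf network") and "non-broadcast" in line:
            d["nbma_ifaces"] += 1
        elif line.startswith("neighbor "):
            d["ospf_neighbors"] += 1                   # static OSPF neighbor under router ospf
        elif m := re.match(r"access-list (\S+) extended permit (\S+) (.+)", line):
            d["acls"].setdefault(m[1], []).append((m[2], _endpoints(m[3])))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            d["maps"].setdefault((m[1], m[2]), {})["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            d["maps"].setdefault((m[1], m[2]), {})["peer"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set transform-set (\S+)", line):
            d["maps"].setdefault((m[1], m[2]), {})["ts"] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["ts"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            d["tg"].add(m[1])
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = d["isakmp"].setdefault(m[1], {})
        elif policy is not None and line.split()[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            k, v = line.split(None, 1)
            policy[k] = v
    return d


def check_pair(cfg_a, cfg_b):
    """Return findings describing asymmetries; an empty list means the two sides mirror each other."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    findings = []
    for side, x, y in (("A", a, b), ("B", b, a)):
        if x["nbma_ifaces"] and not x["ospf_neighbors"]:
            findings.append(f"{side}: OSPF non-broadcast interface but no 'neighbor' under router ospf")
        for (name, seq), e in x["maps"].items():
            peer = e.get("peer")
            if peer != y["outside_ip"]:
                findings.append(f"{side}: crypto map {name} {seq} peer {peer} is not the far outside {y['outside_ip']}")
            if peer not in x["tg"]:
                findings.append(f"{side}: missing 'tunnel-group {peer} type ipsec-l2l'")
            far = [f for f in y["maps"].values() if f.get("peer") == x["outside_ip"]]
            if not far:
                findings.append(f"{side}: far side has no crypto map entry peering with {x['outside_ip']}")
                continue
            far = far[0]
            if x["ts"].get(e.get("ts")) != y["ts"].get(far.get("ts")):
                findings.append(f"{side}: transform-set {e.get('ts')} differs from far side's {far.get('ts')}")
            mine = {(p, s, dst) for p, (s, dst) in x["acls"].get(e.get("acl"), [])}
            theirs = {(p, dst, s) for p, (s, dst) in y["acls"].get(far.get("acl"), [])}  # mirrored
            if mine != theirs:
                findings.append(f"{side}: crypto ACL {e.get('acl')} is not the mirror of far side's {far.get('acl')}")
    keys = ("authentication", "encryption", "hash", "group")
    if not any(tuple(p.get(k) for k in keys) == tuple(q.get(k) for k in keys)
               for p in a["isakmp"].values() for q in b["isakmp"].values()):
        findings.append("no ISAKMP policy matches on authentication/encryption/hash/group")
    return findings


if __name__ == "__main__":
    for f in check_pair(ASA_A, ASA_B) or ["no asymmetries found"]:
        print(f)
```

Run as-is, the only findings are the two OSPF neighbor notes; editing one side (a wrong peer, a different ESP hash, a different ISAKMP hash) produces the corresponding asymmetry from whichever side sees it. Lifetime is deliberately left out of the ISAKMP comparison because the peers negotiate down to the shorter value.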