Cisco Support Community

VPN from ASA 5510 to ASA 5505

Good Morning All,

We have been having some trouble connecting our two ASAs for a site-to-site VPN connection. To me, the configs look okay, and after about 10 tries of failing to connect, I have to be missing something and was wondering if I can get any suggestions on what I may be missing. The versions are pretty different, but I didn't think that mattered with this. Here is the error we are getting, which seems to be completing Phase 1, and our config:

[attached image: Fail.png]

(SITE 1)

Result of the command: "sho run"

: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name ucpwpa.org
enable password A.kJbBcI4T7MiHrL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif OutsideIP
 security-level 0
 ip address 50.XXX.XXX.90 255.255.255.248
!
interface Ethernet0/1
 nameif InsideIP
 security-level 100
 ip address 192.168.42.4 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif Comcast
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 1718 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 1719 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq h323 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 1731 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 1300 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 1503 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 2979 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 11720 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 1718 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 1719 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 1720 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 1503 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 2979 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 11720 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3230 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3230 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3231 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3231 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3232 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3232 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3233 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3233 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3234 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3234 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3235 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3235 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3236 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3236 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3237 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3237 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3238 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3238 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3239 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3239 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3240 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3240 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3241 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3241 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3242 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3242 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3243 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3243 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3244 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3244 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3245 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3245 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3246 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3246 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3247 any
access-list outside_in extended permit udp host 66.XXX.XXX.130 eq 3247 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3248 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3249 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3250 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3251 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3252 any
access-list outside_in extended permit tcp host 66.XXX.XXX.130 eq 3253 any
access-list outside_in extended permit tcp interface OutsideIP eq https host 192.168.42.6
access-list outside_in extended permit tcp host 50.XXX.XXX.90 eq https any
access-list outside_in extended permit tcp host 50.XXX.XXX.90 eq smtp any
access-list outside_in extended permit tcp host 50.XXX.XXX.90 eq www any
access-list outside_in extended permit tcp any host 50.XXX.XXX.90 eq smtp
access-list outside_in extended permit tcp any host 50.XXX.XXX.90 eq www
access-list outside_in extended permit tcp any host 50.XXX.XXX.90 eq https
access-list outside_in extended permit tcp any host 50.XXX.XXX.90 eq ldap
access-list outside_in extended permit tcp any host 50.XXX.XXX.90 eq telnet
access-list outside_in extended permit ip host 50.XXX.XXX.90 host 75.XXX.XXX.97
access-list outside_in extended permit ip host 75.XXX.XXX.97 host 50.XXX.XXX.90
access-list InsideIP_nat0_outbound extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
access-list InsideIP_nat0_outbound extended permit ip host 50.XXX.XXX.90 host 75.XXX.XXX.97
access-list OutsideIP_cryptomap_20 extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu OutsideIP 1500
mtu InsideIP 1500
mtu Comcast 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (OutsideIP) 1 interface
global (Comcast) 1 interface
nat (InsideIP) 0 access-list InsideIP_nat0_outbound
nat (InsideIP) 1 0.0.0.0 0.0.0.0
nat (Comcast) 1 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (InsideIP,OutsideIP) tcp interface smtp 192.168.42.8 smtp netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3101 192.168.42.8 3101 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface www 192.168.42.6 www netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 1718 192.168.42.140 1718 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 1718 192.168.42.140 1718 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 1719 192.168.42.140 1719 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 1719 192.168.42.140 1719 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface h323 192.168.42.140 h323 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 1720 192.168.42.140 1720 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 1731 192.168.42.140 1731 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 1731 192.168.42.140 1731 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 1300 192.168.42.140 1300 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 1300 192.168.42.140 1300 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 2979 192.168.42.140 2979 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 2979 192.168.42.140 2979 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 1503 192.168.42.140 1503 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 1503 192.168.42.140 1503 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 11720 192.168.42.140 11720 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface telnet 192.168.42.140 telnet netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface ldap 192.168.42.140 ldap netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3230 192.168.42.140 3230 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3230 192.168.42.140 3230 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3231 192.168.42.140 3231 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3231 192.168.42.140 3231 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3232 192.168.42.140 3232 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3232 192.168.42.140 3232 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3233 192.168.42.140 3233 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3233 192.168.42.140 3233 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3234 192.168.42.140 3234 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3234 192.168.42.140 3234 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3235 192.168.42.140 3235 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3235 192.168.42.140 3235 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3236 192.168.42.140 3236 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3236 192.168.42.140 3236 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3237 192.168.42.140 3237 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3237 192.168.42.140 3237 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3238 192.168.42.140 3238 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3238 192.168.42.140 3238 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3239 192.168.42.140 3239 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3239 192.168.42.140 3239 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3240 192.168.42.140 3240 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3240 192.168.42.140 3240 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3241 192.168.42.140 3241 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3241 192.168.42.140 3241 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3242 192.168.42.140 3242 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3242 192.168.42.140 3242 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3243 192.168.42.140 3243 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3243 192.168.42.140 3243 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3244 192.168.42.140 3244 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3244 192.168.42.140 3244 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3245 192.168.42.140 3245 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3245 192.168.42.140 3245 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3246 192.168.42.140 3246 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3246 192.168.42.140 3246 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3247 192.168.42.140 3247 netmask 255.255.255.255
static (InsideIP,OutsideIP) udp interface 3247 192.168.42.140 3247 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3248 192.168.42.140 3248 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3249 192.168.42.140 3249 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3250 192.168.42.140 3250 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3251 192.168.42.140 3251 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3252 192.168.42.140 3252 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface 3253 192.168.42.140 3253 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface ftp 192.168.42.140 ftp netmask 255.255.255.255
static (InsideIP,Comcast) tcp interface 3389 192.168.42.2 3389 netmask 255.255.255.255
static (InsideIP,OutsideIP) tcp interface https 192.168.42.6 https netmask 255.255.255.255
static (InsideIP,OutsideIP) 192.168.42.6 0.0.0.80 netmask 255.255.255.255
access-group outside_in in interface OutsideIP
access-group outside_in in interface Comcast
route OutsideIP 0.0.0.0 0.0.0.0 50.XXX.XXX.94 1
route InsideIP 192.168.43.0 255.255.255.0 192.168.42.4 1
route InsideIP 192.168.0.0 255.255.255.0 192.168.42.4 1
route InsideIP 192.168.1.0 255.255.255.0 192.168.42.9 1
route InsideIP 192.168.45.0 255.255.255.0 192.168.42.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.42.10 255.255.255.255 management
http 192.168.42.0 255.255.255.0 management
http 192.168.1.2 255.255.255.255 management
http 192.168.2.2 255.255.255.255 management
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OutsideIP_map 20 match address OutsideIP_cryptomap_20
crypto map OutsideIP_map 20 set peer 75.XXX.XXX.97
crypto map OutsideIP_map 20 set transform-set ESP-3DES-SHA
crypto map OutsideIP_map 20 set security-association lifetime seconds 28800
crypto map OutsideIP_map 20 set security-association lifetime kilobytes 4608000
crypto map OutsideIP_map interface OutsideIP
isakmp enable OutsideIP
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 75.XXX.XXX.97 type ipsec-l2l
tunnel-group 75.XXX.XXX.97 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
telnet 192.168.42.4 255.255.255.255 InsideIP
telnet 192.168.1.2 255.255.255.255 management
telnet 192.168.2.2 255.255.255.255 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OutsideIP
ssh 0.0.0.0 0.0.0.0 InsideIP
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map class_h323_h2251
 match port tcp eq 11720
class-map class_h323_h2252
 match port tcp eq 1300
class-map class_http
 match port tcp eq https
class-map class_h323_h225
 match port tcp eq 1731
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect ils
  inspect dns maximum-length 1500
  inspect ipsec-pass-thru
 class class_http
  inspect http
 class class_h323_h225
  inspect h323 h225
 class class_h323_h2251
  inspect h323 h225
 class class_h323_h2252
  inspect h323 h225
!
service-policy global_policy global
smtp-server 192.168.42.6
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

(SITE 2)

Result of the command: "sho run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.43.20 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.XXX.XXX.97 255.255.255.252
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3389 any
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3389
access-list inbound extended permit tcp interface outside eq 3389 host 192.168.43.219
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq www any
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq www
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq https any
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq https
access-list inbound extended permit tcp interface outside eq 39000 host 192.168.43.254
access-list inbound extended permit tcp interface outside eq 39001 host 192.168.43.254
access-list inbound extended permit tcp interface outside eq 39002 host 192.168.43.254
access-list inbound extended permit udp interface outside eq 39000 host 192.168.43.254
access-list inbound extended permit udp interface outside eq 39001 host 192.168.43.254
access-list inbound extended permit udp interface outside eq 39002 host 192.168.43.254
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 39000 any
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 39000
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 16450 any
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 16450
access-list inbound extended permit tcp interface outside eq 16450 host 192.168.43.254
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 1718 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 1719 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 1731 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 1300 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 1503 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 2979 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 11720 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 1718 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 1719 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 1503 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 2979 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 11720 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3230 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3230 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3231 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3231 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3232 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3232 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3233 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3233 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3234 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3234 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3235 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3235 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3236 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3236 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3237 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3237 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3238 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3238 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3239 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3239 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3240 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3240 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3241 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3241 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3242 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3242 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3243 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3243 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3244 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3244 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3245 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3245 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3246 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3246 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3247 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 3247 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3248 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3249 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3250 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3251 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3252 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq 3253 any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq sip any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq sip any
access-list inbound extended permit tcp host 75.XXX.XXX.97 eq h323 any
access-list inbound extended permit udp host 75.XXX.XXX.97 eq 1720 any
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 1718
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 1719
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq h323
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 1731
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 1300
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 1503
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 2979
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 11720
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq ldap
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq telnet
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3230
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3231
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3232
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3233
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3234
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3235
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3236
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3237
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3238
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3239
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3240
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3241
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3242
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3243
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3244
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3245
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3246
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3247
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3248
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3249
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3250
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3251
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3252
access-list inbound extended permit tcp any host 75.XXX.XXX.97 eq 3253
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 1718
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 1719
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 1720
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 1731
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 1300
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 1503
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 2979
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 11720
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3230
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3231
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3232
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3233
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3234
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3235
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3236
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3237
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3238
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3239
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3240
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3241
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3242
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3243
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3244
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3245
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3246
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3247
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3248
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3249
access-list inbound extended permit udp any host 75.XXX.XXX.97 eq 3250
access-list inbound extended permit ip host 75.XXX.XXX.97 host 50.XXX.XXX.90
access-list inbound extended permit ip host 50.XXX.XXX.90 host 75.XXX.XXX.97
access-list outside_20_cryptomap extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 75.XXX.XXX.97 host 50.XXX.XXX.90
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.43.219 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 39000 192.168.43.254 39000 netmask 255.255.255.255
static (inside,outside) udp interface 39000 192.168.43.254 39000 netmask 255.255.255.255
static (inside,outside) tcp interface 39001 192.168.43.254 39001 netmask 255.255.255.255
static (inside,outside) udp interface 39001 192.168.43.254 39001 netmask 255.255.255.255
static (inside,outside) tcp interface 39002 192.168.43.254 39002 netmask 255.255.255.255
static (inside,outside) udp interface 39002 192.168.43.254 39002 netmask 255.255.255.255
static (inside,outside) tcp interface 16450 192.168.43.254 16450 netmask 255.255.255.255
static (inside,outside) tcp interface 1718 192.168.43.140 1718 netmask 255.255.255.255
static (inside,outside) udp interface 1718 192.168.43.140 1718 netmask 255.255.255.255
static (inside,outside) tcp interface 1719 192.168.43.140 1719 netmask 255.255.255.255
static (inside,outside) udp interface 1719 192.168.43.140 1719 netmask 255.255.255.255
static (inside,outside) udp interface 1720 192.168.43.140 1720 netmask 255.255.255.255
static (inside,outside) tcp interface 1731 192.168.43.140 1731 netmask 255.255.255.255
static (inside,outside) udp interface 1731 192.168.43.140 1731 netmask 255.255.255.255
static (inside,outside) tcp interface 1300 192.168.43.140 1300 netmask 255.255.255.255
static (inside,outside) udp interface 1300 192.168.43.140 1300 netmask 255.255.255.255
static (inside,outside) tcp interface 2979 192.168.43.140 2979 netmask 255.255.255.255
static (inside,outside) udp interface 2979 192.168.43.140 2979 netmask 255.255.255.255
static (inside,outside) tcp interface 1503 192.168.43.140 1503 netmask 255.255.255.255
static (inside,outside) udp interface 1503 192.168.43.140 1503 netmask 255.255.255.255
static (inside,outside) tcp interface 11720 192.168.43.140 11720 netmask 255.255.255.255
static (inside,outside) tcp interface telnet 192.168.43.140 telnet netmask 255.255.255.255
static (inside,outside) tcp interface ldap 192.168.43.140 ldap netmask 255.255.255.255
static (inside,outside) tcp interface 3230 192.168.43.140 3230 netmask 255.255.255.255
static (inside,outside) udp interface 3230 192.168.43.140 3230 netmask 255.255.255.255
static (inside,outside) tcp interface 3231 192.168.43.140 3231 netmask 255.255.255.255
static (inside,outside) udp interface 3231 192.168.43.140 3231 netmask 255.255.255.255
static (inside,outside) tcp interface 3232 192.168.43.140 3232 netmask 255.255.255.255
static (inside,outside) udp interface 3232 192.168.43.140 3232 netmask 255.255.255.255
static (inside,outside) tcp interface 3233 192.168.43.140 3233 netmask 255.255.255.255
static (inside,outside) udp interface 3233 192.168.43.140 3233 netmask 255.255.255.255
static (inside,outside) tcp interface 3234 192.168.43.140 3234 netmask 255.255.255.255
static (inside,outside) udp interface 3234 192.168.43.140 3234 netmask 255.255.255.255
static (inside,outside) tcp interface 3235 192.168.43.140 3235 netmask 255.255.255.255
static (inside,outside) udp interface 3235 192.168.43.140 3235 netmask 255.255.255.255
static (inside,outside) tcp interface 3236 192.168.43.140 3236 netmask 255.255.255.255
static (inside,outside) udp interface 3236 192.168.43.140 3236 netmask 255.255.255.255
static (inside,outside) tcp interface 3237 192.168.43.140 3237 netmask 255.255.255.255
static (inside,outside) udp interface 3237 192.168.43.140 3237 netmask 255.255.255.255
static (inside,outside) tcp interface 3238 192.168.43.140 3238 netmask 255.255.255.255
static (inside,outside) udp interface 3238 192.168.43.140 3238 netmask 255.255.255.255
static (inside,outside) tcp interface 3239 192.168.43.140 3239 netmask 255.255.255.255
static (inside,outside) udp interface 3239 192.168.43.140 3239 netmask 255.255.255.255
static (inside,outside) tcp interface 3240 192.168.43.140 3240 netmask 255.255.255.255
static (inside,outside) udp interface 3240 192.168.43.140 3240 netmask 255.255.255.255
static (inside,outside) tcp interface 3241 192.168.43.140 3241 netmask 255.255.255.255
static (inside,outside) udp interface 3241 192.168.43.140 3241 netmask 255.255.255.255
static (inside,outside) tcp interface 3242 192.168.43.140 3242 netmask 255.255.255.255
static (inside,outside) udp interface 3242 192.168.43.140 3242 netmask 255.255.255.255
static (inside,outside) tcp interface 3243 192.168.43.140 3243 netmask 255.255.255.255
static (inside,outside) udp interface 3243 192.168.43.140 3243 netmask 255.255.255.255
static (inside,outside) tcp interface 3244 192.168.43.140 3244 netmask 255.255.255.255
static (inside,outside) udp interface 3244 192.168.43.140 3244 netmask 255.255.255.255
static (inside,outside) tcp interface 3245 192.168.43.140 3245 netmask 255.255.255.255
static (inside,outside) udp interface 3245 192.168.43.140 3245 netmask 255.255.255.255
static (inside,outside) tcp interface 3246 192.168.43.140 3246 netmask 255.255.255.255
static (inside,outside) udp interface 3246 192.168.43.140 3246 netmask 255.255.255.255
static (inside,outside) tcp interface 3247 192.168.43.140 3247 netmask 255.255.255.255
static (inside,outside) udp interface 3247 192.168.43.140 3247 netmask 255.255.255.255
static (inside,outside) tcp interface 3248 192.168.43.140 3248 netmask 255.255.255.255

static (inside,outside) tcp interface 3249 192.168.43.140 3249 netmask 255.255.255.255

static (inside,outside) tcp interface 3250 192.168.43.140 3250 netmask 255.255.255.255

static (inside,outside) tcp interface 3251 192.168.43.140 3251 netmask 255.255.255.255

static (inside,outside) tcp interface 3252 192.168.43.140 3252 netmask 255.255.255.255

static (inside,outside) tcp interface 3253 192.168.43.140 3253 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 192.168.43.140 ftp netmask 255.255.255.255

static (inside,outside) tcp interface h323 192.168.43.140 h323 netmask 255.255.255.255

static (inside,outside) tcp interface www 192.168.43.140 www netmask 255.255.255.255

static (inside,outside) tcp interface https 192.168.43.140 https netmask 255.255.255.255

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 75.XXX.XXX.98 1

route inside 192.168.0.0 255.255.255.0 192.168.43.20 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:05:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 192.168.43.0 255.255.255.0 inside

http 192.168.42.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set peer 50.XXX.XXX.90

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.42.0 255.255.255.0 inside

telnet 192.168.43.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 192.168.42.20 68.87.75.194

dhcpd lease 300

dhcpd auto_config outside

!

dhcpd address 192.168.43.23-192.168.43.52 inside

!

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

tunnel-group 50.XXX.XXX.90 type ipsec-l2l

tunnel-group 50.XXX.XXX.90 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

!

class-map class_h323_h2251

match port tcp eq 11720

class-map class_h323_h2252

match port tcp eq 1300

class-map class_h323_h225

match port tcp eq 1731

class-map class_http

match port tcp eq https

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 1500

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect http

inspect ils

class class_h323_h225

inspect h323 h225

class class_h323_h2251

inspect h323 h225

class class_h323_h2252

inspect h323 h225

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXX

: end

Thank you all for your help as it is much appreciated!

Scott

7 REPLIES

Re: VPN from ASA 5510 to ASA 5505

Site 1 has an IP route of 192.168.43.0 via 192.168.42.4. If 192.168.43.0 is the remote end of the VPN, it needs to be routed out the outside interface.

Sent from Cisco Technical Support iPad App

New Member

VPN from ASA 5510 to ASA 5505

Thank you, Andrew, for your reply, but no luck. 192.168.43.0 is the remote end (site 2), and I tried to change that and also remove it, with the same results.

Re: VPN from ASA 5510 to ASA 5505

Provide the output of the commands below from both devices:

show crypto isakmp sa

show crypto ipsec sa

Sent from Cisco Technical Support iPad App

New Member

Re: VPN from ASA 5510 to ASA 5505

The only response I could get was out of site two with the ISAKMP. It also took a few tries, because at first it was like the rest ("There are no isakmp sas").


Site 1

Result of the command: "sho crypto isakmp sa"

There are no isakmp sas


Result of the command: "sho crypto ipsec sa"

There are no ipsec sas

Site 2

Result of the command: "sho crypto isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 50.XXX.XXX.90
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2


Result of the command: "sho crypto ipsec sa"

There are no ipsec sas

Just a side note: the screenshot in my original post was from site one. On site two, these are the errors I am getting:

Re: VPN from ASA 5510 to ASA 5505

Check your ISAKMP settings on both sides. MM_WAIT_MSG2 is an ISAKMP mismatch.

Also, the site 2 config has "crypto isakmp enable inside". Why?

Sent from Cisco Technical Support iPad App

New Member

Re: VPN from ASA 5510 to ASA 5505

MM_WAIT_MSG2, to my understanding, is for one of three reasons:

* either UDP 500 traffic from the initiator cannot reach the responder,

* the responder's response doesn't reach the initiator,

* or the ISAKMP policies do not match.

Please check routing and NATing in the intermediate devices for UDP 500 reachability with the remote peering device.

One more thing: I don't see any other crypto map entry. However, if there is any other crypto map entry besides what is in the config, please make sure that the traffic is not hitting any other incomplete or complete crypto map entry with a smaller instance number than the one we want.

Please try to initiate the tunnel from the remote site and see what happens.

Try to collect logs for debug crypto isakmp 127 from the ASA.
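
The three causes listed in that reply can be told apart on the wire. The Python script below is an added example written for this page; it is not code from the thread, from Cisco, or from either ASA. It builds an IKEv1 main-mode message 1 carrying exactly the thread's policy 10 (3DES, SHA, pre-shared key, group 2, lifetime 86400 s), sends it to the peer on UDP 500, and classifies the first datagram that comes back: a main-mode reply whose first payload is an SA means the path works in both directions and the proposal was accepted (the state would move past MM_WAIT_MSG2); an informational NO-PROPOSAL-CHOSEN notify means the ISAKMP policies differ; a timeout means UDP 500 is blocked or NATed in one direction, or the responder dropped the proposal without a notify. That last point is an assumption to keep in mind: this code assumes the responder answers a rejected proposal with a notify, and a peer that silently drops it looks exactly like a path problem, which is why the isakmp debug on the responder is still needed. It also assumes it runs as root (it binds source port 500) and from a host on the same public path as the initiator; the two sample_* functions are constructed test data, not captured traffic.

```python
# Added example: IKEv1 main-mode message 1 probe for the MM_WAIT_MSG2 diagnosis.
import os
import socket
import struct
import sys

IKE_PORT = 500
# ISAKMP constants (RFC 2408 / RFC 2409)
PLD_NONE, PLD_SA, PLD_NOTIFY = 0, 1, 11
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
NOTIFY_NO_PROPOSAL_CHOSEN = 14
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12

# The thread's "crypto isakmp policy 10" expressed as IKEv1 transform attribute values
ISAKMP_POLICY_10 = {
    "encryption": 5,       # 3DES-CBC
    "hash": 2,             # SHA-1
    "authentication": 1,   # pre-shared key
    "group": 2,            # DH group 2 (1024-bit MODP)
    "lifetime": 86400,     # seconds
}


def _attr_tv(atype, value):
    """Basic attribute: AF bit set, two-byte value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def _attr_tlv(atype, value):
    """Variable-length attribute: AF bit clear, two-byte length, then the value."""
    return struct.pack("!HH", atype, len(value)) + value


def build_mm1(policy, icookie):
    """ISAKMP header + SA payload with a single proposal/transform for `policy`."""
    attrs = (_attr_tv(ATTR_ENC, policy["encryption"])
             + _attr_tv(ATTR_HASH, policy["hash"])
             + _attr_tv(ATTR_AUTH, policy["authentication"])
             + _attr_tv(ATTR_GROUP, policy["group"])
             + _attr_tv(ATTR_LIFE_TYPE, 1)  # 1 = seconds
             + _attr_tlv(ATTR_LIFE_DUR, struct.pack("!I", policy["lifetime"])))
    # Transform: next, reserved, length, transform#, transform ID (1 = KEY_IKE), reserved2
    transform = struct.pack("!BBHBBH", PLD_NONE, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: next, reserved, length, proposal#, protocol (1 = ISAKMP), SPI size, #transforms
    proposal = struct.pack("!BBHBBBB", PLD_NONE, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA: next, reserved, length, DOI (1 = IPsec), situation (1 = SIT_IDENTITY_ONLY)
    sa = struct.pack("!BBHII", PLD_NONE, 0, 12 + len(proposal), 1, 1) + proposal
    # Header: cookies, next payload, version 1.0, exchange 2 (main mode), flags, msg ID, length
    hdr = struct.pack("!8s8sBBBBII", icookie, bytes(8), PLD_SA, 0x10,
                      EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return hdr + sa


def classify_reply(data, icookie):
    """Map the responder's first datagram onto the MM_WAIT_MSG2 causes."""
    if len(data) < 28:
        return "malformed"
    i_ck, r_ck, nxt, _ver, exch, _flags, _mid, _len = struct.unpack("!8s8sBBBBII", data[:28])
    if i_ck != icookie:
        return "cookie-mismatch"         # not a reply to our MM1
    if exch == EXCH_MAIN_MODE and nxt == PLD_SA and r_ck != bytes(8):
        return "mm2-received"            # reachable both ways and the proposal was accepted
    if exch == EXCH_INFORMATIONAL and nxt == PLD_NOTIFY and len(data) >= 40:
        # Notification payload: next, reserved, length, DOI, protocol, SPI size, notify type
        ntype = struct.unpack("!BBHIBBH", data[28:40])[6]
        if ntype == NOTIFY_NO_PROPOSAL_CHOSEN:
            return "no-proposal-chosen"  # ISAKMP policy mismatch
        return "notify-%d" % ntype
    return "unexpected-exchange-%d" % exch


def probe(peer_ip, policy=ISAKMP_POLICY_10, timeout=5.0):
    """Send MM1 to `peer_ip`; 'timeout' = UDP 500 blocked one way, or proposal silently dropped."""
    icookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", IKE_PORT))  # source port 500 (needs root); peers may ignore other ports
        s.sendto(build_mm1(policy, icookie), (peer_ip, IKE_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_reply(data, icookie)


def sample_mm2(icookie):
    """Constructed (not captured) MM2-shaped reply: responder cookie set, SA payload first."""
    sa = struct.pack("!BBHII", PLD_NONE, 0, 12, 1, 1)
    return struct.pack("!8s8sBBBBII", icookie, b"\xaa" * 8, PLD_SA, 0x10,
                       EXCH_MAIN_MODE, 0, 0, 28 + len(sa)) + sa


def sample_no_proposal(icookie):
    """Constructed (not captured) informational NO-PROPOSAL-CHOSEN reply."""
    notify = struct.pack("!BBHIBBH", PLD_NONE, 0, 12, 1, 1, 0, NOTIFY_NO_PROPOSAL_CHOSEN)
    return struct.pack("!8s8sBBBBII", icookie, b"\xaa" * 8, PLD_NOTIFY, 0x10,
                       EXCH_INFORMATIONAL, 0, 0, 28 + len(notify)) + notify


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ike_probe.py <peer-ip>")
    print(probe(sys.argv[1]))
```

Run it as root with the remote peer's public address as the only argument. Run it from a host that sits on the same public path as the initiating ASA (a laptop temporarily on the outside segment, for instance), because a probe from an inside host goes through NAT and tests a different path. Each probe half-opens one ISAKMP SA on the responder, which ages out on its own; "timeout" on its own does not separate a one-way UDP 500 block from a responder that drops a bad proposal silently, so pair it with debug crypto isakmp on the far side.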

New Member

Re: VPN from ASA 5510 to ASA 5505

Thank you again for your responses. I checked and rechecked the ISAKMP policies along with my IT supervisor, and both sites seem to be identical in ASDM and in the config as well, as long as the wording doesn't have to match due to what seem like different ASA versions, i.e.:

ver 7.0

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

vs.

ver 8.2

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

As far as devices, we only have a simple SMC modem/router that is set up to pass all traffic on both ends to the firewall, so nothing should be stopping it. What you see in our config above is exactly what's in the firewall, with no additional crypto maps on those ASAs.

Thank you again for all of your help. I am going to try and get the debug info here soon, and I will post it.
