Cisco Support Community
VPN get established but no traffic goes over the tunnel

I had an issue a few weeks ago that got resolved. Now I need to add two more tunnels to the same location that had the issue, and these don't work. Could you have a look at my configuration and see if there is something that is configured wrong?

My configuration is this:

Internal LAN: 10.21.30.0/23

External NAT: 66.xx.xx.135

I have one tunnel that goes to a partner using the external NAT address as the IP. But now I need to add two more partners on this IP. I'm hoping that I don't need more external IPs for this and that I can use the NAT, which gives everyone behind this ASA access to the tunnel.

If I clear the 65.xxx.xx.81 tunnel and ping a host on the other side, I see the tunnel get established. But there is no traffic in sh cry ips sa.

asatp# sh cry isa sa

   Active SA: 7

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 7

7   IKE Peer: 65.xxx.xx.81

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

===============================================================

asatp# sh cry ips sa peer 65.xxx.xx.81

peer address: 65.xxx.xx.81

    Crypto map tag: Outside_map, seq num: 40, local addr: 66.xxx.xx.134

      access-list outside_cryptomap_40 extended permit ip 66.xxx.xx.128 255.255.255.192 host 65.xxx.yy.204

      local ident (addr/mask/prot/port): (66.xxx.xx.128/255.255.255.192/0/0)

      remote ident (addr/mask/prot/port): (65.xxx.yy.204/255.255.255.255/0/0)

      current_peer: 65.xxx.xx.81

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 66.xxx.xx.134, remote crypto endpt.: 65.xxx.xx.81

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 2088C0AA

      current inbound spi : CD5D0741

    inbound esp sas:

      spi: 0xCD5D0741 (3445425985)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 7098368, crypto-map: Outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/3532)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x2088C0AA (545833130)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 7098368, crypto-map: Outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/3532)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

===============================================================

ASA Version 8.2(5)

!

domain-name mycorp.com

names

name 10.3.185.0 hq-office-network

name 64.xx.xx.227 partner1-smpp-gw

name 192.168.200.0 partner2-inside-network

name 172.16.1.0 partner2-dmz-network

name 10.21.30.0 partner3-inside-network

name 10.4.1.0 partner3-vpn-network

dns-guard

!

interface GigabitEthernet0/0

speed 1000

duplex full

nameif outside

security-level 0

ip address 66.xxx.xx.134 255.255.255.192 standby 66.xx.xx.133

!

interface GigabitEthernet0/1

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

speed 1000

duplex full

nameif inside

security-level 100

ip address 10.21.31.254 255.255.254.0 standby 10.21.31.253

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

speed 1000

duplex full

!

interface Management0/0

nameif mgmt

security-level 100

ip address 10.21.99.4 255.255.255.0 standby 10.21.99.5

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring 4 Sun Mar 2:00 2 Sun Nov 2:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.21.31.50

name-server 10.21.31.20

name-server 4.2.2.1

domain-name mycorp.com

same-security-traffic permit intra-interface

object-group network webservers

network-object host 66.xx.xx.149

network-object host 66.xx.xx.155

network-object host 66.xx.xx.156

network-object host 66.xx.xx.157

network-object host 66.xx.xx.158

network-object host 66.xx.xx.159

network-object host 66.xx.xx.146

network-object host 66.xx.xx.160

network-object host 66.xx.xx.143

network-object host 66.xx.xx.148

network-object host 66.xx.xx.152

object-group network partner4-chicago

network-object host 65.xxx.yy.204

network-object host 65.xxx.yy.205

object-group network partner4-boston

network-object host 65.xxx.yy.84

network-object host 65.xxx.yy.85

access-list main_acl extended permit esp any host 66.xxx.xx.134

access-list main_acl extended permit udp any host 66.xxx.xx.134 eq isakmp

access-list main_acl extended permit udp any host 66.xxx.xx.134 eq 4500

access-list main_acl extended permit tcp any host 66.xxx.xx.134 eq 4500

access-list main_acl extended permit tcp any host 66.xxx.xx.134 eq https

access-list main_acl extended permit tcp any host 66.xxx.xx.134 eq www

access-list main_acl extended permit tcp any object-group webservers eq www

access-list main_acl extended permit tcp any object-group webservers eq https

access-list main_acl extended permit icmp any any

access-list main_acl extended permit icmp any any echo

access-list main_acl extended permit icmp any any echo-reply

access-list main_acl extended permit icmp any any time-exceeded

access-list main_acl extended permit tcp any host 66.xx.xx.155 eq www

access-list main_acl extended permit tcp any host 66.xx.xx.153 eq smtp

access-list Outside_cryptomap_20 extended permit ip partner3-inside-network 255.255.254.0 hq-office-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip partner3-inside-network 255.255.254.0 partner2-inside-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip partner3-inside-network 255.255.254.0 10.1.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip partner3-inside-network 255.255.254.0 10.2.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip partner3-inside-network 255.255.254.0 partner2-dmz-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 partner2-inside-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 partner2-dmz-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip partner3-vpn-network 255.255.255.0 partner2-inside-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip partner3-vpn-network 255.255.255.0 partner2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 partner2-inside-network 255.255.255.0

access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 10.1.1.0 255.255.255.0

access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 10.2.1.0 255.255.255.0

access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 partner2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 partner3-vpn-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 partner2-inside-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 partner2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 partner3-vpn-network 255.255.255.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 partner2-inside-network 255.255.255.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 10.2.1.0 255.255.255.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 partner2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 partner3-inside-network 255.255.254.0

access-list nonat10 extended permit ip partner3-vpn-network 255.255.255.0 10.21.99.0 255.255.255.0

access-list youmailtp_splitacl standard permit partner2-inside-network 255.255.255.0

access-list youmailtp_splitacl standard permit hq-office-network 255.255.255.0

access-list youmailtp_splitacl standard permit 10.1.1.0 255.255.255.0

access-list youmailtp_splitacl standard permit partner3-inside-network 255.255.254.0

access-list youmailtp_splitacl standard permit 10.21.99.0 255.255.255.0

access-list youmailtp_splitacl standard permit partner3-vpn-network 255.255.255.0

access-list youmailtp_splitacl standard permit partner2-dmz-network 255.255.255.0

access-list youmailtp_splitacl standard permit host partner1-smpp-gw

access-list youmailtp_splitacl standard permit host 65.xxx.yy.204

access-list youmailtp_splitacl standard permit host 65.xxx.yy.205

access-list youmailtp_splitacl standard permit host 65.xxx.yy.84

access-list youmailtp_splitacl standard permit host 65.xxx.yy.85

access-list mgmt-in extended permit ip 10.0.0.0 255.0.0.0 any

access-list mgmt-in extended permit tcp 10.0.0.0 255.0.0.0 10.21.99.0 255.255.255.0

access-list policy-nat extended permit ip partner3-inside-network 255.255.254.0 host partner1-smpp-gw

access-list policy-nat extended permit ip 66.xxx.xx.128 255.255.255.192 host partner1-smpp-gw

access-list policy-nat extended permit ip partner3-inside-network 255.255.254.0 object-group partner4-chicago

access-list policy-nat extended permit ip 66.xxx.xx.128 255.255.255.192 object-group partner4-chicago

access-list policy-nat extended permit ip partner3-inside-network 255.255.254.0 object-group partner4-boston

access-list policy-nat extended permit ip 66.xxx.xx.128 255.255.255.192 object-group partner4-boston

access-list Outside_cryptomap_30 extended permit ip 66.xxx.xx.128 255.255.255.192 host partner1-smpp-gw inactive

access-list Outside_cryptomap_30 extended permit ip partner3-inside-network 255.255.254.0 host partner1-smpp-gw

access-list outside_cryptomap_40 extended permit ip partner3-inside-network 255.255.254.0 object-group partner4-chicago

access-list outside_cryptomap_40 extended permit ip 66.xxx.xx.128 255.255.255.192 object-group partner4-chicago

access-list outside_cryptomap_50 extended permit ip partner3-inside-network 255.255.254.0 object-group partner4-boston

access-list outside_cryptomap_50 extended permit ip 66.xxx.xx.128 255.255.255.192 object-group partner4-boston

pager lines 48

logging enable

logging timestamp

logging buffer-size 16000

logging buffered informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu mgmt 1500

ip local pool ippool 10.4.1.1-10.4.1.100 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface state GigabitEthernet0/3

failover polltime unit 5 holdtime 15

failover polltime interface 6 holdtime 30

failover interface-policy 50%

failover link state GigabitEthernet0/3

failover interface ip state 192.168.99.1 255.255.255.252 standby 192.168.99.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

global (outside) 1 66.xx.xx.135 netmask 255.255.255.192

nat (inside) 0 access-list nonat10

nat (inside) 1 0.0.0.0 0.0.0.0

nat (mgmt) 0 access-list nonat10

nat (mgmt) 1 0.0.0.0 0.0.0.0

static (inside,outside) 66.xx.xx.139 10.21.31.111 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.149 10.21.30.64 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.155 10.21.31.101 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.156 10.21.31.202 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.157 10.21.31.204 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.158 10.21.31.205 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.159 10.21.31.200 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.146 10.21.30.62 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.160 10.21.31.203 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.143 10.21.31.201 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.148 10.21.31.207 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.152 10.21.31.206 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.153 10.21.31.57 netmask 255.255.255.255

access-group main_acl in interface outside

access-group mgmt-in in interface mgmt

route outside 0.0.0.0 0.0.0.0 66.xx.xx.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 10.21.31.0 255.255.255.0 inside

http 10.0.0.0 255.0.0.0 inside

http 10.21.31.0 255.255.255.0 mgmt

http partner3-vpn-network 255.255.255.0 inside

http partner3-vpn-network 255.255.255.0 mgmt

http authentication-certificate mgmt

http redirect outside 80

snmp-server host inside 10.21.31.103 poll community *****

snmp-server location partner3

snmp-server contact it@mycorp.com

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set partner1_TRANSFORM_SET esp-aes-256 esp-sha-hmac

crypto ipsec transform-set partner4_TRANSFORM_SET esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 10 match address Outside_cryptomap_10

crypto map Outside_map 10 set pfs

crypto map Outside_map 10 set peer 74.xx.x.74

crypto map Outside_map 10 set transform-set ESP-3DES-MD5

crypto map Outside_map 20 match address Outside_cryptomap_20

crypto map Outside_map 20 set pfs

crypto map Outside_map 20 set peer 66.xxx.xx.18

crypto map Outside_map 20 set transform-set ESP-3DES-MD5

crypto map Outside_map 30 match address Outside_cryptomap_30

crypto map Outside_map 30 set peer 64.xx.xx.230

crypto map Outside_map 30 set transform-set partner1_TRANSFORM_SET

crypto map Outside_map 40 match address outside_cryptomap_40

crypto map Outside_map 40 set peer 65.xxx.xx.81

crypto map Outside_map 40 set transform-set partner4_TRANSFORM_SET

crypto map Outside_map 50 match address outside_cryptomap_50

crypto map Outside_map 50 set peer 65.xxx.yy.33

crypto map Outside_map 50 set transform-set partner4_TRANSFORM_SET

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface outside

crypto ca trustpoint ASATP

enrollment self

subject-name CN=tpasa.mycorp.com

crl configure

crypto ca certificate map tpcert 10

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2     

lifetime 86400

crypto isakmp policy 5

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

vpn-addr-assign local reuse-delay 10

telnet 10.21.31.0 255.255.255.0 inside

telnet 10.21.31.0 255.255.255.0 mgmt

telnet 10.21.99.0 255.255.255.0 mgmt

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 inside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd dns 10.21.31.50 10.21.31.20

dhcpd domain mycorp.com

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.21.31.254 source inside

ssl certificate-authentication interface mgmt port 443

webvpn

enable outside

svc enable

group-policy DfltGrpPolicy attributes

vpn-filter value youmailtp_splitacl

vpn-tunnel-protocol IPSec svc

group-policy ImmixGrpPolicy internal

group-policy ImmixGrpPolicy attributes

vpn-idle-timeout none

vpn-filter value Outside_cryptomap_30

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy site2site internal

group-policy site2site attributes

vpn-idle-timeout none

vpn-filter value youmailtp_splitacl

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy NetnumberGrpPolicy internal

group-policy NetnumberGrpPolicy attributes

vpn-idle-timeout none

vpn-filter value outside_cryptomap_40

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 74.xx.x.74 type ipsec-l2l

tunnel-group 74.xx.x.74 general-attributes

default-group-policy site2site

tunnel-group 74.xx.x.74 ipsec-attributes

pre-shared-key *****

tunnel-group 66.xxx.xx.18 type ipsec-l2l

tunnel-group 66.xxx.xx.18 general-attributes

default-group-policy site2site

tunnel-group 66.xxx.xx.18 ipsec-attributes

pre-shared-key *****

tunnel-group 64.xx.xx.230 type ipsec-l2l

tunnel-group 64.xx.xx.230 general-attributes

default-group-policy site2site

tunnel-group 64.xx.xx.230 ipsec-attributes

pre-shared-key *****

tunnel-group 65.xxx.xx.81 type ipsec-l2l

tunnel-group 65.xxx.xx.81 general-attributes

default-group-policy NetnumberGrpPolicy

tunnel-group 65.xxx.xx.81 ipsec-attributes

pre-shared-key *****

tunnel-group 65.xxx.yy.33 type ipsec-l2l

tunnel-group 65.xxx.yy.33 general-attributes

default-group-policy NetnumberGrpPolicy

tunnel-group 65.xxx.yy.33 ipsec-attributes

pre-shared-key *****

!
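The show output above is the useful clue: IKE is MM_ACTIVE and an IPsec SA pair is installed for 66.xxx.xx.128/26 <-> 65.xxx.yy.204, yet #pkts encaps and #pkts decaps both stay at 0, so negotiation succeeded and the packets are being dropped by the ASA's own policy before encryption or after decryption. Two things in the posted config are worth checking for that. First, NetnumberGrpPolicy applies `vpn-filter value outside_cryptomap_40`, the crypto ACL itself: a vpn-filter ACL is written with the remote network as source and the local network as destination and is applied to both directions, so an ACL whose sources are the local networks matches nothing. Second, on 8.2 the crypto map ACL is compared against post-NAT addresses, so the `partner3-inside-network -> partner4-chicago` entries can only carry traffic if nonat10 exempts them (it does not; inside hosts are PAT'd to 66.xx.xx.135, which falls inside the 66.xxx.xx.128/26 line instead). The script below is an added example, not code from the post or from Cisco; it parses the commands involved and runs both checks over a constructed excerpt of the posted config in which the masked `xxx`/`yy` octets are replaced with 0 and 1 so the addresses parse. The function names `addr`, `parse` and `check` are my own.

```python
"""Static checks over an ASA 8.2 site-to-site VPN config (added example, not Cisco's code)."""
import ipaddress
from collections import defaultdict
from itertools import product
# Constructed excerpt of the posted config; masked 'xxx'/'yy' octets replaced with 0/1 (assumption).
CONFIG = """\
name 10.3.185.0 hq-office-network
name 10.21.30.0 partner3-inside-network
object-group network partner4-chicago
network-object host 65.0.1.204
network-object host 65.0.1.205
access-list Outside_cryptomap_20 extended permit ip partner3-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list nonat10 extended permit ip partner3-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list youmailtp_splitacl standard permit hq-office-network 255.255.255.0
access-list outside_cryptomap_40 extended permit ip partner3-inside-network 255.255.254.0 object-group partner4-chicago
access-list outside_cryptomap_40 extended permit ip 66.0.0.128 255.255.255.192 object-group partner4-chicago
nat (inside) 0 access-list nonat10
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 66.0.0.18
crypto map Outside_map 40 match address outside_cryptomap_40
crypto map Outside_map 40 set peer 65.0.0.81
group-policy site2site attributes
vpn-filter value youmailtp_splitacl
group-policy NetnumberGrpPolicy attributes
vpn-filter value outside_cryptomap_40
tunnel-group 66.0.0.18 general-attributes
default-group-policy site2site
tunnel-group 65.0.0.81 general-attributes
default-group-policy NetnumberGrpPolicy
"""

def addr(w, i, names, groups):
    """Consume one ASA address spec at w[i]; return (list of networks, next index)."""
    if w[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if w[i] == "host":
        return [ipaddress.ip_network(names.get(w[i + 1], w[i + 1]))], i + 2
    if w[i] == "object-group":
        return [ipaddress.ip_network(n, strict=False) for n in groups[w[i + 1]]], i + 2
    net = names.get(w[i], w[i])
    return [ipaddress.ip_network(f"{net}/{w[i + 1]}", strict=False)], i + 2

def parse(text):
    names, groups, aces = {}, defaultdict(list), defaultdict(list)
    cmaps, nat0, vpn_filter, tg_policy = defaultdict(dict), [], {}, {}
    raw_acl, ctx = [], None  # ctx: current object-group / group-policy / tunnel-group block
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":
            names[w[2]] = w[1]
        elif w[:2] == ["object-group", "network"]:
            ctx = ("og", w[2])
        elif w[0] == "network-object":
            groups[ctx[1]].append(w[2] if w[1] == "host" else f"{w[1]}/{w[2]}")
        elif w[0] == "access-list":
            raw_acl.append(w)  # resolved once all names and object-groups are known
        elif w[:3] == ["nat", "(inside)", "0"]:  # NAT exemption ACL on the inside interface
            nat0.append(w[4])
        elif w[:2] == ["crypto", "map"] and w[4] in ("match", "set") and len(w) > 6:
            cmaps[int(w[3])][w[5]] = w[6]  # 'address' -> ACL name, 'peer' -> peer IP
        elif w[0] == "group-policy" and w[-1] == "attributes":
            ctx = ("gp", w[1])
        elif w[0] == "vpn-filter":
            vpn_filter[ctx[1]] = w[2]
        elif w[0] == "tunnel-group" and w[-1] == "general-attributes":
            ctx = ("tg", w[1])
        elif w[0] == "default-group-policy":
            tg_policy[ctx[1]] = w[1]
    for w in raw_acl:  # expand active extended permit ACEs into (src, dst) pairs; standard ACLs stay empty
        if w[2] == "extended" and w[3] == "permit" and w[-1] != "inactive":
            srcs, i = addr(w, 5, names, groups)
            dsts, _ = addr(w, i, names, groups)
            aces[w[1]].extend(product(srcs, dsts))
    return dict(aces=aces, cmaps=cmaps, nat0=nat0, vpn_filter=vpn_filter, tg_policy=tg_policy)

def check(cfg):
    """One finding string per problem on a static crypto map entry; empty list means clean."""
    findings = []
    exempt = [pair for name in cfg["nat0"] for pair in cfg["aces"][name]]
    for seq, m in sorted(cfg["cmaps"].items()):
        acl, peer = m.get("address"), m.get("peer")
        if not acl or not peer:  # dynamic map entries carry no static peer
            continue
        tag = f"crypto map seq {seq} (peer {peer})"
        vf = cfg["vpn_filter"].get(cfg["tg_policy"].get(peer))
        # vpn-filter ACEs are remote-source/local-destination and applied in both directions,
        # so the crypto ACL (local-source) reused as a vpn-filter matches nothing.
        if vf == acl:
            findings.append(f"{tag}: vpn-filter '{vf}' is the crypto ACL itself; tunnel traffic cannot match it")
        # 8.2 matches the crypto ACL against post-NAT addresses: a private source without a
        # nat 0 exemption is PAT'd to the global address first and never hits this ACE.
        for src, dst in cfg["aces"][acl]:
            if src.is_private and not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append(f"{tag}: ACE {src} -> {dst} has no nat 0 exemption")
    return findings

if __name__ == "__main__":
    print("\n".join(check(parse(CONFIG))) or "no findings")
```

Run against the excerpt it reports nothing for seq 20 (nonat10 exempts partner3-inside-network to hq-office-network, and site2site's filter is a different ACL) and three findings for seq 40: the vpn-filter reuse, plus the two `10.21.30.0/23 -> 65.x.x.204/.205` ACEs with no exemption. To run it on the full dump, feed `parse()` the whole config text; the parser ignores commands it does not know. The quickest test of the first finding on the box itself is to remove the vpn-filter from NetnumberGrpPolicy (or rewrite it from the remote side's perspective, remote host as source and the local /26 as destination), clear the tunnel, and watch whether `#pkts encaps` starts to climb.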
