05-31-2012 08:06 PM
Hi,
I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working, but if I do sh cry isa sa both tunnels have QM_IDLE as the state (both ends). I tried debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.
I'm looking for commands or something to try that could help ...
06-07-2012 11:42 AM
I think you might be correct... It's not fixed yet but this is what I have done so far...
- rebooted asa5020
- upgraded asa5020 to 8.2.5
- upgraded pix to asa5005
After all these changes everything came back up but I'm still getting encaps/decaps issues on the same tunnel which is now 5005 <--> 5020.
I think I'll have some time to do more tracing for routing issues today...
(btw I didn't get the 5005 for this issue; that was an upgrade that was needed...)
06-07-2012 01:13 PM
asa5005-inside: 10.3.85.0
asa5020-inside: 10.21.31.0
When I do a debug icmp trace on both asa I get this:
From asa5020-inside:
asa5020: ICMP echo request from inside:10.21.31.103 to outside:10.3.185.200 ID=21447 seq=0 len=56
asa5005: nothing
From asa5005-inside:
asa5005: ICMP echo request from inside:10.3.185.106 to outside:10.21.31.56 ID=12206 seq=0 len=56
asa5020: ICMP echo request from outside:10.3.185.106 to inside:10.21.31.56 ID=12209 seq=3 len=56
asa5020: ICMP echo reply from inside:10.21.31.56 to outside:10.3.185.106 ID=12209 seq=3 len=56
So I guess there is something in my asa5020 config that is not routing the asa5005-inside network through the VPN...
06-07-2012 06:13 PM
Do you mind sharing the config from both ends? We might be able to spot something.
NAT exemption perhaps?
06-07-2012 07:37 PM
ASA 5520 Side:
hostname asatp
domain-name mycorp.com
names
name 10.3.185.0 hq-office-network
name 64.xx.xx.227 company-smpp-gw
name 192.168.200.0 datacenter2-inside-network
name 172.16.1.0 datacenter2-dmz-network
name 10.21.30.0 datacenter-inside-network
name 10.4.1.0 datacenter-vpn-network
dns-guard
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 66.xx.xx.134 255.255.255.192 standby 66.xx.xx.133
!
interface GigabitEthernet0/1
speed 1000
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.21.31.254 255.255.254.0 standby 10.21.31.253
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed 1000
duplex full
!
interface Management0/0
nameif mgmt
security-level 100
ip address 10.21.99.4 255.255.255.0 standby 10.21.99.5
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 4 Sun Mar 2:00 2 Sun Nov 2:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.21.31.20
name-server 192.168.200.16
name-server 4.2.2.1
domain-name mycorp.com
same-security-traffic permit intra-interface
object-group network webservers
network-object host 66.xx.xx.149
network-object host 66.xx.xx.155
network-object host 66.xx.xx.156
network-object host 66.xx.xx.157
network-object host 66.xx.xx.158
network-object host 66.xx.xx.159
network-object host 66.xx.xx.146
network-object host 66.xx.xx.160
network-object host 66.xx.xx.143
network-object host 66.xx.xx.148
network-object host 66.xx.xx.152
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list main_acl extended permit tcp host 74.xx.y.148 host 66.xx.xx.139 eq ssh inactive
access-list main_acl extended permit udp host 74.xx.x.74 any
access-list main_acl extended permit tcp host 74.xx.x.77 host 66.xx.xx.139 eq ssh inactive
access-list main_acl extended permit tcp host 74.xx.x.77 host 66.xx.xx.140 eq ssh inactive
access-list main_acl extended permit tcp host 74.xx.y.148 host 66.xx.xx.140 eq ssh inactive
access-list main_acl extended permit tcp 63.yyy.yy.0 255.255.255.248 host 66.xx.xx.139 eq ssh inactive
access-list main_acl extended permit tcp 63.yyy.yy.0 255.255.255.248 host 66.xx.xx.140 eq ssh inactive
access-list main_acl extended permit tcp any host 66.xx.xx.139 eq ssh inactive
access-list main_acl extended permit esp any host 66.xx.xx.134
access-list main_acl extended permit udp any host 66.xx.xx.134 eq isakmp
access-list main_acl extended permit udp any host 66.xx.xx.134 eq 4500
access-list main_acl extended permit tcp any host 66.xx.xx.134 eq 4500
access-list main_acl extended permit tcp any host 66.xx.xx.134 eq https
access-list main_acl extended permit tcp any host 66.xx.xx.134 eq www
access-list main_acl extended permit tcp host 74.10.37.114 host 66.xx.xx.139 eq ssh inactive
access-list main_acl extended permit tcp any object-group webservers eq www
access-list main_acl extended permit tcp any object-group webservers eq https
access-list main_acl extended permit icmp any any
access-list main_acl extended permit icmp any any echo
access-list main_acl extended permit icmp any any echo-reply
access-list main_acl extended permit icmp any any time-exceeded
access-list main_acl extended permit tcp any host 66.xx.xx.155 eq www
access-list main_acl extended permit tcp any host 66.xx.xx.155 object-group DM_INLINE_TCP_1
access-list main_acl extended permit tcp any host 66.xx.xx.156 object-group DM_INLINE_TCP_2
access-list main_acl extended permit tcp any host 66.xx.xx.153 eq smtp
access-list Outside_cryptomap_20 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-inside-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 10.1.1.0 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 10.2.1.0 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-dmz-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-inside-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-dmz-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-inside-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-dmz-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-inside-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 10.1.1.0 255.255.255.0
access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 10.2.1.0 255.255.255.0
access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-dmz-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter-vpn-network 255.255.255.0
access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-inside-network 255.255.255.0
access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 hq-office-network 255.255.255.0
access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-dmz-network 255.255.255.0
access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 datacenter-vpn-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-inside-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 10.2.1.0 255.255.255.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 hq-office-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-dmz-network 255.255.255.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter-inside-network 255.255.254.0
access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 10.21.99.0 255.255.255.0
access-list mycorptp_splitacl standard permit datacenter2-inside-network 255.255.255.0
access-list mycorptp_splitacl standard permit hq-office-network 255.255.255.0
access-list mycorptp_splitacl standard permit 10.1.1.0 255.255.255.0
access-list mycorptp_splitacl standard permit datacenter-inside-network 255.255.254.0
access-list mycorptp_splitacl standard permit 10.21.99.0 255.255.255.0
access-list mycorptp_splitacl standard permit datacenter-vpn-network 255.255.255.0
access-list mycorptp_splitacl standard permit datacenter2-dmz-network 255.255.255.0
access-list mycorptp_splitacl standard permit host company-smpp-gw
access-list mgmt-in extended permit ip 10.0.0.0 255.0.0.0 any
access-list mgmt-in extended permit tcp 10.0.0.0 255.0.0.0 10.21.99.0 255.255.255.0
access-list policy-nat extended permit ip datacenter-inside-network 255.255.254.0 host company-smpp-gw
access-list policy-nat extended permit ip 66.xx.xx.128 255.255.255.192 host company-smpp-gw
access-list Outside_cryptomap_30 extended permit ip 66.xx.xx.128 255.255.255.192 host company-smpp-gw inactive
access-list Outside_cryptomap_30 extended permit ip datacenter-inside-network 255.255.254.0 host company-smpp-gw
pager lines 48
logging enable
logging timestamp
logging buffer-size 16000
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip local pool ippool 10.4.1.1-10.4.1.100 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface state GigabitEthernet0/3
failover polltime unit 5 holdtime 15
failover polltime interface 6 holdtime 30
failover interface-policy 50%
failover link state GigabitEthernet0/3
failover interface ip state 192.168.99.1 255.255.255.252 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 66.xx.xx.135 netmask 255.255.255.192
nat (inside) 0 access-list nonat10
nat (inside) 1 0.0.0.0 0.0.0.0
nat (mgmt) 0 access-list nonat10
nat (mgmt) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.xx.xx.139 10.21.31.111 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.149 10.21.30.64 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.155 10.21.31.101 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.156 10.21.31.202 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.157 10.21.31.204 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.158 10.21.31.205 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.159 10.21.31.200 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.146 10.21.30.62 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.160 10.21.31.203 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.143 10.21.31.201 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.148 10.21.31.207 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.152 10.21.31.206 netmask 255.255.255.255
static (inside,outside) 66.xx.xx.153 10.21.31.67 netmask 255.255.255.255
access-group main_acl in interface outside
access-group mgmt-in in interface mgmt
route outside 0.0.0.0 0.0.0.0 66.xx.xx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.21.31.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 10.21.31.0 255.255.255.0 mgmt
http datacenter-vpn-network 255.255.255.0 inside
http datacenter-vpn-network 255.255.255.0 mgmt
http authentication-certificate mgmt
http redirect outside 80
snmp-server host inside 10.21.31.103 poll community *****
snmp-server contact it@mycorp.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set company_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 10 match address Outside_cryptomap_10
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 74.xx.x.74
crypto map Outside_map 10 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set pfs
crypto map Outside_map 20 set peer 66.xxx.xx.18
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 30 match address Outside_cryptomap_30
crypto map Outside_map 30 set peer 64.xx.xx.230
crypto map Outside_map 30 set transform-set company_TRANSFORM_SET
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface outside
crypto ca trustpoint ASATP
enrollment self
subject-name CN=ymtpasa.mycorp.com
crl configure
crypto ca certificate map ymtpcert 10
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 10
telnet 10.21.31.0 255.255.255.0 inside
telnet 10.21.31.0 255.255.255.0 mgmt
telnet 10.21.99.0 255.255.255.0 mgmt
telnet timeout 5
ssh datacenter2-inside-network 255.255.255.0 outside
ssh 10.0.0.0 255.0.0.0 inside
ssh datacenter2-inside-network 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd dns 10.21.31.20 192.168.200.16
dhcpd domain mycorp.com
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.21.31.254 source inside
ssl certificate-authentication interface mgmt port 443
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-filter value mycorptp_splitacl
vpn-tunnel-protocol svc
group-policy companyGrpPolicy internal
group-policy companyGrpPolicy attributes
vpn-idle-timeout 30
vpn-filter value Outside_cryptomap_30
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy ymVpnGrpPolicy internal
group-policy ymVpnGrpPolicy attributes
dns-server value 10.21.31.20 192.168.200.16
vpn-idle-timeout 300
vpn-session-timeout none
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mycorptp_splitacl
default-domain value mycorp.com
address-pools value ippool
group-policy site2site internal
group-policy site2site attributes
vpn-filter value mycorptp_splitacl
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 74.xx.x.74 type ipsec-l2l
tunnel-group 74.xx.x.74 general-attributes
default-group-policy site2site
tunnel-group 74.xx.x.74 ipsec-attributes
pre-shared-key *****
tunnel-group 66.xxx.xx.18 type ipsec-l2l
tunnel-group 66.xxx.xx.18 general-attributes
default-group-policy site2site
tunnel-group 66.xxx.xx.18 ipsec-attributes
pre-shared-key *****
tunnel-group ymtpssl type remote-access
tunnel-group ymtpssl general-attributes
address-pool ippool
tunnel-group 64.xx.xx.230 type ipsec-l2l
tunnel-group 64.xx.xx.230 general-attributes
default-group-policy companyGrpPolicy
tunnel-group 64.xx.xx.230 ipsec-attributes
pre-shared-key *****
tunnel-group mycorp type remote-access
tunnel-group mycorp general-attributes
address-pool ippool
default-group-policy ymVpnGrpPolicy
tunnel-group mycorp ipsec-attributes
pre-shared-key *****
ASA 5005 side:
domain-name mycorp.com
names
name 192.168.200.0 datacenter2-inside-network
name 10.21.30.0 datacenter-inside-network
name 10.3.185.0 hq_office_inside
name 172.16.1.0 datacenter2-dmz-network
name 10.2.1.0 datacenter2-vpn-network
name 10.1.1.0 datacenter2-mgmt-network
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.3.185.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.xxx.xx.18 255.255.255.128
!
ftp mode passive
dns server-group DefaultDNS
domain-name mycorp.com
access-list outside_cryptomap_1 extended permit ip hq_office_inside 255.255.255.
access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0
access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0
access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0
access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0
access-list nonat extended permit ip hq_office_inside 255.255.255.0 datacenter2-insid
access-list nonat extended permit ip hq_office_inside 255.255.255.0 datacenter-
access-list mycorp_splitacl standard permit datacenter2-inside-network 255.255.255.0
access-list mycorp_splitacl standard permit hq_office_inside 255.255.255.0
access-list mycorp_splitacl standard permit datacenter-inside-network 255.255.
access-list mycorp_splitacl standard permit datacenter2-mgmt-network 255.255.255.0
access-list mycorp_splitacl standard permit datacenter2-vpn-network 255.255.255.0
access-list mycorp_splitacl standard permit 10.3.1.0 255.255.255.0
access-list mycorp_splitacl standard permit 10.4.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.xxx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 30
http hq_office_inside 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 74.xx.x.74
crypto map outside_map0 1 set transform-set ESP-DES-MD5 ESP-3DES-MD5
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 66.xx.xx.134
crypto map outside_map0 2 set transform-set ESP-DES-MD5 ESP-3DES-MD5
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh hq_office_inside 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.3.185.100-10.3.185.200 inside
dhcpd dns 4.2.2.2 10.21.31.20 interface inside
dhcpd domain mycorp.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ymsite2site internal
group-policy ymsite2site attributes
vpn-filter value mycorp_splitacl
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 66.xx.xx.134 type ipsec-l2l
tunnel-group 66.xx.xx.134 general-attributes
default-group-policy ymsite2site
tunnel-group 66.xx.xx.134 ipsec-attributes
pre-shared-key *****
tunnel-group 74.xx.x.74 type ipsec-l2l
tunnel-group 74.xx.x.74 general-attributes
default-group-policy ymsite2site
tunnel-group 74.xx.x.74 ipsec-attributes
pre-shared-key *****
06-07-2012 07:46 PM
This ACL line overlaps with the actual crypto ACL "Outside_cryptomap_20"
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
Please kindly remove the above line, then clear all tunnels so it renegotiates the correct SA.
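The check behind this answer, as an added example that is not part of the thread and not Cisco's own tooling: the ASA evaluates crypto map entries in ascending sequence order and binds a flow to the first crypto ACL entry that matches its source/destination pair, so an ACE in Outside_cryptomap_10 (seq 10, peer 74.xx.x.74) that also covers datacenter-inside to hq-office silently claims traffic that belongs to Outside_cryptomap_20 (seq 20, peer 66.xxx.xx.18). The script below parses the ASA 8.2-style `name`, `access-list ... extended permit ip` and `crypto map ... match address` / `set peer` lines from a constructed sample trimmed from the posted 5520 config and reports every flow selector that a lower-numbered entry with a different peer catches first. It assumes the 8.2 syntax shown in the thread and only handles `ip` ACEs, which is what crypto ACLs use; peer addresses keep the masked form from the post and are used only as labels.

```python
"""Flag crypto-map ACL overlaps in ASA 8.2-style config text (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample, trimmed from the ASA 5520 config posted in the thread.
# Peer addresses keep the masked form from the post; they are labels, not parsed.
SAMPLE_CONFIG = """
name 10.3.185.0 hq-office-network
name 192.168.200.0 datacenter2-inside-network
name 10.21.30.0 datacenter-inside-network
access-list Outside_cryptomap_20 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-inside-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
crypto map Outside_map 10 match address Outside_cryptomap_10
crypto map Outside_map 10 set peer 74.xx.x.74
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 66.xxx.xx.18
"""

# The ACE the accepted answer says to remove.
OVERLAPPING_LINE = ("access-list Outside_cryptomap_10 extended permit ip "
                    "datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0")


def parse_endpoint(tokens, i, names):
    """Read one ACL endpoint (any | host X | NET MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(host + "/32"), i + 2
    addr = names.get(tok, tok)                      # resolve 'name' objects
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acl -> [(src_net, dst_net)], (map, seq) -> {'acl', 'peer'})."""
    names, acls, entries = {}, defaultdict(list), {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "name" and len(tokens) == 3:
            names[tokens[2]] = tokens[1]
        elif tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            if tokens[-1] == "inactive":            # disabled ACEs never match
                continue
            src, i = parse_endpoint(tokens, 5, names)
            dst, _ = parse_endpoint(tokens, i, names)
            acls[tokens[1]].append((src, dst))
        elif tokens[:2] == ["crypto", "map"] and len(tokens) >= 7 and tokens[3].isdigit():
            key = (tokens[2], int(tokens[3]))
            if tokens[4:6] == ["match", "address"]:
                entries.setdefault(key, {})["acl"] = tokens[6]
            elif tokens[4:6] == ["set", "peer"]:
                entries.setdefault(key, {})["peer"] = tokens[6]
    return acls, entries


def find_overlaps(acls, entries):
    """List flows in a crypto map entry that an earlier entry of the same map
    (lower sequence number) pointing at a different peer would match first."""
    findings = []
    ordered = sorted(entries.items())               # ascending seq = ASA evaluation order
    for idx, ((mname, seq), cur) in enumerate(ordered):
        for (ename, eseq), earlier in ordered[:idx]:
            if ename != mname or earlier.get("peer") == cur.get("peer"):
                continue
            for src, dst in acls.get(cur.get("acl"), []):
                for esrc, edst in acls.get(earlier.get("acl"), []):
                    if src.overlaps(esrc) and dst.overlaps(edst):
                        findings.append({
                            "map": mname, "shadowed_seq": seq, "shadowed_peer": cur.get("peer"),
                            "by_seq": eseq, "by_peer": earlier.get("peer"),
                            "by_acl": earlier.get("acl"),
                            "src": str(src), "dst": str(dst),
                        })
    return findings


def audit(text):
    """Parse a config dump and return the list of shadowed crypto ACL flows."""
    acls, entries = parse_config(text)
    return find_overlaps(acls, entries)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['map']} seq {f['shadowed_seq']} (peer {f['shadowed_peer']}): flow "
              f"{f['src']} -> {f['dst']} is caught first by seq {f['by_seq']} "
              f"(peer {f['by_peer']}, ACL {f['by_acl']})")
```

Run against the sample it reports the single shadowed flow 10.21.30.0/23 -> 10.3.185.0/24 in seq 20 being claimed by seq 10; with the offending ACE removed it reports nothing. Overlap is tested with `ip_network.overlaps` on both the source and destination sides, so it also catches partial overlaps (a /24 inside a /23), which are just as effective at steering traffic to the wrong peer as the exact duplicate in this thread.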
06-07-2012 08:23 PM
Thank you SOO much Jennifer, that was awesome! ...
Deleted that one line and cleared, and I was up and ready to go...
Now I have another question but it's somewhat unrelated, so I'll start a new thread...