
have a Site to site VPN that will not pass data to each end point

ronald.odom
Level 1

Have a site-to-site VPN that will not pass data to each end point. We can reach the internet and the VPN shows that it is up on the ASA and the router. Cisco 881W

version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UniIndia800
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
ip source-route
!
!
!
!
ip cef
ip domain name xxx.com
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX144000CM
!
!
archive
log config
  hidekeys
username xxx privilege 15 password 0 xxx
!
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address aaa.bbb.ccc.ddd no-xauth
crypto isakmp key xxx address 10.0.0.0 255.0.0.0
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3des-sha-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set aes-sha-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set 3des-sha
match address Crypto-list
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address xxx.yyy.107.226 255.255.255.252
ip helper-address 10.10.2.1
ip helper-address 10.10.2.2
duplex auto
speed auto
crypto map VPN-Map-1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
ip address 10.15.4.1 255.255.254.0
ip helper-address 10.10.2.1
ip helper-address 10.10.2.2
!
ip default-gateway xxx.yyy.107.225
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 12.69.103.225
ip route 0.0.0.0 0.0.0.0 xxx.yyy.107.225
ip route 10.15.4.0 255.255.254.0 10.15.5.254
ip route xxx.yyy.107.0 255.255.255.0 xxx.yyy.107.225
!
ip access-list standard re
!
ip access-list extended Crypto-list
permit ip 10.15.0.0 0.0.255.255 any
ip access-list extended Internet-inbound-ACL
permit udp host aaa.bbb.ccc.ddd any eq isakmp
permit esp host aaa.bbb.ccc.ddd any
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.14.0.0 0.0.7.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 101 permit ip 10.15.0.0 0.0.7.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host aaa.bbb.ccc.ddd any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.10.200.0 0.0.1.255 10.10.10.0 0.0.0.7
!
!
!
!
snmp-server community UNISNMP RW
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password -----
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 10.10.2.1
ntp server 195.43.74.3
end

firewall

Here is the firewall config.

ASA Version 8.0(3)

enable password ..Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description BGP-Transit
name 10.10.99.0 IP-Pool-VPNClients description Addresses Assigned to VPN Clients
dns-guard
!
interface Ethernet0/0
description Inside Interface
nameif inside
security-level 100
ip address 10.10.200.29 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
description Outside Interface facing the Internet Rotuer.
nameif outside
security-level 0
ip address 12.69.103.226 255.255.255.240
ospf cost 10
!
interface Ethernet0/2
description Physical Trunk interface - Dont use
no nameif
no security-level
no ip address
!
interface Ethernet0/2.900
description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)
vlan 900
nameif DMZ1-VLAN900
security-level 50
ip address 12.69.103.1 255.255.255.192
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.5.250 255.255.254.0
ospf cost 10
management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec                         STO-ASA-5510-FW
banner exec                         ASA5510 - 10.10.200.29
banner exec                         Configured for Data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized clients only.
banner login Individuals using the computer network system without authorization,
banner login or in excess of their authorization, are subject to having all their
banner login activity on this computer network system monitored and recorded by
banner login system personnel.  To protect the computer network system from
banner login unauthorized use and to ensure the computer network systems is
banner login functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible
banner login conduct of criminal activity, system personnel may provide the
banner login evidence of such activity to law enforcement officers.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name universalsilencer.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
description SAP Updates
port-object eq 3299
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service HUMANLand tcp
port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp-udp eq www
service-object udp eq snmp
service-object udp eq snmptrap
object-group service Human tcp-udp
port-object eq 8100
access-list outside remark ************In Bound SAP Update Traffic  per Ron Odom***************
access-list outside extended permit tcp any host 12.69.103.155 range 3200 3300 log
access-list outside remark *** SAP router****
access-list outside extended permit tcp host 12.69.103.155 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark Blocked for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark Allow all return ICMP traffic
access-list outside extended permit icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1
access-list outside remark add to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human
access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****
access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2
access-list DMZ1_in remark Allow all ICMP traffic
access-list DMZ1_in extended permit icmp any any log
access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****
access-list DMZ1_in remark ***** Any needed permits to inside networks          *****
access-list DMZ1_in remark ***** Need to be done above this section             *****
access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****
access-list DMZ1_in extended permit ip any any log debugging
access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended permit ip any any
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class auth
logging list VPN level critical class config
logging list VPN level notifications class vpn
logging list VPN level notifications class vpnc
logging list VPN level notifications class webvpn
logging list all level alerts
logging buffer-size 256000
logging buffered all
logging trap VPN
logging asdm informational
logging host inside 10.10.2.41 format emblem
logging ftp-bufferwrap
logging ftp-server 10.10.2.41 \logs usi\administrator ****
mtu inside 1500
mtu outside 1500
mtu DMZ1-VLAN900 1500
mtu management 1500
ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ1-VLAN900
asdm image disk0:/asdm-611.bin
asdm history enable
arp timeout 14400
global (outside) 10 12.69.103.129 netmask 255.255.255.255
global (outside) 11 12.69.103.130 netmask 255.255.255.255
global (outside) 12 12.69.103.131 netmask 255.255.255.255
global (outside) 13 12.69.103.132 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 11 192.168.255.4 255.255.255.252
nat (inside) 12 192.168.255.8 255.255.255.252
nat (inside) 13 192.168.255.12 255.255.255.252
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 11 10.11.0.0 255.255.0.0
nat (inside) 12 10.12.0.0 255.255.0.0
nat (inside) 13 10.13.0.0 255.255.0.0
nat (outside) 10 10.14.0.0 255.255.0.0
nat (outside) 10 10.15.0.0 255.255.0.0
static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192
static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255
static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 12.69.103.148 10.255.2.2 netmask 255.255.255.255
static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255
static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255
static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ1_in in interface DMZ1-VLAN900
!
router eigrp 100
network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
route inside 10.10.98.0 255.255.255.0 10.10.200.30 1
route outside 10.14.0.0 255.255.0.0 12.69.103.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Microsoft protocol radius
accounting-mode simultaneous
reactivation-mode depletion deadtime 30
aaa-server Microsoft host 10.10.2.1
key cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
http 10.10.0.0 255.255.0.0 management
snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161
snmp-server location STODATDROOM
snmp-server contact SYS Admin
snmp-server community UNISNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address traffic
crypto map outside_map 10 set peer 212.185.51.242
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address outside_cryptomap
crypto map outside_map 11 set peer 115.111.107.226
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 33
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 10
telnet 10.10.0.0 255.255.0.0 inside
telnet 10.10.0.0 255.255.0.0 management
telnet timeout 29
ssh timeout 29
ssh version 2
console timeout 1
management-access inside
dhcprelay server 10.10.2.1 outside
threat-detection basic-threat
threat-detection statistics
wccp web-cache
wccp interface inside web-cache redirect in
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.43.244.18
tftp-server inside 10.10.2.2 \asa
webvpn
group-policy DfltGrpPolicy attributes
banner value WARNING: This system is for the use of authorized clients only.
wins-server value 10.10.2.1
dns-server value 10.10.2.1 10.10.2.2
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SplitTunnel
default-domain value universalsilencer.com
msie-proxy server value 00.00.00.00
address-pools value VPNClients
group-policy ezGROUP1 internal
group-policy ezGROUP1 attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
USERS REMOVED
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group USISplitTunnelRemoteAccess type remote-access
tunnel-group USISplitTunnelRemoteAccess general-attributes
address-pool VPNClients
tunnel-group USISplitTunnelRemoteAccess ipsec-attributes
pre-shared-key *
tunnel-group USISplitTunnelRADIUS type remote-access
tunnel-group USISplitTunnelRADIUS general-attributes
address-pool VPNClients
authentication-server-group Microsoft LOCAL
tunnel-group USISplitTunnelRADIUS ipsec-attributes
pre-shared-key *
tunnel-group ezVPN1 type remote-access
tunnel-group ezVPN1 general-attributes
default-group-policy ezGROUP1
tunnel-group ezVPN1 ipsec-attributes
pre-shared-key *
tunnel-group 212.185.51.242 type ipsec-l2l
tunnel-group 212.185.51.242 ipsec-attributes
pre-shared-key *
tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:33bcbec6ab3835eadbe9418c697c72ac
: end
asdm image disk0:/asdm-611.bin
asdm location IP-Pool-VPNClients 255.255.255.192 inside
asdm location BGP-Transit_Network 255.255.255.0 inside
asdm location 10.10.4.60 255.255.254.255 inside
asdm history enable

Accepted Solutions

Hi,

Please bring the tunnel down.

On ASA please enter the following commands:

clear cry isa sa

clear cry ips sa peer

Enable the following debugs on the ASA:

deb cry isa 127

deb cry ips 127

Enable the debugs on the router:

debug cry isa

debug cry ips

Please try passing the traffic and bring the tunnel up.

Please attach the outputs of the same on passing the traffic.

Regards,

Anisha


andamani
Cisco Employee

Hi,

Please send the output of "sh cry isa sa" and "show cry ipsec sa" from both the ASA and router.

Please confirm whether the tunnel configurations below are the correct ones I am looking at:

Router:

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxx address aaa.bbb.ccc.ddd no-xauth
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set 3des-sha
match address Crypto-list

!

ip access-list extended Crypto-list
permit ip 10.15.0.0 0.0.255.255 any

!

interface FastEthernet4
ip address xxx.yyy.107.226 255.255.255.252
ip helper-address 10.10.2.1
ip helper-address 10.10.2.2
duplex auto
speed auto
crypto map VPN-Map-1

ASA:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 11 match address outside_cryptomap
crypto map outside_map 11 set peer 115.111.107.226
crypto map outside_map 11 set transform-set ESP-3DES-SHA

!

access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

!

tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
pre-shared-key *

!

crypto map outside_map interface outside

!

crypto isakmp enable outside

!

nat (inside) 0 access-list nonat

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0

!
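IPsec phase 2 negotiates proxy identities from each peer's crypto ACL, so the two ACLs are normally written as mirror images, and on this ASA release the protected traffic must normally also match the `nat (inside) 0` exemption ACL. The following is an added example, not part of the thread: it runs both checks over the ACL lines quoted above. The function names (`parse_permit`, `is_mirror`, `covered_by`, `audit`) are hypothetical.

```python
import ipaddress
import re

# "name" statements from the ASA configuration posted in the thread.
ASA_NAMES = {
    "BGP-Transit_Network": "192.168.255.0",
    "IP-Pool-VPNClients": "10.10.99.0",
}

# ACL lines copied from the thread (router uses wildcard masks, ASA netmasks).
ROUTER_CRYPTO_ACL = "permit ip 10.15.0.0 0.0.255.255 any"
ASA_CRYPTO_ACL = ("access-list outside_cryptomap extended permit ip "
                  "10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0")
ASA_TRAFFIC_ACL = ("access-list traffic extended permit ip "
                   "10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0")
ASA_NONAT_ACL = """\
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
"""


def take_network(tokens, wildcard, names):
    """Consume one address spec ('any', 'host A', or 'A MASK') from tokens."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        # IOS wildcard mask -> netmask by inverting every octet.
        mask = ".".join(str(255 - int(octet)) for octet in mask.split("."))
    return ipaddress.ip_network(f"{names.get(head, head)}/{mask}", strict=False)


def parse_permit(line, wildcard=False, names=None):
    """Return (source, destination) networks of a 'permit ip' ACL entry."""
    match = re.search(r"\bpermit\s+ip\s+(.+)$", line.strip())
    if not match:
        raise ValueError(f"not a 'permit ip' entry: {line!r}")
    tokens = match.group(1).split()
    names = names or {}
    src = take_network(tokens, wildcard, names)
    dst = take_network(tokens, wildcard, names)
    return src, dst


def is_mirror(local, remote):
    """True when one peer's (src, dst) is exactly the other's (dst, src)."""
    return local[0] == remote[1] and local[1] == remote[0]


def mirror_as_ios(entry):
    """Render the mirror image of an entry in IOS wildcard-mask syntax."""
    src, dst = entry[1], entry[0]
    return (f"permit ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def covered_by(flow, entries):
    """True when some entry contains both the flow's source and destination."""
    return any(flow[0].subnet_of(e[0]) and flow[1].subnet_of(e[1])
               for e in entries)


def audit():
    router = parse_permit(ROUTER_CRYPTO_ACL, wildcard=True)
    asa_115 = parse_permit(ASA_CRYPTO_ACL)    # crypto map outside_map 11
    asa_212 = parse_permit(ASA_TRAFFIC_ACL)   # crypto map outside_map 10
    nonat = [parse_permit(line, names=ASA_NAMES)
             for line in ASA_NONAT_ACL.splitlines() if line.strip()]
    return {
        "mirrored": is_mirror(router, asa_115),
        "mirror_of_asa_acl": mirror_as_ios(asa_115),
        "peer_115_nat_exempt": covered_by(asa_115, nonat),
        "peer_212_nat_exempt": covered_by(asa_212, nonat),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```
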

Yes, that is correct.

shows

router

UniIndia800#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

12.69.103.226   115.111.107.226 QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

show cry ipsec sa

interface: FastEthernet4

    Crypto map tag: VPN-Map-1, local addr 115.111.107.226

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer 12.69.103.226 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 26683, #pkts encrypt: 26683, #pkts digest: 26683

    #pkts decaps: 18878, #pkts decrypt: 18878, #pkts verify: 18878

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 6, #recv errors 0

     local crypto endpt.: 115.111.107.226, remote crypto endpt.: 12.69.103.226

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x420061E6(1107321318)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x26766AC0(645294784)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: VPN-Map-1

        sa timing: remaining key lifetime (k/sec): (4456896/2010)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x420061E6(1107321318)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: VPN-Map-1

        sa timing: remaining key lifetime (k/sec): (4460364/2010)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (115.111.0.0/255.255.0.0/0/0)

   current_peer 12.69.103.226 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 115.111.107.226, remote crypto endpt.: 12.69.103.226

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

UniIndia800#

ASA

Result of the command: "sh cry isa sa"

   Active SA: 4

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 4

1   IKE Peer: 115.111.107.226

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 116.12.211.66

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

3   IKE Peer: 116.12.211.66

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

4   IKE Peer: 212.185.51.242

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

Result of the command: "show cry ipsec sa"

interface: outside

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.15.0.0/255.255.0.0/0/0)

      current_peer: 115.111.107.226

      #pkts encaps: 27644, #pkts encrypt: 27644, #pkts digest: 27644

      #pkts decaps: 35493, #pkts decrypt: 35493, #pkts verify: 35493

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 27644, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226, remote crypto endpt.: 115.111.107.226

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 26766AC0

    inbound esp sas:

      spi: 0x420061E6 (1107321318)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 55889920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (3822769/1291)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x26766AC0 (645294784)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 55889920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (3813436/1291)

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.10.99.33/255.255.255.255/0/0)

      current_peer: 116.12.211.66, username: pheng

      dynamic allocated peer ip: 10.10.99.33

      #pkts encaps: 10163, #pkts encrypt: 10187, #pkts digest: 10187

      #pkts decaps: 10354, #pkts decrypt: 10354, #pkts verify: 10354

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 10163, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 24, #pre-frag failures: 0, #fragments created: 48

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 48

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226/4500, remote crypto endpt.: 116.12.211.66/1172

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 822B0511

    inbound esp sas:

      spi: 0x29D1C8C1 (701614273)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 55832576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 26019

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x822B0511 (2183857425)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 55832576, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 26019

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.10.99.32/255.255.255.255/0/0)

      current_peer: 116.12.211.66, username: pheng

      dynamic allocated peer ip: 10.10.99.32

      #pkts encaps: 9523, #pkts encrypt: 9547, #pkts digest: 9547

      #pkts decaps: 9308, #pkts decrypt: 9308, #pkts verify: 9308

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 9523, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 24, #pre-frag failures: 0, #fragments created: 48

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 48

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226/4500, remote crypto endpt.: 116.12.211.66/1163

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 99A5DC54

    inbound esp sas:

      spi: 0x0AA3D3C5 (178508741)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 55828480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 25550

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x99A5DC54 (2577783892)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 55828480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 25550

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 12.69.103.226

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.14.0.0/255.255.0.0/0/0)

      current_peer: 212.185.51.242

      #pkts encaps: 127, #pkts encrypt: 127, #pkts digest: 127

      #pkts decaps: 130, #pkts decrypt: 130, #pkts verify: 130

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 127, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226, remote crypto endpt.: 212.185.51.242

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: B215F054

    inbound esp sas:

      spi: 0x59CAB074 (1506455668)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 46747648, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (4274962/3297)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xB215F054 (2987782228)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 46747648, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (4274906/3297)

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: outside_map, seq num: 10, local addr: 12.69.103.226

      access-list traffic permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.14.0.0/255.255.0.0/0/0)

      current_peer: 212.185.51.242

      #pkts encaps: 62539, #pkts encrypt: 62572, #pkts digest: 62572

      #pkts decaps: 60327, #pkts decrypt: 60327, #pkts verify: 60327

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 62539, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 33, #pre-frag failures: 0, #fragments created: 66

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 87

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.69.103.226, remote crypto endpt.: 212.185.51.242

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 400A31BF

    inbound esp sas:

      spi: 0x9BA5177B (2611287931)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 46747648, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4273924/1219)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x400A31BF (1074409919)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 46747648, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4274168/1219)

         IV size: 8 bytes

         replay detection support: Y

When I do a packet trace I get an IPSEC-SPOOF error.

Well, I got traffic to route over the VPN and to the internet, but not the LAN on the other side and back. So we can get the internet but no internal resources.

Hi Ronald,

The no nat statement is missing from the configuration.

Please configure the following on the ASA:

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

Regards,

Anisha

P.S.: Please mark this post answered if you think your query is answered.

I added the requested line and the problem is still ongoing.

Current ASA config:

: Saved

: Written by usiadmin at 06:22:45.200 CST Wed Jan 19 2011

!

ASA Version 8.0(3)

!

hostname STO-ASA-5510-FW

domain-name universalsilencer.com

enable password ..Ge0JnvJlk/gAiB encrypted

names

name 192.168.255.0 BGP-Transit_Network description BGP-Transit

name 10.10.99.0 IP-Pool-VPNClients description Addresses Assigned to VPN Clients

dns-guard

!

interface Ethernet0/0

description Inside Interface

nameif inside

security-level 100

ip address 10.10.200.29 255.255.255.240

ospf cost 10

!

interface Ethernet0/1

description Outside Interface facing the Internet Rotuer.

nameif outside

security-level 0

ip address 12.69.103.226 255.255.255.240

ospf cost 10

!

interface Ethernet0/2

description Physical Trunk interface - Dont use

no nameif

no security-level

no ip address

!

interface Ethernet0/2.900

description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)

vlan 900

nameif DMZ1-VLAN900

security-level 50

ip address 12.69.103.1 255.255.255.192

ospf cost 10

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.10.5.250 255.255.254.0

ospf cost 10

management-only

!

passwd L0Wjs4eA25R/befo encrypted

banner exec **********************************************************************

banner exec                         STO-ASA-5510-FW

banner exec                         ASA5510 - 10.10.200.29

banner exec                         Configured for Data use only

banner exec **********************************************************************

banner login **********************************************************************

banner login WARNING: This system is for the use of authorized clients only.

banner login Individuals using the computer network system without authorization,

banner login or in excess of their authorization, are subject to having all their

banner login activity on this computer network system monitored and recorded by

banner login system personnel.  To protect the computer network system from

banner login unauthorized use and to ensure the computer network systems is

banner login functioning properly, system administrators monitor this system.

banner login Anyone using this computer network system expressly consents to such

banner login monitoring and is advised that if such monitoring reveals possible

banner login conduct of criminal activity, system personnel may provide the

banner login evidence of such activity to law enforcement officers.

banner login Access is restricted to authorized users only. Unauthorized access is

banner login a violation of state and federal, civil and criminal laws.

banner login **********************************************************************

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name universalsilencer.com

same-security-traffic permit intra-interface

object-group service SAP tcp-udp

description SAP Updates

port-object eq 3299

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service HUMANLand tcp

port-object eq citrix-ica

object-group service DM_INLINE_TCP_1 tcp

port-object eq 5061

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq 5061

port-object eq www

port-object eq https

object-group service DM_INLINE_UDP_1 udp

port-object eq snmp

port-object eq snmptrap

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp-udp eq www

service-object udp eq snmp

service-object udp eq snmptrap

object-group service Human tcp-udp

port-object eq 8100

access-list outside remark ************In Bound SAP Update Traffic  per Ron Odom***************

access-list outside extended permit tcp any host 12.69.103.155 range 3200 3300 log

access-list outside remark *** SAP router****

access-list outside extended permit tcp host 12.69.103.155 host 194.39.131.34 range 3200 3300

access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154

access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****

access-list outside extended permit tcp any host 12.69.103.147 eq smtp

access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****

access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1

access-list outside extended permit ip any host 12.69.103.6

access-list outside remark Blocked for malware activity

access-list outside extended deny ip host 77.78.247.86 any

access-list outside extended permit tcp any host 12.69.103.147 eq www

access-list outside extended permit tcp any host 12.69.103.147 eq https

access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****

access-list outside extended permit tcp any host 12.69.103.145 eq www

access-list outside extended permit tcp any host 12.69.103.145 eq https

access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****

access-list outside extended permit tcp any host 12.69.103.146 eq www

access-list outside extended permit tcp any host 12.69.103.146 eq https

access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****

access-list outside extended permit tcp any host 12.69.103.152 eq pptp

access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand

access-list outside extended permit tcp any host 200.56.251.121 eq 8100

access-list outside remark Allow all return ICMP traffic

access-list outside extended permit icmp any any log

access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging

access-list outside extended permit ip 10.15.0.0 255.255.0.0 any

access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging

access-list outside extended permit ip any 10.15.0.0 255.255.0.0

access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1

access-list outside remark add to pervent bocking to Human

access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human

access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human

access-list outside extended permit ip any host 12.69.103.156

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0

access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****

access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2

access-list DMZ1_in remark Allow all ICMP traffic

access-list DMZ1_in extended permit icmp any any log

access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****

access-list DMZ1_in remark ***** Any needed permits to inside networks          *****

access-list DMZ1_in remark ***** Need to be done above this section             *****

access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0

access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0

access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0

access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****

access-list DMZ1_in extended permit ip any any log debugging

access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0

access-list DMZ1-VLAN900_cryptomap extended permit ip any any

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.11.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.12.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.13.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 IP-Pool-VPNClients 255.255.255.192

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0

access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging list VPN level informational class auth

logging list VPN level critical class config

logging list VPN level notifications class vpn

logging list VPN level notifications class vpnc

logging list VPN level notifications class webvpn

logging list all level alerts

logging buffer-size 256000

logging buffered all

logging trap VPN

logging asdm informational

logging host inside 10.10.2.41 format emblem

logging ftp-bufferwrap

logging ftp-server 10.10.2.41 \logs usi\administrator 178US1SIL3~

mtu inside 1500

mtu outside 1500

mtu DMZ1-VLAN900 1500

mtu management 1500

ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ1-VLAN900

asdm image disk0:/asdm-611.bin

asdm location IP-Pool-VPNClients 255.255.255.192 inside

asdm location BGP-Transit_Network 255.255.255.0 inside

asdm location 10.10.4.60 255.255.254.255 inside

asdm history enable

arp timeout 14400

global (outside) 10 12.69.103.129 netmask 255.255.255.255

global (outside) 11 12.69.103.130 netmask 255.255.255.255

global (outside) 12 12.69.103.131 netmask 255.255.255.255

global (outside) 13 12.69.103.132 netmask 255.255.255.255

nat (inside) 0 access-list nonat

nat (inside) 11 192.168.255.4 255.255.255.252

nat (inside) 12 192.168.255.8 255.255.255.252

nat (inside) 13 192.168.255.12 255.255.255.252

nat (inside) 10 10.10.0.0 255.255.0.0

nat (inside) 11 10.11.0.0 255.255.0.0

nat (inside) 12 10.12.0.0 255.255.0.0

nat (inside) 13 10.13.0.0 255.255.0.0

nat (outside) 10 10.14.0.0 255.255.0.0

nat (outside) 10 10.15.0.0 255.255.0.0

static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192

static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255

static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

static (inside,outside) 12.69.103.148 10.255.2.2 netmask 255.255.255.255

static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255

static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255

static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255

static (inside,outside) 12.69.103.156 10.10.3.100 netmask 255.255.255.255

access-group outside in interface outside

access-group DMZ1_in in interface DMZ1-VLAN900

!

router eigrp 100

network 10.0.0.0 255.0.0.0

!

route outside 0.0.0.0 0.0.0.0 12.69.103.225 1

route inside 10.0.0.0 255.0.0.0 10.10.200.30 1

route inside 10.10.98.0 255.255.255.0 10.10.200.30 1

route outside 10.14.0.0 255.255.0.0 12.69.103.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server Microsoft protocol radius

accounting-mode simultaneous

reactivation-mode depletion deadtime 30

aaa-server Microsoft host 10.10.2.1

key cisco123

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

http server enable

http 10.10.0.0 255.255.0.0 inside

http 10.10.0.0 255.255.0.0 management

snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161

snmp-server location STODATDROOM

snmp-server contact SYS Admin

snmp-server community UNISNMP

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 115.111.107.226

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 10 match address traffic

crypto map outside_map 10 set peer 212.185.51.242

crypto map outside_map 10 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto isakmp identity address

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 33

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 10

telnet 10.10.0.0 255.255.0.0 inside

telnet 10.10.0.0 255.255.0.0 management

telnet timeout 29

ssh timeout 29

ssh version 2

console timeout 1

management-access inside

dhcprelay server 10.10.2.1 outside

threat-detection basic-threat

threat-detection statistics

wccp web-cache

wccp interface inside web-cache redirect in

ntp server 192.5.41.41

ntp server 192.5.41.40

ntp server 192.43.244.18

tftp-server inside 10.10.2.2 \asa

webvpn

group-policy DfltGrpPolicy attributes

banner value WARNING: This system is for the use of authorized clients only.

wins-server value 10.10.2.1

dns-server value 10.10.2.1 10.10.2.2

vpn-tunnel-protocol IPSec webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SplitTunnel

default-domain value universalsilencer.com

msie-proxy server value 00.00.00.00

address-pools value VPNClients

group-policy ezGROUP1 internal

group-policy ezGROUP1 attributes

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ezvpn1

nem enable----

----users removed

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key germanysilence

tunnel-group USISplitTunnelRemoteAccess type remote-access

tunnel-group USISplitTunnelRemoteAccess general-attributes

address-pool VPNClients

tunnel-group USISplitTunnelRemoteAccess ipsec-attributes

pre-shared-key z2LNoioYVCTyJlX

tunnel-group USISplitTunnelRADIUS type remote-access

tunnel-group USISplitTunnelRADIUS general-attributes

address-pool VPNClients

authentication-server-group Microsoft LOCAL

tunnel-group USISplitTunnelRADIUS ipsec-attributes

pre-shared-key fLFO2p5KSS8Ic2y

tunnel-group ezVPN1 type remote-access

tunnel-group ezVPN1 general-attributes

default-group-policy ezGROUP1

tunnel-group ezVPN1 ipsec-attributes

pre-shared-key usiPa55

tunnel-group 212.185.51.242 type ipsec-l2l

tunnel-group 212.185.51.242 ipsec-attributes

pre-shared-key usiPa55

tunnel-group 115.111.107.226 type ipsec-l2l

tunnel-group 115.111.107.226 ipsec-attributes

pre-shared-key uniindia

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6f8f82218206c3b83ae46b49364baf45

: end
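
An added example, not code from either poster or from Cisco: a Python check of the NAT-exemption point raised in the reply above, verifying that every flow selected by a crypto map ACL is covered by an entry in the `nat 0` exemption ACL. The configuration excerpt is copied from the post above; the "before" variant and all function names are constructed here, and requiring a single exemption entry to cover the whole flow (rather than a union of entries) is a simplifying assumption.

```python
import ipaddress

# Excerpt (NAT and crypto lines only) of the ASA 8.0 configuration posted above.
CONFIG_AFTER = """\
name 10.10.99.0 IP-Pool-VPNClients description Addresses Assigned to VPN Clients
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 IP-Pool-VPNClients 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 10 match address traffic
"""

# Constructed "before" variant: the same excerpt without the line the reply asked for.
ADDED_LINE = "access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0\n"
CONFIG_BEFORE = CONFIG_AFTER.replace(ADDED_LINE, "")


def _take_network(tokens, names):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])  # resolve "name" aliases to their address
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect 'permit ip' ACL entries, nat 0 exemption ACLs and crypto map match ACLs."""
    names, acls, exempt_acls, crypto_acls = {}, {}, set(), {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name" and len(tok) >= 3:
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_network(tok[5:], names)
            dst, _ = _take_network(rest, names)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            exempt_acls.add(tok[4])
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            crypto_acls[tok[6]] = (tok[2], int(tok[3]))
    return acls, exempt_acls, crypto_acls


def unexempted_flows(text):
    """Return crypto-protected flows that no single nat 0 ACL entry fully covers."""
    acls, exempt_acls, crypto_acls = parse_config(text)
    exempt = [entry for name in exempt_acls for entry in acls.get(name, [])]
    missing = []
    for acl_name, (map_name, seq) in sorted(crypto_acls.items(), key=lambda kv: kv[1]):
        for src, dst in acls.get(acl_name, []):
            covered = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
            if not covered:
                missing.append((map_name, seq, str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, unexempted_flows(cfg) or "all crypto flows are NAT-exempt")
```

With the exemption line in place the check reports no gaps, which is consistent with the poster's observation that the problem persists after adding it.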

Hi,

Please bring the tunnel down.

On ASA please enter the following commands:

clear cry isa sa

clear cry ips sa peer

Enable the following debugs on the ASA:

deb cry isa 127

deb cry ips 127

Enable the debugs on the router:

debug cry isa

debug cry ips

Please try passing the traffic and bring the tunnel up.

Please attach the outputs of the same on passing the traffic.

Regards,

Anisha

Here is the debug from the ASA.

The router did not return any debugs.

STO-ASA-5510-FW# Jan 19 11:28:17 [IKEv1]: IP = 115.111.107.226, Received encrypted packet with no matching SA, dropping

STO-ASA-5510-FW# Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 164

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing SA payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Oakley proposal is acceptable

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received NAT-Traversal RFC VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received NAT-Traversal ver 03 VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received NAT-Traversal ver 02 VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing IKE SA payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing ISAKMP SA payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing NAT-Traversal VID ver 02 payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing Fragmentation VID + extended capabilities payload

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 284

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing ke payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing ISA_KE payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing nonce payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received DPD VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f6f)

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Received xauth V6 VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing NAT-Discovery payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, processing NAT-Discovery payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing ke payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing nonce payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing Cisco Unity VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing xauth V6 VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Send IOS VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing VID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing NAT-Discovery payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, constructing NAT-Discovery payload

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, computing NAT Discovery hash

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, Connection landed on tunnel_group 115.111.107.226

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Generating keys for Responder...

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing ID payload

Jan 19 11:29:02 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, ID_IPV4_ADDR ID received

115.111.107.226

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Computing hash for ISAKMP

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:29:02 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, Connection landed on tunnel_group 115.111.107.226

Jan 19 11:29:02 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Freeing previously allocated memory for authorization-dn-attributes

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing ID payload

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing hash payload

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Computing hash for ISAKMP

Jan 19 11:29:02 [IKEv1 DEBUG]: IP = 115.111.107.226, Constructing IOS keep alive payload: proposal=32767/32767 sec.

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing dpd vid payload

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96

Jan 19 11:29:02 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, PHASE 1 COMPLETED

Jan 19 11:29:02 [IKEv1]: IP = 115.111.107.226, Keep-alive type for this connection: DPD

Jan 19 11:29:02 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Starting P1 rekey timer: 64800 seconds.

Jan 19 11:29:03 [IKEv1 DECODE]: IP = 115.111.107.226, IKE Responder starting QM: msg id = 2daadb29

Jan 19 11:29:03 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=2daadb29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing SA payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing nonce payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing ID payload

Jan 19 11:29:03 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, ID_IPV4_ADDR_SUBNET ID received--10.15.0.0--255.255.0.0

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Received remote IP Proxy Subnet data in ID Payload:   Address 10.15.0.0, Mask 255.255.0.0, Protocol 0, Port 0

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing ID payload

Jan 19 11:29:03 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Received local IP Proxy Subnet data in ID Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, QM IsRekeyed old sa not found by addr

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, checking map = outside_map, seq = 1...

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.15.0.0 dst:0.0.0.0

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, checking map = outside_map, seq = 10...

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:10.15.0.0 dst:0.0.0.0

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing IPSec SA payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 65535

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, IKE: requesting SPI!

IPSEC: New embryonic SA created @ 0xD9321D28,

    SCB: 0xDA1FF4B8,

    Direction: inbound

    SPI      : 0x6E8D5150

    Session ID: 0x0355D000

    VPIF num  : 0x00000002

    Tunnel type: l2l

    Protocol   : esp

    Lifetime   : 240 seconds

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, IKE got SPI from key engine: SPI = 0x6e8d5150

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, oakley constucting quick mode

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing IPSec SA payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing IPSec nonce payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing proxy ID

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Transmitting Proxy Id:

  Remote subnet: 10.15.0.0  Mask 255.255.0.0 Protocol 0  Port 0

  Local subnet:  0.0.0.0  mask 0.0.0.0 Protocol 0  Port 0

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:29:03 [IKEv1 DECODE]: Group = 115.111.107.226, IP = 115.111.107.226, IKE Responder sending 2nd QM pkt: msg id = 2daadb29

Jan 19 11:29:03 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=2daadb29) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168

Jan 19 11:29:03 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=2daadb29) with payloads : HDR + HASH (8) + NONE (0) total length : 52

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, loading all IPSEC SAs

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Generating Quick Mode Key!

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Generating Quick Mode Key!

IPSEC: New embryonic SA created @ 0xD564F2D8,

    SCB: 0xD9377370,

    Direction: outbound

    SPI      : 0xF0DBA4B1

    Session ID: 0x0355D000

    VPIF num  : 0x00000002

    Tunnel type: l2l

    Protocol   : esp

    Lifetime   : 240 seconds

IPSEC: Completed host OBSA update, SPI 0xF0DBA4B1

IPSEC: Creating outbound VPN context, SPI 0xF0DBA4B1

    Flags: 0x00000005

    SA   : 0xD564F2D8

    SPI  : 0xF0DBA4B1

    MTU  : 1500 bytes

    VCID : 0x00000000

    Peer : 0x00000000

    SCB  : 0x1AD51E39

    Channel: 0xD4562C58

IPSEC: Completed outbound VPN context, SPI 0xF0DBA4B1

    VPN handle: 0x2DD02054

IPSEC: New outbound encrypt rule, SPI 0xF0DBA4B1

    Src addr: 0.0.0.0

    Src mask: 0.0.0.0

    Dst addr: 10.15.0.0

    Dst mask: 255.255.0.0

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed outbound encrypt rule, SPI 0xF0DBA4B1

    Rule ID: 0xDA46C7C0

IPSEC: New outbound permit rule, SPI 0xF0DBA4B1

    Src addr: 12.69.103.226

    Src mask: 255.255.255.255

    Dst addr: 115.111.107.226

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0xF0DBA4B1

    Use SPI: true

IPSEC: Completed outbound permit rule, SPI 0xF0DBA4B1

    Rule ID: 0xDA48A9C0

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, Security negotiation complete for LAN-to-LAN Group (115.111.107.226)  Responder, Inbound SPI = 0x6e8d5150, Outbound SPI = 0xf0dba4b1

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, IKE got a KEY_ADD msg for SA: SPI = 0xf0dba4b1

IPSEC: Completed host IBSA update, SPI 0x6E8D5150

IPSEC: Creating inbound VPN context, SPI 0x6E8D5150

    Flags: 0x00000006

    SA   : 0xD9321D28

    SPI  : 0x6E8D5150

    MTU  : 0 bytes

    VCID : 0x00000000

    Peer : 0x2DD02054

    SCB  : 0x09842643

    Channel: 0xD4562C58

IPSEC: Completed inbound VPN context, SPI 0x6E8D5150

    VPN handle: 0x2DD062F4

IPSEC: Updating outbound VPN context 0x2DD02054, SPI 0xF0DBA4B1

    Flags: 0x00000005

    SA   : 0xD564F2D8

    SPI  : 0xF0DBA4B1

    MTU  : 1500 bytes

    VCID : 0x00000000

    Peer : 0x2DD062F4

    SCB  : 0x1AD51E39

    Channel: 0xD4562C58

IPSEC: Completed outbound VPN context, SPI 0xF0DBA4B1

    VPN handle: 0x2DD02054

IPSEC: Completed outbound inner rule, SPI 0xF0DBA4B1

    Rule ID: 0xDA46C7C0

IPSEC: Completed outbound outer SPD rule, SPI 0xF0DBA4B1

    Rule ID: 0xDA48A9C0

IPSEC: New inbound tunnel flow rule, SPI 0x6E8D5150

    Src addr: 10.15.0.0

    Src mask: 255.255.0.0

    Dst addr: 0.0.0.0

    Dst mask: 0.0.0.0

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed inbound tunnel flow rule, SPI 0x6E8D5150

    Rule ID: 0xDA03CB08

IPSEC: New inbound decrypt rule, SPI 0x6E8D5150

    Src addr: 115.111.107.226

    Src mask: 255.255.255.255

    Dst addr: 12.69.103.226

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0x6E8D5150

    Use SPI: true

IPSEC: Completed inbound decrypt rule, SPI 0x6E8D5150

    Rule ID: 0xDA33BBE8

IPSEC: New inbound permit rule, SPI 0x6E8D5150

    Src addr: 115.111.107.226

    Src mask: 255.255.255.255

    Dst addr: 12.69.103.226

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0x6E8D5150

    Use SPI: true

IPSEC: Completed inbound permit rule, SPI 0x6E8D5150

    Rule ID: 0xD9EA59E0

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Pitcher: received KEY_UPDATE, spi 0x6e8d5150

Jan 19 11:29:03 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Starting P2 rekey timer: 3059 seconds.

Jan 19 11:29:03 [IKEv1]: Group = 115.111.107.226, IP = 115.111.107.226, PHASE 2 COMPLETED (msgid=2daadb29)

Jan 19 11:29:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:03 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:29:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:04 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:29:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:29:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:29:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:29:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f2)

Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:29:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=e37c1728) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:29:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=8873279b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:29:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f2)

Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f3)

Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:29:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=b1b6ba5f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:29:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=7cadb61a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:29:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f3)

Jan 19 11:29:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:29:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:29:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:46 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:29:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:46 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:29:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:50 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:29:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:50 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:29:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:57 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:29:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:58 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:29:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:29:59 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:30:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:01 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:30:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:01 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:30:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:05 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:30:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:05 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f4)

Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:30:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=1639f532) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=f0f3e0f3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:30:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f4)

Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f5)

Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:30:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=4f8399f0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=6990b0fa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:30:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f5)

Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f6)

Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:30:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=f953ba9a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=7f2d5c31) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:30:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f6)

Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f7)

Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:30:45 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=16212aa7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:45 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=ec419731) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:30:45 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f7)

Jan 19 11:30:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:50 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:30:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:51 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:30:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:52 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:30:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:54 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:30:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:54 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:30:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:58 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:30:58 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:30:58 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:31:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:03 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:31:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:03 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:31:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:31:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:06 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:31:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:31:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:10 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f8)

Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:31:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=dad2b4e2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:31:25 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=99cf6edd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:31:25 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f8)

Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1f9)

Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:31:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=d1152ebb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:31:35 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=84fc263f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:31:35 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1f9)

Jan 19 11:31:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:37 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:31:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:38 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:31:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:39 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:31:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:41 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:31:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:41 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:31:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:45 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:31:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:31:45 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator: Rekeying Phase 2, Intf inside, IKE Peer 212.185.51.242  local Proxy Address 10.0.0.0, remote Proxy Address 10.14.0.0,  Crypto map (outside_map)

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Oakley begin quick mode

Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator starting QM: msg id = 90e9b5a7

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Active unit starts Phase 2 rekey with remote peer 212.185.51.242.

IPSEC: New embryonic SA created @ 0xD93217E8,

    SCB: 0xDA49E2C0,

    Direction: inbound

    SPI      : 0x0A08639B

    Session ID: 0x02C95000

    VPIF num  : 0x00000002

    Tunnel type: l2l

    Protocol   : esp

    Lifetime   : 240 seconds

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, IKE got SPI from key engine: SPI = 0x0a08639b

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, oakley constucting quick mode

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing blank hash payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing IPSec SA payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing IPSec nonce payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing proxy ID

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Transmitting Proxy Id:

  Local subnet:  10.0.0.0  mask 255.0.0.0 Protocol 0  Port 0

  Remote subnet: 10.14.0.0  Mask 255.255.0.0 Protocol 0  Port 0

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, constructing qm hash payload

Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator sending 1st QM pkt: msg id = 90e9b5a7

Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE SENDING Message (msgid=90e9b5a7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168

Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE RECEIVED Message (msgid=2882654b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing hash payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing delete

Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Received delete for rekeyed centry  IKE peer: 10.14.0.0, centry addr: d8afad78, msgid: 0x2b575fc0

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Active unit receives a delete event for remote peer 212.185.51.242.

Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE RECEIVED Message (msgid=90e9b5a7) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Deleting SA: Remote Proxy 10.14.0.0, Local Proxy 10.0.0.0

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing hash payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing SA payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing nonce payload

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing ID payload

Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.0.0.0

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing ID payload

Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, ID_IPV4_ADDR_SUBNET ID received--10.14.0.0--255.255.0.0

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing notify payload

Jan 19 11:31:51 [IKEv1 DECODE]: Responder Lifetime decode follows (outb SPI[4]|attributes):

Jan 19 11:31:51 [IKEv1 DECODE]: 0000: D2D6C364 80010001 00020004 00000E10     ...d............

Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, loading all IPSEC SAs

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Generating Quick Mode Key!

IPSEC: Deleted inbound decrypt rule, SPI 0x37BD96FF

    Rule ID: 0xDA257DB8

IPSEC: Deleted inbound permit rule, SPI 0x37BD96FF

    Rule ID: 0xD9967448

IPSEC: Deleted inbound tunnel flow rule, SPI 0x37BD96FF

    Rule ID: 0xD9E600E8

IPSEC: Deleted inbound VPN context, SPI 0x37BD96FF

    VPN handle: 0x2DCDD1BC

IPSEC: Deleted outbound encrypt rule, SPI 0x5645F4F4

    Rule ID: 0xD8A1ED20

IPSEC: Deleted outbound permit rule, SPI 0x5645F4F4

    Rule ID: 0xDA38D750

IPSEC: Deleted outbound VPN context, SPI 0x5645F4F4

    VPN handle: 0x2DCDAD3C

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Generating Quick Mode Key!

IPSEC: New embryonic SA created @ 0xD93586B0,

    SCB: 0xD9888F38,

    Direction: outbound

    SPI      : 0xD2D6C364

    Session ID: 0x02C95000

    VPIF num  : 0x00000002

    Tunnel type: l2l

    Protocol   : esp

    Lifetime   : 240 seconds

IPSEC: Completed host OBSA update, SPI 0xD2D6C364

IPSEC: Creating outbound VPN context, SPI 0xD2D6C364

    Flags: 0x00000005

    SA   : 0xD93586B0

    SPI  : 0xD2D6C364

    MTU  : 1500 bytes

    VCID : 0x00000000

    Peer : 0x00000000

    SCB  : 0x1AE8599F

    Channel: 0xD4562C58

IPSEC: Completed outbound VPN context, SPI 0xD2D6C364

    VPN handle: 0x2DD0BACC

IPSEC: New outbound encrypt rule, SPI 0xD2D6C364

    Src addr: 10.0.0.0

    Src mask: 255.0.0.0

    Dst addr: 10.14.0.0

    Dst mask: 255.255.0.0

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed outbound encrypt rule, SPI 0xD2D6C364

    Rule ID: 0xD92342C8

IPSEC: New outbound permit rule, SPI 0xD2D6C364

    Src addr: 12.69.103.226

    Src mask: 255.255.255.255

    Dst addr: 212.185.51.242

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0xD2D6C364

    Use SPI: true

IPSEC: Completed outbound permit rule, SPI 0xD2D6C364

    Rule ID: 0xD8A1ED20

Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, Security negotiation complete for LAN-to-LAN Group (212.185.51.242)  Initiator, Inbound SPI = 0x0a08639b, Outbound SPI = 0xd2d6c364

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, oakley constructing final quick mode

IPSEC: Completed host IBSA update, SPI 0x0A08639B

IPSEC: Creating inbound VPN context, SPI 0x0A08639B

    Flags: 0x00000006

    SA   : 0xD93217E8

    SPI  : 0x0A08639B

    MTU  : 0 bytes

    VCID : 0x00000000

    Peer : 0x2DD0BACC

    SCB  : 0x1BB4A893

    Channel: 0xD4562C58

IPSEC: Completed inbound VPN context, SPI 0x0A08639B

    VPN handle: 0x2DD0F80C

IPSEC: Updating outbound VPN context 0x2DD0BACC, SPI 0xD2D6C364

    Flags: 0x00000005

    SA   : 0xD93586B0

    SPI  : 0xD2D6C364

    MTU  : 1500 bytes

    VCID : 0x00000000

    Peer : 0x2DD0F80C

    SCB  : 0x1AE8599F

    Channel: 0xD4562C58

IPSEC: Completed outbound VPN context, SPI 0xD2D6C364

    VPN handle: 0x2DD0BACC

IPSEC: Completed outbound inner rule, SPI 0xD2D6C364

    Rule ID: 0xD92342C8

IPSEC: Completed outbound outer SPD rule, SPI 0xD2D6C364

    Rule ID: 0xD8A1ED20

IPSEC: New inbound tunnel flow rule, SPI 0x0A08639B

    Src addr: 10.14.0.0

    Src mask: 255.255.0.0

    Dst addr: 10.0.0.0

    Dst mask: 255.0.0.0

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 0

    Use protocol: false

    SPI: 0x00000000

    Use SPI: false

IPSEC: Completed inbound tunnel flow rule, SPI 0x0A08639B

    Rule ID: 0xD95F0010

IPSEC: New inbound decrypt rule, SPI 0x0A08639B

    Src addr: 212.185.51.242

    Src mask: 255.255.255.255

    Dst addr: 12.69.103.226

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0x0A08639B

    Use SPI: true

IPSEC: Completed inbound decrypt rule, SPI 0x0A08639B

    Rule ID: 0xD8AE5A00

IPSEC: New inbound permit rule, SPI 0x0A08639B

    Src addr: 212.185.51.242

    Src mask: 255.255.255.255

    Dst addr: 12.69.103.226

    Dst mask: 255.255.255.255

    Src ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Dst ports

      Upper: 0

      Lower: 0

      Op   : ignore

    Protocol: 50

    Use protocol: true

    SPI: 0x0A08639B

    Use SPI: true

IPSEC: Completed inbound permit rule, SPI 0x0A08639B

    Rule ID: 0xD9313DA0

Jan 19 11:31:51 [IKEv1 DECODE]: Group = 212.185.51.242, IP = 212.185.51.242, IKE Initiator sending 3rd QM pkt: msg id = 90e9b5a7

Jan 19 11:31:51 [IKEv1]: IP = 212.185.51.242, IKE_DECODE SENDING Message (msgid=90e9b5a7) with payloads : HDR + HASH (8) + NONE (0) total length : 76

Jan 19 11:31:51 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x37bd96ff

Jan 19 11:31:51 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x37bd96ff

Jan 19 11:31:51 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x5645f4f4

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, IKE got a KEY_ADD msg for SA: SPI = 0xd2d6c364

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Pitcher: received KEY_UPDATE, spi 0xa08639b

Jan 19 11:31:51 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, Starting P2 rekey timer: 3060 seconds.

Jan 19 11:31:51 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, PHASE 2 COMPLETED (msgid=90e9b5a7)

Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fa)

Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:31:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=7a2e3e3f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:31:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=4514bafe) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:31:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fa)

Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fb)

Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:32:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=6421c0a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:32:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=d3567c9d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:32:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fb)

Jan 19 11:32:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:12 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:13 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:13 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:14 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:16 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:16 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:20 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:20 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:21 [IKEv1]: IP = 212.185.51.242, IKE_DECODE RECEIVED Message (msgid=2ad07f4a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68

Jan 19 11:32:21 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing hash payload

Jan 19 11:32:21 [IKEv1 DEBUG]: Group = 212.185.51.242, IP = 212.185.51.242, processing delete

Jan 19 11:32:21 [IKEv1]: Group = 212.185.51.242, IP = 212.185.51.242, Could not find centry for IPSec SA delete with reason message - SPI 0x5645F4F4

Jan 19 11:32:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:23 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:32:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:23 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:32:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:24 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.250

Jan 19 11:32:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:27 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:32:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:27 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:32:30 [IKEv1]: IP = 98.244.86.208, IKE_DECODE RECEIVED Message (msgid=908ae820) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, processing hash payload

Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, processing notify payload

Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, Received keep-alive of type DPD R-U-THERE (seq number 0xe5c9ce82)

Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xe5c9ce82)

Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, constructing blank hash payload

Jan 19 11:32:30 [IKEv1 DEBUG]: Group = USISplitTunnelRADIUS, Username = eray, IP = 98.244.86.208, constructing qm hash payload

Jan 19 11:32:30 [IKEv1]: IP = 98.244.86.208, IKE_DECODE SENDING Message (msgid=ace5a7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:32:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:31 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.1

Jan 19 11:32:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:31 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1

Jan 19 11:32:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:34 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:35 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:36 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:38 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:38 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:32:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:32:42 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fc)

Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:32:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=f10b019b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:32:55 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=21de9236) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:32:55 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fc)

no deJan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fd)

Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:33:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=7081e35b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

bJan 19 11:33:05 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=80f9c6fb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:33:05 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fd)

ig all

                       ^

ERROR: % Invalid input detected at '^' marker.

STO-ASA-5510-FW# Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Sending keep-alive of type DPD R-U-THERE (seq number 0xb63f1fe)

Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing blank hash payload

Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, constructing qm hash payload

Jan 19 11:33:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE SENDING Message (msgid=e64bc9d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:33:15 [IKEv1]: IP = 115.111.107.226, IKE_DECODE RECEIVED Message (msgid=b793ab43) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing hash payload

Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, processing notify payload

Jan 19 11:33:15 [IKEv1 DEBUG]: Group = 115.111.107.226, IP = 115.111.107.226, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0xb63f1fe)

n   no debug Jan 19 11:33:25 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:25 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

allJan 19 11:33:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:26 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:33:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:27 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:33:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:29 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:33:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:29 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250

Jan 19 11:33:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:33 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250

Jan 19 11:33:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jan 19 11:33:33 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
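A triage aid for debug output like the above, as an added example that is not part of the original post: it counts the "IKE Initiator unable to find policy" events per flow and checks each one against the inbound tunnel flow rules the same log shows being installed. The sample lines are constructed in the log's format, and the function names are this example's own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the debug format in the post above.
SAMPLE = """\
IPSEC: New inbound tunnel flow rule, SPI 0x0A08639B
    Src addr: 10.14.0.0
    Src mask: 255.255.0.0
    Dst addr: 10.0.0.0
    Dst mask: 255.0.0.0
Jan 19 11:32:12 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:13 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.1, Dst: 10.15.4.250
Jan 19 11:32:14 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.3, Dst: 10.15.4.250
Jan 19 11:32:23 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 10.10.2.2, Dst: 10.15.4.1
"""

NO_POLICY = re.compile(r"unable to find policy: Intf (\S+), Src: ([\d.]+), Dst: ([\d.]+)")
FLOW = re.compile(r"New inbound tunnel flow rule.*?Src addr: ([\d.]+)\s+Src mask: ([\d.]+)"
                  r"\s+Dst addr: ([\d.]+)\s+Dst mask: ([\d.]+)", re.S)

def flow_rules(text):
    """Return (remote_net, local_net) for each inbound tunnel flow rule."""
    return [(ip_network(f"{sa}/{sm}"), ip_network(f"{da}/{dm}"))
            for sa, sm, da, dm in FLOW.findall(text)]

def no_policy_flows(text):
    """Count 'unable to find policy' events per (interface, src, dst)."""
    return Counter(NO_POLICY.findall(text))

def uncovered(text):
    """Flows with no matching policy that no installed flow rule would carry."""
    rules = flow_rules(text)
    out = {}
    for (intf, src, dst), n in no_policy_flows(text).items():
        # Outbound traffic: local source must be in the rule's Dst net,
        # remote destination in the rule's Src net (the rule is inbound).
        hit = any(ip_address(src) in local and ip_address(dst) in remote
                  for remote, local in rules)
        if not hit:
            out[(intf, src, dst)] = n
    return out

if __name__ == "__main__":
    for (intf, src, dst), n in sorted(uncovered(SAMPLE).items()):
        print(f"{n:3d}x {intf}: {src} -> {dst} has no crypto policy / SA")
```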
