VPN LAN2LAN _8.6 nat 0 problem

o.fulbert
Level 1

Hello,

I have just migrated an 8.0.5 config to 8.6 and am having a problem doing an L2L.

I got this error but I can't find where to add the new nat 0 command for exempt traffic.

Can someone help?

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 90.80.x.x 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.17.2.250 255.255.255.0

object network POOL-IPEXTERNE

range 90.80.12.1 90.80.x.x

object network LAN-INTERNE

subnet 0.0.0.0 0.0.0.0

object network IPPUB-EXCHANGE

host 90.80.x.x

object network SERVEUR-EXCHANGE

host 172.17.2.3

object network NETWORK_OBJ_10.254.254.0_27

subnet 10.254.254.0 255.255.255.224

object network NETWORK_OBJ_172.17.2.0_24

subnet 172.17.2.0 255.255.255.0

object network LAN-RIBERAC

subnet 172.17.8.0 255.255.255.0

access-list Enter extended permit tcp any host 172.17.2.3 eq smtp

access-list Enter extended permit tcp any host 172.17.2.3 eq pop3

access-list Enter extended permit tcp any host 172.17.2.3 eq www

access-list Enter extended permit tcp any host 172.17.2.3 eq https

access-list Enter extended permit tcp any host 172.17.2.3 eq imap4

access-list Enter extended permit icmp any any echo-reply

access-list Enter extended permit icmp any any source-quench

access-list Enter extended permit icmp any any unreachable

access-list Enter extended permit icmp any any time-exceeded

access-list ocea_splitTunnelAcl standard permit 172.17.2.0 255.255.255.0

access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool POOL-VPNC 10.254.254.1-10.254.254.20 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 NETWORK_OBJ_172.17.2.0_24 destination static NETWORK_OBJ_10.254.254.0_27 NETWORK_OBJ_10.254.254.0_27 no-proxy-arp route-lookup

!

object network LAN-INTERNE

nat (inside,outside) dynamic POOL-IPEXTERNE

object network IPPUB-EXCHANGE

nat (outside,inside) static 172.17.2.3

object network SERVEUR-EXCHANGE

nat (inside,outside) static IPPUB-EXCHANGE

access-group Enter in interface outside


13 Replies

Jouni Forss
VIP Alumni

Hi,

According to the above configuration you already have a new type of "NAT0/NAT Exempt" configuration for the VPN Client Pool.

You should be able to configure another NAT configuration just like it, while naturally using the networks related to the L2L VPN connection.

Basic Configuration Format

object network LAN

subnet 10.10.10.0 255.255.255.0

object network REMOTE-LAN

subnet 10.10.20.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

If the following ACL is the one for your L2L VPN connection, then your configuration could be like this:

access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0

object network LAN

subnet 172.17.2.0 255.255.255.0

object network REMOTE-LAN

subnet 172.17.8.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

Please rate if the information was helpful.

- Jouni
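As an added check (not code from the thread, the poster or Cisco), the script below reads object, crypto-ACL and NAT lines in the form shown above and reports any crypto-ACL network pair that no identity twice-NAT rule covers. It assumes the object/subnet form used in this thread (host objects and other NAT forms are ignored); the sample config is constructed from the poster's configuration.

```python
"""Check that each (local, remote) pair in the L2L crypto ACL is covered by an
identity twice-NAT rule, the post-8.3 replacement for 'nat 0'.  Added example for
this thread, not Cisco's or the poster's code; parses only the ASA syntax the thread
shows (object/subnet, permit-ip ACL, source/destination static NAT), no host objects."""
import ipaddress
import re
OBJ_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s*subnet (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def parse_objects(config):
    """Map each 'object network' name to its subnet (subnet form only)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)  # the name may reappear later just for its nat line
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = net(m.group(1), m.group(2))
    return objects

def crypto_acl_pairs(config, acl_name):
    """(local, remote) networks the crypto-map ACL marks as interesting traffic."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            pairs.append((net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
    return pairs

def identity_nat_pairs(config, objects, inside="inside", outside="outside"):
    """(real src, real dst) pairs of twice-NAT rules whose mapped objects equal the
    real objects on both sides, i.e. the rules that exempt traffic from translation."""
    pairs = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        in_if, out_if, real_src, map_src, real_dst, map_dst = m.groups()
        if (in_if, out_if) != (inside, outside) or real_src != map_src or real_dst != map_dst:
            continue  # wrong interface pair, or the rule actually translates something
        if real_src in objects and real_dst in objects:
            pairs.append((objects[real_src], objects[real_dst]))
    return pairs

def missing_exemptions(config, acl_name):
    """Crypto-ACL pairs that no identity NAT rule covers, as ('a.b.c.d/n', ...) strings."""
    exempt = identity_nat_pairs(config, parse_objects(config))
    return [(str(loc), str(rem)) for loc, rem in crypto_acl_pairs(config, acl_name)
            if not any(loc.subnet_of(s) and rem.subnet_of(d) for s, d in exempt)]

# Constructed sample trimmed from the thread: only the VPN-client exemption exists.
BEFORE = """\
object network NETWORK_OBJ_10.254.254.0_27
 subnet 10.254.254.0 255.255.255.224
object network NETWORK_OBJ_172.17.2.0_24
 subnet 172.17.2.0 255.255.255.0
object network LAN-RIBERAC
 subnet 172.17.8.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 NETWORK_OBJ_172.17.2.0_24 destination static NETWORK_OBJ_10.254.254.0_27 NETWORK_OBJ_10.254.254.0_27 no-proxy-arp route-lookup
"""
# Same config plus the identity rule suggested in the reply above for the L2L networks.
AFTER = BEFORE + ("nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 "
                  "NETWORK_OBJ_172.17.2.0_24 destination static LAN-RIBERAC LAN-RIBERAC\n")
```

Running `missing_exemptions(BEFORE, "outside_cryptomap")` names the 172.17.2.0/24 to 172.17.8.0/24 pair as uncovered, and the same call on `AFTER` returns an empty list.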

Hi Jouni,

Thanks for your help.

I've added this line but it's not working. I do have IPsec up but nothing passes in the tunnel.

nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 NETWORK_OBJ_172.17.2.0_24 destination static LAN-RIBERAC LAN-RIBERAC

!

Hi,

Without knowing any exact configurations related to the L2L VPN, logs or show command outputs, it's hard to say what the problem is.

First of all I would attempt connections towards the remote network and see if Phase 1 of the L2L VPN is ok. You can use the command "show crypto isakmp sa" or "show crypto ikev1 sa".

If Phase 1 is fine then you should confirm if the rest of the negotiations have gone through.

You can for example use the following commands:

  • show vpn-sessiondb l2l
  • show crypto ipsec sa peer x.x.x.x

With the above you should be able to confirm if the L2L VPN connection has formed completely and also see if packets are getting encrypted to the L2L VPN connection.

Unless you have already made sure (I haven't seen the configuration), do notice that some of the old isakmp/IPsec commands have been changed a bit to include the parameter "ikev1", since IKEv2 is also used in the new software compared to the old ones.

You could also take the output of:

  • sh run crypto
  • sh run tunnel-group

And of course one option is to look through the ASDM monitoring window at what happens to the L2L VPN connection or the connection attempts while trying.

- Jouni

Hi, in ASDM I see that the L2L is up.

FIREWALL-5525(config)#  sh run crypto

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 171.33.x.x

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=GUENON-FIREWALL-5525

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate caccdb50


  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

FIREWALL-5525(config)#

GUENON-FIREWALL-5525(config)# sh run tunnel-group

tunnel-group ocea type remote-access

tunnel-group ocea general-attributes

address-pool POOL-VPNC

default-group-policy ocea

tunnel-group ocea ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 171.33.154.74 type ipsec-l2l

tunnel-group 171.33.154.74 general-attributes

default-group-policy GroupPolicy_171.33.154.74

tunnel-group 171.33.154.74 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

FIREWALL-5525(config)# 

FIREWALL-5525(config)# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 171.33.x.x

Index        : 158                    IP Addr      : 171.33.x.x

Protocol     : IKEv1 IPsec

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 0                      Bytes Rx     : 56516

Login Time   : 08:32:09 UTC Thu Dec 27 2012

Duration     : 0h:17m:19s

GUENON-FIREWALL-5525(config)# show crypto ipsec sa peer 171.33.x.x

peer address: 171.33.x.x

    Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x

      access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)

      current_peer: 171.33.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 90.80.x.x/0, remote crypto endpt.: 171.33.x.x/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: B4BA815F

      current inbound spi : FD3C7494

    inbound esp sas:

      spi: 0xFD3C7494 (4248597652)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 647168, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914943/27730)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xB4BA815F (3032121695)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 647168, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3915000/27730)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

FIREWALL-5525(config)#

Hi,

So it seems that your L2L VPN in itself is ok.

It seems though that the L2L VPN is negotiated up from the remote side and not from your LAN. There's only traffic arriving from the remote site through the L2L VPN, but no return traffic or traffic for your connection attempts is going to the tunnel.

I assume the hosts behind your firewall have also been configured with the correct default gateway address, which is the ASA LAN interface IP address? Though if this wasn't the case then Internet connections wouldn't work for the LAN hosts either.

Can you use the "packet-tracer" command to simulate traffic coming from your LAN to the REMOTE-LAN?

The command format should be for example as follows (in cases where the L2L VPN isn't up, you should issue the "packet-tracer" command twice, since the first command might not give the complete output):

packet-tracer input inside tcp 172.17.2.100 1025 172.17.8.100 80

Or any other source/destination IP addresses or ports.

Copy that output here.

Also it seems your connection is using IKEv1, which is natural if you have just migrated. The older software you were using (8.0) doesn't even support IKEv2. Though it also seems that you are only using 3DES instead of, for example, AES256. Though this doesn't have anything to do with the actual problem (to my understanding).

- Jouni
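To read the encaps/decaps counters the way this reply does, here is an added Python helper (not from the thread, the poster or Cisco) that parses "show crypto ipsec sa" output and labels each SA as idle, receive-only, send-only or bidirectional. The sample output is constructed from the two captures in this thread, with the addresses masked as the poster masked them.

```python
"""Read 'show crypto ipsec sa' output and flag SAs whose two directions disagree,
as in this thread (decaps climbing while encaps stays at 0).  Added example, not
Cisco tooling; it keys on only the fields shown in the thread's output."""
import re

PEER_RE = re.compile(r"^peer address: (\S+)")
IDENT_RE = re.compile(r"^(local|remote) ident \S+: \((\S+?)/(\S+?)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

def parse_ipsec_sa(output):
    """One record per 'peer address' block: peer, local/remote ident, counters."""
    records, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0}
            records.append(cur)
            continue
        if cur is None:
            continue  # header text before the first peer block
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        m = ENCAPS_RE.search(line)
        if m:
            cur["encaps"] = int(m.group(1))  # packets we encrypted into the tunnel
        m = DECAPS_RE.search(line)
        if m:
            cur["decaps"] = int(m.group(1))  # packets received from the peer
    return records

def diagnose(record):
    """Classify one SA by its counters; the labels mirror the reasoning in the reply."""
    e, d = record["encaps"], record["decaps"]
    if e == 0 and d == 0:
        return "idle: nothing has matched the crypto ACL in either direction"
    if e == 0:
        return "receive-only: remote side sends, nothing from the local LAN reaches the tunnel"
    if d == 0:
        return "send-only: local side encrypts, no return traffic from the remote side"
    return "bidirectional"

def report(output):
    """Map (peer, local ident, remote ident) to its diagnosis."""
    return {(r["peer"], r.get("local"), r.get("remote")): diagnose(r)
            for r in parse_ipsec_sa(output)}

# Constructed from the two outputs in the thread, addresses masked as the poster did.
STUCK = """\
peer address: 171.33.x.x
    Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x
      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
"""
LATER = STUCK.replace("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                      "#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17")
```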

This is the output:

-FIREWALL-5525# packet-tracer input inside tcp 172.17.2.100 1025 172.17.$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

Additional Information:

Static translate 172.17.2.100/1025 to 172.17.2.100/1025

Phase: 4     

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 15835, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

FIREWALL-5525#

I've added the same command on the other side:

ASA-RIBERAC# packet-tracer input inside tcp 172.17.8.250 1025 172.17.2.5 80 

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 172.17.8.0 255.255.255.0 outside 172.17.2.0 255.255.255.0

    NAT exempt

    translate_hits = 2603, untranslate_hits = 0

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 10 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 10 (171.33.154.74 [Interface PAT])

    translate_hits = 5760, untranslate_hits = 3760

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 10 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 10 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: VPN    

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 8602, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Hi,

That "packet-tracer" output from both firewalls would lead one to believe that everything related to the configurations of the ASAs is fine.

The traffic is allowed by the firewall, the traffic is hitting the correct NAT rule, and the traffic is being forwarded to a L2L VPN connection.

The earlier output of the command "show crypto ipsec sa peer x.x.x.x" showed that traffic was going through the L2L VPN connection but no return traffic is going through.

Can you initiate traffic from hosts behind both ASAs to see if we can get something into those Tx counters that are saying zero? (Traffic from a host on network 172.17.2.0/24 to a host on network 172.17.8.0/24.)

GUENON-FIREWALL-5525(config)# show crypto ipsec sa peer 171.33.x.x

peer address: 171.33.x.x

    Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x

      access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)

      current_peer: 171.33.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

Still, it doesn't seem like a problem with the ASA configurations. Not really sure what the situation is.

- Jouni

I've checked all routes.

FIREWALL-5525# show crypto ipsec sa peer 171.33.x.x

peer address: 171.33.154.74

    Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x

      access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0

      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)

      current_peer: 171.33.x.x

      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17

      #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 17, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 90.80.12.253/0, remote crypto endpt.: 171.33.154.74/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 2FC3B44B

      current inbound spi : CD50B273

    inbound esp sas:

      spi: 0xCD50B273 (3444617843)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 659456, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914996/28727)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x0003FFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x2FC3B44B (801354827)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 659456, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914998/28727)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

What are you testing the L2L VPN with? ICMP? Or some TCP service?

Have you gotten any logs through ASDM or CLI for TCP connection attempts?

If you are trying ICMP, make sure you have the following configuration on both ASAs:

policy-map global_policy

class inspection_default

  inspect icmp

- Jouni

Well!!!! It works now with the ip inspect!

Thanks a lot for your help Jouni!!!

Too bad I didn't ask about the ICMP earlier.

But no matter, the main thing is that it's working now.

Though I suspect the actual TCP services you might be using through the L2L VPN should have been working already.

- Jouni
