12-27-2012 07:05 AM - edited 03-11-2019 05:41 PM
Hello,
I have just migrated an 8.0.5 config to 8.6 and I am having a problem getting an L2L to work.
I got this error, but I can't find where to add the new nat 0 command for exempt traffic.
Can someone help?
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 90.80.x.x 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.17.2.250 255.255.255.0
object network POOL-IPEXTERNE
range 90.80.12.1 90.80.x.x
object network LAN-INTERNE
subnet 0.0.0.0 0.0.0.0
object network IPPUB-EXCHANGE
host 90.80.x.x
object network SERVEUR-EXCHANGE
host 172.17.2.3
object network NETWORK_OBJ_10.254.254.0_27
subnet 10.254.254.0 255.255.255.224
object network NETWORK_OBJ_172.17.2.0_24
subnet 172.17.2.0 255.255.255.0
object network LAN-RIBERAC
subnet 172.17.8.0 255.255.255.0
access-list Enter extended permit tcp any host 172.17.2.3 eq smtp
access-list Enter extended permit tcp any host 172.17.2.3 eq pop3
access-list Enter extended permit tcp any host 172.17.2.3 eq www
access-list Enter extended permit tcp any host 172.17.2.3 eq https
access-list Enter extended permit tcp any host 172.17.2.3 eq imap4
access-list Enter extended permit icmp any any echo-reply
access-list Enter extended permit icmp any any source-quench
access-list Enter extended permit icmp any any unreachable
access-list Enter extended permit icmp any any time-exceeded
access-list ocea_splitTunnelAcl standard permit 172.17.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL-VPNC 10.254.254.1-10.254.254.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 NETWORK_OBJ_172.17.2.0_24 destination static NETWORK_OBJ_10.254.254.0_27 NETWORK_OBJ_10.254.254.0_27 no-proxy-arp route-lookup
!
object network LAN-INTERNE
nat (inside,outside) dynamic POOL-IPEXTERNE
object network IPPUB-EXCHANGE
nat (outside,inside) static 172.17.2.3
object network SERVEUR-EXCHANGE
nat (inside,outside) static IPPUB-EXCHANGE
access-group Enter in interface outside
12-27-2012 07:24 AM
Hi,
According to the above configuration you already have a new-type "NAT0/NAT Exempt" configuration for the VPN Client Pool.
You should be able to configure another NAT configuration just like it, naturally using the networks related to the L2L VPN connection.
Basic Configuration Format
object network LAN
subnet 10.10.10.0 255.255.255.0
object network REMOTE-LAN
subnet 10.10.20.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
If the following ACL is the one for your L2L VPN connection, then your configuration could be like this:
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
object network LAN
subnet 172.17.2.0 255.255.255.0
object network REMOTE-LAN
subnet 172.17.8.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
Please rate if the information was helpful.
- Jouni
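As an added example (not part of the thread), a small Python audit that applies the rule Jouni gives above to an ASA 8.3+ config: it reads the crypto ACL, looks for an identity twice-NAT rule covering each local/remote pair, and builds the missing `nat (inside,outside) source static ... destination static ...` line from the objects already defined. The config excerpt is constructed from the original poster's lines; the NET_ prefix for a newly proposed object is an assumed naming convention.

```python
import re
from ipaddress import ip_network

# Constructed from the original poster's config (indentation restored). Added example.
ASA_CONFIG = """\
object network NETWORK_OBJ_10.254.254.0_27
 subnet 10.254.254.0 255.255.255.224
object network NETWORK_OBJ_172.17.2.0_24
 subnet 172.17.2.0 255.255.255.0
object network LAN-RIBERAC
 subnet 172.17.8.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 NETWORK_OBJ_172.17.2.0_24 destination static NETWORK_OBJ_10.254.254.0_27 NETWORK_OBJ_10.254.254.0_27 no-proxy-arp route-lookup
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
# Manual (section 1) twice NAT sits at column 0; object NAT is indented under its
# object, so anchoring on "^nat" never mistakes a dynamic PAT rule for an exemption.
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_config(config):
    """Return (objects, acl_pairs, identity_exemptions) from one pass over the config."""
    objects, acls, exempt, current = {}, {}, [], None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith(" subnet ") and current:
            _, addr, mask = line.split()
            objects[current] = ip_network(f"{addr}/{mask}")
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(
                (ip_network(f"{m.group(2)}/{m.group(3)}"), ip_network(f"{m.group(4)}/{m.group(5)}")))
        elif m := TWICE_NAT_RE.match(line):
            _i, _o, s_real, s_map, d_real, d_map = m.groups()
            # identity rule: real and mapped object names are equal on both sides
            if s_real == s_map and d_real == d_map:
                exempt.append((s_real, d_real))
    return objects, acls, exempt

def missing_exemptions(config, acl_name="outside_cryptomap"):
    """Crypto-ACL pairs with no identity twice-NAT covering them (a supernet object counts)."""
    objects, acls, exempt = parse_config(config)
    covers = [(objects[s], objects[d]) for s, d in exempt if s in objects and d in objects]
    return [(loc, rem) for loc, rem in acls.get(acl_name, [])
            if not any(loc.subnet_of(s) and rem.subnet_of(d) for s, d in covers)]

def remediation(config, acl_name="outside_cryptomap", ifaces=("inside", "outside")):
    """Lines that add each missing exemption, reusing an object whose subnet matches;
    NET_<addr>_<prefixlen> for a new object is an assumed naming convention."""
    objects, lines = parse_config(config)[0], []
    for pair in missing_exemptions(config, acl_name):
        names = []
        for net in pair:
            name = next((n for n, v in objects.items() if v == net), None)
            if name is None:
                name = f"NET_{net.network_address}_{net.prefixlen}"
                lines += [f"object network {name}", f" subnet {net.network_address} {net.netmask}"]
            names.append(name)
        lines.append(f"nat ({ifaces[0]},{ifaces[1]}) source static {names[0]} {names[0]} "
                     f"destination static {names[1]} {names[1]}")
    return lines
```

Run against the constructed config it reports the 172.17.2.0/24 to 172.17.8.0/24 pair as unexempted and emits exactly the line the original poster later added; the existing rule for the VPN client pool does not cover it because its destination object is 10.254.254.0/27.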
12-27-2012 07:36 AM
Hi Jouni,
Thanks for your help.
I've added this line, but it's not working. I do have IPsec up, but nothing passes in the tunnel.
nat (inside,outside) source static NETWORK_OBJ_172.17.2.0_24 NETWORK_OBJ_172.17.2.0_24 destination static LAN-RIBERAC LAN-RIBERAC
!
12-27-2012 07:45 AM
Hi,
Without knowing any exact configurations related to the L2L VPN, logs or show command outputs, it's hard to say what the problem is.
First of all, I would attempt connections towards the remote network and see if Phase 1 of the L2L VPN is OK. You can use the command "show crypto isakmp sa" or "show crypto ikev1 sa".
If Phase 1 is fine, then you should confirm whether the rest of the negotiations have gone through.
You can for example use the following commands
With the above you should be able to confirm if the L2L VPN connection has formed completely and also see if packets are getting encrypted to the L2L VPN connection.
Unless you have made sure of it already (I haven't seen the configuration), do notice that some of the old isakmp/IPsec commands have been changed a bit to include the parameter "ikev1", since IKEv2 is also used in the new software compared to the old ones.
You could also take the output of
And of course one option is to look through the ASDM monitoring window at what happens to the L2L VPN connection or the connection attempts while trying.
- Jouni
12-27-2012 07:53 AM
Hi, in ASDM I see that the L2L is up.
FIREWALL-5525(config)# sh run crypto
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 171.33.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GUENON-FIREWALL-5525
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate caccdb50
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
FIREWALL-5525(config)#
GUENON-FIREWALL-5525(config)# sh run tunnel-group
tunnel-group ocea type remote-access
tunnel-group ocea general-attributes
address-pool POOL-VPNC
default-group-policy ocea
tunnel-group ocea ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 171.33.154.74 type ipsec-l2l
tunnel-group 171.33.154.74 general-attributes
default-group-policy GroupPolicy_171.33.154.74
tunnel-group 171.33.154.74 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
FIREWALL-5525(config)#
FIREWALL-5525(config)# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 171.33.x.x
Index : 158 IP Addr : 171.33.x.x
Protocol : IKEv1 IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 56516
Login Time : 08:32:09 UTC Thu Dec 27 2012
Duration : 0h:17m:19s
GUENON-FIREWALL-5525(config)# show crypto ipsec sa peer 171.33.x.x
peer address: 171.33.x.x
Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)
current_peer: 171.33.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 90.80.x.x/0, remote crypto endpt.: 171.33.x.x/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B4BA815F
current inbound spi : FD3C7494
inbound esp sas:
spi: 0xFD3C7494 (4248597652)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 647168, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914943/27730)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB4BA815F (3032121695)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 647168, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27730)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
FIREWALL-5525(config)#
12-27-2012 08:12 AM
Hi,
So seems that your L2L VPN in itself is ok.
It seems though that the L2L VPN is negotiated up from the remote side and not from your LAN. There's only traffic arriving from the remote site through the L2L VPN, but no return traffic, and none of the traffic for your connection attempts is going into the tunnel.
I assume the hosts behind your firewall have also been configured with the correct default gateway address, which is the ASA LAN interface IP address? Though if this weren't the case, then Internet connections wouldn't work for the LAN hosts either.
Can you use the "packet-tracer" command to simulate traffic coming from your LAN to the REMOTE-LAN?
The command format should be, for example (in cases where the L2L VPN isn't up, you should issue the "packet-tracer" command twice, since the first command might not give the complete output):
packet-tracer input inside tcp 172.17.2.100 1025 172.17.8.100 80
Or any other source/destination IP addresses or ports.
Copy that output here.
Also, it seems your connection is using IKEv1, which is natural if you have just migrated. The older software you were using (8.0) doesn't even support IKEv2. It also seems that you are only using 3DES instead of, for example, AES256. This doesn't have anything to do with the actual problem, though (to my understanding).
- Jouni
12-27-2012 08:17 AM
This is the output:
-FIREWALL-5525# packet-tracer input inside tcp 172.17.2.100 1025 172.17.$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
Additional Information:
Static translate 172.17.2.100/1025 to 172.17.2.100/1025
Phase: 4
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 15835, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
FIREWALL-5525#
12-27-2012 08:20 AM
I've used the same command on the other side:
ASA-RIBERAC# packet-tracer input inside tcp 172.17.8.250 1025 172.17.2.5 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 172.17.8.0 255.255.255.0 outside 172.17.2.0 255.255.255.0
NAT exempt
translate_hits = 2603, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 10 (171.33.154.74 [Interface PAT])
translate_hits = 5760, untranslate_hits = 3760
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8602, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-27-2012 08:26 AM
Hi,
That "packet-tracer" output from both firewalls would lead one to believe that everything related to the configuration of the ASAs is fine.
The traffic is allowed by the firewall, the traffic is hitting the correct NAT rule, and the traffic is being forwarded to the L2L VPN connection.
The earlier output of the command "show crypto ipsec sa peer x.x.x.x" showed that traffic was coming in through the L2L VPN connection but no return traffic was going out through it.
Can you initiate traffic from hosts behind both ASAs to see if we can get something into those Tx counters that read zero? (Traffic from a host on network 172.17.2.0/24 to a host on network 172.17.8.0/24.)
GUENON-FIREWALL-5525(config)# show crypto ipsec sa peer 171.33.x.x
peer address: 171.33.x.x
Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)
current_peer: 171.33.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Still, it doesn't seem like a problem with the ASA configurations. Not really sure what the situation is.
- Jouni
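As an added example (not from the thread), a Python triage of `show crypto ipsec sa peer` counters that encodes the reading Jouni applies here and in the earlier reply: decaps climbing while encaps stays at zero means the SA is up but only the remote side is sending, so the fault is on the local side (routing, NAT exemption, inspection) rather than in IKE. The two samples are shortened from the outputs the original poster pasted.

```python
import re

# Shortened from the original poster's "show crypto ipsec sa peer" output (constructed sample).
SA_ONE_WAY = """\
peer address: 171.33.x.x
    Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x
      local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
      #send errors: 0, #recv errors: 0
"""
# The later output, after traffic was initiated from the local LAN (encaps 17, decaps 45).
SA_TWO_WAY = (SA_ONE_WAY
              .replace("encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
                       "encaps: 17, #pkts encrypt: 17, #pkts digest: 17")
              .replace("793", "45"))

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps)|send errors|recv errors): (\d+)")

def parse_sa_entries(output):
    """Split the output per crypto-map entry and pull idents and counters from each."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", output)[1:]:
        sa = {}
        for m in IDENT_RE.finditer(chunk):
            sa[m.group(1) + "_net"] = f"{m.group(2)}/{m.group(3)}"
        for m in COUNTER_RE.finditer(chunk):
            sa[m.group(1).replace(" ", "_")] = int(m.group(2))
        entries.append(sa)
    return entries

def verdict(sa):
    """Classify one SA from its encaps/decaps counters and error counters."""
    enc, dec = sa.get("pkts_encaps", 0), sa.get("pkts_decaps", 0)
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        return "errors"
    if enc == 0 and dec == 0:
        return "idle"           # negotiated, but neither side has sent anything yet
    if enc == 0:
        return "inbound-only"   # remote sends, local never encrypts: check local NAT/route/inspect
    if dec == 0:
        return "outbound-only"  # mirror image: the remote side is the one to look at
    return "bidirectional"

def triage(output):
    """Return (local_net, remote_net, verdict) for each SA entry in the output."""
    return [(sa.get("local_net"), sa.get("remote_net"), verdict(sa))
            for sa in parse_sa_entries(output)]
```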
12-27-2012 08:41 AM
I've checked all the routes.
FIREWALL-5525# show crypto ipsec sa peer 171.33.x.x
peer address: 171.33.154.74
Crypto map tag: outside_map, seq num: 1, local addr: 90.80.x.x
access-list outside_cryptomap extended permit ip 172.17.2.0 255.255.255.0 172.17.8.0 255.255.255.0
local ident (addr/mask/prot/port): (172.17.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.8.0/255.255.255.0/0/0)
current_peer: 171.33.x.x
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 17, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 90.80.12.253/0, remote crypto endpt.: 171.33.154.74/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2FC3B44B
current inbound spi : CD50B273
inbound esp sas:
spi: 0xCD50B273 (3444617843)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 659456, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914996/28727)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x0003FFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2FC3B44B (801354827)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 659456, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914998/28727)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
12-27-2012 08:52 AM
What are you testing the L2L VPN with? ICMP? Or some TCP service?
Have you gotten any logs through ASDM or CLI for TCP connection attempts?
If you are trying ICMP, make sure you have the following configuration on both ASAs
policy-map global_policy
class inspection_default
inspect icmp
- Jouni
12-27-2012 09:09 AM
Well!!!! It works now with the ip inspect!
12-27-2012 09:10 AM
Thanks a lot for your help, Jouni!!!
12-27-2012 09:15 AM
Too bad I didn't ask about the ICMP earlier.
But no matter, the main thing is that it's working now.
Though I suspect the actual TCP services you might be using through the L2L VPN should have been working already.
- Jouni