ASA Multicontext - VPN IPsec problem

crusier2015
Level 1

Hi,

I'm trying to use VPN on an ASA in multicontext mode, but the ASA never shows any information about IPsec when I try to bring up the tunnel. It looks like IPsec is not active on the ASA, but I didn't find the problem; if I enable any IPsec debug, nothing appears.

Could you help me?

The system (multicontext) config follows:

: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2393 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(2) <system>
!
hostname xxx
domain-name XXX.com.br
enable password XXXX encrypted
no mac-address auto
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface Management0/0
!
class default
limit-resource All 0
limit-resource Mac-addresses 16384
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!

class vpn-2000
limit-resource VPN Burst Other 70
limit-resource VPN Other 25.0%
limit-resource VPN IKEv1 in-negotiation 25.0%
!

boot system disk0:/asa962-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FULLSTATE GigabitEthernet0/7
failover key *****
failover link LF GigabitEthernet0/6
failover interface ip FULLSTATE 192.168.255.1 255.255.255.0 standby 192.168.255.2
failover interface ip LF 192.168.254.1 255.255.255.0 standby 192.168.254.2
asdm image disk0:/asdm-762-150.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
no ssh stricthostkeycheck
console timeout 0

admin-context admin
context admin
member vpn-2000
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1
config-url disk0:/admin.cfg
!

context p1
member vpn-2000
allocate-interface GigabitEthernet0/2
allocate-interface GigabitEthernet0/3
config-url disk0:/planner.cfg
!

context p2
member vpn-2000
allocate-interface GigabitEthernet0/4
allocate-interface GigabitEthernet0/5
config-url disk0:/spinelli.cfg
!

context p3
config-url disk0:/concordia.cfg

The config of context p1 follows:

hostname p1
names
!
interface GigabitEthernet0/2
nameif outside2
security-level 0
ip address x.x.x.1 255.255.255.192 standby x.x.x.2
!
interface GigabitEthernet0/3
nameif internal
security-level 100
ip address y.y.y.1 255.255.255.0 standby y.y.y.2
!
access-list internal_access_in extended permit icmp any any
access-list internal_access_in extended permit ip any any

access-list vpn extended permit ip y.y.y.0 255.255.255.0 host p.p.p.10

access-list outin extended permit icmp any any
access-group outin in interface outside2

pager lines 24
logging enable
logging console errors
logging monitor errors
logging buffered errors
logging asdm informational
mtu outside2 1500
mtu internal 1500
ip verify reverse-path interface internal
icmp unreachable rate-limit 50 burst-size 1
no asdm history enable
arp timeout 14400

route outside2 0.0.0.0 0.0.0.0 x.x.x.254 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside2_map3 1 match address vpn
crypto map outside2_map3 1 set peer h.h.h.10
crypto map outside2_map3 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside2_map3 1 set security-association lifetime seconds 86400
crypto map outside2_map3 interface outside2

crypto isakmp identity address
crypto ikev1 enable outside2
crypto ikev1 enable pinterna1

crypto ikev1 am-disable
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside2
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
group-policy GroupPolicy-bvp internal
group-policy GroupPolicy-bvp attributes
vpn-idle-timeout 30
vpn-session-timeout none
vpn-tunnel-protocol ikev1

tunnel-group h.h.h.10 type ipsec-l2l
tunnel-group h.h.h.10 general-attributes
default-group-policy GroupPolicy-bvp
tunnel-group h.h.h.10 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp error
inspect icmp
!
service-policy global_policy global
!

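A static check of the two configs above, written here as an added example (it is not part of the original post and not a Cisco tool). It reads the system and context configs the way an operator would eyeball them and reports what can silently stop IKEv1 from ever answering a peer: a `crypto ikev1 enable` that names an interface with no `nameif` in that context, a context whose resource class assigns no `VPN Other` (site-to-site) limit, crypto-map references that do not resolve, and IKEv1 policies built on DES/3DES, MD5/SHA-1 or DH groups 1/2/5. The sample configs are constructed, abridged from the post, with RFC 5737 documentation addresses in place of its x.x.x placeholders; the check assumes that a context gets site-to-site VPN capacity only from an explicit `VPN Other` limit in its class, which is what `show resource allocation` in the system context should confirm.

```python
"""Static checks for an ASA multi-context site-to-site IPsec setup (added example).

Reports: 'crypto ikev1 enable' on an interface with no nameif, contexts whose
class assigns no 'VPN Other' limit, unresolved crypto-map references, and
IKEv1 policies using DES/3DES, MD5/SHA-1 or DH groups 1/2/5.
"""
import re

# Constructed sample, abridged from the posted system config.
SYSTEM_CFG = """\
class default
 limit-resource All 0
class vpn-2000
 limit-resource VPN Burst Other 70
 limit-resource VPN Other 25.0%
 limit-resource VPN IKEv1 in-negotiation 25.0%
context p1
 member vpn-2000
context p3
 config-url disk0:/concordia.cfg
"""

# Constructed sample, abridged from the posted context p1 (documentation addresses).
P1_CFG = """\
interface GigabitEthernet0/2
 nameif outside2
interface GigabitEthernet0/3
 nameif internal
access-list vpn extended permit ip 10.1.0.0 255.255.255.0 host 198.51.100.10
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside2_map3 1 match address vpn
crypto map outside2_map3 1 set peer 203.0.113.10
crypto map outside2_map3 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside2_map3 interface outside2
crypto ikev1 enable outside2
crypto ikev1 enable pinterna1
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
"""

# 'hash sha' in an ASA IKEv1 policy is SHA-1; IKEv1 policies offer nothing stronger.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}


def parse_system(cfg):
    """Return ({context: class}, {class: 'VPN Other' limit or None})."""
    ctx_class, vpn_other, cur = {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"class (\S+)", line):
            cur = m[1]
            vpn_other.setdefault(cur, None)
        elif m := re.match(r"context (\S+)", line):
            cur = m[1]
            ctx_class[cur] = "default"  # until a 'member' line says otherwise
        elif m := re.match(r"\s+limit-resource VPN Other (\S+)", line):
            vpn_other[cur] = m[1]
        elif m := re.match(r"\s+member (\S+)", line):
            ctx_class[cur] = m[1]
    return ctx_class, vpn_other


def check_system(cfg):
    """Flag contexts whose class assigns no site-to-site ('VPN Other') capacity."""
    ctx_class, vpn_other = parse_system(cfg)
    return [f"context {ctx}: class '{cls}' sets no 'VPN Other' limit; site-to-site "
            f"IPsec is not permitted there (check 'show resource allocation')"
            for ctx, cls in ctx_class.items() if vpn_other.get(cls) in (None, "0")]


def check_context(name, cfg):
    """Resolve crypto-map references and spot weak IKEv1 policies in one context."""
    out = []
    nameifs = set(re.findall(r"^\s*nameif (\S+)", cfg, re.M))
    enabled = set(re.findall(r"^crypto ikev1 enable (\S+)", cfg, re.M))
    refs = {  # what each crypto-map clause must point at
        "match address": set(re.findall(r"^access-list (\S+) ", cfg, re.M)),
        "set peer": set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M)),
        "set ikev1 transform-set": set(re.findall(r"^crypto ipsec ikev1 transform-set (\S+)", cfg, re.M)),
    }
    for intf in sorted(enabled - nameifs):
        out.append(f"{name}: 'crypto ikev1 enable {intf}' names an interface with no nameif "
                   f"(this context has {sorted(nameifs)})")
    for cmap, seq, key, val in re.findall(
            r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)", cfg, re.M):
        if val not in refs[key]:
            out.append(f"{name}: crypto map {cmap} {seq} '{key} {val}' does not resolve")
    for cmap, intf in re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M):
        if intf not in nameifs:
            out.append(f"{name}: crypto map {cmap} is bound to unknown interface {intf}")
        elif intf not in enabled:
            out.append(f"{name}: crypto map {cmap} is on {intf} but IKEv1 is not enabled there")
    policy = None
    for line in cfg.splitlines():  # walk each 'crypto ikev1 policy N' stanza
        if m := re.match(r"crypto ikev1 policy (\d+)", line):
            policy = m[1]
        elif policy and (m := re.match(r"\s+(encryption|hash|group) (\S+)", line)):
            if m[2] in WEAK[m[1]]:
                out.append(f"{name}: ikev1 policy {policy} uses weak {m[1]} {m[2]}")
        elif not line.startswith(" "):
            policy = None
    return out


if __name__ == "__main__":
    for finding in check_system(SYSTEM_CFG) + check_context("p1", P1_CFG):
        print(finding)
```

Against the posted configs this reports the `crypto ikev1 enable pinterna1` line (no such nameif in p1), context p3 sitting in the default class with no `VPN Other` limit, and the 3DES/SHA-1/group 2 policy. The first two are reachability problems to fix before any debug will show output; the last is a hardening item: swap `encryption 3des` for `encryption aes-256`, and since an ASA IKEv1 policy only offers MD5 or SHA-1 for `hash`, move the peer to IKEv2 (`crypto ikev2 policy` with a SHA-2 integrity algorithm and DH group 14 or higher) once the far end supports it.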
1 Reply

crusier2015
Level 1

Hi,

Please, any suggestion?

Thanks
