Site to site VPN issues ASA 8.2(5)

ACiavolino
Level 1

So I am having much difficulty with a VPN connection.

I have a site-to-site connection to IP 204.90.187.158; the tunnel is down and I cannot ping it.

I also have an access list "101" that pertains to the connection. 


Is it possible to apply an ACL only to a specific VPN connection?


I had a recent issue with not being able to ping the LAN from the AnyConnect VPN and have since corrected that, but somehow broke the site-to-site connection in the process. I am not sure how to correct this issue. Please help?


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.04.15 10:11:59 =~=~=~=~=~=~=~=~=~=~=~=
show running-config
: Saved
:
ASA Version 8.2(5) 
!
hostname XtremeV3
domain-name default.domain.invalid
enable password *** encrypted
passwd *** encrypted
multicast-routing
names
name 10.102.1.49 FTP-Server
name 198.133.250.19 GSX-INTERNAL description GSX-INTERNAL
name 10.102.1.84 DVR_Camera
name 10.102.1.52 ERP description MANMAN
name 10.103.1.0 VPN_Network_Range
ddns update method 65.32.1.70
 ddns both
 interval maximum 1 0 0 0
!
ddns update method 65.32.1.65
 ddns both
 interval maximum 1 0 0 0
!
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 1,5
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.102.1.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.78.158.186 255.255.255.248 
 igmp forward interface inside
 ospf cost 10
!
interface Vlan5
 nameif Guest-VLAN
 security-level 10
 ip address 10.0.0.1 255.255.255.0 
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 65.32.1.65
 name-server 65.32.1.70
 domain-name default.domain.invalid
dns server-group OpenDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Reflection tcp
 port-object eq 1570
object-group network STATIC-PAT
object-group service NVRCamera tcp
 description NVR access
 port-object eq 7443
object-group service HTTP_camera tcp
 port-object eq 7080
object-group service RDP tcp
 port-object eq 3389
object-group network VPN
access-list inside_nat0_outbound extended permit ip any 10.102.1.16 255.255.255.240 
access-list outside_access_in extended permit ip any any inactive 
access-list outside_access_in extended permit tcp any 67.78.158.184 255.255.255.248 object-group NVRCamera 
access-list outside_access_in extended permit tcp any interface outside object-group HTTP_camera 
access-list inside_outbound_nat0_acl extended permit ip host 10.102.1.10 host GSX-INTERNAL 
access-list inside_outbound_nat0_acl extended permit ip host 10.102.1.10 host 198.133.250.39 
access-list inside_outbound_nat0_acl extended permit ip host 67.78.158.187 host GSX-INTERNAL 
access-list inside_outbound_nat0_acl extended permit ip host 67.78.158.187 host 198.133.250.39 
access-list inside_outbound_nat0_acl extended permit ip 10.102.1.0 255.255.255.0 67.78.158.184 255.255.255.248 
access-list inside_outbound_nat0_acl extended permit ip 10.102.1.0 255.255.255.0 VPN_Network_Range 255.255.255.0 
access-list Locan_lan_access remark VNP client local lan access
access-list Locan_lan_access standard permit host 0.0.0.0 
access-list Locan_lan_access remark VNP client local lan access
access-list Locan_lan_access remark VNP client local lan access
access-list Locan_lan_access remark VNP client local lan access
access-list Locan_lan_access remark VNP client local lan access
access-list Locan_lan_access remark VNP client local lan access
access-list outside_1_cryptomap extended permit ip host 10.102.1.10 host GSX-INTERNAL 
access-list outside_1_cryptomap extended permit ip host 10.102.1.10 host 198.133.250.39 
access-list outside_1_cryptomap extended permit ip host 67.78.158.187 host GSX-INTERNAL 
access-list outside_1_cryptomap extended permit ip host 67.78.158.187 host 198.133.250.39 
access-list 101 extended permit ip host GSX-INTERNAL host ERP 
access-list 101 extended permit ip host 204.90.187.158 host ERP 
access-list 101 extended permit esp host GSX-INTERNAL host ERP 
access-list 101 extended permit esp host 204.90.187.158 host ERP 
access-list 101 extended permit tcp host GSX-INTERNAL host ERP 
access-list 101 extended permit tcp host 204.90.187.158 host ERP 
access-list 101 extended permit tcp host GSX-INTERNAL host 67.78.158.186 
access-list 101 extended permit tcp host 204.90.187.158 host 67.78.158.186 
access-list 101 extended permit ip host 198.133.250.39 host ERP 
access-list 101 extended permit esp host 198.133.250.39 host ERP 
access-list 101 extended permit tcp host 198.133.250.39 host ERP 
access-list 101 extended permit tcp host 198.133.250.39 host 67.78.158.186 
access-list 101 extended permit ip host 198.133.250.39 host 10.102.1.10 
access-list 101 extended permit esp host 198.133.250.39 host 10.102.1.10 
access-list 101 extended permit tcp host 198.133.250.39 host 10.102.1.10 
access-list 101 extended permit ip host GSX-INTERNAL host 10.102.1.10 
access-list 101 extended permit esp host GSX-INTERNAL host 10.102.1.10 
access-list 101 extended permit tcp host GSX-INTERNAL host 10.102.1.10 
access-list 101 extended permit ip host GSX-INTERNAL host 67.78.158.187 
access-list 101 extended permit ip host 204.90.187.158 host 67.78.158.187 
access-list 101 extended permit esp host GSX-INTERNAL host 67.78.158.187 
access-list 101 extended permit esp host 204.90.187.158 host 67.78.158.187 
access-list 101 extended permit tcp host GSX-INTERNAL host 67.78.158.187 
access-list 101 extended permit tcp host 204.90.187.158 host 67.78.158.187 
access-list 101 extended permit ip host 198.133.250.39 host 67.78.158.187 
access-list 101 extended permit esp host 198.133.250.39 host 67.78.158.187 
access-list 101 extended permit tcp host 198.133.250.39 host 67.78.158.187 
access-list 101 extended permit ip host 65.182.161.9 any 
access-list Split_Tunnel_List remark Network behind the ASA Firewall.
access-list Split_Tunnel_List standard permit 10.102.1.16 255.255.255.240 
access-list Split_Tunnel_List standard permit host FTP-Server 
access-list Split_Tunnel_List standard permit host ERP 
access-list Split_Tunnel_List standard permit host 10.102.1.10 
access-list Split_Tunnel_List standard permit 10.102.1.0 255.255.255.0 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended deny tcp any any eq smtp 
access-list inside_nat0_outbound_1 extended permit ip any VPN_Network_Range 255.255.255.0 
access-list vpn-dflt-access extended permit ip 10.102.1.0 255.255.255.0 VPN_Network_Range 255.255.255.0 
access-list vpn-dflt-access extended permit ip VPN_Network_Range 255.255.255.0 10.102.1.0 255.255.255.0 
access-list split-acl standard permit 10.102.1.0 255.255.255.0 
access-list NONAT extended permit ip 10.102.1.0 255.255.255.0 VPN_Network_Range 255.255.255.0 
access-list Split-Tunnel standard permit 10.102.1.0 255.255.255.0 
access-list Split-Tunnel standard permit VPN_Network_Range 255.255.255.0 
access-list SPLIT_TUNNEL standard permit 10.102.1.0 255.255.255.0 
pager lines 24
logging enable
logging list VPNLogging level informational class vpn
logging buffer-size 16384
logging buffered informational
logging trap informational
logging asdm informational
logging class auth asdm informational 
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
ip local pool xtremv3 10.103.1.31-10.103.1.80 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest-VLAN) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 7443 DVR_Camera 7443 netmask 255.255.255.255 
static (inside,outside) tcp interface 7080 DVR_Camera 7080 netmask 255.255.255.255 
static (inside,outside) 67.78.158.187 ERP netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.78.158.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http 65.182.161.9 255.255.255.255 outside
http 10.102.1.0 255.255.255.0 inside
http 67.78.158.190 255.255.255.255 outside
http 65.182.188.212 255.255.255.255 outside
http 202.164.41.226 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec fragmentation after-encryption inside
crypto ipsec fragmentation after-encryption outside
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 204.90.187.158 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca certificate map DefaultCertificateMap 10
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 100
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 10.102.1.90 255.255.255.255 inside
telnet ERP 255.255.255.255 inside
telnet 10.102.1.70 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.254 Guest-VLAN
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest-VLAN
dhcpd lease 11520 interface Guest-VLAN
dhcpd enable Guest-VLAN
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source outside
webvpn
 enable inside
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-simultaneous-logins 10
 vpn-filter value vpn-dflt-access
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value default.domain.invalid
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value xtremv3
 webvpn
  svc keepalive none
  svc rekey method ssl
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
group-policy vthree-na internal
group-policy vthree-na attributes
 wins-server none
 dns-server value 208.67.222.222 208.67.220.220
 vpn-idle-timeout 47
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value default.domain.invalid
 address-pools value xtremv3
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy vthree-na
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
 address-pool xtremv3
 authorization-server-group LOCAL
 default-group-policy vthree-na
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool xtremv3
 default-group-policy vthree-na
 password-management password-expire-in-days 5
tunnel-group vthree-na type remote-access
tunnel-group vthree-na general-attributes
 address-pool (inside) xtremv3
 address-pool xtremv3
 authorization-server-group LOCAL
 default-group-policy vthree-na
 username-from-certificate use-entire-name
tunnel-group vthree-na ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool xtremv3
 default-group-policy vthree-na
tunnel-group cisco ipsec-attributes
 pre-shared-key *****
tunnel-group 204.90.187.158 type ipsec-l2l
tunnel-group 204.90.187.158 general-attributes
 default-group-policy vthree-na
tunnel-group 204.90.187.158 ipsec-attributes
 pre-shared-key *****
tunnel-group-map enable rules
tunnel-group-map default-group vthree-na
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no compression svc http-comp
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end

XtremeV3(config)#      
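As an added example (not from the thread or the poster), a small Python audit of the configuration pattern shown above: for each crypto map entry it checks that a peer is set, that an `ipsec-l2l` tunnel-group exists for that peer, and that every rule in the crypto ACL has a NAT-exempt twin in the `nat (inside) 0` ACL (with `nat-control` and a catch-all `nat (inside) 1`, traffic that is not exempt is translated first and no longer matches the crypto ACL), and it flags ACLs that are defined but bound nowhere, as ACL 101 is in the posted config. The config excerpt is a constructed, abridged subset of the one above.

```python
import re

# Constructed, abridged excerpt of the posted config; one NAT-exempt line is left out on purpose.
CONFIG = """
access-list inside_outbound_nat0_acl extended permit ip host 10.102.1.10 host GSX-INTERNAL
access-list inside_outbound_nat0_acl extended permit ip host 67.78.158.187 host GSX-INTERNAL
access-list outside_1_cryptomap extended permit ip host 10.102.1.10 host GSX-INTERNAL
access-list outside_1_cryptomap extended permit ip host 10.102.1.10 host 198.133.250.39
access-list 101 extended permit ip host 204.90.187.158 host ERP
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 204.90.187.158
tunnel-group 204.90.187.158 type ipsec-l2l
"""

def parse_acls(config):
    """Return {acl_name: [rule, ...]}; remark lines are skipped, names (ERP etc.) stay textual."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (?:extended|standard) (.+)", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls

def referenced_acls(config):
    """Names of ACLs actually bound to something on the ASA."""
    pats = [r"access-group (\S+)", r"nat \(\S+\) 0 access-list (\S+)",
            r"crypto map \S+ \d+ match address (\S+)",
            r"vpn-filter value (\S+)", r"split-tunnel-network-list value (\S+)"]
    return {m.group(1) for p in pats for m in re.finditer(p, config)}

def audit(config):
    """Return findings (strings) about why a crypto map entry may not bring its tunnel up."""
    acls, used = parse_acls(config), referenced_acls(config)
    findings = [f"ACL {n} is defined but bound nowhere" for n in acls if n not in used]
    nat0 = re.search(r"nat \(inside\) 0 access-list (\S+)", config)
    exempt = set(acls.get(nat0.group(1), [])) if nat0 else set()
    for m in re.finditer(r"crypto map (\S+) (\d+) match address (\S+)", config):
        name, seq, acl = m.groups()
        peer = re.search(rf"crypto map {re.escape(name)} {seq} set peer (\S+)", config)
        if not peer:
            findings.append(f"crypto map {name} {seq} has no peer")
        elif not re.search(rf"tunnel-group {re.escape(peer.group(1))} type ipsec-l2l", config):
            findings.append(f"no ipsec-l2l tunnel-group for peer {peer.group(1)}")
        # Interesting traffic must be NAT-exempt, or it is PATed before the crypto ACL is consulted.
        for rule in acls.get(acl, []):
            if rule not in exempt:
                findings.append(f"{acl} rule '{rule}' has no NAT-exempt twin")
    return findings
```

The comparison is textual, so a rule written with a `name` alias on one side and the literal address on the other will be reported even though the ASA treats them the same.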
15 Replies

I believe that you can use the command debug crypto isakmp 127. But it has been a long time since I used 8.2 code and the syntax might be different. If that does not work, you can use the ? for help, like

debug crypto ?

and it will give you the available options. I hope this link has information that you will find useful.

https://community.cisco.com/t5/network-security/debug-crypto-isakmp-on-asa/m-p/3726313

HTH

Rick