site to site VPN - cisco asa 5505

jessie
Level 1

Having a VPN connection problem between 69.x.x.54 and 208.x.x.165. Please help.

This is 69.x.x.54 / 172.16.0.0/16 - A site - ASDM: 6.2(1), ASA: 8.2(1)

ASA Version 8.2(1)
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.x.x.54 255.255.255.248
!
interface Vlan5
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 172.16.0.2
name-server 69.x.x.6
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TS-777 tcp-udp
port-object eq 777
object-group service Graphon tcp-udp
port-object eq 491
object-group service TS-778 tcp-udp
port-object eq 778
object-group service moodle tcp-udp
port-object eq 5801
object-group service moodle-5801 tcp-udp
port-object eq 5801
object-group service smtp-587 tcp-udp
port-object eq 587
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq imap4
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ftp
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group smtp-587
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq telnet
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq ssh
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.52 object-group moodle-5801
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.52 eq www
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq ftp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq pop3
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 eq domain
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.50 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 eq domain
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group TS-778
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.51 object-group Graphon
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq https
access-list outside_access_in extended permit tcp any host 69.x.x.51 eq www
access-list outside_access_in extended permit object-group TCPUDP any host 69.x.x.50 object-group TS-777
access-list outside_access_in extended permit tcp any host 69.x.x.54 eq https
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.16.0.32 255.255.255.224
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list Split-Tunnel standard permit 172.16.0.0 255.255.0.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 172.16.100.0 255.255.255.0
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_users 172.16.100.10-172.16.100.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 69.x.x.50 172.16.0.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.51 172.16.1.2 netmask 255.255.255.255
static (inside,outside) 69.x.x.52 172.16.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 208.x.x.162
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 208.x.x.165
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.16.0.20-172.16.0.40 inside
dhcpd dns 172.16.0.2 69.x.x.6 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy sales internal
group-policy sales attributes
dns-server value 172.16.1.2 172.16.0.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel
webvpn
  svc mtu 1406
username graciela password CdnZ0hm9o72q6Ddj encrypted
tunnel-group 208.x.x.165 type ipsec-l2l
tunnel-group 208.x.x.165 ipsec-attributes
pre-shared-key *
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
address-pool vpn_users
default-group-policy sales
dhcp-server 172.16.0.1
tunnel-group TunnelGroup1 webvpn-attributes
group-alias Remote_Access enable
group-alias sales_department disable
tunnel-group 208.x.x.162 type ipsec-l2l
tunnel-group 208.x.x.162 ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
: end
asdm location 192.168.50.0 255.255.255.0 inside
no asdm history enable

__________________________________________________________

This is 208.x.x.165 / 192.168.50.0/24 - B site - ASDM: 6.4(7), ASA: 8.4(3)

ASA Version 8.4(3)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.51 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 208.x.x.165 255.255.255.248
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object network email
host 172.16.0.0
description 255.255.0.0
access-list 1 standard permit 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.50.0_24 object email
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.50.0_24 NETWORK_OBJ_192.168.50.0_24 destination static email email no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 208.x.x.161 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
http 192.168.50.51 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 69.x.x.54
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.50.60-192.168.50.150 inside
dhcpd dns 208.x.x.10 208.x.x.11 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_69.x.x.54 internal
group-policy GroupPolicy_69.x.x.54 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 69.x.x.54 type ipsec-l2l
tunnel-group 69.x.x.54 general-attributes
default-group-policy GroupPolicy_69.x.x.54
tunnel-group 69.x.x.54 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous


tamoorlatif
Level 1

On the ASA running 8.4.3 (B side), I believe object "email" is defined incorrectly.

Existing configuration
*************************
object network email
host 172.16.0.0
description 255.255.0.0

Correct configuration
***********************
object network email
subnet 172.16.0.0 255.255.0.0
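The mismatch the reply points at is a phase 2 proxy-identity problem: site A's crypto ACL for peer 208.x.x.165 protects 172.16.0.0/16 <-> 192.168.50.0/24, while site B's "email" object, being a host, makes its ACL say 192.168.50.0/24 <-> 172.16.0.0/32, so the two ends never agree on what traffic the tunnel carries. The script below is an added example (not code from the thread or from Cisco) that parses a small subset of ASA configuration, both the 8.2 "address mask" ACL form and the 8.4 "object NAME" form, follows the crypto map's "match address" and "set peer" lines, and reports where one side's ACL is not the mirror image of the other's. The config excerpts are constructed from the two configs in the thread, keeping the masked "x" peer addresses, which are only used as labels.

```python
"""Proxy-identity (crypto ACL) consistency check for a site-to-site IPsec tunnel.

Added example, not from the thread. Parses: 'object network' host/subnet
definitions, 'access-list NAME extended permit ip ...' (8.2 and 8.4 forms),
and 'crypto map MAP SEQ match address ACL' / 'set peer IP'. It then checks
that side A's ACL for peer B is the mirror image of side B's ACL for peer A.
"""
import ipaddress

# Constructed excerpts modelled on the two configs posted in the thread.
SITE_A = """
access-list outside_2_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 208.x.x.165
"""

SITE_B_AS_POSTED = """
object network NETWORK_OBJ_192.168.50.0_24
subnet 192.168.50.0 255.255.255.0
object network email
host 172.16.0.0
description 255.255.0.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.50.0_24 object email
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 69.x.x.54
"""

# Same config with the fix from the reply applied (host -> subnet).
SITE_B_CORRECTED = SITE_B_AS_POSTED.replace(
    "host 172.16.0.0\ndescription 255.255.0.0", "subnet 172.16.0.0 255.255.0.0")


def parse_objects(cfg):
    """Map each 'object network NAME' to the network it defines.

    Assumes, as ASA output does, that a 'host'/'subnet' line belongs to the
    most recent 'object network' block; 'description' lines are ignored."""
    objects, current = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["object", "network"] and len(t) == 3:
            current = t[2]
        elif current and t[0] == "host" and len(t) == 2:
            objects[current] = ipaddress.ip_network(t[1] + "/32")
        elif current and t[0] == "subnet" and len(t) == 3:
            objects[current] = ipaddress.ip_network((t[1], t[2]), strict=False)
    return objects


def _endpoint(t, i, objects):
    """Parse one ACL endpoint starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "object":
        return objects[t[i + 1]], i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2


def parse_acls(cfg, objects):
    """Map ACL name -> list of (src, dst) networks for 'permit ip' entries."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(t, 5, objects)
            dst, _ = _endpoint(t, i, objects)
            acls.setdefault(t[1], []).append((src, dst))
    return acls


def crypto_map_identities(cfg):
    """Return {peer: [(local_net, remote_net), ...]} for each crypto map entry."""
    acls = parse_acls(cfg, parse_objects(cfg))
    entries = {}  # (map name, sequence) -> {"acl": ..., "peer": ...}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = entries.setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    identities = {}
    for entry in entries.values():
        if "acl" in entry and "peer" in entry:
            identities.setdefault(entry["peer"], []).extend(acls.get(entry["acl"], []))
    return identities


def proxy_identity_mismatches(cfg_a, peer_b, cfg_b, peer_a):
    """Differences between A's ACL for peer_b and the mirror of B's ACL for peer_a.

    An empty list means both ends describe the same protected traffic."""
    a_pairs = set(crypto_map_identities(cfg_a).get(peer_b, []))
    b_mirrored = {(remote, local) for local, remote in crypto_map_identities(cfg_b).get(peer_a, [])}
    problems = []
    for local, remote in sorted(a_pairs - b_mirrored, key=str):
        problems.append(f"A expects {local} <-> {remote}; B has no matching entry")
    for local, remote in sorted(b_mirrored - a_pairs, key=str):
        problems.append(f"B expects {local} <-> {remote} (seen from A); A has no matching entry")
    return problems


if __name__ == "__main__":
    for label, cfg_b in (("as posted", SITE_B_AS_POSTED), ("corrected", SITE_B_CORRECTED)):
        problems = proxy_identity_mismatches(SITE_A, "208.x.x.165", cfg_b, "69.x.x.54")
        print(f"site B {label}: {'OK' if not problems else ''}")
        for p in problems:
            print("   ", p)
```

Run against the posted configuration the check reports that A expects 172.16.0.0/16 while B only offers 172.16.0.0/32; with the reply's "subnet" fix applied it reports nothing. The same parser can be pointed at full "show running-config" output from both firewalls, which is a quicker way to confirm the proxy identities agree than reading two crypto ACLs by eye, and it catches the 8.2-versus-8.4 syntax difference that makes this comparison easy to get wrong.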