site to site vpn errors.

ronald.odom, Level 1

When setting up a site-to-site tunnel I get the errors in the ASA logging file.

I have included the two configs from the ASA firewalls.

Anyone see what I am missing?

small site

: Saved

: Written by usiadmin at 15:22:08.143 UTC Mon Mar 19 2012

!

ASA Version 7.2(3)

!

hostname smallASA

domain-name domain.com

enable password awSQhSsotCzGWRMo encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.16.4.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 116.12.211.66 255.255.255.240

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd L0Wjs4eA25R/befo encrypted

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.10.20.1

domain-name domain.com

access-list outside_1_cryptomap extended permit ip 10.16.4.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip 10.16.4.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 116.12.211.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 outside

http 10.16.4.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 12.69.103.226

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal  20

telnet 10.16.4.0 255.255.255.0 inside

telnet timeout 5

ssh 10.16.4.0 255.255.255.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd dns 165.21.83.88 10.10.2.1

dhcpd domain domain.com

dhcpd auto_config outside

!

dhcpd address 10.16.4.100-10.16.4.131 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

username usiadmin password DI5M5NnQfLzGHaw1 encrypted privilege 15

username initech password ENDpqoooBPsmGFZP encrypted privilege 15

tunnel-group 12.69.103.226 type ipsec-l2l

tunnel-group 12.69.103.226 ipsec-attributes

pre-shared-key PSK

prompt hostname context

Cryptochecksum:e6bf95f3c25574bfed2adafb3283e882

: end

large site

: Saved

: Written by usiadmin at 22:57:30.549 CDT Mon Mar 19 2012

!

ASA Version 8.0(3)

!

hostname STO-ASA-5510-FW

domain-name domain.com

enable password ..Ge0JnvJlk/gAiB encrypted

names

name 192.168.255.0 BGP-Transit_Network description BGP-Transit

name 10.10.99.0 VPN

name 10.10.2.80 BB

dns-guard

!

interface Ethernet0/0

description Inside Interface

nameif inside

security-level 100

ip address 10.10.200.29 255.255.255.240

ospf cost 10

!

interface Ethernet0/1

description Outside Interface facing the Internet Rotuer.

nameif outside

security-level 0

ip address 12.69.103.226 255.255.255.240

ospf cost 10

!

interface Ethernet0/2

description Physical Trunk interface - Dont use

no nameif

no security-level

no ip address

!

interface Ethernet0/2.900

description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)

vlan 900

nameif DMZ1-VLAN900

security-level 50

ip address 12.69.103.1 255.255.255.192

ospf cost 10

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.10.5.250 255.255.254.0

ospf cost 10

management-only

!

passwd L0Wjs4eA25R/befo encrypted

banner exec **********************************************************************

banner exec                         STO-ASA-5510-FW

banner exec                         ASA5510 - 10.10.200.29

banner exec                         Configured for Data use only

banner exec **********************************************************************

banner login **********************************************************************

banner login WARNING: This system is for the use of authorized clients only.

banner login Individuals using the computer network system without authorization,

banner login or in excess of their authorization, are subject to having all their

banner login activity on this computer network system monitored and recorded by

banner login system personnel.  To protect the computer network system from

banner login unauthorized use and to ensure the computer network systems is

banner login functioning properly, system administrators monitor this system.

banner login Anyone using this computer network system expressly consents to such

banner login monitoring and is advised that if such monitoring reveals possible

banner login conduct of criminal activity, system personnel may provide the

banner login evidence of such activity to law enforcement officers.

banner login Access is restricted to authorized users only. Unauthorized access is

banner login a violation of state and federal, civil and criminal laws.

banner login **********************************************************************

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name universalsilencer.com

same-security-traffic permit intra-interface

object-group service SAP tcp-udp

description SAP Updates

port-object eq 3299

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service HUMANLand tcp

port-object eq citrix-ica

object-group service DM_INLINE_TCP_1 tcp

port-object eq 5061

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq 5061

port-object eq www

port-object eq https

object-group service DM_INLINE_UDP_1 udp

port-object eq snmp

port-object eq snmptrap

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp-udp eq www

service-object udp eq snmp

service-object udp eq snmptrap

service-object udp eq syslog

service-object tcp eq 2055

service-object udp eq 2055

service-object tcp eq 3389

object-group service Human tcp-udp

port-object eq 8100

object-group service grove tcp

port-object eq 2492

object-group service netflowTcp tcp

port-object eq 2055

object-group service 6144 tcp-udp

description 6144

port-object eq 6144

object-group service 1536-ampr-inter tcp-udp

description 1536-ampr-inter

port-object eq 1536

object-group network DM_INLINE_NETWORK_1

network-object 198.78.0.0 255.255.0.0

network-object 207.152.0.0 255.255.0.0

network-object 69.31.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_2

network-object 198.78.0.0 255.255.0.0

network-object 207.152.0.0 255.255.0.0

network-object 69.31.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_3

network-object 198.78.0.0 255.255.0.0

network-object 207.152.0.0 255.255.0.0

network-object 69.31.0.0 255.255.0.0

object-group network DM_INLINE_NETWORK_4

network-object 198.78.0.0 255.255.0.0

network-object 207.152.0.0 255.255.0.0

network-object 69.31.0.0 255.255.0.0

object-group service rdp tcp

description RDP

port-object eq 3389

object-group network DM_INLINE_NETWORK_5

network-object 10.16.0.0 255.255.0.0

network-object 10.16.0.0 255.255.255.0

object-group network DM_INLINE_NETWORK_6

network-object 10.16.0.0 255.255.0.0

network-object 10.16.0.0 255.255.255.0

object-group network DM_INLINE_NETWORK_7

network-object 10.16.0.0 255.255.0.0

network-object 10.16.0.0 255.255.255.0

object-group network DM_INLINE_NETWORK_8

network-object 10.16.0.0 255.255.0.0

network-object 10.16.0.0 255.255.255.0

access-list outside remark 207.152.125.136

access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_1 any log

access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_2 host 12.69.103.129

access-list outside extended deny object-group TCPUDP any object-group DM_INLINE_NETWORK_3

access-list outside extended deny object-group TCPUDP host 12.69.103.129 object-group DM_INLINE_NETWORK_4

access-list outside remark ************In Bound SAP Update Traffic  per Ron Odom***************

access-list outside extended permit tcp host 194.39.131.34 host 12.69.103.155 range 3200 3300 log

access-list outside remark *** SAP router****

access-list outside extended permit tcp host 10.10.2.110 host 194.39.131.34 range 3200 3300

access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154

access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****

access-list outside extended permit tcp any host 12.69.103.147 eq smtp

access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****

access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1

access-list outside extended permit ip any host 12.69.103.6

access-list outside remark Blocked for malware activity

access-list outside extended deny ip host 77.78.247.86 any

access-list outside extended permit ip any host 12.69.103.156 inactive

access-list outside extended permit tcp any host 12.69.103.147 eq www

access-list outside extended permit tcp any host 12.69.103.147 eq https

access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****

access-list outside extended permit tcp any host 12.69.103.145 eq www

access-list outside extended permit tcp any host 12.69.103.145 eq https

access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****

access-list outside extended permit tcp any host 12.69.103.146 eq www

access-list outside extended permit tcp any host 12.69.103.146 eq https

access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****

access-list outside extended permit tcp any host 12.69.103.152 eq pptp

access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand

access-list outside extended permit tcp any host 200.56.251.121 eq 8100

access-list outside remark Allow all return ICMP traffic disabled to help hid form attacks

access-list outside extended deny icmp any any log

access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging

access-list outside extended permit ip 10.15.0.0 255.255.0.0 any

access-list outside extended permit ip object-group DM_INLINE_NETWORK_7 any

access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging

access-list outside extended permit ip any 10.15.0.0 255.255.0.0

access-list outside extended permit ip any object-group DM_INLINE_NETWORK_6

access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1

access-list outside remark added to pervent bocking to Human

access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human

access-list outside remark added to pervent bocking to Human

access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human

access-list outside extended permit tcp any any eq pptp log

access-list outside extended deny object-group TCPUDP any any object-group 6144

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192

access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192

access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0

access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0

access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****

access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2

access-list DMZ1_in remark Allow all ICMP traffic

access-list DMZ1_in extended permit icmp any any log

access-list DMZ1_in extended deny ip any 207.152.0.0 255.255.0.0

access-list DMZ1_in extended deny ip 207.152.0.0 255.255.0.0 any

access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****

access-list DMZ1_in remark ***** Any needed permits to inside networks          *****

access-list DMZ1_in remark ***** Need to be done above this section             *****

access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0

access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0

access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0

access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****

access-list DMZ1_in extended permit ip any any log debugging

access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0

access-list DMZ1-VLAN900_cryptomap extended permit ip any any

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192

access-list nonat extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192

access-list nonat extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192

access-list nonat extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192

access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0

access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0 inactive

access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0

access-list outside_nat0_outbound extended permit ip 10.14.0.0 255.255.0.0 VPN 255.255.255.192

access-list outside_nat0_outbound extended permit ip 10.15.0.0 255.255.0.0 VPN 255.255.255.192

access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 VPN 255.255.255.192

access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_5

pager lines 24

logging enable

logging timestamp

logging list VPN level informational class auth

logging list VPN level critical class config

logging list VPN level notifications class vpn

logging list VPN level notifications class vpnc

logging list VPN level notifications class webvpn

logging list all level alerts

logging buffer-size 256000

logging buffered all

logging trap VPN

logging asdm informational

logging host inside 10.10.2.41 format emblem

logging ftp-bufferwrap

logging ftp-server 10.10.2.41 \logs usi\administrator 178US1SIL3~

mtu inside 1500

mtu outside 1500

mtu DMZ1-VLAN900 1500

mtu management 1500

ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any DMZ1-VLAN900

asdm image disk0:/asdm-611.bin

asdm location VPN 255.255.255.192 inside

asdm location BGP-Transit_Network 255.255.255.0 inside

asdm location 10.10.4.60 255.255.254.255 inside

asdm location BB 255.255.255.255 inside

asdm location 10.16.0.0 255.255.0.0 inside

asdm location 69.31.0.0 255.255.0.0 inside

asdm location 198.78.0.0 255.255.0.0 inside

asdm location 10.16.0.0 255.255.255.0 inside

asdm history enable

arp timeout 14400

global (inside) 1 10.10.2.4 netmask 255.0.0.0

global (outside) 10 12.69.103.129 netmask 255.255.255.255

global (outside) 11 12.69.103.130 netmask 255.255.255.255

global (outside) 12 12.69.103.131 netmask 255.255.255.255

global (outside) 13 12.69.103.132 netmask 255.255.255.255

global (outside) 14 12.69.103.133 netmask 255.0.0.0

nat (inside) 0 access-list nonat

nat (inside) 11 192.168.255.4 255.255.255.252

nat (inside) 12 192.168.255.8 255.255.255.252

nat (inside) 13 192.168.255.12 255.255.255.252

nat (inside) 10 10.10.0.0 255.255.0.0

nat (inside) 11 10.11.0.0 255.255.0.0

nat (inside) 12 10.12.0.0 255.255.0.0

nat (inside) 13 10.13.0.0 255.255.0.0

nat (inside) 10 10.14.0.0 255.255.0.0

nat (outside) 0 access-list outside_nat0_outbound

nat (outside) 10 10.16.0.0 255.255.255.0

nat (outside) 10 10.14.0.0 255.255.0.0

nat (outside) 10 10.15.0.0 255.255.0.0

nat (outside) 10 10.16.0.0 255.255.0.0

static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192

static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255

static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0

static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0

static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255

static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255

static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255

access-group outside in interface outside

access-group DMZ1_in in interface DMZ1-VLAN900

!

router eigrp 100

network 10.0.0.0 255.0.0.0

!

route outside 0.0.0.0 0.0.0.0 12.69.103.225 1

route inside 10.0.0.0 255.0.0.0 10.10.200.30 1

route inside 10.10.98.0 255.255.255.0 10.10.200.30 1

route outside 10.14.0.0 255.255.0.0 12.69.103.225 1

route outside 10.15.0.0 255.255.0.0 12.69.103.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server Microsoft protocol radius

accounting-mode simultaneous

reactivation-mode depletion deadtime 30

aaa-server Microsoft host 10.10.2.1

key cisco123

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

http server enable

http 10.10.0.0 255.255.0.0 management

http 10.10.0.0 255.255.0.0 inside

snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161

snmp-server location STODATDROOM

snmp-server contact SYS Admin

snmp-server community UNISNMP

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 115.111.107.226

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set peer 116.12.211.66

crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 10 match address traffic

crypto map outside_map 10 set peer 212.185.51.242

crypto map outside_map 10 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto isakmp identity address

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime none

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime none

crypto isakmp nat-traversal 33

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 10

telnet 10.10.0.0 255.255.0.0 inside

telnet 10.10.0.0 255.255.0.0 management

telnet timeout 29

ssh timeout 29

ssh version 2

console timeout 1

management-access inside

dhcprelay server 10.10.2.1 outside

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address 10.14.0.0 255.255.0.0

threat-detection scanning-threat shun except ip-address 10.15.0.0 255.255.0.0

threat-detection statistics

wccp web-cache

wccp interface inside web-cache redirect in

ntp server 192.5.41.41

ntp server 192.5.41.40

ntp server 192.43.244.18

tftp-server inside 10.10.2.2 \asa

group-policy DfltGrpPolicy attributes

banner value WARNING: This system is for the use of authorized clients only.

wins-server value 10.10.2.1

dns-server value 10.10.2.1 10.10.2.2

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-SplitTunnel

default-domain value universalsilencer.com

msie-proxy server value 00.00.00.00

address-pools value VPNClients

group-policy CHINAPH internal

group-policy CHINAPH attributes

vpn-tunnel-protocol IPSec svc webvpn

split-tunnel-policy tunnelall

intercept-dhcp 255.255.0.0 enable

address-pools value VPNClients

group-policy ezGROUP1 internal

group-policy ezGROUP1 attributes

vpn-tunnel-protocol svc webvpn

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ezvpn1

nem enable

users removed

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key germanysilence

tunnel-group USISplitTunnelRemoteAccess type remote-access

tunnel-group USISplitTunnelRemoteAccess general-attributes

address-pool VPNClients

tunnel-group USISplitTunnelRemoteAccess ipsec-attributes

pre-shared-key z2LNoioYVCTyJlX

tunnel-group USISplitTunnelRADIUS type remote-access

tunnel-group USISplitTunnelRADIUS general-attributes

address-pool VPNClients

authentication-server-group Microsoft LOCAL

tunnel-group USISplitTunnelRADIUS ipsec-attributes

pre-shared-key fLFO2p5KSS8Ic2y

tunnel-group ezVPN1 type remote-access

tunnel-group ezVPN1 general-attributes

default-group-policy ezGROUP1

tunnel-group ezVPN1 ipsec-attributes

pre-shared-key PSK

tunnel-group 212.185.51.242 type ipsec-l2l

tunnel-group 212.185.51.242 ipsec-attributes

pre-shared-key PSK

peer-id-validate nocheck

tunnel-group 115.111.107.226 type ipsec-l2l

tunnel-group 115.111.107.226 ipsec-attributes

pre-shared-key PSJ

tunnel-group China type remote-access

tunnel-group China general-attributes

address-pool VPNClients

default-group-policy CHINAPH

tunnel-group 116.12.211.66 type ipsec-l2l

tunnel-group 116.12.211.66 ipsec-attributes

pre-shared-key PSK

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:834976612f8f76e1b088326516362975

: end


6 Replies

Julio Carvajal, VIP Alumni

Hello Ron,

Let's start with the first things.

This is the first thing I checked and it was incorrect.

So please let me know if it worked after changing it!

The pre-shared key on the two sites is different:

Site A

tunnel-group 12.69.103.226 type ipsec-l2l

tunnel-group 12.69.103.226 ipsec-attributes

pre-shared-key unising

Site B:

tunnel-group 116.12.211.66 type ipsec-l2l

tunnel-group 116.12.211.66 ipsec-attributes

pre-shared-key PSK

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

They are the same now. Same errors.

Also getting the following on the other ASA:

Group = 116.12.211.66, IP = 116.12.211.66, All IPSec SA proposals found unacceptable!

Group = 116.12.211.66, IP = 116.12.211.66, QM FSM error (P2 struct &0xd9032338, mess id 0x739db265)!

I checked that they have the same translations.

Hello Ronald,

You are using PFS on one site and not on the other one.

Let's remove it from the site that has it and give it a try.

Change this:

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 12.69.103.226

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

To this:

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 12.69.103.226

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

So just do a

no crypto map outside_map 1 set pfs

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That worked. New problem: DHCP and DNS will not work.
