04-14-2011 01:37 PM
After upgrading a couple of ASA 5505s to ASA 8.4(1) and using ASDM 6.4.1, I have been unable to set up a site-to-site VPN using the wizard.
Had enough of a headache doing the upgrades on the CLI.
Hopefully someone can figure out my mess-up while I wait for my PO for Sec+ to clear so I can add failover and more headaches!
Anyone have any ideas? PING was enabled and both '05s can ping each other.
Below are the two configs.
Thanks
Config of the ASA with outside address 173.xxx.xxx.153 (inside 10.102.3.0/24):

: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password uqvFhCjkmooWuWcH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.102.3.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.xxx.xxx.153 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.146.0
 subnet 192.168.146.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.102.3.0 255.255.255.0 object 192.168.146.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 196.168.146.0 255.255.255.0 inside
icmp permit 173.xxx.xxx.144 255.255.255.240 outside
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.102.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.xxx.xxx.157
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.102.3.14-10.102.3.45 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_173.xxx.xxx.157 internal
group-policy GroupPolicy_173.xxx.xxx.157 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 173.xxx.xxx.157 type ipsec-l2l
tunnel-group 173.xxx.xxx.157 general-attributes
 default-group-policy GroupPolicy_173.xxx.xxx.157
tunnel-group 173.xxx.xxx.157 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:9a29cdbdf3c946ecdf122f01f746aac0
: end
no asdm history enable

Config of the ASA with outside address 173.xxx.xxx.157 (inside 192.168.146.0/24):

: Saved
:
ASA Version 8.4(1)
!
hostname ciscoasa
enable password uqvFhCjkmooWuWcH encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.146.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.xxx.xxx.157 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.102.3.0
 subnet 10.102.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.146.0 255.255.255.0 object 10.102.3.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.102.3.0 255.255.255.0 inside
icmp permit 10.102.2.0 255.255.255.0 inside
icmp permit 10.102.1.0 255.255.255.0 inside
icmp permit 173.xxx.xxx.144 255.255.255.240 outside
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.146.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.xxx.xxx.153
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.146.20-192.168.146.40 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_173.xxx.xxx.153 internal
group-policy GroupPolicy_173.xxx.xxx.153 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 173.xxx.xxx.153 type ipsec-l2l
tunnel-group 173.xxx.xxx.153 general-attributes
 default-group-policy GroupPolicy_173.xxx.xxx.153
tunnel-group 173.xxx.xxx.153 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:984986098f0a35a1e4bc870acacd78e2
: end
no asdm history enable
04-14-2011 07:05 PM
Hi,
The NAT exemption is missing.
Please put in the following:

On the ASA with outside IP address 173.xxx.xxx.153:

object network 10.102.3.0
 subnet 10.102.3.0 255.255.255.0
nat (inside,outside) 1 source static 10.102.3.0 10.102.3.0 destination static 192.168.146.0 192.168.146.0

On the ASA with outside IP address:

object network 192.168.146.0
 subnet 192.168.146.0 255.255.255.0
nat (inside,outside) 1 source static 192.168.146.0 192.168.146.0 destination static 10.102.3.0 10.102.3.0
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
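As an added illustration (not code from this thread, from Cisco, or from either poster), the Python script below checks a pair of ASA 8.4 configs for the three things that decide whether a wizard-built IKEv1 site-to-site tunnel can carry traffic: each crypto map must point at the other box's outside address, the two crypto ACLs must be mirror images, and the interesting traffic needs an identity (twice) NAT rule, because the obj_any `nat (inside,outside) dynamic interface` rule otherwise rewrites the source to the outside interface address before the crypto map is evaluated, so nothing ever matches the crypto ACL. That third check is exactly the NAT exemption the answer above adds. The config strings are excerpts constructed from the two configs posted in the question, with documentation addresses 203.0.113.153 and 203.0.113.157 standing in for the redacted 173.xxx.xxx.153 and 173.xxx.xxx.157; the function names are my own and not any Cisco API.

```python
"""Consistency check for two ASA 8.4 L2L peers (added example, not Cisco's code).
Config strings are constructed excerpts of the thread's configs; 203.0.113.x
stands in for the redacted 173.xxx.xxx.x public addresses."""
import ipaddress
import re

ASA_A = """
interface Vlan2
 nameif outside
 ip address 203.0.113.153 255.255.255.240
object network 192.168.146.0
 subnet 192.168.146.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.102.3.0 255.255.255.0 object 192.168.146.0
object network obj_any
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.157
"""
ASA_B = """
interface Vlan2
 nameif outside
 ip address 203.0.113.157 255.255.255.240
object network 10.102.3.0
 subnet 10.102.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.146.0 255.255.255.0 object 10.102.3.0
object network obj_any
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.153
"""
# The identity (twice) NAT rules from the answer, one per box.
FIX_A = """
object network 10.102.3.0
 subnet 10.102.3.0 255.255.255.0
nat (inside,outside) 1 source static 10.102.3.0 10.102.3.0 destination static 192.168.146.0 192.168.146.0
"""
FIX_B = """
object network 192.168.146.0
 subnet 192.168.146.0 255.255.255.0
nat (inside,outside) 1 source static 192.168.146.0 192.168.146.0 destination static 10.102.3.0 10.102.3.0
"""
TWICE_NAT = re.compile(r"nat \(inside,outside\) (?:\d+ )?source static (\S+) (\S+) "
                       r"destination static (\S+) (\S+)")


def endpoint(tokens, objects):
    """Consume one ACL address spec (object NAME | host IP | any | NET MASK)."""
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse(cfg):
    """Extract the parts of a running-config that decide whether an L2L tunnel can work."""
    d = {"objects": {}, "acls": {}, "peers": [], "identity_nat": [],
         "dynamic_pat": False, "outside_ip": None, "crypto_acl": None}
    obj = iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj = line.split()[2]
        elif line.startswith("subnet ") and obj:
            _, net, mask = line.split()
            d["objects"][obj] = ipaddress.ip_network(f"{net}/{mask}")
        elif line.startswith("nat (inside,outside) dynamic") and obj:
            d["dynamic_pat"] = True  # object NAT (section 2): PATs every inside host
        elif line.startswith("nameif "):
            iface = line.split()[1]
        elif line.startswith("ip address ") and iface == "outside":
            d["outside_ip"] = line.split()[2]
        elif line.startswith("access-list "):
            t = line.split()
            if t[2:5] == ["extended", "permit", "ip"]:
                src, rest = endpoint(t[5:], d["objects"])
                dst, _ = endpoint(rest, d["objects"])
                d["acls"].setdefault(t[1], []).append((src, dst))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            d["crypto_acl"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            d["peers"].append(m.group(1))
        elif m := TWICE_NAT.match(line):
            sr, sm, dr, dm = m.groups()
            if sr == sm and dr == dm:  # real == mapped on both ends: a NAT exemption
                d["identity_nat"].append((d["objects"][sr], d["objects"][dr]))
    d["acl"] = d["acls"].get(d["crypto_acl"], [])
    return d


def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two peers are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for name, local, remote in (("A", a, b), ("B", b, a)):
        if remote["outside_ip"] not in local["peers"]:
            findings.append(f"{name}: crypto map peer {local['peers']} is not the other side's outside IP")
        if set(local["acl"]) != {(dst, src) for src, dst in remote["acl"]}:
            findings.append(f"{name}: crypto ACL is not the mirror image of the remote crypto ACL")
        for src, dst in local["acl"]:
            if local["dynamic_pat"] and (src, dst) not in local["identity_nat"]:
                findings.append(f"{name}: no identity NAT for {src} -> {dst}; the obj_any PAT rewrites "
                                "the source to the outside IP before the crypto map is consulted")
    return findings


if __name__ == "__main__":
    for finding in check_pair(ASA_A, ASA_B):
        print("before fix:", finding)
    print("after fix:", check_pair(ASA_A + FIX_A, ASA_B + FIX_B) or "no findings")
```

Run as-is, the script reports one missing identity NAT per box and nothing once the two rules from the answer are appended. On the firewall itself the same condition is visible with `show nat`, where the identity rule must appear in the manual section ahead of the obj_any object NAT, and with `packet-tracer input inside tcp 10.102.3.10 1024 192.168.146.1 80`, whose NAT phase shows whether the source is still the real address when the VPN phase is reached.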