07-26-2012 06:33 AM
I've been pulling my hair out on this one. I had 3 tunnels using a pix firewall at each location going to the main office (I didn't set it up). One of the pix toasted, so I'm trying to replace it with a cisco asa 5505. I created the tunnel, it sees the tunnel on both sides, I can see the encaps and decaps at the main office, but I can't ping from the new tunnel to the main office, or vice-versa. I've tried all kinds of things, rebuilt the tunnel umpteen times, and I just can't see where the problem is. Maybe fresh eyes can save my hair. I hope someone sees something that I missed. Here's the config:
: Saved : ASA Version 7.2(2) ! hostname ciscoasa domain-name default.domain.invalid enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Vlan1 nameif inside security-level 100 ip address 10.0.1.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 142.176.18.178 255.255.255.252 ! interface Ethernet0/0 switchport access vlan 2 speed 100 duplex half ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive clock timezone AST -4 clock summer-time ADT recurring dns domain-lookup inside dns domain-lookup outside dns server-group DefaultDNS name-server 142.177.1.2 name-server 142.177.129.11 domain-name default.domain.invalid access-list outside_cryptomap_20 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 access-list outside_cryptomap_40 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 access-list outside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 pager lines 24 logging enable logging history debugging logging asdm informational mtu inside 1500 mtu outside 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any inside icmp permit any outside asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (inside) 1 10.0.1.2-10.0.1.254 netmask 255.255.255.0 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (outside) 0 access-list outside_nat0_outbound nat (outside) 1 0.0.0.0 0.0.0.0 route outside 0.0.0.0 0.0.0.0 142.176.18.177 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward none port-forward-name value Application Access sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate http server enable http 10.0.1.0 255.255.255.0 inside http 24.222.27.154 255.255.255.255 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart sysopt noproxyarp outside crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 142.176.4.90 crypto map outside_map 20 set transform-set ESP-3DES-SHA crypto map outside_map 20 set reverse-route crypto map outside_map 40 match address outside_cryptomap_40 crypto map outside_map 40 set peer 142.176.4.90 crypto map outside_map 40 set transform-set ESP-3DES-SHA crypto map outside_map 40 set reverse-route crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 tunnel-group 142.176.4.90 type ipsec-l2l tunnel-group 142.176.4.90 ipsec-attributes pre-shared-key * tunnel-group-map enable rules tunnel-group-map default-group 142.176.4.90 telnet 10.0.1.220 255.255.255.255 inside telnet 10.0.1.0 255.255.255.0 inside telnet 24.222.27.154 255.255.255.255 outside telnet timeout 5 ssh 24.222.27.154 255.255.255.255 outside ssh timeout 5 console timeout 0 dhcpd dns 142.177.1.2 142.177.129.11 dhcpd auto_config outside dhcpd option 3 ip 10.0.1.1 ! dhcpd address 10.0.1.2-10.0.1.129 inside dhcpd option 3 ip 10.0.1.1 interface inside dhcpd enable inside ! ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:7f220b76774dd4827498398c39a951f7 : end asdm image disk0:/asdm-522.bin no asdm history enable
07-26-2012 06:51 AM
Hi Eric,
Thanks for the problem description
May I know the peer IP address of the new tunnel?
Can you also include the configuration of the other VPN device?
Your collaboration on this issue is highly appreciated.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide