Cisco ASA 5505 Site to Site

Dannyn382
Level 1

Hello, I am having some issues configuring two ASAs for site-to-site and am seeking some help. I greatly appreciate your time and effort. When I do a

L2Lsite2# show crypto isakmp sa

There are no isakmp sas

L2Lsite2# show crypto ipsec sa

There are no ipsec sas

If I am on side L2Lsite1 I cannot ping 192.168.3.1

Will repost configs later.

Thanks again in advance for your help in this important issue.


Mohammad Alhyari
Cisco Employee

Hi Dan ,

Your configuration looks fine! Can you share the following debugs:

debug cry isa 127

You need to first try to initiate traffic and then collect the debugs from the initiator ASA and the responder.

Thanks.

Thank you so much for your response. I am not sure exactly how to go about this. When I type that in on both sides nothing happens. Is there something that I should be seeing, or collecting for you? If you have more detailed instructions I would appreciate that as well. Thanks again for the help!

Dan

Hi Dan,

When you enable the debugs and then try to initiate the traffic, you should start seeing the debug output on the screen.

Regards.

OK, so I enabled that and then from the L2LSite1 CLI I tried to ping 192.168.3.1 and nothing was output on the screen.

Thanks for the help!

Can you share the command you used to ping? You can also use packet-tracer to simulate VPN traffic, for example:

packet-tracer input inside icmp [source-ip-address] 8 0 [destination-ip-address] detailed

Ah ha! I got it! The issue was I did not have anything plugged in on both sides; just the outside was plugged into the switch and nothing on the inside. When I plugged devices into the inside, the tunnel came right up and works well. Through that ping I found out that the inside interfaces were down and decided to plug devices in. That brought the tunnel right up; now, no matter if a device is plugged in or not, I can use the tunnel.

Thanks again for the help. I have removed my configs from the top post, but I will repost them again so hopefully it will help someone else.

Thanks for the help!

Dan

Hi Dan,

It is good to know that it is working now,

and many thanks for the rating.

You're very welcome! Thanks again for the help!

Hello,

I am in need of more help. Now that I have moved the installation I cannot get it to work properly. The issue is that the two ASAs can ping each other's inside interfaces just fine (see below) but they cannot ping any other devices on the network (see below). This issue relates to both sides. Thanks in advance.

L2Lsite2# ping inside 10.0.0.5 (site1's internal IP)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms

L2Lsite2# ping inside 10.0.0.1 (device on site1's network)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

The help is greatly appreciated.

Side 1:

L2LSite1# sh run

: Saved

:

ASA Version 7.2(3)

!

hostname L2LSite1

enable password 0M8kPLt5hmzMzfqa encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.5 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list crypto_acl extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list do_not_nat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list do_not_nat

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set encryption_type_set esp-3des esp-sha-hmac

crypto map outside_map 20 match address crypto_acl

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer x.x.x.x

crypto map outside_map 20 set transform-set encryption_type_set

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 5

management-access inside

!

class-map inspection_default

match default-inspection-traffic

class-map class

match default-inspection-traffic

!

!

policy-map type inspect dns dns_inspection

parameters

  message-length maximum 512

policy-map policy

class class

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect snmp

  inspect http

  inspect dns dns_inspection

!

service-policy policy global

username aplus password m6zItLhnhjBU/z6I encrypted

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:ef9e72ae4d06957f050dbc1fd16a842c

: end

L2LSite1# sh ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 20, local addr: x.x.x.x

      access-list crypto_acl permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

      current_peer: x.x.x.x

      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17

      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 17, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 14952F72

    inbound esp sas:

      spi: 0x009CB49C (10269852)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 7, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3824999/28369)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x14952F72 (345321330)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 7, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3824998/28369)

         IV size: 8 bytes

         replay detection support: Y

L2LSite1# packet-tracer input inside icmp 10.0.0.5 8 8 10.0.1.6

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:      

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Site 2:

L2Lsite2# sh run

: Saved

:

ASA Version 7.2(4)

!

hostname L2Lsite2

enable password 0M8kPLt5hmzMzfqa encrypted

passwd 0M8kPLt5hmzMzfqa encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.49 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown    

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

access-list crypto_acl extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list do_not_nat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list do_not_nat

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set encryption_type_set esp-3des esp-sha-hmac

crypto map outside_map 20 match address crypto_acl

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer x.x.x.x

crypto map outside_map 20 set transform-set encryption_type_set

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 5

management-access inside

username aplus password m6zItLhnhjBU/z6I encrypted

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

!

class-map class

match default-inspection-traffic

!

!            

policy-map type inspect dns dns_inspection

parameters

  message-length maximum 512

policy-map policy

class class

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect snmp

  inspect http

  inspect dns dns_inspection

!

service-policy policy global

prompt hostname context

Cryptochecksum:4d1dc33d95e4d294a1c96473ef81a393

: end

L2Lsite2# sh ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 20, local addr: x.x.x.x

      access-list crypto_acl permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

      current_peer: x.x.x.x

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9

      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x , remote crypto endpt.: x.x.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 009CB49C

    inbound esp sas:

      spi: 0x14952F72 (345321330)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 7, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4274998/28008)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x009CB49C (10269852)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 7, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4274999/28008)

         IV size: 8 bytes

         replay detection support: Y

L2Lsite2# packet-tracer input inside  icmp 10.0.1.49 8 8 10.0.0.1

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:      

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks again!
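Before going further, it is worth pinning down what the two configs above do and do not have in common. As an added example (my own code, not from this thread or from Cisco), the script below parses trimmed copies of the two ASA 7.2 configs posted above and checks the things a site-to-site pair has to agree on: the crypto ACLs are mirror images, each side's nat 0 exemption ACL matches its crypto ACL, the bound transform sets and PFS settings match, at least one ISAKMP policy agrees on authentication/encryption/hash/group, and neither side has turned off `sysopt connection permit-vpn`. The embedded configs are constructed from the posted lines (outside/peer addresses were masked as x.x.x.x in the post and are not needed); the "broken" variant is constructed to show what a mismatch looks like. Function names and the single-crypto-map-entry assumption are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the crypto-relevant lines of the two ASA 7.2 configs posted
# above. The masked outside/peer addresses (x.x.x.x) are not needed for these checks.
SITE1_CFG = """
hostname L2LSite1
access-list crypto_acl extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list do_not_nat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list do_not_nat
crypto ipsec transform-set encryption_type_set esp-3des esp-sha-hmac
crypto map outside_map 20 match address crypto_acl
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set encryption_type_set
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
"""
SITE2_CFG = SITE1_CFG.replace("L2LSite1", "L2Lsite2").replace(
    "ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0",
    "ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0")
# Constructed broken variant: wrong mask in the crypto ACL only, and an MD5 ISAKMP hash.
SITE2_BAD = SITE2_CFG.replace(
    "crypto_acl extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0",
    "crypto_acl extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.0.0",
).replace("hash sha", "hash md5")

Entry = Tuple[str, str, str, str]  # (src_net, src_mask, dst_net, dst_mask)
IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$")
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def lines(cfg: str) -> List[str]:
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def first_match(cfg: str, pattern: str) -> str:
    """Group 1 of the first config line matching pattern, else ''."""
    for ln in lines(cfg):
        m = re.match(pattern, ln)
        if m:
            return m.group(1)
    return ""


def parse_acl(cfg: str, name: str) -> List[Entry]:
    return [m.groups()[1:] for m in map(ACL_RE.match, lines(cfg)) if m and m.group(1) == name]


def crypto_acl(cfg: str) -> List[Entry]:
    return parse_acl(cfg, first_match(cfg, r"crypto map \S+ \d+ match address (\S+)$"))


def nat_exempt_acl(cfg: str) -> List[Entry]:
    return parse_acl(cfg, first_match(cfg, r"nat \(\S+\) 0 access-list (\S+)$"))


def transform_set(cfg: str) -> Tuple[str, ...]:
    """Transforms of the set the crypto map actually binds."""
    bound = first_match(cfg, r"crypto map \S+ \d+ set transform-set (\S+)$")
    spec = first_match(cfg, rf"crypto ipsec transform-set {re.escape(bound)} (.+)$") if bound else ""
    return tuple(spec.split())


def isakmp_policies(cfg: str) -> Dict[int, Dict[str, str]]:
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for ln in lines(cfg):
        m = re.match(r"crypto isakmp policy (\d+)$", ln)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"(\S+) (\S+)$", ln)
        if current is not None and m and m.group(1) in POLICY_ATTRS:
            current[m.group(1)] = m.group(2)
        else:
            current = None  # any other line ends the policy block
    return policies


def shared_isakmp_policy(a: str, b: str) -> bool:
    """Lifetime is negotiated down, so only the proposal-defining attributes must agree."""
    keys = ("authentication", "encryption", "hash", "group")
    pa = {tuple(p.get(k) for k in keys) for p in isakmp_policies(a).values()}
    pb = {tuple(p.get(k) for k in keys) for p in isakmp_policies(b).values()}
    return bool(pa & pb)


def check_pair(a: str, b: str) -> List[str]:
    """Peer mismatches that stop an L2L tunnel from negotiating or carrying traffic."""
    findings: List[str] = []
    for label, cfg in (("site A", a), ("site B", b)):
        crypto = crypto_acl(cfg)
        if not crypto:
            findings.append(f"{label}: crypto map has no usable 'match address' ACL")
        elif sorted(nat_exempt_acl(cfg)) != sorted(crypto):
            findings.append(f"{label}: NAT-exempt (nat 0) ACL does not match the crypto ACL")
        if "no sysopt connection permit-vpn" in lines(cfg):
            findings.append(f"{label}: decrypted VPN traffic is subject to the outside interface ACL")
    # Strict check: the peer's crypto ACL must be ours with source and destination swapped.
    mirrored = sorted((d, dm, s, sm) for (s, sm, d, dm) in crypto_acl(b))
    if sorted(crypto_acl(a)) != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    if transform_set(a) != transform_set(b):
        findings.append("IPsec transform sets differ")
    if first_match(a, r"crypto map \S+ \d+ (set pfs)") != first_match(b, r"crypto map \S+ \d+ (set pfs)"):
        findings.append("PFS is set on one side only")
    if not shared_isakmp_policy(a, b):
        findings.append("no ISAKMP policy agrees on authentication/encryption/hash/group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("site 2 as posted", SITE2_CFG), ("site 2, broken variant", SITE2_BAD)):
        print(label, "->", check_pair(SITE1_CFG, cfg) or "no findings")
```

Run against the two configs as posted, the checker reports nothing, which agrees with the `sh ipsec sa` output above: both SAs are up and both the encaps and decaps counters are non-zero on each side. That rules out the usual peer-mismatch causes and points at something the ASA configs alone cannot show, such as how the LAN hosts route the remote subnet.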

athukral
Level 1

Hello Dan,

Hope you are doing fine!

Please mark the query as answered and rate it if you got the information you were looking for.

Thanks

Ankur Thukral

Community  Manager- Security & VPN

athukral@cisco.com

Hello Ankur,

I thought that I did get this resolved, but it turns out that when I moved the installation it stopped functioning properly (to make a long story short, I think that when I did it internally the 192.168.2.0 and 192.168.3.0 were within the subnet mask of the external and so it routed them fine), so I reposted the configs again, with my issue now, in the post above yours. Unfortunately I do not know how to mark the thread unanswered once it has been marked answered. If you know how to solve the problem above, your help would be greatly appreciated.

Thanks,

Dan

Hi Dan,

Take a look at this:

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information

Are you sure there is no access-list in your configuration? And can you please provide the packet-tracer output with the detailed option?
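The phase Mohammad points at is the one to read: it is an ACCESS-LIST phase whose Config: line says "Implicit Rule", i.e. no configured access-list entry matched and the implicit deny applied. As an added example (my own code, not from the thread), here is a small parser that pulls the dropping phase, its Config: line and the final Drop-reason out of packet-tracer output, using the site-2 trace posted above as its constructed sample input. The HINTS table is general ASA troubleshooting guidance I added, not something the thread states. Note also that both traces above are sourced from the ASA's own inside address rather than from a LAN host; a trace sourced from a host address such as 10.0.0.1 is a closer model of the flow that was failing.

```python
import re
from typing import Dict, List

# Constructed sample: the site-2 packet-tracer output posted above, re-joined
# without the blank lines the forum inserted between every line.
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# What to look at next, keyed by the phase type that dropped the packet
# (general ASA troubleshooting guidance added here, not stated in the thread).
HINTS = {
    "ACCESS-LIST": "no explicit ACE matched ('Implicit Rule' is the implicit deny); "
                   "check 'show run access-group' and 'show run all sysopt'",
    "ROUTE-LOOKUP": "no route for the destination; check 'show route'",
    "NAT": "a NAT rule claimed the flow; check 'show run nat' and the nat 0 exemption ACL",
    "VPN": "crypto ACL or peer mismatch; check 'show crypto ipsec sa' for a matching ident",
}


def parse_phases(text: str) -> List[Dict[str, str]]:
    """Split packet-tracer output into its Phase blocks, stopping at the final summary."""
    phases: List[Dict[str, str]] = []
    cur = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": m.group(1), "type": "", "subtype": "", "result": "", "config": "", "info": ""}
            phases.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line == "Result:":  # a bare 'Result:' opens the trailing summary, not a phase result
            cur = None
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                cur[key.lower()] = line.split(":", 1)[1].strip()
                break
        else:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif line and section:
                cur[section] = (cur[section] + " " + " ".join(line.split())).strip()
    return phases


def summary(text: str) -> Dict[str, str]:
    """The key/value lines after the bare 'Result:' marker (interfaces, Action, Drop-reason)."""
    out: Dict[str, str] = {}
    seen_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":
            seen_summary = True
        elif seen_summary and ":" in line:
            k, v = line.split(":", 1)
            out[k.strip()] = v.strip()
    return out


def triage(text: str) -> Dict[str, str]:
    """Name the phase that dropped the packet and what to check next."""
    phases = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return {"verdict": "allow", "phases": str(len(phases))}
    return {
        "verdict": "drop",
        "phase": drop["phase"],
        "type": drop["type"],
        "config": drop["config"],
        "reason": summary(text).get("Drop-reason", ""),
        "hint": HINTS.get(drop["type"], "inspect this phase's Config: line"),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k:8} {v}")
```

On the sample this reports phase 3, type ACCESS-LIST, config "Implicit Rule" and the acl-drop reason, which is exactly the question to answer next: which interface ACL (or the absence of one, together with the sysopt setting) is being applied to this flow.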

Got it fixed!

The issue was that it needed a route in the default gateway for the networks, and it also needed to have sysopt connect vpn-enable on both sides; now it is functioning properly!

Thanks for the help!

Dan
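For anyone landing here with the same symptom (ASA-to-ASA pings through the tunnel work, host-to-host does not), the two pieces of Dan's fix in concrete form, as an added example rather than Dan's own commands. The ASA command is `sysopt connection permit-vpn`, which on ASA 7.x is enabled by default and therefore does not appear in `show run`. The route belongs on whatever the LAN hosts use as their default gateway; the thread only says 10.0.0.1 is "a device on site1's network", so treating it as a Cisco IOS router at each site is an assumption made here.

```cisco
! --- On both ASAs (7.2) ---
! Let decrypted VPN traffic bypass the interface access list. This is the
! default, so it is absent from "show run"; confirm it with
!   show running-config all sysopt
! and re-enable it if that output shows "no sysopt connection permit-vpn".
sysopt connection permit-vpn
!
! Quick checks once hosts are trying to talk across the tunnel:
!   show crypto isakmp sa                  (phase 1 up?)
!   show crypto ipsec sa | include pkts    (encaps AND decaps climbing on both ends?)
!
! --- On the site-1 LAN default gateway (assumed: a Cisco IOS router at 10.0.0.1) ---
! Hosts hand remote-subnet traffic to their default gateway, so the gateway must
! know that 10.0.1.0/24 sits behind the ASA's inside address 10.0.0.5.
ip route 10.0.1.0 255.255.255.0 10.0.0.5
!
! --- On the site-2 LAN default gateway (same assumption) ---
ip route 10.0.0.0 255.255.255.0 10.0.1.49
```

If the ASA itself is the hosts' default gateway, no extra route is needed; the routes only matter when another router sits between the hosts and the ASA, as was apparently the case here. Note that the ASA's own inside-to-inside pings worked without any of this because the ASA sources them from its directly connected inside address and needs no gateway hop.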

Good to know!

Cheers!