
Having trouble with Dynamic-to-static

Cybervex3
Level 1

Having an issue with traffic passing over a dynamic-to-static VPN. Phase 1 and Phase 2 both complete. sh cry ips sa on the ASA shows 0 #pkts encaps. From the 861 it shows 0 #pkts decaps.

I know it's a lot to look at, but hopefully someone will see something obvious that I messed up.

The second tunnel is working. It is coming from a CradlePoint MBR1400 so I am unable to apply the config from that.

____________________________________________________________________________________________

ciscoasa# sh crypto isakmp sa

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1   IKE Peer: 107.46.57.189

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: xxx.xxx.xxx.xxx

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

____________________________________________________________________________________________

ciscoasa# sh crypto ipsec sa

interface: outside

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr:

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 107.46.57.189

      #pkts encaps: 3166, #pkts encrypt: 3166, #pkts digest: 3166

      #pkts decaps: 2828, #pkts decrypt: 2828, #pkts verify: 2828

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 3166, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxx.xxx.xxx.98, remote crypto endpt.: 107.46.57.189

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 0D67A97D

      current inbound spi : B59B6F50

    inbound esp sas:

      spi: 0xB59B6F50 (3046862672)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 5472256, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3020

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFF7FFFF

    outbound esp sas:

      spi: 0x0D67A97D (224897405)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 5472256, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3020

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: xxx.xxx.xxx.98

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

      current_peer: xxx.xxx.xxx.xxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1041, #pkts decrypt: 1044, #pkts verify: 1044

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxx.xxx.xxx.xxx/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/2944

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 9613FEAC

      current inbound spi : 186C9E40

    inbound esp sas:

      spi: 0x186C9E40 (409771584)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 5476352, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (3914991/3199)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x9613FEAC (2517892780)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 5476352, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (kB/sec): (3915000/3198)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

____________________________________________________________________________

REMOTE Config  Cisco 861

Current configuration : 3112 bytes

!

! Last configuration change at 13:07:07 UTC Mon Jan 2 2006 by jwright

! NVRAM config last updated at 12:10:49 UTC Mon Jan 2 2006 by jwright

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

service sequence-numbers

!

hostname Corvid

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

logging console critical

!

no aaa new-model

memory-size iomem 10

!

crypto pki trustpoint TP-self-signed-3769564853

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3769564853

revocation-check none

rsakeypair TP-self-signed-3769564853

!

!

crypto pki certificate chain TP-self-signed-3769564853

certificate self-signed 02

ip source-route

!

!

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool ccp-pool

   import all

   network 10.10.10.0 255.255.255.248

   default-router 10.10.10.1

   lease 0 2

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

!

!

license udi pid CISCO861-K9 sn

!

!

username xxxxx privilege 15 secret 5 $1$SI.

username xxxxx privilege 15 secret 5 $1$y1

!

!

ip tcp synwait-time 10

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ************ address xxx.xxx.xxx.xxx

!

!

crypto ipsec transform-set RTPSET esp-aes esp-sha-hmac

!

crypto map RTP 1 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set RTPSET

match address 100

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map RTP

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.10.10.1 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map nonat interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 dhcp

!

logging trap debugging

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 24 permit 192.168.0.0 0.0.0.255

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 100 deny   ip 10.10.10.0 0.0.0.255 any

access-list 120 deny   ip 10.10.10.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 120 permit ip 10.10.10.0 0.0.0.255 any

no cdp run

route-map nonat permit 10

match ip address 120

!

!

control-plane

!

!

line con 0

logging synchronous

login local

no modem enable

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

________________________________________________________________________________________

ASA5510

ciscoasa# sh run

: Saved

:

ASA Version 8.2(1)11

!

hostname ciscoasa

domain-name pme.local

enable password xxx encrypted

passwd xxx encrypted

names

!

interface Ethernet0/0

nameif backup

security-level 1

ip address xxx.xxx.xxx.xxx 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.1.1 255.255.0.0

!

interface Ethernet0/2

shutdown

nameif outside2

security-level 0

no ip address

!

interface Ethernet0/3

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.224

!

interface Management0/0

nameif management

security-level 100

ip address 172.17.0.199 255.255.255.0

management-only

!

banner motd       **************************** NOTICE ******************************

banner motd       *    Unauthorized access to this network device is FORBIDDEN!    *

banner motd       *  All connection attempts and sessions are logged and AUDITED!  *

banner motd       ******************************************************************

banner motd       **************************** NOTICE ******************************

banner motd       *    Unauthorized access to this network device is FORBIDDEN!    *

banner motd       *  All connection attempts and sessions are logged and AUDITED!  *

banner motd       ******************************************************************

boot system disk0:/asa821-11-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside2

dns domain-lookup outside

dns domain-lookup management

dns server-group DefaultDNS

name-server HOMESTEAD-INT

name-server SEBRING-INT

domain-name pme.local

object-group service SQLTEST udp

description SQLTEST for VES

port-object eq 1434

object-group service SQLTEST_TCP tcp

description SQLTEST For VES

port-object eq 1433

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

access-list nonat extended permit ip any 10.10.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.11.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0

access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.10.0 255.255.255.248

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq smtp

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq https

access-list outside_access_in extended permit tcp any host DAYTONA-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host SonomaBullsEye eq https inactive

access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host AUTHENTICA-EXT-BAK eq https

access-list outside_access_in extended permit udp any host xxx.xxx.xxx.xxx eq 1434

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 1433 inactive

access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq www

access-list outside_access_in extended permit tcp any host FILETRANSFER-EXT-BAK eq https

access-list outside_access_in remark HTTP for TeamWeb

access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq www

access-list outside_access_in remark HTTPS for TeamWeb

access-list outside_access_in extended permit tcp any host ALEXSYS-EXT-BAK eq https

access-list outside_access_in extended deny icmp any any

access-list Split_Tunnel_List standard permit 10.10.0.0 255.255.0.0

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq smtp

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host DAYTONA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host Sonoma eq https inactive

access-list outside_access_in_1 extended permit tcp any host PMEUPDATE-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq ssh inactive

access-list outside_access_in_1 extended permit tcp any host FILETRANSFER-EXT-OUT eq https

access-list outside_access_in_1 remark FTPS

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT object-group DM_INLINE_TCP_1

access-list outside_access_in_1 extended permit tcp any host FTP-EXT-OUT range 60200 60400

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host AUTHENTICA-EXT-OUT eq https

access-list outside_access_in_1 extended permit tcp any host OSCODA-EXT-OUT object-group SQLTEST_TCP inactive

access-list outside_access_in_1 extended permit udp any host OSCODA-EXT-OUT object-group SQLTEST inactive

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq www

access-list outside_access_in_1 extended permit tcp any host ALEXSYS123-EXT-OUT eq https

access-list outside_access_in_1 extended deny icmp any any

access-list inside_access_out extended permit ip any any log

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm notifications

logging from-address asa@p.com

logging recipient-address j@p.com level errors

logging host inside 10.10.2.12

logging permit-hostdown

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302012

no logging message 302017

no logging message 302016

mtu backup 1500

mtu inside 1500

mtu outside2 1500

mtu outside 1500

mtu management 1500

ip local pool IPSECVPN2 10.10.11.76-10.10.11.100

ip local pool SSLVPN 10.10.11.101-10.10.11.200 mask 255.255.0.0

ip local pool IPSECVPN 10.10.11.25-10.10.11.75

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

global (backup) 1 xxx.xxx.xxx.xxx

global (outside) 1 xxx.xxx.xxx.xxx netmask 255.255.255.224

nat (inside) 0 access-list nonat

nat (inside) 1 10.10.0.0 255.255.0.0

static (inside,outside) DAYTONA-EXT-OUT DAYTONA-INT netmask 255.255.255.255

static (inside,outside) AUTHENTICA-EXT-OUT AUTHENTICA-INT netmask 255.255.255.255

static (inside,outside) ALEXSYS123-EXT-OUT MIDOHIO-INT netmask 255.255.255.255

static (inside,outside) PMEUPDATE-EXT-OUT PMEUPDATE-INT netmask 255.255.255.255

static (inside,outside) FILETRANSFER-EXT-OUT FILETRANSFER-INT netmask 255.255.255.255

static (inside,outside) FTP-EXT-OUT FTP-INT netmask 255.255.255.255

static (inside,backup) FILETRANSFER-EXT-BAK FILETRANSFER-INT netmask 255.255.255.255

static (inside,backup) DAYTONA-EXT-BAK DAYTONA-INT netmask 255.255.255.255

static (inside,backup) AUTHENTICA-EXT-BAK AUTHENTICA-INT netmask 255.255.255.255

static (inside,backup) ALEXSYS-EXT-BAK MIDOHIO-INT netmask 255.255.255.255

access-group outside_access_in in interface backup

access-group inside_access_out in interface inside

access-group outside_access_in_1 in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 track 1

route backup 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 254

route backup 62.109.192.0 255.255.240.0 xxx.xxx.xxx.xxx 1

route backup 64.68.96.0 255.255.224.0 xxx.xxx.xxx.xxx 1

route backup 66.114.160.0 255.255.240.0 xxx.xxx.xxx.xxx 1

route backup 66.163.32.0 255.255.240.0 xxx.xxx.xxx.xxx 1

route backup 209.197.192.0 255.255.224.0 xxx.xxx.xxx.xxx 1

route backup 210.4.192.0 255.255.240.0 xxx.xxx.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 24:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  http-proxy enable

aaa-server PMERADIUS protocol radius

aaa-server PMERADIUS (inside) host HOMESTEAD-INT

key ******

radius-common-pw ******

aaa authentication ssh console LOCAL

http server enable

http 10.10.0.0 255.255.0.0 inside

http 172.17.0.0 255.255.255.0 management

http redirect backup 80

http redirect outside 80

snmp-server location Server Room

snmp-server contact Jay

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 100

type echo protocol ipIcmpEcho xxx.xxx.xxx.xxx interface outside

timeout 3000

frequency 10

sla monitor schedule 100 life forever start-time now

crypto ipsec transform-set PM1 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set pfs group1

crypto dynamic-map dyn1 1 set transform-set PM1

crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800

crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set reverse-route

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map cryptomap1 1 ipsec-isakmp dynamic dyn1

crypto map cryptomap1 interface backup

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint xxx.xxx.xxx.xxx

enrollment terminal

fqdn xxx.xxx.xxx.xxx

subject-name CN= xxx.xxx.xxx.xxx, O=xxxx, C=US, St=MI, L=xxxx

keypair xxx.xxx.xxx.xxx

crl configure

crypto ca certificate chain xxx.xxx.xxx.xxx

certificate 041200616c79f4

    30820577 3082045f a0030201 02020704 1200616c 79f4300d 06092a86 4886f70d

  quit

crypto isakmp identity address

crypto isakmp enable backup

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes-256

hash md5

group 5

lifetime 86400

crypto isakmp nat-traversal 33

!

track 1 rtr 100 reachability

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 15

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 64.22.86.210 source backup prefer

ssl trust-point vpn.prattmiller.com outside

ssl trust-point vpn.prattmiller.com backup

ssl trust-point vpn.prattmiller.com outside2

webvpn

enable backup

enable outside2

enable outside

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 2

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 3

svc profiles AllowRemoteUsers disk0:/AnyConnectProfile.xml

svc enable

internal-password enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 10.10.2.1

vpn-tunnel-protocol IPSec l2tp-ipsec

default-domain none

group-policy DfltGrpPolicy attributes

dns-server value 10.10.2.1 10.10.2.62

vpn-idle-timeout 600

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List

default-domain value pme.local

webvpn

  url-list value Book1

  svc profiles value AllowRemoteUsers

  svc ask enable default webvpn timeout 10

group-policy AnyConnect internal

group-policy AnyConnect attributes

vpn-tunnel-protocol webvpn

webvpn

  svc ask enable default webvpn timeout 15

username xxxx password RrjDgdg5BBLrGPnn encrypted privilege 15

username xxxx password qDxllXruMJHEVZji encrypted privilege 15

username xxxx password dGOqWbOOjP0FVxtl encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup general-attributes

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (backup) IPSECVPN2

address-pool (outside2) IPSECVPN2

address-pool (outside) SSLVPN

address-pool SSLVPN

authentication-server-group PMERADIUS

tunnel-group pm_ipsec type remote-access

tunnel-group pm_ipsec general-attributes

address-pool IPSECVPN2

tunnel-group pm_ipsec ipsec-attributes

pre-shared-key *

tunnel-group prattmiller type remote-access

tunnel-group prattmiller general-attributes

address-pool IPSECVPN

tunnel-group prattmiller ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 1024

policy-map global_policy

class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

class class-default

!

service-policy global_policy global

smtp-server 10.10.2.6

prompt hostname context

Cryptochecksum:8316029502f6698d4015f5e1b3d40a08

: end

________________________________________________________________________

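As an added diagnostic that is not part of the original post: a short Python script that parses the ASA `show crypto ipsec sa` output above into per-SA records, flags SAs that decrypt but never encrypt (the `#pkts encaps: 0` symptom), and checks whether each such SA's negotiated remote ident is fully covered by a `nat (inside) 0 access-list nonat` entry. The sample output, peer addresses and ACL lines are constructed, modelled on the thread's data.

```python
"""Flag one-way IPsec SAs in ASA 'show crypto ipsec sa' output (added example for this
thread, not the original post's code; all addresses, output and ACL lines below are
constructed, modelled on the thread's ASA output and its 'nonat' exemption list)."""
import ipaddress
import re

# Constructed excerpt: one healthy SA and one that decrypts but never encrypts.
SAMPLE_SA_OUTPUT = """\
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 198.51.100.98
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      current_peer: 203.0.113.7
      #pkts encaps: 3166, #pkts encrypt: 3166, #pkts digest: 3166
      #pkts decaps: 2828, #pkts decrypt: 2828, #pkts verify: 2828
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 198.51.100.98
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 203.0.113.99
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1041, #pkts decrypt: 1044, #pkts verify: 1044
      local crypto endpt.: 198.51.100.98/4500, remote crypto endpt.: 203.0.113.99/2944
"""

# Constructed NAT-exemption ACL, same shape as the thread's 'nonat' entries.
NONAT_ACL = [
    "access-list nonat extended permit ip 10.10.0.0 255.255.0.0 192.168.101.0 255.255.255.0",
    "access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.10.0 255.255.255.248",
]

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
NATT_RE = re.compile(r"local crypto endpt\.: \S+/4500")   # UDP/4500 = NAT-T encapsulation
ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)$")  # 'src mask dst mask' form only

def parse_ipsec_sa(text):
    """Split the output into per-SA blocks and pull out peer, idents, counters, NAT-T."""
    sas = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        sa = {"nat_t": bool(NATT_RE.search(block))}
        for kind, addr, mask in IDENT_RE.findall(block):
            sa[kind] = ipaddress.ip_network(f"{addr}/{mask}")  # accepts dotted netmasks
        sa["peer"] = PEER_RE.search(block).group(1)
        sa["encaps"] = int(ENCAPS_RE.search(block).group(1))
        sa["decaps"] = int(DECAPS_RE.search(block).group(1))
        sas.append(sa)
    return sas

def nat_exempt_networks(acl_lines):
    """Destination networks the ASA will not translate; 'any'/'host' forms are skipped."""
    nets = []
    for line in acl_lines:
        m = ACL_RE.search(line.strip())
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))
    return nets

def one_way_sas(sas, exempt_nets):
    """Findings for SAs that decrypt traffic but never encrypt any (encaps == 0)."""
    # If no nat 0 entry covers the whole negotiated remote ident, return traffic to
    # the uncovered part of that network is PAT'd instead of entering the tunnel.
    findings = []
    for sa in sas:
        if sa["encaps"] == 0 and sa["decaps"] > 0:
            covered = any(sa["remote"].subnet_of(n) for n in exempt_nets)
            findings.append({"peer": sa["peer"], "remote": str(sa["remote"]),
                             "nat_t": sa["nat_t"], "nat_exempt_covers_remote": covered})
    return findings
```

On the thread's own numbers the second SA negotiated a remote ident of 10.10.10.0/24 while the nonat entry is 10.10.10.0/29, so the check reports that the exemption does not cover the whole negotiated network.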

3 Replies

Jennifer Halim
Cisco Employee

Please configure the following route:

route outside 10.10.10.0 255.255.255.248 xxx.xxx.xxx.xxx

My question about this is the other Dynamic VPN that is working has no static route.

I added:

route outside 10.10.10.0 255.255.255.248 xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the IP of the non working remote IKE Peer)

This had no effect.

Looking at the two tunnels, the working tunnel is using IKE IPSEC and the non-working tunnel is using IKE IPsecOverNatT. What have I entered that tells the VPN to use IPsecOverNatT?

This is the command (a global command) that tells the VPN to use IPSecOverNatT if it detects that there is a NAT device along the path of the VPN tunnel:

crypto isakmp nat-traversal 33

Maybe there is a firewall blocking the IPSecOverNatT port that you might need to open: it's UDP/4500.