04-03-2013 11:01 AM
Hi:
I have built L2L VPNs for 3 sites (Site A <--> Site B <--> Site C). It works fine for a while, but sometimes I cannot connect from Site A to Site C. I can reconnect once I restart the Site A firewall. Both the Site A and Site C connections to Site B are excellent. Please see the configurations below for more information. Thanks for any suggestion!
Site A:
ASA Version 8.4(3)
!
hostname jtfw-lex
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.29.88.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.190.234.138 255.255.255.248
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service RDP
service tcp source eq 3389
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network jt-dc01
host 172.29.88.151
object network WAN_jt-dc01
host 10.8.8.3
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexinton office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
description Jollytech HQ network
object network obj_colo
subnet 172.29.168.0 255.255.255.0
description Jollytech colo network
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq netbios-ssn inactive
access-list inside_access_in extended deny tcp any eq netbios-ssn any inactive
access-list inside_access_in extended deny udp any eq 139 any inactive
access-list inside_access_in extended deny udp any any eq 139 inactive
access-list inside_access_in extended deny tcp any any eq 135 inactive
access-list inside_access_in extended deny tcp any eq 135 any inactive
access-list inside_access_in extended deny udp any eq 135 any inactive
access-list inside_access_in extended deny udp any any eq 135 inactive
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq smtp
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq pptp
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq www
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq https
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq 3389
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list outside_cryptomap extended permit ip 172.29.88.0 255.255.255.0 object obj_HQ
access-list outside_cryptomap extended permit ip object obj_lex object obj_colo
access-list VPN_Tunnel_user standard permit 172.29.88.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 172.29.168.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 192.168.88.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging host inside 172.29.88.30
mtu inside 1500
mtu outside 1500
ip local pool jolly_lex_DHCP 192.168.88.100-192.168.88.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service RDP RDP
nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service JT_WWW JT_WWW
nat (inside,outside) source static obj_lex obj_lex destination static obj_HQ obj_HQ route-lookup
nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.190.234.137 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.29.88.0 255.255.255.0 inside
snmp-server host inside 172.29.88.30 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.164.111.140
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.29.88.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.29.88.50-172.29.88.100 inside
dhcpd dns 172.29.8.3 166.102.165.11 interface inside
dhcpd domain jollytech.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_173.164.111.140 internal
group-policy GroupPolicy_173.164.111.140 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username who password JOYSoaqW4x32VHKB encrypted
tunnel-group 173.164.111.140 type ipsec-l2l
tunnel-group 173.164.111.140 general-attributes
default-group-policy GroupPolicy_173.164.111.140
tunnel-group 173.164.111.140 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
inspect icmp
!
service-policy global_policy global
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ad903070f970660dc4cc357a8f80bd1c
: end
Site B:
: Saved
:
ASA Version 8.4(4)1
!
hostname jtfw-hq
domain-name jollytech.com
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
!
interface Ethernet0/1
switchport access vlan 2
speed 100
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.164.111.140 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name jollytech.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_111_138
host 173.164.111.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object network obj_HQVPN
subnet 192.168.8.0 255.255.255.0
object network jt-fn68zv1
host 172.29.8.71
object service JT_FTP
service tcp source eq ftp
object network obj_colo
subnet 172.29.168.0 255.255.255.0
object network Avocado
host 172.29.8.18
object service JT_SIP
service tcp source eq sip
object service JT_5000
service tcp source eq 5000
object service JT_5090
service tcp source eq 5090
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 192.168.8.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135 inactive
access-list inside_access_in extended deny tcp any eq 135 any inactive
access-list inside_access_in extended deny udp any eq 135 any inactive
access-list inside_access_in extended deny udp any any eq 135 inactive
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 173.164.111.138 eq 3389
access-list outside_access_in extended permit tcp any host 173.164.111.138 eq smtp
access-list outside_access_in extended permit tcp any host 173.164.111.138 eq pptp
access-list outside_access_in extended permit tcp any host 173.164.111.138 eq www
access-list outside_access_in extended permit tcp any host 173.164.111.138 eq https
access-list outside_access_in extended permit tcp any host 173.164.111.140 eq sip
access-list outside_access_in extended permit tcp any host 173.164.111.140 eq 5090
access-list outside_access_in extended permit tcp any host 173.164.111.140 eq 5000
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29.88.0 255.255.255.0
access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
access-list outside_cryptomap_1 extended permit ip object obj_HQ object obj_colo
access-list outside_cryptomap_1 extended permit ip object obj_lex object obj_colo
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging from-address jtfw-hq@jollytech.com
logging host inside 172.29.8.89
mtu inside 1500
mtu outside 1500
ip local pool Jolly_HQVPN_DHCP 192.168.8.100-192.168.8.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static guava WAN_173_164_111_138 service JT_WWW JT_WWW
nat (inside,outside) source static guava WAN_173_164_111_138 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static guava WAN_173_164_111_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_111_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_111_138 service PPTP PPTP
nat (inside,outside) source static jt-fn68zv1 interface service JT_FTP JT_FTP
nat (inside,outside) source static Avocado interface service JT_SIP JT_SIP
nat (any,outside) source static Avocado interface service JT_5090 JT_5090
nat (any,outside) source static Avocado interface service JT_5000 JT_5000
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_colo obj_colo route-lookup
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_lex route-lookup
nat (outside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
nat (outside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_HQVPN obj_HQVPN
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.164.111.142 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 10:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
user-identity inactive-user-timer minutes 360
http server enable
http 172.29.8.0 255.255.255.0 inside
snmp-server host inside 172.29.8.89 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.190.234.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 198.111.239.218
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
!
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
group-policy Jolleytech_VPN internal
group-policy Jolleytech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value jollytech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group jollytech type remote-access
tunnel-group jollytech general-attributes
address-pool Jolly_HQVPN_DHCP
authentication-server-group Guava
default-group-policy Jolleytech_VPN
tunnel-group jollytech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 198.111.239.218 type ipsec-l2l
tunnel-group 198.111.239.218 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 198.111.239.218 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group 173.190.234.138 type ipsec-l2l
tunnel-group 173.190.234.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.234.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
inspect http
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:8dd2069c8484cd43617a27072c31a92e
: end
Site C:
ASA Version 8.4(3)
!
hostname jtfw-colo
domain-name jollytech.com
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.29.168.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 198.111.239.218 255.255.255.248
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name jollytech.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service RDP
service tcp source eq 3389
object service JT_SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
description Jollytech HQ network
object network guava
host 172.29.8.3
object network obj_HQVPN
subnet 192.168.8.0 255.255.255.0
description Jollytech HQ VPN Network
object network WAN_198_111_239_220
host 198.111.239.220
object network jt-dc01
host 172.29.168.3
object network jt-exch2010
host 172.29.168.25
object network obj_colo
subnet 172.29.168.0 255.255.255.0
description Jollytech colo network
object network RC_jt-r610
host 172.29.168.8
object network WAN_198_111_239_221
host 198.111.239.221
object network jt-sp2010
host 172.29.168.9
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135 inactive
access-list inside_access_in extended deny tcp any eq 135 any inactive
access-list inside_access_in extended deny udp any eq 135 any inactive
access-list inside_access_in extended deny udp any any eq 135 inactive
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object WAN_198_111_239_220 eq 3389
access-list outside_access_in extended permit tcp any object WAN_198_111_239_220 eq www
access-list outside_access_in extended permit tcp any object WAN_198_111_239_220 eq https
access-list outside_access_in extended permit tcp any object WAN_198_111_239_221 eq www
access-list outside_access_in extended permit tcp any object WAN_198_111_239_221 eq https
access-list outside_access_in extended permit tcp any object WAN_198_111_239_221 eq 3389
access-list outside_access_in extended permit tcp any object WAN_198_111_239_221 eq smtp
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip object obj_colo object obj_HQ
access-list outside_cryptomap extended permit ip object obj_colo object obj_lex
pager lines 24
logging enable
logging asdm informational
logging from-address jtfw-colo@jollytech.com
logging recipient-address who@jollytech.com level errors
logging host inside 172.29.168.89
mtu inside 1500
mtu outside 1500
ip local pool Jolly_coloVPN_DHCP 192.168.168.100-192.168.168.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static RC_jt-r610 interface service JT_WWW JT_WWW
nat (inside,outside) source static RC_jt-r610 interface service JT_HTTPS JT_HTTPS
nat (inside,outside) source static jt-sp2010 WAN_198_111_239_220 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static jt-sp2010 WAN_198_111_239_220 service JT_WWW JT_WWW
nat (inside,outside) source static jt-sp2010 WAN_198_111_239_220 service RDP RDP
nat (inside,outside) source static jt-exch2010 WAN_198_111_239_221 service RDP RDP
nat (inside,outside) source static jt-exch2010 WAN_198_111_239_221 service JT_WWW JT_WWW
nat (inside,outside) source static jt-exch2010 WAN_198_111_239_221 service JT_HTTPS JT_HTTPS
nat (inside,outside) source static jt-exch2010 WAN_198_111_239_221 service JT_SMTP JT_SMTP
nat (inside,outside) source static obj_colo obj_colo destination static obj_HQ obj_HQ route-lookup
nat (inside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.111.239.217 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.29.168.0 255.255.255.0 inside
http 172.29.8.0 255.255.255.0 inside
snmp-server host inside 172.29.168.89 community ***** version 2c
snmp-server location HE Fremont Colo
snmp-server contact who@jollytech.com
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.164.111.140
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.29.8.0 255.255.255.0 inside
telnet 172.29.168.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy GroupPolicy_173.164.111.140 internal
group-policy GroupPolicy_173.164.111.140 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 173.164.111.140 type ipsec-l2l
tunnel-group 173.164.111.140 general-attributes
default-group-policy GroupPolicy_173.164.111.140
tunnel-group 173.164.111.140 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
inspect icmp
!
service-policy global_policy global
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6438e01e896c07c1280a7c5b27455c09
: end
asdm history enable
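A check worth running on the config pasted above: the IKEv1/IKEv2 policies and IPsec proposals offer DES, 3DES, MD5 and DH group 2 alongside the AES/SHA options, and a peer that shares one of those will happily negotiate it. The script below is an added example written for this thread, not code from the original post or from Cisco; it parses the policy blocks in the same layout as the paste (no indentation) and lists every weak offer. The WEAK_* thresholds are this example's own choice (an assumption), and SAMPLE_CONFIG is an excerpt of the policies posted above.

```python
"""Audit the IKE and IPsec algorithm offers in an ASA 8.4 running-config.

Added example for this thread, not code from the original post. It reads the
'crypto ikev1 policy', 'crypto ikev2 policy', 'crypto ipsec ikev1 transform-set'
and 'crypto ipsec ikev2 ipsec-proposal' blocks as they appear in
'show running-config' and reports every offer of DES/3DES, MD5 or a DH group
below 2048 bits. The WEAK_* sets are this example's thresholds (assumption).
"""
import re

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_INTEGRITY = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768-, 1024- and 1536-bit MODP

# Sub-commands that may follow each block header. Indentation is not used
# because forum pastes (like the one above) usually strip it.
SUBCOMMANDS = {
    "ikev1": {"authentication", "encryption", "hash", "group", "lifetime"},
    "ikev2": {"encryption", "integrity", "group", "prf", "lifetime"},
    "proposal": {"protocol"},
}
HEADERS = [
    ("ikev1", re.compile(r"^crypto ikev1 policy (\d+)$")),
    ("ikev2", re.compile(r"^crypto ikev2 policy (\d+)$")),
    ("proposal", re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$")),
]
TRANSFORM_SET = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")

# Excerpt of the policies from the config posted above (a subset of them).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map outside_map 1 set pfs
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
"""


def parse_asa_crypto(text):
    """Return {'ikev1', 'ikev2', 'proposal', 'transform-set'} -> name -> settings.

    Policies and proposals map sub-command keyword -> argument list; each
    transform-set maps name -> [esp-encryption, esp-integrity].
    """
    cfg = {"ikev1": {}, "ikev2": {}, "proposal": {}, "transform-set": {}}
    current = None                        # (kind, name) of the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = TRANSFORM_SET.match(line)
        if m:                             # one-line command, closes any block
            cfg["transform-set"][m.group(1)] = m.group(2).split()
            current = None
            continue
        for kind, pattern in HEADERS:
            m = pattern.match(line)
            if m:
                current = (kind, m.group(1))
                cfg[kind][m.group(1)] = {}
                break
        else:
            parts = line.split()
            if current is not None and parts[0] in SUBCOMMANDS[current[0]]:
                kind, name = current
                if kind == "proposal":
                    if len(parts) >= 4:   # protocol esp <encryption|integrity> <algs...>
                        cfg[kind][name][parts[2]] = parts[3:]
                else:
                    cfg[kind][name][parts[0]] = parts[1:]
            else:
                current = None            # any other command closes the block
    return cfg


def audit(cfg):
    """Return a list of (scope, issue) tuples, one per weak algorithm offered."""
    findings = []

    def check(scope, key, values, weak):
        for v in values:
            if v in weak:
                findings.append((scope, f"{key} {v}"))

    for num, pol in cfg["ikev1"].items():
        scope = f"ikev1 policy {num}"
        check(scope, "encryption", pol.get("encryption", []), WEAK_ENCRYPTION)
        check(scope, "hash", pol.get("hash", []), WEAK_INTEGRITY)
        check(scope, "group", pol.get("group", []), WEAK_DH_GROUPS)
    for num, pol in cfg["ikev2"].items():
        scope = f"ikev2 policy {num}"
        check(scope, "encryption", pol.get("encryption", []), WEAK_ENCRYPTION)
        check(scope, "integrity", pol.get("integrity", []), WEAK_INTEGRITY)
        check(scope, "group", pol.get("group", []), WEAK_DH_GROUPS)
    for name, prop in cfg["proposal"].items():
        scope = f"ikev2 ipsec-proposal {name}"
        check(scope, "encryption", prop.get("encryption", []), WEAK_ENCRYPTION)
        check(scope, "integrity", prop.get("integrity", []), WEAK_INTEGRITY)
    for name, algs in cfg["transform-set"].items():
        check(f"ikev1 transform-set {name}", "transform", algs,
              WEAK_ENCRYPTION | WEAK_INTEGRITY)
    return findings


if __name__ == "__main__":
    for scope, issue in audit(parse_asa_crypto(SAMPLE_CONFIG)):
        print(f"{scope}: {issue}")
```

Run against the full paste the same way (feed it the whole config text) and every IKEv1 policy is flagged for group 2, seven of them for DES or 3DES, and every IKEv2 proposal for MD5. Trimming the policy list to what the peers actually need (here AES with SHA and a stronger group) is also the quicker way to spot a proposal mismatch, because a negotiation failure then shows exactly which side disagrees instead of silently falling through a dozen alternatives.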
04-03-2013 01:13 PM
It works fine for a while. But, we always have little issue
What's that little issue?))
04-03-2013 01:19 PM
Sorry! I did not give a clear description of the issue. I have a problem connecting Site A to Site C. Sometimes it works, sometimes it does not. I tried rebooting the Site A firewall once, and it worked fine afterwards. But I tried the same thing today, and it does not help.
04-04-2013 03:14 PM
Could anyone else help?
04-05-2013 09:22 AM
Could any expert contribute their experience?
One update: I posted a similar issue a few weeks ago. One of the experts suggested adding:
nat (outside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
nat (outside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
It worked fine for a few weeks.
Could anyone point out other possible issues?
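The two nat (outside,outside) lines quoted above are the identity twice-NAT rules that let Site B hairpin spoke-to-spoke traffic without the hub's dynamic PAT rewriting it; the hub also needs same-security-traffic permit intra-interface for traffic to enter and leave the outside interface, and a rule in each direction for every spoke pair. The script below is an added example for this thread, not code from the post or from Cisco: it parses a hub config for those pieces and prints what is still missing. Site B's config is not in the thread, so SAMPLE_HUB_CONFIG is constructed here; it reuses the two NAT lines from the post and the obj_lex / obj_colo object names, while obj_site_d and its subnet are made up for the example.

```python
"""Check an ASA hub config for what spoke-to-spoke (hairpin) traffic needs.

Added example, not from the thread. For every ordered pair of spoke network
objects it verifies that the hub has:
  * 'same-security-traffic permit intra-interface' (outside -> outside allowed)
  * an identity twice-NAT rule 'nat (outside,outside) source static X X
    destination static Y Y route-lookup' so the Internet PAT rule never
    touches spoke-to-spoke packets.
SAMPLE_HUB_CONFIG is constructed: it reuses the two NAT lines from the post and
the obj_lex / obj_colo names; obj_site_d and 172.29.200.0/24 are invented.
"""
import re
from itertools import permutations

NAT_RULE = re.compile(
    r"^nat \(outside,outside\) source static (\S+) (\S+) "
    r"destination static (\S+) (\S+)(?P<opts>(?: \S+)*)$"
)

SPOKES = ["obj_lex", "obj_colo", "obj_site_d"]

SAMPLE_HUB_CONFIG = """\
same-security-traffic permit intra-interface
object network obj_lex
subnet 172.29.88.0 255.255.255.0
object network obj_colo
subnet 172.29.168.0 255.255.255.0
object network obj_site_d
subnet 172.29.200.0 255.255.255.0
nat (outside,outside) source static obj_colo obj_colo destination static obj_lex obj_lex route-lookup
nat (outside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
nat (outside,outside) source static obj_lex obj_lex destination static obj_site_d obj_site_d
nat (inside,outside) source dynamic obj_HQ interface
"""


def nat_line(src, dst):
    """The identity rule the hub needs for traffic from spoke src to spoke dst."""
    return (f"nat (outside,outside) source static {src} {src} "
            f"destination static {dst} {dst} route-lookup")


def parse_hairpin_nat(text):
    """Return (intra_interface_enabled, {(src, dst): has_route_lookup}).

    Only identity rules (each object mapped to itself) are collected, since
    those are the ones that exempt spoke-to-spoke traffic from translation.
    """
    intra = False
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            intra = True
            continue
        m = NAT_RULE.match(line)
        if not m:
            continue
        real_src, mapped_src, mapped_dst, real_dst = m.group(1, 2, 3, 4)
        if real_src == mapped_src and mapped_dst == real_dst:
            rules[(real_src, real_dst)] = "route-lookup" in m.group("opts").split()
    return intra, rules


def check_hairpin(text, spokes):
    """Return (lines_to_add, pairs_without_route_lookup) for the given spokes."""
    intra, rules = parse_hairpin_nat(text)
    to_add, no_route_lookup = [], []
    if not intra:
        to_add.append("same-security-traffic permit intra-interface")
    for src, dst in permutations(spokes, 2):
        if (src, dst) not in rules:
            to_add.append(nat_line(src, dst))
        elif not rules[(src, dst)]:
            no_route_lookup.append((src, dst))
    return to_add, no_route_lookup


if __name__ == "__main__":
    add, fix = check_hairpin(SAMPLE_HUB_CONFIG, SPOKES)
    for line in add:
        print("missing:", line)
    for src, dst in fix:
        print(f"rule {src} -> {dst} exists but lacks route-lookup")
```

The check covers only the NAT and intra-interface side of the hub. The crypto ACLs are the other half: Site A's crypto map must select traffic to obj_colo, Site C's to obj_lex, and Site B's ACLs toward each spoke must carry the other spoke's subnet, otherwise the hub decrypts the packet and then has no SA to put it back into.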