05-12-2011 07:27 AM
I have two Cisco ASA 5505 routers. I followed the IPsec VPN wizard to set up the VPN. When I go to the monitoring tab on the ASDM, both routers show that they are connected to each other. Here's my problem: Router B can ping anything on Router A's network, but Router A can't ping anything on Router B's network, including the router.
Router A Config:
: Saved
:
ASA Version 8.2(1)
!
hostname *Router Name*
domain-name *Domain Name*
enable password POgOWyKyb0jgJ1Hm encrypted
passwd POgOWyKyb0jgJ1Hm encrypted
names
name 192.168.4.0 *other office*
name 10.0.1.2 Webserver
name 192.168.2.8 *server*
name 192.168.2.3 *another server*
name 192.168.8.0 *another office*
name 10.0.2.1 outside
name 10.0.2.3 *another server* description NAT 10.0.2.3 to xx.xx.xx.xx
name 10.0.2.6 WebServer description Nat 10.0.2.6 to xx.xx.xx.xx
name 192.168.2.163 Test
name 192.168.3.3 *3rd server*
name 192.168.2.12 UPS
name xx.xx1.xx.xx *Domain Name*
name 192.168.2.42 VIDEOIP
name 10.0.2.4 VIDEOIP
name xx.xx.xx.xx Postini
name 192.168.12.0 *ROUTER B*
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 10.0.2.2 255.255.255.0
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.254.0
ospf cost 10
!
interface Ethernet0/2
nameif SHAWCABLE
security-level 0
ip address dhcp setroute
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 10.0.1.1 255.255.255.0
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
regex domainlist1 "\.domain\.com"
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.2.6
domain-name *Domain Name*
object-group service RDP tcp
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq 3389
object-group service *Service*
description All *Service* Ports
service-object tcp eq 8080
service-object tcp eq 8739
service-object tcp eq *Service*-ica
object-group service DM_INLINE_SERVICE_1
group-object *Service*
service-object tcp eq https
service-object udp eq syslog
service-object tcp eq 8740
object-group service UPS tcp
description MGE Network Shutdown Ports
port-object eq 4679
port-object eq 4680
port-object eq 5000
object-group service DM_INLINE_TCP_1 tcp
group-object UPS
port-object eq www
object-group service BESR
service-object tcp eq 135
service-object tcp eq 137
service-object tcp eq 138
service-object tcp eq 8443
service-object tcp eq 764
service-object tcp eq 763
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq nameserver
object-group network DM_INLINE_NETWORK_1
network-object host LB-VMCTX01
network-object host * ANOTHER SERVER*
object-group network DM_INLINE_NETWORK_2
network-object 10.0.4.0 255.255.255.0
network-object * Another office* 255.255.254.0
object-group service Polycom
description Video Conferencing Ports
service-object tcp eq h323
service-object tcp range 3230 3243
service-object udp range 3230 3285
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host *Service*_Exchange
access-list Outside_access_in extended permit tcp any host WebServer-outside object-group DM_INLINE_TCP_2
access-list Outside_access_in remark Video Conferencing
access-list Outside_access_in extended permit object-group Polycom any host VIDEOIP-outside
access-list Outside_access_in extended permit icmp any any time-exceeded
access-list Outside_access_in extended permit icmp any any unreachable
access-list Outside_access_in extended permit icmp any any echo
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in remark Smtp from 64.18.0.0./20 to 10.0.2.3
access-list Outside_access_in extended permit tcp Postini 255.255.240.0 host *Service*_Exchange eq smtp
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 * Another office* 255.255.254.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 * Another office* 255.255.254.0
access-list Inside_nat0_outbound remark Exempt all client VPN connections
access-list Inside_nat0_outbound extended permit ip any xxx.xx.xx.x 255.255.255.128
access-list Inside_nat0_outbound remark Exempt all client VPN connections
access-list Inside_nat0_outbound extended permit ip any 192.168.10.192 255.255.255.192
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 *ROUTER B* 255.255.254.0
access-list Inside_nat0_outbound remark Exempt all client VPN connections
access-list Outside_cryptomap_Medhat extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
access-list Outside_cryptomap_Calg extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
access-list Outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 * Another office* 255.255.254.0
access-list DMZ_access_in extended permit object-group *Service* host Webserver-inside object-group DM_INLINE_NETWORK_1
access-list DMZ_access_in extended permit tcp host Webserver-inside host 192.168.2.6 eq www
access-list DMZ_access_in extended permit tcp host Webserver-inside host MGEUPS object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp 10.0.1.0 255.255.255.0 192.168.2.0 255.255.254.0 eq 81
access-list DMZ_access_in extended permit tcp 10.0.1.0 255.255.255.0 192.168.2.0 255.255.254.0 eq ftp
access-list DMZ_access_in extended deny ip any 192.168.2.0 255.255.254.0
access-list *VPN Name*_splitTunnelAcl standard permit any
access-list *Office* standard permit 192.168.2.0 255.255.254.0
access-list Outside_mpc extended permit ip any 192.168.6.0 255.255.254.0
access-list SMTP extended permit tcp host * ANOTHER SERVER* any eq smtp
access-list global_mpc extended permit tcp any any eq 5001 inactive
access-list inside_mpc extended permit tcp any any eq www inactive
access-list inside_mpc extended permit tcp any any eq 8080 inactive
access-list 101 extended permit ip host 192.168.3.42 any
access-list Outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 *ROUTER B* 255.255.254.0
pager lines 24
logging enable
logging list Debugging_All level debugging
logging buffer-size 8000
logging asdm debugging
logging from-address cisco@*Domain Name*
flow-export destination Inside 192.168.3.53 850
flow-export template timeout-rate 15
mtu Outside 1500
mtu Inside 1500
mtu SHAWCABLE 1500
mtu DMZ 1500
mtu management 1500
ip local pool TestLocalAddresses xxx.xx.x.xx-xx.xx.x.xxx mask 255.255.255.0
ip local pool RemoteVpnPool 192.168.10.200-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 10 interface
global (Outside) 1 *Service*_Exchange
global (Outside) 20 10.0.2.10 netmask 255.255.255.255
global (Inside) 1 xx.xx.xx.72-xx.xx.xx.78 netmask 255.255.255.248
global (SHAWCABLE) 101 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 access-list SMTP
nat (Inside) 20 0.0.0.0 0.0.0.0
nat (DMZ) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp *Service*_Exchange smtp * ANOTHER SERVER* smtp netmask 255.255.255.255
static (Inside,Outside) tcp *Service*_Exchange *Service*-ica *SERVER* *Service*-ica netmask 255.255.255.255
static (Inside,Outside) tcp *Service*_Exchange 8080 *SERVER* 8080 netmask 255.255.255.255
static (Inside,Outside) tcp *Service*_Exchange 8739 *SERVER* 8739 netmask 255.255.255.255
static (Inside,Outside) tcp *Service*_Exchange https * ANOTHER SERVER* https netmask 255.255.255.255
static (Inside,Outside) tcp *Service*_Exchange 8740 * ANOTHER SERVER* 8740 netmask 255.255.255.255
static (DMZ,Outside) WebServer-outside Webserver-inside netmask 255.255.255.255
static (DMZ,Inside) *Service*.*Domain Name* Webserver-inside netmask 255.255.255.255
static (Inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.254.0
static (Inside,Outside) VIDEOIP-outside VIDEOIP-inside netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 outside 1
route SHAWCABLE 0.0.0.0 0.0.0.0 70.65.224.82 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server *Office* protocol radius
aaa-server *Office* (Inside) host 192.168.2.6
key test
radius-common-pw test
url-server (Inside) vendor websense host 192.168.3.52 timeout 10 protocol TCP version 4 connections 5
aaa authentication ssh console LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 Inside
http 192.168.2.0 255.255.254.0 Inside
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Outside
snmp-server host Inside 192.168.2.18 community public
snmp-server location *Office*
snmp-server contact Name
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_cryptomap_Calg
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer *xxx.xxx.xxx*.6
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 2 match address Outside_2_cryptomap
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer *xxx.xxx.xxx*.254
crypto map Outside_map 2 set transform-set ESP-3DES-SHA
crypto map Outside_map 2 set security-association lifetime seconds 28800
crypto map Outside_map 2 set security-association lifetime kilobytes 4608000
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs group1
crypto map Outside_map 3 set peer *ROUTER B EXTERNAL IP ADDRESS*
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_Medhat
crypto map Outside_map 20 set peer *xxx.xxx.xxx*.10
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set security-association lifetime seconds 28800
crypto map Outside_map 20 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn *xxx.xxx.xxx*.2
subject-name CN=*xxx.xxx.xxx*.2
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate d4ae0d4b
quit
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.254.0 Inside
telnet timeout 30
ssh timeout 5
console timeout 0
management-access Inside
dhcp-client client-id interface SHAWCABLE
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcprelay server 192.168.2.6 Inside
priority-queue Outside
priority-queue Inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 129.6.15.28 source Outside prefer
ssl trust-point ASDM_TrustPoint0
webvpn
enable Outside
enable Inside
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc profiles Anyconnect disk0:/AnyConnectProfile.xml
svc profiles SBL disk0:/AnyConnectProfile.xml
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy vpn internal
group-policy vpn attributes
wins-server value 192.168.2.6
dns-server value 192.168.2.6 192.168.2.7
vpn-tunnel-protocol IPSec
default-domain value *Domain Name*
group-policy *VPN Name* internal
group-policy *VPN Name* attributes
wins-server value 192.168.2.6
dns-server value 192.168.2.6 192.168.2.2
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value *Office*
default-domain value *Domain Name*
split-dns value *Domain Name*
webvpn
svc modules value vpngina
svc profiles value Anyconnect
group-policy SBL internal
group-policy SBL attributes
webvpn
svc modules value vpngina
svc profiles value Anyconnect
username admin password shbn5zbLkuHP/mJX encrypted privilege 15
username user password V9WDqkbVcVAqrUu3rqCccA== nt-encrypted
username mpeeng password KqzErd5TLyODddx0 encrypted privilege 0
username mpeeng attributes
vpn-group-policy vpn
tunnel-group DefaultRAGroup general-attributes
authentication-server-group *Office*
authentication-server-group (Inside) *Office*
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool TestLocalAddresses
authentication-server-group *Office*
default-group-policy *VPN Name*
tunnel-group *xxx.xxx.xxx*.10 type ipsec-l2l
tunnel-group *xxx.xxx.xxx*.10 ipsec-attributes
pre-shared-key *
tunnel-group *xxx.xxx.xxx*.6 type ipsec-l2l
tunnel-group *xxx.xxx.xxx*.6 ipsec-attributes
pre-shared-key *
tunnel-group *xxx.xxx.xxx*.254 type ipsec-l2l
tunnel-group *xxx.xxx.xxx*.254 ipsec-attributes
pre-shared-key *
tunnel-group *VPN Name* type remote-access
tunnel-group *VPN Name* general-attributes
address-pool TestLocalAddresses
authentication-server-group *Office*
default-group-policy *VPN Name*
dhcp-server 192.168.2.6
dhcp-server 192.168.2.7
tunnel-group *VPN Name* webvpn-attributes
group-alias *Office* enable
tunnel-group *VPN Name* ipsec-attributes
pre-shared-key *
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool RemoteVpnPool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
tunnel-group *ROUTER B EXTERNAL IP ADDRESS* type ipsec-l2l
tunnel-group *ROUTER B EXTERNAL IP ADDRESS* ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
class-map type regex match-any DomainBlockList
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map DM_INLINE_Child-Class1
match access-list global_mpc
class-map DM_INLINE_Child-Class
match port tcp eq 5001
class-map pptp-port
match port tcp eq pptp
class-map httptraffic
match access-list inside_mpc
match default-inspection-traffic
!
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
class BlockDomainsClass
reset log
policy-map DM_INLINE_Child-Policy
class DM_INLINE_Child-Class
priority
policy-map type inspect im BlockIM
parameters
match protocol msn-im yahoo-im
drop-connection log
policy-map Inside-policy
class httptraffic
inspect http http_inspection_policy
policy-map global_policy
class class-default
policy-map global-policy
class global-class
inspect im BlockIM
inspect pptp
inspect ftp
class class-default
flow-export event-type all destination 192.168.3.53
policy-map outside_policy
class pptp-port
inspect pptp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map VideoPolicy
policy-map DM_INLINE_Child-Policy1
class DM_INLINE_Child-Class1
priority
!
service-policy global-policy global
service-policy outside_policy interface Outside
service-policy Inside-policy interface Inside
prompt hostname context
Cryptochecksum:c6aa4f292c23a90ffc50052908bb0350
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.3.99 255.255.255.255 Inside
asdm location Webserver-inside 255.255.255.255 Inside
asdm location *SERVER* 255.255.255.255 Inside
asdm location * Another office* 255.255.254.0 Inside
asdm location outside 255.255.255.255 Inside
asdm location *Service*_Exchange 255.255.255.255 Inside
asdm location WebServer-outside 255.255.255.255 Inside
asdm location *Service*.*Domain Name* 255.255.255.255 Inside
asdm location * ANOTHER SERVER* 255.255.255.255 Inside
asdm location MGEUPS 255.255.255.255 Inside
asdm location Postini 255.255.240.0 Inside
asdm location *ROUTER B* 255.255.254.0 Inside
no asdm history enable
Router A has a lot of stuff because it is a main office and it connects to other offices.
Router B Config:
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.12.1 255.255.254.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_dhcp 192.168.1.200-192.168.1.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.12.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer *ROUTER A EXTERNAL IP ADDRESS*
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.12.100-192.168.12.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy *VPN Name* internal
group-policy *VPN Name* attributes
vpn-tunnel-protocol IPSec
username admin password shbn5zbLkuHP/mJX encrypted privilege 15
username mpeeng password KqzErd5TLyODddx0 encrypted privilege 0
username mpeeng attributes
vpn-group-policy *VPN Name*
tunnel-group *ROUTER A EXTERNAL IP ADDRESS* type ipsec-l2l
tunnel-group *ROUTER A EXTERNAL IP ADDRESS* ipsec-attributes
pre-shared-key *
tunnel-group *VPN Name* type remote-access
tunnel-group *VPN Name* general-attributes
address-pool vpn_dhcp
default-group-policy *VPN Name*
tunnel-group *VPN Name* ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c05fd7200f28330effc544eac551f5c
: end
asdm image disk0:/asdm-621.bin
asdm location 192.168.2.0 255.255.254.0 inside
no asdm history enable
Any ideas why B can ping A but A can't ping B?
Thanks,
05-12-2011 12:15 PM
Here is some more information:
The DHCP range for Router B is 192.168.12.100-192.168.12.254.
I have a NAS box with a static IP of 192.168.12.20 on Router B's network; I can ping the NAS box from Router A's network.
Also, the VPN tunnel seems to close itself: it was connected before I went for lunch, but when I came back it had closed. I tried to ping the NAS box from a computer on Router A's network, but that didn't reopen the tunnel (and I couldn't ping the NAS box). I pinged a computer on Router A's network from Router B's network and that opened the tunnel back up; once the tunnel was open I could ping the NAS box again.