Need help with a site to site VPN

jsandau
Level 1

I have two Cisco ASA 5505 routers. I followed the IPsec VPN wizard to set up the VPN. When I go to the monitoring tab on the ASDM, both routers show that they are connected to each other. Here's my problem: Router B can ping anything on Router A's network, but Router A can't ping anything on Router B's network, including the router.

Router A Config:

: Saved

:

ASA Version 8.2(1)

!

hostname *Router Name*

domain-name *Domain Name*

enable password POgOWyKyb0jgJ1Hm encrypted

passwd POgOWyKyb0jgJ1Hm encrypted

names

name 192.168.4.0 *other office*

name 10.0.1.2 Webserver

name 192.168.2.8 *server*

name 192.168.2.3 *another server*

name 192.168.8.0 *another office*

name 10.0.2.1 outside

name 10.0.2.3 *another server* description NAT 10.0.2.3 to xx.xx.xx.xx

name 10.0.2.6 WebServer description Nat 10.0.2.6 to xx.xx.xx.xx

name 192.168.2.163 Test

name 192.168.3.3 *3rd server*

name 192.168.2.12 UPS

name xx.xx1.xx.xx *Domain Name*

name 192.168.2.42 VIDEOIP

name 10.0.2.4 VIDEOIP

name xx.xx.xx.xx Postini

name 192.168.12.0 *ROUTER B*

dns-guard

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 10.0.2.2 255.255.255.0

ospf cost 10

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.2.1 255.255.254.0

ospf cost 10

!

interface Ethernet0/2

nameif SHAWCABLE

security-level 0

ip address dhcp setroute

!

interface Ethernet0/3

nameif DMZ

security-level 50

ip address 10.0.1.1 255.255.255.0

ospf cost 10

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

management-only

!

regex domainlist1 "\.domain\.com"

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns domain-lookup Inside

dns server-group DefaultDNS

name-server 192.168.2.6

domain-name *Domain Name*

object-group service RDP tcp

port-object eq 3389

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

port-object eq ftp

port-object eq 3389

object-group service *Service*

description All *Service* Ports

service-object tcp eq 8080

service-object tcp eq 8739

service-object tcp eq *Service*-ica

object-group service DM_INLINE_SERVICE_1

group-object *Service*

service-object tcp eq https

service-object udp eq syslog

service-object tcp eq 8740

object-group service UPS tcp

description MGE Network Shutdown Ports

port-object eq 4679

port-object eq 4680

port-object eq 5000

object-group service DM_INLINE_TCP_1 tcp

group-object UPS

port-object eq www

object-group service BESR

service-object tcp eq 135

service-object tcp eq 137

service-object tcp eq 138

service-object tcp eq 8443

service-object tcp eq 764

service-object tcp eq 763

service-object tcp eq netbios-ssn

service-object udp eq netbios-dgm

service-object udp eq netbios-ns

service-object udp eq nameserver

object-group network DM_INLINE_NETWORK_1

network-object host LB-VMCTX01

network-object host * ANOTHER SERVER*

object-group network DM_INLINE_NETWORK_2

network-object 10.0.4.0 255.255.255.0

network-object * Another office* 255.255.254.0

object-group service Polycom

description Video Conferencing Ports

service-object tcp eq h323

service-object tcp range 3230 3243

service-object udp range 3230 3285

access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host *Service*_Exchange

access-list Outside_access_in extended permit tcp any host WebServer-outside object-group DM_INLINE_TCP_2

access-list Outside_access_in remark Video Conferencing

access-list Outside_access_in extended permit object-group Polycom any host VIDEOIP-outside

access-list Outside_access_in extended permit icmp any any time-exceeded

access-list Outside_access_in extended permit icmp any any unreachable

access-list Outside_access_in extended permit icmp any any echo

access-list Outside_access_in extended permit icmp any any echo-reply

access-list Outside_access_in remark Smtp from 64.18.0.0./20 to 10.0.2.3

access-list Outside_access_in extended permit tcp Postini 255.255.240.0 host *Service*_Exchange eq smtp

access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0

access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 * Another office* 255.255.254.0

access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 * Another office* 255.255.254.0

access-list Inside_nat0_outbound remark Exempt all client VPN connections

access-list Inside_nat0_outbound extended permit ip any xxx.xx.xx.x 255.255.255.128

access-list Inside_nat0_outbound remark Exempt all client VPN connections

access-list Inside_nat0_outbound extended permit ip any 192.168.10.192 255.255.255.192

access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 *ROUTER B* 255.255.254.0

access-list Inside_nat0_outbound remark Exempt all client VPN connections

access-list Outside_cryptomap_Medhat extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0

access-list Outside_cryptomap_Calg extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2

access-list Outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 * Another office* 255.255.254.0

access-list DMZ_access_in extended permit object-group *Service* host Webserver-inside object-group DM_INLINE_NETWORK_1

access-list DMZ_access_in extended permit tcp host Webserver-inside host 192.168.2.6 eq www

access-list DMZ_access_in extended permit tcp host Webserver-inside host MGEUPS object-group DM_INLINE_TCP_1

access-list DMZ_access_in extended permit tcp 10.0.1.0 255.255.255.0 192.168.2.0 255.255.254.0 eq 81

access-list DMZ_access_in extended permit tcp 10.0.1.0 255.255.255.0 192.168.2.0 255.255.254.0 eq ftp

access-list DMZ_access_in extended deny ip any 192.168.2.0 255.255.254.0

access-list *VPN Name*_splitTunnelAcl standard permit any

access-list *Office* standard permit 192.168.2.0 255.255.254.0

access-list Outside_mpc extended permit ip any 192.168.6.0 255.255.254.0

access-list SMTP extended permit tcp host * ANOTHER SERVER* any eq smtp

access-list global_mpc extended permit tcp any any eq 5001 inactive

access-list inside_mpc extended permit tcp any any eq www inactive

access-list inside_mpc extended permit tcp any any eq 8080 inactive

access-list 101 extended permit ip host 192.168.3.42 any

access-list Outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 *ROUTER B* 255.255.254.0

pager lines 24

logging enable

logging list Debugging_All level debugging

logging buffer-size 8000

logging asdm debugging

logging from-address cisco@*Domain Name*

flow-export destination Inside 192.168.3.53 850

flow-export template timeout-rate 15

mtu Outside 1500

mtu Inside 1500

mtu SHAWCABLE 1500

mtu DMZ 1500

mtu management 1500

ip local pool TestLocalAddresses xxx.xx.x.xx-xx.xx.x.xxx mask 255.255.255.0

ip local pool RemoteVpnPool 192.168.10.200-192.168.10.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 10 interface

global (Outside) 1 *Service*_Exchange

global (Outside) 20 10.0.2.10 netmask 255.255.255.255

global (Inside) 1 xx.xx.xx.72-xx.xx.xx.78 netmask 255.255.255.248

global (SHAWCABLE) 101 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 access-list SMTP

nat (Inside) 20 0.0.0.0 0.0.0.0

nat (DMZ) 10 0.0.0.0 0.0.0.0

nat (management) 10 0.0.0.0 0.0.0.0

static (Inside,Outside) tcp *Service*_Exchange smtp * ANOTHER SERVER* smtp netmask 255.255.255.255

static (Inside,Outside) tcp *Service*_Exchange *Service*-ica *SERVER**Service*-ica netmask 255.255.255.255

static (Inside,Outside) tcp *Service*_Exchange 8080 *SERVER*8080 netmask 255.255.255.255

static (Inside,Outside) tcp *Service*_Exchange 8739 *SERVER*8739 netmask 255.255.255.255

static (Inside,Outside) tcp *Service*_Exchange https * ANOTHER SERVER* https netmask 255.255.255.255

static (Inside,Outside) tcp *Service*_Exchange 8740 * ANOTHER SERVER* 8740 netmask 255.255.255.255

static (DMZ,Outside) WebServer-outside Webserver-inside netmask 255.255.255.255

static (DMZ,Inside) *Service*.*Domain Name* Webserver-inside netmask 255.255.255.255

static (Inside,DMZ) 192.168.2.0 192.168.2.0 netmask 255.255.254.0

static (Inside,Outside) VIDEOIP-outside VIDEOIP-inside netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group DMZ_access_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 outside 1

route SHAWCABLE 0.0.0.0 0.0.0.0 70.65.224.82 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server *Office* protocol radius

aaa-server *Office* (Inside) host 192.168.2.6

key test

radius-common-pw test

url-server (Inside) vendor websense host 192.168.3.52 timeout 10 protocol TCP version 4 connections 5

aaa authentication ssh console LOCAL

http server enable 444

http 0.0.0.0 0.0.0.0 Inside

http 192.168.2.0 255.255.254.0 Inside

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 Outside

snmp-server host Inside 192.168.2.18 community public

snmp-server location *Office*

snmp-server contact Name

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_cryptomap_Calg

crypto map Outside_map 1 set pfs

crypto map Outside_map 1 set peer *xxx.xxx.xxx*.6

crypto map Outside_map 1 set transform-set ESP-3DES-SHA

crypto map Outside_map 1 set security-association lifetime seconds 28800

crypto map Outside_map 1 set security-association lifetime kilobytes 4608000

crypto map Outside_map 2 match address Outside_2_cryptomap

crypto map Outside_map 2 set pfs

crypto map Outside_map 2 set peer *xxx.xxx.xxx*.254

crypto map Outside_map 2 set transform-set ESP-3DES-SHA

crypto map Outside_map 2 set security-association lifetime seconds 28800

crypto map Outside_map 2 set security-association lifetime kilobytes 4608000

crypto map Outside_map 3 match address Outside_3_cryptomap

crypto map Outside_map 3 set pfs group1

crypto map Outside_map 3 set peer *ROUTER B EXTERNAL IP ADDRESS*

crypto map Outside_map 3 set transform-set ESP-3DES-SHA

crypto map Outside_map 20 match address Outside_cryptomap_Medhat

crypto map Outside_map 20 set peer *xxx.xxx.xxx*.10

crypto map Outside_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map 20 set security-association lifetime seconds 28800

crypto map Outside_map 20 set security-association lifetime kilobytes 4608000

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface Outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn *xxx.xxx.xxx*.2

subject-name CN=*xxx.xxx.xxx*.2

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate d4ae0d4b

    30820248 308201b1 a0030201 020204d4 ae0d4b30 0d06092a 864886f7 0d010104

    05003036 31163014 06035504 03130d32 30382e31 31382e31 30332e32 311c301a

    06092a86 4886f70d 01090216 0d323038 2e313138 2e313033 2e32301e 170d3039

    31313235 32323235 32345a17 0d313931 31323332 32323532 345a3036 31163014

    06035504 03130d32 30382e31 31382e31 30332e32 311c301a 06092a86 4886f70d

    01090216 0d323038 2e313138 2e313033 2e323081 9f300d06 092a8648 86f70d01

    01010500 03818d00 30818902 818100ab 7eb19c09 45596e13 e7636253 ea33043f

    451fe718 740ef7ac 0b031012 f7eae3bc c72aedf1 8221cef1 396f5b4c e637582b

    9c984f6d 20ca0185 0e298276 58dcae5a 43d2d80f 266a4808 c92b3ee1 9a089a7f

    4a32e287 01c450ab 212d730b dcdd4664 704ae270 b48fd327 90d70b92 277f64c3

    178cc0c9 423b9edf 22842161 a8610502 03010001 a3633061 300f0603 551d1301

    01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06 03551d23

    04183016 8014611e 894eb537 b833baa3 e623ee8c 1a079168 1a2b301d 0603551d

    0e041604 14611e89 4eb537b8 33baa3e6 23ee8c1a 0791681a 2b300d06 092a8648

    86f70d01 01040500 03818100 6a025f74 f962cb8f 6c949abb 52bf3967 4feda62f

    c61abec7 22919319 739f19e5 1d9c4476 4af78527 6f521324 fa9ef21d baaf747c

    5c53e27f ce0289df 713aae6b d4a21634 d031d3f2 f9db1b64 1ce5d764 f91213e6

    695a5aaa d39bc718 6b5feaaf 3967d7bb f220fb6e 1661166e 3442f301 f1acbe31

    1698f129 99c3c332 07d64635

  quit

crypto isakmp identity hostname

crypto isakmp enable Outside

crypto isakmp enable Inside

crypto isakmp enable management

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.2.0 255.255.254.0 Inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access Inside

dhcp-client client-id interface SHAWCABLE

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcprelay server 192.168.2.6 Inside

priority-queue Outside

priority-queue Inside

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 129.6.15.28 source Outside prefer

ssl trust-point ASDM_TrustPoint0

webvpn

enable Outside

enable Inside

svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1

svc profiles Anyconnect disk0:/AnyConnectProfile.xml

svc profiles SBL disk0:/AnyConnectProfile.xml

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy vpn internal

group-policy vpn attributes

wins-server value 192.168.2.6

dns-server value 192.168.2.6 192.168.2.7

vpn-tunnel-protocol IPSec

default-domain value *Domain Name*

group-policy *VPN Name* internal

group-policy *VPN Name* attributes

wins-server value 192.168.2.6

dns-server value 192.168.2.6 192.168.2.2

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value *Office*

default-domain value *Domain Name*

split-dns value *Domain Name*

webvpn

  svc modules value vpngina

  svc profiles value Anyconnect

group-policy SBL internal

group-policy SBL attributes

webvpn

  svc modules value vpngina

  svc profiles value Anyconnect

username admin password shbn5zbLkuHP/mJX encrypted privilege 15

username user password V9WDqkbVcVAqrUu3rqCccA== nt-encrypted

username mpeeng password KqzErd5TLyODddx0 encrypted privilege 0

username mpeeng attributes

vpn-group-policy vpn

tunnel-group DefaultRAGroup general-attributes

authentication-server-group *Office*

authentication-server-group (Inside) *Office*

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool TestLocalAddresses

authentication-server-group *Office*

default-group-policy *VPN Name*

tunnel-group *xxx.xxx.xxx*.10 type ipsec-l2l

tunnel-group *xxx.xxx.xxx*.10 ipsec-attributes

pre-shared-key *

tunnel-group *xxx.xxx.xxx*.6 type ipsec-l2l

tunnel-group *xxx.xxx.xxx*.6 ipsec-attributes

pre-shared-key *

tunnel-group *xxx.xxx.xxx*.254 type ipsec-l2l

tunnel-group *xxx.xxx.xxx*.254 ipsec-attributes

pre-shared-key *

tunnel-group *VPN Name* type remote-access

tunnel-group *VPN Name* general-attributes

address-pool TestLocalAddresses

authentication-server-group *Office*

default-group-policy *VPN Name*

dhcp-server 192.168.2.6

dhcp-server 192.168.2.7

tunnel-group *VPN Name* webvpn-attributes

group-alias *Office* enable

tunnel-group *VPN Name* ipsec-attributes

pre-shared-key *

tunnel-group vpn type remote-access

tunnel-group vpn general-attributes

address-pool RemoteVpnPool

default-group-policy vpn

tunnel-group vpn ipsec-attributes

pre-shared-key *

tunnel-group *ROUTER B EXTERNAL IP ADDRESS* type ipsec-l2l

tunnel-group *ROUTER B EXTERNAL IP ADDRESS* ipsec-attributes

pre-shared-key *

!

class-map global-class

match default-inspection-traffic

class-map type regex match-any DomainBlockList

match regex domainlist1

class-map type inspect http match-all BlockDomainsClass

match request header host regex class DomainBlockList

class-map DM_INLINE_Child-Class1

match access-list global_mpc

class-map DM_INLINE_Child-Class

match port tcp eq 5001

class-map pptp-port

match port tcp eq pptp

class-map httptraffic

match access-list inside_mpc

match default-inspection-traffic

!

!

policy-map type inspect http http_inspection_policy

parameters

  protocol-violation action drop-connection

class BlockDomainsClass

  reset log

policy-map DM_INLINE_Child-Policy

class DM_INLINE_Child-Class

  priority

policy-map type inspect im BlockIM

parameters

match protocol msn-im yahoo-im

  drop-connection log

policy-map Inside-policy

class httptraffic

  inspect http http_inspection_policy

policy-map global_policy

class class-default

policy-map global-policy

class global-class

  inspect im BlockIM

  inspect pptp

  inspect ftp

class class-default

  flow-export event-type all destination 192.168.3.53

policy-map outside_policy

class pptp-port

  inspect pptp

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map VideoPolicy

policy-map DM_INLINE_Child-Policy1

class DM_INLINE_Child-Class1

  priority

!

service-policy global-policy global

service-policy outside_policy interface Outside

service-policy Inside-policy interface Inside

prompt hostname context

Cryptochecksum:c6aa4f292c23a90ffc50052908bb0350

: end

asdm image disk0:/asdm-621.bin

asdm location 192.168.3.99 255.255.255.255 Inside

asdm location Webserver-inside 255.255.255.255 Inside

asdm location *SERVER*255.255.255.255 Inside

asdm location * Another office* 255.255.254.0 Inside

asdm location outside 255.255.255.255 Inside

asdm location *Service*_Exchange 255.255.255.255 Inside

asdm location WebServer-outside 255.255.255.255 Inside

asdm location *Service*.*Domain Name* 255.255.255.255 Inside

asdm location * ANOTHER SERVER* 255.255.255.255 Inside

asdm location MGEUPS 255.255.255.255 Inside

asdm location Postini 255.255.240.0 Inside

asdm location *ROUTER B* 255.255.254.0 Inside

no asdm history enable

Router A has a lot of stuff because it is a main office and it connects to other offices.

Router B Config:

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password POgOWyKyb0jgJ1Hm encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.12.1 255.255.254.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa821-k8.bin

ftp mode passive

access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0

access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn_dhcp 192.168.1.200-192.168.1.250 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.12.0 255.255.254.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer *ROUTER A EXTERNAL IP ADDRESS*

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd update dns both

!

dhcpd address 192.168.12.100-192.168.12.254 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy *VPN Name* internal

group-policy *VPN Name* attributes

vpn-tunnel-protocol IPSec

username admin password shbn5zbLkuHP/mJX encrypted privilege 15

username mpeeng password KqzErd5TLyODddx0 encrypted privilege 0

username mpeeng attributes

vpn-group-policy *VPN Name*

tunnel-group *ROUTER A EXTERNAL IP ADDRESS* type ipsec-l2l

tunnel-group *ROUTER A EXTERNAL IP ADDRESS* ipsec-attributes

pre-shared-key *

tunnel-group *VPN Name* type remote-access

tunnel-group *VPN Name* general-attributes

address-pool vpn_dhcp

default-group-policy *VPN Name*

tunnel-group *VPN Name* ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1c05fd7200f28330effc544eac551f5c

: end

asdm image disk0:/asdm-621.bin

asdm location 192.168.2.0 255.255.254.0 inside

no asdm history enable

Any Ideas why B can ping A but A can't ping B?

Thanks,

1 Reply

jsandau
Level 1

Here is some more information:

The DHCP for router B is 192.168.12.100-192.168.12.254

I have a NAS box with a static IP of 192.168.12.20 on Router B's network. I can ping the NAS box from Router A's network.

Also, the VPN tunnel seems to close itself. It was connected before I went for lunch, but when I came back it had closed. I tried to ping the NAS box from a computer on Router A's network, but that didn't reopen the tunnel (and I couldn't ping the NAS box). I pinged a computer on Router A's network from Router B's network and that opened the tunnel back up; once the tunnel was open I could ping the NAS box again.
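Editor's note: for a site-to-site tunnel on ASA 8.2 the two things to verify first when traffic only flows one way, or when only one side can bring the tunnel up, are that the crypto-map ACLs on the two peers are exact mirror images (same networks and masks, source and destination swapped) and that the NAT-exempt (nat 0) ACL on each side covers the same traffic. The script below is an added example, not code from the post or from Cisco. It parses just those lines out of two ASA configs and reports any mismatch. The constructed samples reproduce the tunnel-relevant lines from the two configs above, with the redacted peer addresses replaced by placeholders (203.0.113.1 for Router A's external address, 198.51.100.2 for Router B's); the `name` alias `RouterB-LAN` stands in for the redacted `*ROUTER B*` alias. On those lines the posted pair passes both checks, so the asymmetry described here is not explained by the crypto ACLs or NAT exemption alone; a second sample with a mask typo shows what a real mismatch looks like. Object-group references are not expanded.

```python
"""Mirror-image check for an ASA 8.2 site-to-site IPsec pair (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source network, destination network)


def _take_net(tokens: List[str], names: Dict[str, str]) -> Tuple[Optional[Net], List[str]]:
    """Consume one ASA address spec ('any', 'host X', 'X MASK', or a 'name' alias).
    Object-group references are not expanded here and yield None."""
    if not tokens:
        return None, tokens
    tok = tokens[0]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    if tok == "object-group":
        return None, tokens[2:]
    addr = names.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_asa(text: str) -> dict:
    """Pull out name aliases, 'permit ip' ACL entries, crypto-map peer/ACL pairs and nat 0 ACLs."""
    cfg = {"names": {}, "acls": {}, "crypto": {}, "nat0": []}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:
            cfg["names"][t[2]] = t[1]  # alias -> address
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_net(t[5:], cfg["names"])
            dst, _ = _take_net(rest, cfg["names"])
            if src is not None and dst is not None:
                cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            entry = cfg["crypto"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[0] == "nat" and len(t) >= 5 and t[2:4] == ["0", "access-list"]:
            cfg["nat0"].append(t[4])
    return cfg


def interesting_traffic(cfg: dict) -> Dict[str, List[Pair]]:
    """Map each static L2L peer to the (src, dst) pairs its crypto-map ACL protects."""
    out: Dict[str, List[Pair]] = {}
    for entry in cfg["crypto"].values():
        if "peer" in entry and "acl" in entry:
            out.setdefault(entry["peer"], []).extend(cfg["acls"].get(entry["acl"], []))
    return out


def nat_exempt_pairs(cfg: dict) -> List[Pair]:
    return [p for acl in cfg["nat0"] for p in cfg["acls"].get(acl, [])]


def _covered(pair: Pair, exempt: List[Pair]) -> bool:
    src, dst = pair
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)


def check_pair(cfg_a: dict, peer_b: str, cfg_b: dict, peer_a: str) -> List[str]:
    """Findings for one tunnel: side A's crypto entry for peer_b versus side B's entry for peer_a.
    An empty list means the crypto ACLs mirror each other and both sides NAT-exempt the traffic."""
    findings: List[str] = []
    a_pairs = interesting_traffic(cfg_a).get(peer_b, [])
    b_pairs = interesting_traffic(cfg_b).get(peer_a, [])
    if not a_pairs:
        findings.append(f"A has no crypto-map entry with an ACL for peer {peer_b}")
    if not b_pairs:
        findings.append(f"B has no crypto-map entry with an ACL for peer {peer_a}")
    mirrored_b = {(d, s) for s, d in b_pairs}
    for s, d in a_pairs:
        if (s, d) not in mirrored_b:
            findings.append(f"A protects {s} -> {d} but B has no mirror entry {d} -> {s}")
    for s, d in b_pairs:
        if (d, s) not in set(a_pairs):
            findings.append(f"B protects {s} -> {d} but A has no mirror entry {d} -> {s}")
    for side, pairs, cfg in (("A", a_pairs, cfg_a), ("B", b_pairs, cfg_b)):
        exempt = nat_exempt_pairs(cfg)
        for p in pairs:
            if not _covered(p, exempt):
                findings.append(f"{side}: {p[0]} -> {p[1]} is not NAT-exempt (no matching nat 0 ACL entry)")
    return findings


# Constructed samples: the tunnel-relevant lines of the two posted configs, with the
# redacted peer addresses replaced by documentation-range placeholders.
ROUTER_A = """
name 192.168.12.0 RouterB-LAN
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 RouterB-LAN 255.255.254.0
access-list Inside_nat0_outbound extended permit ip any 192.168.10.192 255.255.255.192
access-list Outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 RouterB-LAN 255.255.254.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 3 match address Outside_3_cryptomap
crypto map Outside_map 3 set pfs group1
crypto map Outside_map 3 set peer 198.51.100.2
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
"""
ROUTER_B = """
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map interface outside
"""
# Same as ROUTER_B but with a /24 mask typed for the remote LAN instead of /23.
ROUTER_B_BROKEN = ROUTER_B.replace("192.168.2.0 255.255.254.0\nnat", "192.168.2.0 255.255.254.0\nnat").replace(
    "outside_1_cryptomap extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.254.0",
    "outside_1_cryptomap extended permit ip 192.168.12.0 255.255.254.0 192.168.2.0 255.255.255.0")

if __name__ == "__main__":
    a, b = parse_asa(ROUTER_A), parse_asa(ROUTER_B)
    print("posted pair:", check_pair(a, "198.51.100.2", b, "203.0.113.1") or "mirrored and NAT-exempt on both sides")
    print("mask typo:", check_pair(a, "198.51.100.2", parse_asa(ROUTER_B_BROKEN), "203.0.113.1"))
```

Run it against the full `show running-config` text of both units (peer addresses as they appear in `set peer`); any finding is a concrete line to correct before digging into ISAKMP or IPsec debugs.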