cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2636
Views
0
Helpful
47
Replies

problem with l2l vpn

goran ljubic
Level 1
Level 1

i have two asa's 5505 in l2l vpn. l2l vpn had worked ok ,but now i have problem.my configuration is LAN(192.168.5.0)>inside asa5505(192.168.5.1) inside of router(10.15.100.1) >router inside(10.13.174.1)>asa 5505 inside 192.168.0.17> LAN(192.168.0.0)

configuration asa 5505 from LAN (192.168.0.0)

                 

ASA Version 8.2(1)
!
hostname ciscoasa
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.5.0 PALATA
name 192.168.50.0 VPN-POOL
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.17 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.13.74.33 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp eq domain
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
object-group service Sharepoint8080 tcp
port-object eq 8080
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail errors
logging from-address gljubic@gmail.com
logging recipient-address gljubic@gmail.com level debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) 10.13.74.35 192.168.0.22 netmask 255.255.255.255
static (inside,outside) 10.13.74.34 192.168.0.20 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.13.74.1 1
route inside VPN-POOL 255.255.255.0 192.168.0.10 1
route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.15.100.0 255.255.255.0 outside
http 10.13.74.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 192.168.0.53
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.15.100.15
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username driadmin password AojCAMO/soZo8W.W encrypted privilege 15
tunnel-group 10.15.100.15 type ipsec-l2l
tunnel-group 10.15.100.15 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 173.194.79.109
prompt hostname context
Cryptochecksum:22d84dcad2f930132ac4eab4b4fb2543
: end


configuration of asa from lan 192.168.5.0

ASA Version 8.4(2)
!
hostname asa-siv
enable password csq7sfr0bQJqMGET encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.15.100.15 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network local
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
object network uprava
subnet 192.168.5.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object tcp
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object tcp
service-object icmp echo-reply
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.5.0_24 object NETWORK_OBJ_192.168.0.0_24
access-list inside_to_outside extended permit object-group DM_INLINE_SERVICE_2 object NETWORK_OBJ_192.168.5.0_24 any
access-list inside_to_outside extended permit object-group DM_INLINE_SERVICE_3 any any
access-list inside_to_outside extended permit tcp object NETWORK_OBJ_192.168.5.0_24 any eq www
access-list inside_to_outside extended permit tcp object NETWORK_OBJ_192.168.5.0_24 any eq https
access-list inside_to_outside extended permit udp object NETWORK_OBJ_192.168.5.0_24 any eq domain
access-list inside_to_outside extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24 destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup
!
object network uprava
nat (inside,outside) static 10.15.100.16 dns
access-group inside_to_outside in interface inside
route outside 0.0.0.0 0.0.0.0 10.15.100.1 1
route inside 0.0.0.0 0.0.0.0 192.168.5.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside
http 10.13.74.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 10.13.74.33
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd dns 10.8.2.5 192.168.0.20
dhcpd auto_config outside vpnclient-wins-override
dhcpd update dns both
!
dhcpd address 192.168.5.2-192.168.5.128 inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd option 6 ip 192.168.0.20 10.8.2.5 interface inside
dhcpd option 5 ip 10.8.2.5 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_10.13.74.33 internal
group-policy GroupPolicy_10.13.74.33 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 10.13.74.33 type ipsec-l2l
tunnel-group 10.13.74.33 general-attributes
default-group-policy GroupPolicy_10.13.74.33
tunnel-group 10.13.74.33 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context


when i use commands

Result of the command: "show isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.15.100.15
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Result of the command: "show ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 10.13.74.33

      access-list outside_2_cryptomap permit ip 192.168.0.0 255.255.255.0 PALATA 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (PALATA/255.255.255.0/0/0)
      current_peer: 10.15.100.15

      #pkts encaps: 504, #pkts encrypt: 504, #pkts digest: 504
      #pkts decaps: 871, #pkts decrypt: 871, #pkts verify: 871
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 504, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.13.74.33, remote crypto endpt.: 10.15.100.15

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B6D7C988

    inbound esp sas:
      spi: 0xBE6E0B86 (3194882950)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 40960, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914890/28067)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB6D7C988 (3067595144)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 40960, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914924/28067)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

esult of the command: "show crypto isakmp"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.15.100.15
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Global IKE Statistics
Active Tunnels: 1
Previous Tunnels: 10
In Octets: 92184
In Packets: 654
In Drop Packets: 24
In Notifys: 593
In P2 Exchanges: 3
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 74772
Out Packets: 658
Out Drop Packets: 22
Out Notifys: 1070
Out P2 Exchanges: 23
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 3
Initiator Tunnels: 7
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

like that phase 1 of l2l vpn works, but phase 2 doesnot works. what i do?

thanks

47 Replies 47

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The commands would indicate that everything is working?

There is traffic in both directions and Phase1 and Phase2 have gone through. If the Phase2 parameters didnt match the connection wouldnt be up at all.

What connections is failing? Which IP address is trying to connect which IP address and it fails?

I dont know if you really need these configurations. Especially when the "route" point towards your same ASAs interface IP address

route inside 0.0.0.0 0.0.0.0 192.168.0.17 tunneled

route inside 0.0.0.0 0.0.0.0 192.168.5.1 tunneled

You might want to add this on the "asa-civ"

policy-map global_policy

class inspection_default

inspect icmp

- Jouni

You can also use the command

show vpn-sessiondb l2l

To show all active L2L VPN connections that are UP

- Jouni

goran ljubic
Level 1
Level 1

when i type command show run crypto isakmp on asa 5505 for lan 192.168.5.0 i receive

The command has been sent to the device

when i type show run crypto isakmp on asa 5505 192.168.0.0

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

when i type show vpn-sessiondb l2l on asa from lan 192.168.0.0

Result of the command: "show vpn-sessiondb l2l"

Session Type: LAN-to-LAN

Connection   : 10.15.100.15
Index        : 15                     IP Addr      : PALATA
Protocol     : IKE IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 175324                 Bytes Rx     : 169883
Login Time   : 20:41:07 CEDT Tue May 7 2013
Duration     : 0h:33m:15s

and when i type this command on asa from lan 192.168.5.0

Session Type: LAN-to-LAN

Connection   : 10.13.74.33
Index        : 24                     IP Addr      : 10.13.74.33
Protocol     : IKEv1 IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 185350                 Bytes Rx     : 0
Login Time   : 20:36:13 CEDT Tue May 7 2013
Duration     : 0h:35m:40s

Hi,

I dont know if the "show run crypto isakmp" outputs matter in this case.

The L2L VPN is up which means there are matching Phase1 ISAKMP policies on the devices already. Since we are talking about new and old software the format is a bit different

Other ASA has this

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

And the other one has this

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

The outputs in the second message dont quite match. Dont know why

Other site has both send and received traffic.

Other site has only sent traffic.

Your earlier output showed though that there is traffic in both directions

- Jouni

traffic is worked in both directions but now traffic does not work's.just asa 5505 on network 192.168.0.0 show this

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

but asa on network 192.168.5.0 does not show nothing

Hi,

As I said the Crytpo ISAKMP configurations are fine on the both ends. Atleast seems to me

Use this command on the other device as its software is newer

show run crypto ikev1

- Jouni

show run crypto ikev1 give me

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

can you tell me why traffic does not works? i don't understand

when i do packet trace on nat rule in asa 5505 on lan 192.168.5.0

(inside) to (outside) source static NETWORK_OBJ_192.168.5.0_24 NETWORK_OBJ_192.168.5.0_24   destination static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 no-proxy-arp route-lookup

    translate_hits = 6981, untranslate_hits = 0

thic command does not works, and when i do packet trace on exemption rule on asa 5505 on network 192.168.0.0 this command works

Hi,

Can you show the complete "packet-tracer" commands you are using and the complete output of those commands

- Jouni

i send two pictures with packet trace

Hi,

Please use TCP on both of the "packet-tracer" tests.

Also DONT use the ASA interface IP address as the source address of the "packet-tracer". This will automatically cause the "packet-tracer" to fail right at the start.

- Jouni

i corrected my mistake and packet trace from asa5505 LAN 192.168.5.0

       from this picture packet trace works on both sides.

Hi,

If "packet-tracer" on both ends goes through fine hitting all the correct NAT rules and the VPN Phases then it would seem that the problem is elsewhere.

I still dont know if its a problem between 2 hosts on the LANs or doesnt anything work between these two networks?

I would try connections to multiple hosts and with multiple services

- Jouni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: