03-19-2012 09:11 PM
When setting up a site-to-site tunnel I get the errors in the ASA logging file.
I have included the two configs from the ASA firewalls.
Anyone see what I am missing?
Small site:
: Saved
: Written by usiadmin at 15:22:08.143 UTC Mon Mar 19 2012
!
ASA Version 7.2(3)
!
hostname smallASA
domain-name domain.com
enable password awSQhSsotCzGWRMo encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.16.4.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 116.12.211.66 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd L0Wjs4eA25R/befo encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.20.1
domain-name domain.com
access-list outside_1_cryptomap extended permit ip 10.16.4.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.16.4.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 116.12.211.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.16.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.16.4.0 255.255.255.0 inside
telnet timeout 5
ssh 10.16.4.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 165.21.83.88 10.10.2.1
dhcpd domain domain.com
dhcpd auto_config outside
!
dhcpd address 10.16.4.100-10.16.4.131 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
username usiadmin password DI5M5NnQfLzGHaw1 encrypted privilege 15
username initech password ENDpqoooBPsmGFZP encrypted privilege 15
tunnel-group 12.69.103.226 type ipsec-l2l
tunnel-group 12.69.103.226 ipsec-attributes
pre-shared-key PSK
prompt hostname context
Cryptochecksum:e6bf95f3c25574bfed2adafb3283e882
: end
Large site:
: Saved
: Written by usiadmin at 22:57:30.549 CDT Mon Mar 19 2012
!
ASA Version 8.0(3)
!
hostname STO-ASA-5510-FW
domain-name domain.com
enable password ..Ge0JnvJlk/gAiB encrypted
names
name 192.168.255.0 BGP-Transit_Network description BGP-Transit
name 10.10.99.0 VPN
name 10.10.2.80 BB
dns-guard
!
interface Ethernet0/0
description Inside Interface
nameif inside
security-level 100
ip address 10.10.200.29 255.255.255.240
ospf cost 10
!
interface Ethernet0/1
description Outside Interface facing the Internet Rotuer.
nameif outside
security-level 0
ip address 12.69.103.226 255.255.255.240
ospf cost 10
!
interface Ethernet0/2
description Physical Trunk interface - Dont use
no nameif
no security-level
no ip address
!
interface Ethernet0/2.900
description DMZ Interface 12.69.103.0 / 26 (useable hosts .1 to .62)
vlan 900
nameif DMZ1-VLAN900
security-level 50
ip address 12.69.103.1 255.255.255.192
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.5.250 255.255.254.0
ospf cost 10
management-only
!
passwd L0Wjs4eA25R/befo encrypted
banner exec **********************************************************************
banner exec STO-ASA-5510-FW
banner exec ASA5510 - 10.10.200.29
banner exec Configured for Data use only
banner exec **********************************************************************
banner login **********************************************************************
banner login WARNING: This system is for the use of authorized clients only.
banner login Individuals using the computer network system without authorization,
banner login or in excess of their authorization, are subject to having all their
banner login activity on this computer network system monitored and recorded by
banner login system personnel. To protect the computer network system from
banner login unauthorized use and to ensure the computer network systems is
banner login functioning properly, system administrators monitor this system.
banner login Anyone using this computer network system expressly consents to such
banner login monitoring and is advised that if such monitoring reveals possible
banner login conduct of criminal activity, system personnel may provide the
banner login evidence of such activity to law enforcement officers.
banner login Access is restricted to authorized users only. Unauthorized access is
banner login a violation of state and federal, civil and criminal laws.
banner login **********************************************************************
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name universalsilencer.com
same-security-traffic permit intra-interface
object-group service SAP tcp-udp
description SAP Updates
port-object eq 3299
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service HUMANLand tcp
port-object eq citrix-ica
object-group service DM_INLINE_TCP_1 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 5061
port-object eq www
port-object eq https
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp-udp eq www
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq syslog
service-object tcp eq 2055
service-object udp eq 2055
service-object tcp eq 3389
object-group service Human tcp-udp
port-object eq 8100
object-group service grove tcp
port-object eq 2492
object-group service netflowTcp tcp
port-object eq 2055
object-group service 6144 tcp-udp
description 6144
port-object eq 6144
object-group service 1536-ampr-inter tcp-udp
description 1536-ampr-inter
port-object eq 1536
object-group network DM_INLINE_NETWORK_1
network-object 198.78.0.0 255.255.0.0
network-object 207.152.0.0 255.255.0.0
network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_2
network-object 198.78.0.0 255.255.0.0
network-object 207.152.0.0 255.255.0.0
network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_3
network-object 198.78.0.0 255.255.0.0
network-object 207.152.0.0 255.255.0.0
network-object 69.31.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_4
network-object 198.78.0.0 255.255.0.0
network-object 207.152.0.0 255.255.0.0
network-object 69.31.0.0 255.255.0.0
object-group service rdp tcp
description RDP
port-object eq 3389
object-group network DM_INLINE_NETWORK_5
network-object 10.16.0.0 255.255.0.0
network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 10.16.0.0 255.255.0.0
network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object 10.16.0.0 255.255.0.0
network-object 10.16.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object 10.16.0.0 255.255.0.0
network-object 10.16.0.0 255.255.255.0
access-list outside remark 207.152.125.136
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_1 any log
access-list outside extended deny object-group TCPUDP object-group DM_INLINE_NETWORK_2 host 12.69.103.129
access-list outside extended deny object-group TCPUDP any object-group DM_INLINE_NETWORK_3
access-list outside extended deny object-group TCPUDP host 12.69.103.129 object-group DM_INLINE_NETWORK_4
access-list outside remark ************In Bound SAP Update Traffic per Ron Odom***************
access-list outside extended permit tcp host 194.39.131.34 host 12.69.103.155 range 3200 3300 log
access-list outside remark *** SAP router****
access-list outside extended permit tcp host 10.10.2.110 host 194.39.131.34 range 3200 3300
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 12.69.103.154
access-list outside remark ***** Inbound to the Mail server at 10.10.2.10 Peter K *****
access-list outside extended permit tcp any host 12.69.103.147 eq smtp
access-list outside remark ***** Inbound to the OCS EDGE on DMZ Peter K *****
access-list outside extended permit tcp any host 12.69.103.2 object-group DM_INLINE_TCP_1
access-list outside extended permit ip any host 12.69.103.6
access-list outside remark Blocked for malware activity
access-list outside extended deny ip host 77.78.247.86 any
access-list outside extended permit ip any host 12.69.103.156 inactive
access-list outside extended permit tcp any host 12.69.103.147 eq www
access-list outside extended permit tcp any host 12.69.103.147 eq https
access-list outside remark ***** Inbound to host 10.10.3.200 - Dan K *****
access-list outside extended permit tcp any host 12.69.103.145 eq www
access-list outside extended permit tcp any host 12.69.103.145 eq https
access-list outside remark ***** Inbound to host 10.10.2.30 USIFAXBACK- Dan K *****
access-list outside extended permit tcp any host 12.69.103.146 eq www
access-list outside extended permit tcp any host 12.69.103.146 eq https
access-list outside remark ***** Inbound to host 10.10.8.5 - Mitel 7100 - BOB M 4/4-2008 - BV *****
access-list outside extended permit tcp any host 12.69.103.152 eq pptp
access-list outside extended permit tcp any host 200.56.251.118 object-group HUMANLand
access-list outside extended permit tcp any host 200.56.251.121 eq 8100
access-list outside remark Allow all return ICMP traffic disabled to help hid form attacks
access-list outside extended deny icmp any any log
access-list outside extended permit ip 10.14.0.0 255.255.0.0 any log debugging
access-list outside extended permit ip 10.15.0.0 255.255.0.0 any
access-list outside extended permit ip object-group DM_INLINE_NETWORK_7 any
access-list outside extended permit ip any 10.14.0.0 255.255.0.0 log debugging
access-list outside extended permit ip any 10.15.0.0 255.255.0.0
access-list outside extended permit ip any object-group DM_INLINE_NETWORK_6
access-list outside extended permit udp host 12.88.249.62 any object-group DM_INLINE_UDP_1
access-list outside remark added to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 10.12.2.250 host 200.56.251.121 object-group Human
access-list outside remark added to pervent bocking to Human
access-list outside extended permit object-group TCPUDP host 200.56.251.121 host 10.12.2.250 object-group Human
access-list outside extended permit tcp any any eq pptp log
access-list outside extended deny object-group TCPUDP any any object-group 6144
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192
access-list VPN-SplitTunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list VPN-SplitTunnel extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list DMZ1_in remark ***** OCS EDGE -2nd interface to inside hosts Peter K *****
access-list DMZ1_in extended permit tcp host 12.69.103.3 host 10.10.2.15 object-group DM_INLINE_TCP_2
access-list DMZ1_in remark Allow all ICMP traffic
access-list DMZ1_in extended permit icmp any any log
access-list DMZ1_in extended deny ip any 207.152.0.0 255.255.0.0
access-list DMZ1_in extended deny ip 207.152.0.0 255.255.0.0 any
access-list DMZ1_in remark ***** Explicitly block access to all inside networks *****
access-list DMZ1_in remark ***** Any needed permits to inside networks *****
access-list DMZ1_in remark ***** Need to be done above this section *****
access-list DMZ1_in extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ1_in extended deny ip any 172.16.0.0 255.240.0.0
access-list DMZ1_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ1_in remark ***** Permit IP to any - this will be the internet *****
access-list DMZ1_in extended permit ip any any log debugging
access-list ezvpn1 standard permit 10.0.0.0 255.0.0.0
access-list DMZ1-VLAN900_cryptomap extended permit ip any any
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.11.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.12.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.13.0.0 255.255.0.0 VPN 255.255.255.192
access-list nonat extended permit ip BGP-Transit_Network 255.255.255.0 VPN 255.255.255.192
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.4.0 255.255.254.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.14.8.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.15.4.0 255.255.254.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list traffic extended permit ip 10.0.0.0 255.0.0.0 10.14.0.0 255.255.0.0 inactive
access-list outside_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.15.0.0 255.255.0.0
access-list outside_nat0_outbound extended permit ip 10.14.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip 10.15.0.0 255.255.0.0 VPN 255.255.255.192
access-list outside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 VPN 255.255.255.192
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object-group DM_INLINE_NETWORK_5
pager lines 24
logging enable
logging timestamp
logging list VPN level informational class auth
logging list VPN level critical class config
logging list VPN level notifications class vpn
logging list VPN level notifications class vpnc
logging list VPN level notifications class webvpn
logging list all level alerts
logging buffer-size 256000
logging buffered all
logging trap VPN
logging asdm informational
logging host inside 10.10.2.41 format emblem
logging ftp-bufferwrap
logging ftp-server 10.10.2.41 \logs usi\administrator 178US1SIL3~
mtu inside 1500
mtu outside 1500
mtu DMZ1-VLAN900 1500
mtu management 1500
ip local pool VPNClients 10.10.99.1-10.10.99.63 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ1-VLAN900
asdm image disk0:/asdm-611.bin
asdm location VPN 255.255.255.192 inside
asdm location BGP-Transit_Network 255.255.255.0 inside
asdm location 10.10.4.60 255.255.254.255 inside
asdm location BB 255.255.255.255 inside
asdm location 10.16.0.0 255.255.0.0 inside
asdm location 69.31.0.0 255.255.0.0 inside
asdm location 198.78.0.0 255.255.0.0 inside
asdm location 10.16.0.0 255.255.255.0 inside
asdm history enable
arp timeout 14400
global (inside) 1 10.10.2.4 netmask 255.0.0.0
global (outside) 10 12.69.103.129 netmask 255.255.255.255
global (outside) 11 12.69.103.130 netmask 255.255.255.255
global (outside) 12 12.69.103.131 netmask 255.255.255.255
global (outside) 13 12.69.103.132 netmask 255.255.255.255
global (outside) 14 12.69.103.133 netmask 255.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 11 192.168.255.4 255.255.255.252
nat (inside) 12 192.168.255.8 255.255.255.252
nat (inside) 13 192.168.255.12 255.255.255.252
nat (inside) 10 10.10.0.0 255.255.0.0
nat (inside) 11 10.11.0.0 255.255.0.0
nat (inside) 12 10.12.0.0 255.255.0.0
nat (inside) 13 10.13.0.0 255.255.0.0
nat (inside) 10 10.14.0.0 255.255.0.0
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 10 10.16.0.0 255.255.255.0
nat (outside) 10 10.14.0.0 255.255.0.0
nat (outside) 10 10.15.0.0 255.255.0.0
nat (outside) 10 10.16.0.0 255.255.0.0
static (DMZ1-VLAN900,outside) 12.69.103.0 12.69.103.0 netmask 255.255.255.192
static (inside,outside) 12.69.103.154 10.10.2.41 netmask 255.255.255.255
static (inside,DMZ1-VLAN900) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ1-VLAN900) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ1-VLAN900) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (inside,outside) 12.69.103.147 10.10.2.10 netmask 255.255.255.255
static (inside,outside) 12.69.103.152 10.10.8.5 netmask 255.255.255.255
static (inside,outside) 12.69.103.155 10.10.2.110 netmask 255.255.255.255
access-group outside in interface outside
access-group DMZ1_in in interface DMZ1-VLAN900
!
router eigrp 100
network 10.0.0.0 255.0.0.0
!
route outside 0.0.0.0 0.0.0.0 12.69.103.225 1
route inside 10.0.0.0 255.0.0.0 10.10.200.30 1
route inside 10.10.98.0 255.255.255.0 10.10.200.30 1
route outside 10.14.0.0 255.255.0.0 12.69.103.225 1
route outside 10.15.0.0 255.255.0.0 12.69.103.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server Microsoft protocol radius
accounting-mode simultaneous
reactivation-mode depletion deadtime 30
aaa-server Microsoft host 10.10.2.1
key cisco123
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.10.0.0 255.255.0.0 management
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.2.41 community UNISNMP version 2c udp-port 161
snmp-server location STODATDROOM
snmp-server contact SYS Admin
snmp-server community UNISNMP
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 115.111.107.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 116.12.211.66
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address traffic
crypto map outside_map 10 set peer 212.185.51.242
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map DMZ1-VLAN900_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime none
crypto isakmp nat-traversal 33
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 10
telnet 10.10.0.0 255.255.0.0 inside
telnet 10.10.0.0 255.255.0.0 management
telnet timeout 29
ssh timeout 29
ssh version 2
console timeout 1
management-access inside
dhcprelay server 10.10.2.1 outside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.14.0.0 255.255.0.0
threat-detection scanning-threat shun except ip-address 10.15.0.0 255.255.0.0
threat-detection statistics
wccp web-cache
wccp interface inside web-cache redirect in
ntp server 192.5.41.41
ntp server 192.5.41.40
ntp server 192.43.244.18
tftp-server inside 10.10.2.2 \asa
group-policy DfltGrpPolicy attributes
banner value WARNING: This system is for the use of authorized clients only.
wins-server value 10.10.2.1
dns-server value 10.10.2.1 10.10.2.2
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SplitTunnel
default-domain value universalsilencer.com
msie-proxy server value 00.00.00.00
address-pools value VPNClients
group-policy CHINAPH internal
group-policy CHINAPH attributes
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelall
intercept-dhcp 255.255.0.0 enable
address-pools value VPNClients
group-policy ezGROUP1 internal
group-policy ezGROUP1 attributes
vpn-tunnel-protocol svc webvpn
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
users removed
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key germanysilence
tunnel-group USISplitTunnelRemoteAccess type remote-access
tunnel-group USISplitTunnelRemoteAccess general-attributes
address-pool VPNClients
tunnel-group USISplitTunnelRemoteAccess ipsec-attributes
pre-shared-key z2LNoioYVCTyJlX
tunnel-group USISplitTunnelRADIUS type remote-access
tunnel-group USISplitTunnelRADIUS general-attributes
address-pool VPNClients
authentication-server-group Microsoft LOCAL
tunnel-group USISplitTunnelRADIUS ipsec-attributes
pre-shared-key fLFO2p5KSS8Ic2y
tunnel-group ezVPN1 type remote-access
tunnel-group ezVPN1 general-attributes
default-group-policy ezGROUP1
tunnel-group ezVPN1 ipsec-attributes
pre-shared-key PSK
tunnel-group 212.185.51.242 type ipsec-l2l
tunnel-group 212.185.51.242 ipsec-attributes
pre-shared-key PSK
peer-id-validate nocheck
tunnel-group 115.111.107.226 type ipsec-l2l
tunnel-group 115.111.107.226 ipsec-attributes
pre-shared-key PSJ
tunnel-group China type remote-access
tunnel-group China general-attributes
address-pool VPNClients
default-group-policy CHINAPH
tunnel-group 116.12.211.66 type ipsec-l2l
tunnel-group 116.12.211.66 ipsec-attributes
pre-shared-key PSK
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:834976612f8f76e1b088326516362975
: end
03-20-2012 12:19 PM
Hello Ronald,
You are using PFS on one site and not on the other.
Let's remove it from the site that has it and give it a try.
Change this:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
To this:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
So just do a:
no crypto map outside_map 1 set pfs
Regards,
Julio
Do rate all the helpful posts.
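A check for the kind of mismatch Julio found, as an added example that is not part of the thread: it parses the crypto map entry each ASA holds for the other peer (constructed excerpts of the two posted configs, with the large site's transform-set list shortened) and reports a PFS or transform-set mismatch before Quick Mode ever fails. The function and field names are my own, not ASA terminology.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts: the crypto lines each ASA in the thread uses for the other
# peer (the large site's transform-set list is shortened to three of its ten entries).
SMALL_SITE_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.69.103.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

LARGE_SITE_CFG = """\
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 116.12.211.66
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-3DES-MD5
"""

@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: str = ""
    acl: str = ""
    pfs: str = ""  # "" = PFS off; a bare "set pfs" means group2 (the ASA default)
    transform_sets: list = field(default_factory=list)

def parse_transform_sets(cfg):
    """Map transform-set name -> frozenset of its ESP algorithms."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def parse_crypto_maps(cfg):
    """Collect static crypto map entries keyed by (map name, sequence number)."""
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (.+)$", cfg, re.M):
        key = (m.group(1), int(m.group(2)))
        e = entries.setdefault(key, CryptoMapEntry(*key))
        words = m.group(3).split()
        if words[:2] == ["match", "address"]:
            e.acl = words[2]
        elif words[:2] == ["set", "peer"]:
            e.peer = words[2]
        elif words[:2] == ["set", "pfs"]:
            e.pfs = words[2] if len(words) > 2 else "group2"
        elif words[:2] == ["set", "transform-set"]:
            e.transform_sets = words[2:]
    return entries

def entry_for_peer(cfg, peer_ip):
    """Return the crypto map entry whose peer is peer_ip, or None if there is none."""
    return next((e for e in parse_crypto_maps(cfg).values() if e.peer == peer_ip), None)

def esp_proposals(cfg, entry):
    """Algorithm sets the entry offers, looked up by name (undefined names are skipped)."""
    ts = parse_transform_sets(cfg)
    return {ts[name] for name in entry.transform_sets if name in ts}

def check_phase2(cfg_a, ip_a, cfg_b, ip_b):
    """List Phase 2 mismatches between A's entry for peer B and B's entry for peer A."""
    ea, eb = entry_for_peer(cfg_a, ip_b), entry_for_peer(cfg_b, ip_a)
    if ea is None or eb is None:
        return ["one side has no crypto map entry for the other peer"]
    findings = []
    # PFS is negotiated in Quick Mode: a DH group offered by only one side is rejected
    # as an unacceptable proposal, which is the error shown in the thread.
    if ea.pfs != eb.pfs:
        findings.append(f"PFS mismatch: {ip_a} uses {ea.pfs or 'none'}, {ip_b} uses {eb.pfs or 'none'}")
    # Transform sets are matched by algorithms, not by name, so compare the ESP algorithms.
    if not esp_proposals(cfg_a, ea) & esp_proposals(cfg_b, eb):
        findings.append("no transform set in common")
    return findings

if __name__ == "__main__":
    for line in check_phase2(SMALL_SITE_CFG, "116.12.211.66", LARGE_SITE_CFG, "12.69.103.226"):
        print(line)
```

Run against the two excerpts it reports only the PFS mismatch; with the `set pfs` line removed from the small site it reports nothing, matching the fix Julio gave.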
03-19-2012 09:53 PM
Hello Ron,
Let's start with the first things.
This is the first thing I checked and it was incorrect.
So please let me know if it worked after changing it!
The preshared key shared on both sites is different:
Site A:
tunnel-group 12.69.103.226 type ipsec-l2l
tunnel-group 12.69.103.226 ipsec-attributes
pre-shared-key unising
Site B:
tunnel-group 116.12.211.66 type ipsec-l2l
tunnel-group 116.12.211.66 ipsec-attributes
pre-shared-key PSK
03-19-2012 09:57 PM
They are the same now. Same errors.
03-19-2012 10:02 PM
03-19-2012 10:54 PM
Also getting the following on the other ASA:
Group = 116.12.211.66, IP = 116.12.211.66, All IPSec SA proposals found unacceptable!
Group = 116.12.211.66, IP = 116.12.211.66, QM FSM error (P2 struct &0xd9032338, mess id 0x739db265)!
I checked they have the same translations.
03-20-2012 08:59 PM
That worked. New problem: DHCP and DNS will not work.