08-31-2015 01:53 PM
I'm trying to bring up an L2L VPN and am having trouble. Packet-tracer seems to allow it, but the tunnel never gets created. What am I missing?
asa5505# packet-tracer input inside tcp 10.1.3.2 25 172.19.104.2 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27769857, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
sh run
: Saved
:
ASA Version 8.2(5)
!
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 4
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 13.12.194.49 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.1.255.1 255.255.255.0
!
interface Vlan4
nameif maldev
security-level 100
ip address 10.1.0.1 255.255.255.252
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network maldev
network-object 172.16.26.0 255.255.255.0
network-object 172.16.27.0 255.255.255.0
network-object 172.16.28.0 255.255.255.0
network-object 172.16.29.0 255.255.255.0
network-object 172.16.30.0 255.255.255.0
object-group network vpnclientnat0
object-group network RS-VPN
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any time-exceeded
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.21.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.25.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 10.15.40.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 10.95.49.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 10.122.10.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.27.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.28.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 10.1.0.0 255.255.255.252
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.19.104.0 255.255.252.0
access-list no-nat-inside extended permit ip 10.1.1.0 255.255.255.0 172.19.100.0 255.255.252.0
access-list vpnclient standard permit 10.1.1.0 255.255.255.0
access-list vpnclient standard permit 172.16.20.0 255.255.255.0
access-list vpnclient standard permit 172.16.21.0 255.255.255.0
access-list vpnclient standard permit 172.16.25.0 255.255.255.0
access-list vpnclient standard permit 10.15.40.0 255.255.255.0
access-list vpnclient standard permit 172.16.27.0 255.255.255.0
access-list vpnclient standard permit 172.16.26.0 255.255.255.0
access-list vpnclient standard permit 172.16.28.0 255.255.255.0
access-list vpnclient standard permit 172.16.29.0 255.255.255.0
access-list vpnclient standard permit 172.16.30.0 255.255.255.0
access-list acl-vpzn extended permit ip any 172.16.20.0 255.255.255.0
access-list acl-vpzn extended permit ip any 172.16.21.0 255.255.255.0
access-list acl-vpzn extended permit ip any 172.16.25.0 255.255.255.0
access-list vpzn-filter extended permit icmp any any echo-reply
access-list vpzn-filter extended deny ip any any
access-list vpzn-filter extended permit ip 172.16.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpzn-filter extended permit ip 172.16.21.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpzn-filter extended permit ip 172.16.20.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list vpzn-filter extended permit ip 172.16.21.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list vpzn-filter extended permit ip 172.16.25.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpzn-filter extended permit ip 172.16.25.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nat0outside extended permit ip 10.0.0.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.21.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.25.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 10.15.40.0 255.255.255.0
access-list nat0outside extended permit ip 10.15.40.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.27.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.26.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.28.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.29.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.19.104.0 255.255.252.0
access-list nat0outside extended permit ip 10.1.3.0 255.255.255.0 172.19.100.0 255.255.252.0
access-list SSLVPN_Anyconnect standard permit 10.1.1.0 255.255.255.0
access-list SSLVPN_Anyconnect standard permit 10.0.0.0 255.255.255.0
access-list SSLVPN_Anyconnect standard permit 10.0.1.0 255.255.255.0
access-list baltimore extended permit ip 10.1.1.0 255.255.255.0 10.15.40.0 255.255.255.0
access-list baltimore extended permit ip 10.1.1.0 255.255.255.0 10.95.49.0 255.255.255.0
access-list baltimore extended permit ip 10.1.3.0 255.255.255.0 10.15.40.0 255.255.255.0
access-list baltimore extended permit ip 10.1.1.0 255.255.255.0 10.122.10.0 255.255.255.0
access-list acl-vpzn2 extended permit ip any 172.16.27.0 255.255.255.0
access-list acl-vpzn2 extended permit ip any 172.16.26.0 255.255.255.0
access-list acl-vpzn2 extended permit ip any 172.16.28.0 255.255.255.0
access-list acl-vpzn2 extended permit ip any 172.16.29.0 255.255.255.0
access-list acl-vpzn2 extended permit ip any 172.16.30.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.1.1.0 255.255.255.0 172.19.104.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.1.1.0 255.255.255.0 172.19.100.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.1.3.0 255.255.255.0 172.19.104.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.1.3.0 255.255.255.0 172.19.100.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.0.1.0 255.255.255.0 172.19.104.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.0.1.0 255.255.255.0 172.19.100.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 16384
logging console notifications
logging monitor notifications
logging buffered notifications
logging asdm informational
no logging message 402127
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu maldev 1500
ip local pool vpnpool 10.1.3.1-10.1.3.200
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 10.1.1.0 255.255.255.0
nat (outside) 0 access-list nat0outside
nat (dmz) 1 10.1.255.0 255.255.255.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 13.12.194.54 1
route maldev 172.16.26.0 255.255.255.0 10.1.0.2 1
route maldev 172.16.27.0 255.255.255.0 10.1.0.2 1
route maldev 172.16.28.0 255.255.255.0 10.1.0.2 1
route maldev 172.16.29.0 255.255.255.0 10.1.0.2 1
route maldev 172.16.30.0 255.255.255.0 10.1.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.10
key *****
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 172.16.21.31 interface inside
frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set transform-vpzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto dynamic-map remote 10 set transform-set ESP-3DES
crypto map remote 5 match address baltimore
crypto map remote 5 set peer 50.249.16.41
crypto map remote 5 set transform-set ESP-3DES
crypto map remote 10 match address acl-vpzn
crypto map remote 10 set pfs
crypto map remote 10 set peer 72.21.29.26 72.21.29.14
crypto map remote 10 set transform-set transform-vpzn
crypto map remote 20 match address acl-vpzn2
crypto map remote 20 set pfs
crypto map remote 20 set peer 25.21.23.19 25.21.23.10
crypto map remote 20 set transform-set transform-vpzn
crypto map remote 30 match address acl-vpn22
crypto map remote 30 set pfs
crypto map remote 30 set peer 18.16.18.28
crypto map remote 30 set transform-set transform-vpzn
crypto map remote 65000 ipsec-isakmp dynamic remote
crypto map remote interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=sslvpn.educate-online.local
keypair SSLvpn
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp nat-traversal 30
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 15
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.1.255.100-10.1.255.199 dmz
dhcpd dns 75.75.75.75 75.75.76.76 interface dmz
dhcpd lease 86400 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.04072-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-3.1.04072-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy SSLVPN_Anyconnect internal
group-policy SSLVPN_Anyconnect attributes
vpn-tunnel-protocol svc
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 10.1.1.10
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient
default-domain value educate-online.local
split-dns value educate-online.local
group-policy vpzn-filter internal
group-policy vpzn-filter attributes
vpn-filter value vpzn-filter
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpnpool
authentication-server-group RADIUS
default-group-policy vpnclient
tunnel-group vpnclient webvpn-attributes
group-alias vpnclient enable
tunnel-group vpnclient ipsec-attributes
pre-shared-key *****
tunnel-group 72.21.29.26 type ipsec-l2l
tunnel-group 72.21.29.26 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group 72.21.29.14 type ipsec-l2l
tunnel-group 72.21.29.14 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool vpnpool
authentication-server-group RADIUS
default-group-policy SSLVPN_Anyconnect
tunnel-group 25.21.23.10 type ipsec-l2l
tunnel-group 25.21.23.10 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group 25.21.23.19 type ipsec-l2l
tunnel-group 205.251.233.119 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group 50.29.16.41 type ipsec-l2l
tunnel-group 50.29.16.41 ipsec-attributes
pre-shared-key *****
tunnel-group 25.21.23.12 type ipsec-l2l
tunnel-group 25.21.23.12 ipsec-attributes
pre-shared-key *****
tunnel-group 18.16.18.28 type ipsec-l2l
tunnel-group 18.16.18.28 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 4000
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
policy-map globa_policy
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b7ce884616ddc3d3e2b6b2063a1d446e
: end
09-02-2015 11:09 PM
Hey,
Is the network 10.1.3.0 located on the inside? From the running-config I can see that it is configured as the pool subnet.
If the traffic from the 10.1.3.0 network is coming from outside, then you need to run the following packet-tracer:
packet-tracer input outside tcp <pool ip of the client that is connected to the ASA> 1234 172.19.104.2 <destination port> detailed
The traffic will only hit the VPN if the packet-tracer shows a VPN phase.
Regards
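Added example, not code from the thread: a small Python checker that applies the reply's reasoning to the posted config. From a constructed excerpt of the running-config it parses the VPN pool, the crypto ACLs and the crypto map entries, then reports for a source/destination pair which interface the packet really enters on (a pool address belongs to a remote-access client, so outside) and which crypto map sequence and peer it matches; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.2 running-config posted above: the VPN pool,
# the crypto ACLs and the crypto map entries that decide where a flow goes.
CONFIG = """
ip local pool vpnpool 10.1.3.1-10.1.3.200
access-list baltimore extended permit ip 10.1.1.0 255.255.255.0 10.15.40.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.1.1.0 255.255.255.0 172.19.104.0 255.255.255.0
access-list acl-vpn22 extended permit ip 10.1.3.0 255.255.255.0 172.19.104.0 255.255.255.0
crypto map remote 5 match address baltimore
crypto map remote 5 set peer 50.249.16.41
crypto map remote 30 match address acl-vpn22
crypto map remote 30 set peer 18.16.18.28
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (.+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")

def net(addr, mask):
    # ASA address/mask pair, or the keyword "any", as an ip_network
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{mask}", strict=False)

def parse(config):
    # crypto ACL lines by name, crypto map entries by sequence number, pool ranges
    acls, maps, pools = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := MAP_RE.match(line):
            seq, kind, value = m.groups()
            maps.setdefault(int(seq), {})[kind] = value
        elif m := POOL_RE.match(line):
            pools.append(tuple(ipaddress.ip_address(a) for a in m.groups()))
    return acls, maps, pools

def classify(config, src, dst):
    acls, maps, pools = parse(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # a pool address is a remote-access client: its packets arrive on outside after
    # decryption, so tracing it with "input inside" never reaches the VPN phase
    ingress = "outside" if any(lo <= src_ip <= hi for lo, hi in pools) else "inside"
    for seq in sorted(maps):  # crypto map entries are tried in ascending sequence order
        for s_net, d_net in acls.get(maps[seq].get("match address"), []):
            if src_ip in s_net and dst_ip in d_net:
                peers = maps[seq].get("set peer", "").split()
                return {"ingress": ingress, "seq": seq, "peers": peers}
    return {"ingress": ingress, "seq": None, "peers": []}
```

Running `classify(CONFIG, "10.1.3.2", "172.19.104.2")` shows the flow from the original packet-tracer enters on outside and matches crypto map entry 30 toward 18.16.18.28, which is the path the reply says to trace.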