VPN only allows ping one way

davidroush
Level 1

Hello all. I have a problem that I could use some fresh eyes on.

Today we physically moved an ASA 5510 across town and took another location off of fiber and onto a VPN with the asa 5510, via a brand new 5505. The VPN seems to be up however no local traffic seems to be passing. The ASA 5510 can ping to the internal network of the 5505 but not vice versa.

The site that was moved is the 62.0 network, it is connected to the rest of the network through the new ASA 5505. I'm sure this is something elementary that I somehow missed. Any help would be appreciated!

16 Replies

terrencepayet
Level 1

Hi David,

What's the access-list 102 for?

I think this access list is conflicting with your Site-to-Site setup.

Or you can rearrange your crypto access-list as below:

ON 5505:

access-list outside_1_cryptomap extended permit ip 192.168.62.0 255.255.255.0 192.168.100.0 255.255.255.0

ON 5510:

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.62.0 255.255.255.0

HTH,

Regards,

Terence

Hello, thank you for the reply.

I deleted the access list 102 and there was no change so I rewrote the crypto map as you suggested. No joy! Could this be a NAT issue? It looks like the tunnel itself is up but there is no traffic passing to the remote lan.

Hi David,

Do you have a router in front of the firewall or you are using your ASA as your main router?

Also please post the output of the show commands below:

on 5510

sh crypto ipsec sa peer xxx.117.69.146

sh crypto isakmp sa

on 5505

sh crypto ipsec sa peer XXX.123.133.162

sh crypto isakmp sa

regards,

Terence

Thank you for the help. Both ASAs are connected directly to the outside fiber on e0/0.

On 5505:

Result of the command: "sh crypto ipsec sa peer xxx.123.133.162"

peer address: xxx.123.133.162
    Crypto map tag: outside_map, seq num: 1, local addr: xxx.117.69.146
      access-list outside_cryptomap_1 extended permit ip 192.168.62.0 255.255.255.0 any
      local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: xxx.123.133.162
      #pkts encaps: 865, #pkts encrypt: 865, #pkts digest: 865
      #pkts decaps: 457, #pkts decrypt: 457, #pkts verify: 457
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 865, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: xxx.117.69.146, remote crypto endpt.: xxx.123.133.162
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B24CD8E4
      current inbound spi : D432035D
    inbound esp sas:
      spi: 0xD432035D (3560047453)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 18173952, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914960/27057)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB24CD8E4 (2991380708)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 18173952, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914937/27057)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Result of the command: "sh crypto isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xxx.123.133.162
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

On 5510

Result of the command: "sh crypto ipsec sa peer XXX.117.69.146"

peer address: XXX.117.69.146
    Crypto map tag: outside_map0, seq num: 1, local addr: XXX.123.133.162
      access-list outside_cryptomap_1 extended permit ip any 192.168.62.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
      current_peer: XXX.117.69.146
      #pkts encaps: 476, #pkts encrypt: 476, #pkts digest: 476
      #pkts decaps: 932, #pkts decrypt: 932, #pkts verify: 932
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 476, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: XXX.123.133.162, remote crypto endpt.: XXX.117.69.146
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D432035D
      current inbound spi : B24CD8E4
    inbound esp sas:
      spi: 0xB24CD8E4 (2991380708)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 18219008, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373934/26881)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD432035D (3560047453)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 18219008, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373959/26881)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Result of the command: "sh crypto isakmp sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: XXX.117.69.146
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Here's a trace from the ASA 5505 to the internal interface of the 5510; looks like it has an idea on where to go. The reverse trace from the 5510 is empty. Perhaps a routing or NAT issue with the 5510? Packet tracer shows implicit denies catching traffic (which can't be accurate with temporary permit ip any any statements above them):

Result of the command: "trace 192.168.100.1"

Type escape sequence to abort.
Tracing the route to 192.168.100.1

1  xxx.117.69.145 0 msec 10 msec 0 msec
2  xxx.117.67.3 10 msec 0 msec 10 msec
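Two things in this thread can be checked mechanically rather than by eye: Terence's point that the crypto access-lists on the two ASAs must be mirror images (and that an "any" in them collides with NAT), and what the encaps/decaps counters in the two "sh crypto ipsec sa" outputs above say about which direction traffic is actually crossing the tunnel. The script below is an added example, not code from this thread or from Cisco. It embeds the ident and counter lines from the two outputs posted above as a constructed sample, checks that the proxy IDs mirror, flags the 0.0.0.0/0 wildcard, and uses the counters on both peers to separate a tunnel problem from a post-decryption one. The function names (parse_sa, from_acl, check_pair, diagnose) are my own.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network

# Constructed sample: the ident and counter lines from the two "sh crypto ipsec sa"
# excerpts posted in the thread (5505 first, 5510 second), nothing else.
ASA5505_SA = """\
      local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      #pkts encaps: 865, #pkts encrypt: 865, #pkts digest: 865
      #pkts decaps: 457, #pkts decrypt: 457, #pkts verify: 457
"""
ASA5510_SA = """\
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
      #pkts encaps: 476, #pkts encrypt: 476, #pkts digest: 476
      #pkts decaps: 932, #pkts decrypt: 932, #pkts verify: 932
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass
class SaSummary:
    local: IPv4Network   # proxy ID (crypto ACL source) on this ASA
    remote: IPv4Network  # proxy ID (crypto ACL destination) on this ASA
    encaps: int          # packets this ASA encrypted and sent into the tunnel
    decaps: int          # packets this ASA received from the tunnel and decrypted


def parse_sa(text: str) -> SaSummary:
    """Pull the proxy IDs and the encaps/decaps counters out of one SA excerpt."""
    idents = {side: IPv4Network(f"{addr}/{mask}", strict=False)
              for side, addr, mask in IDENT_RE.findall(text)}
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    return SaSummary(idents["local"], idents["remote"],
                     counters["encaps"], counters["decaps"])


def from_acl(src_cidr: str, dst_cidr: str, encaps: int = 0, decaps: int = 0) -> SaSummary:
    """Build a summary straight from a crypto ACL's source/destination pair."""
    return SaSummary(IPv4Network(src_cidr), IPv4Network(dst_cidr), encaps, decaps)


def check_pair(a: SaSummary, b: SaSummary) -> list[str]:
    """Return the problems visible from the two peers' SA summaries (empty = clean)."""
    findings = []
    # Peer a's local/remote must equal peer b's remote/local, or the proxy IDs
    # will not match and at best one direction of interesting traffic is caught.
    if a.local != b.remote or a.remote != b.local:
        findings.append("proxy IDs are not mirror images: "
                        f"{a.local}->{a.remote} on a, {b.local}->{b.remote} on b")
    # A 0.0.0.0/0 proxy ID means "any"; it overlaps NAT rules and other traffic.
    if any(n.prefixlen == 0 for n in (a.local, a.remote, b.local, b.remote)):
        findings.append("crypto ACL matches 'any'; name both LAN subnets explicitly "
                        "so the tunnel cannot swallow NAT'd or Internet-bound traffic")
    # Direction a->b is alive only if a encrypts and b decrypts.
    if a.encaps == 0 or b.decaps == 0:
        findings.append("a->b carries no packets: a is not encrypting, or b is not receiving")
    if b.encaps == 0 or a.decaps == 0:
        findings.append("b->a carries no packets: b is not encrypting, or a is not receiving")
    return findings


def diagnose(a: SaSummary, b: SaSummary) -> str:
    """One-line verdict on where to look next."""
    findings = check_pair(a, b)
    if any("mirror" in f or "carries no packets" in f for f in findings):
        return "tunnel-level problem: " + "; ".join(findings)
    return ("tunnel carries traffic both ways; look after decryption "
            "(route to the remote LAN, NAT exemption, interface ACL)")


if __name__ == "__main__":
    asa5505, asa5510 = parse_sa(ASA5505_SA), parse_sa(ASA5510_SA)
    for f in check_pair(asa5505, asa5510):
        print("finding:", f)
    print(diagnose(asa5505, asa5510))
```

On the sample from this thread both peers show non-zero encaps and decaps, so packets are crossing the tunnel in both directions and the verdict points past the crypto layer (route, NAT exemption, interface ACL) rather than at the tunnel itself. The "any" finding is the same thing Terence is flagging: once the crypto ACLs name 192.168.62.0/24 and 192.168.100.0/24 on both sides, the wildcard warning goes away.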

Mohammad Alhyari
Cisco Employee

Hi,

Please get:

show crypto ipsec sa  // both sides

Are you testing with traffic other than the inside interface? Since on the 5505 you are missing:

management-access inside

Once we check the tunnel counters we can proceed with the packet-tracer if needed.

HTH

Mohammad.

Output posted above! THANK YOU FOR THE HELP!

Right now my only access to the 5505 is through the outside interface. Its local LAN is up (and operating properly). Should I issue the management-access inside command then?

Hey,

Happy to know it is working fine.

The management-access inside is up to you: do you want to be able to pass traffic through the tunnel using the inside interface of the ASA?

cheers.

Mohammad.

Wait, don't leave! The tunnel is working but the connectivity problem still exists!

I'll issue the management access command now.

Hi David,

I do not see any crypto access-list on your ASA 5510.

Please check and revert.

And also use the suggested access-list I showed you above, otherwise it will conflict with your NAT statement.

HTH.

Regards,

Terence

Terrence,

I deleted the access-list 102 earlier... After rearranging the access lists to the following the tunnel dropped.

ON 5505:

access-list outside_1_cryptomap extended permit ip 192.168.62.0 255.255.255.0 192.168.100.0 255.255.255.0

ON 5510:

access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.62.0 255.255.255.0

outside_1_cryptomap is the crypto access list, right? That's on the 5510 as well.

The ASA 5510 can ping into the ASA 5505's network now, but not vice versa. Any thoughts?

Hi David,

Can you repost your config?

Regards,

Terence

ASA 5510

Hi David,

All looks ok from your config.

But can you change the route on the 5510 to the below:

route outside 192.168.62.0 255.255.255.0 XXX.123.133.162

HTH.

Regards,

Terence
