Skip to main content

ipsec l2l tunnel between 5505 and 5540

More
15 years 1 month ago #32302 by ixfnx
I'm having trouble getting the tunnel up between the two devices. please take a look and tell me I've left out something silly. here is the config from the 5505, the 5540 is good as I have several other 1841's connected to the device over ipsec vpn.

[code:1]
!
ASA Version 8.2(1)
!
hostname cr201
domain-name bizcom.com
enable password <removed> encrypted
passwd <removed> encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
management-only
!
interface Vlan2
description outside ISP connection
nameif outside
security-level 0
ip address A.B.C.13 255.255.255.0
!
interface Vlan3
nameif inside
security-level 100
ip address 10.201.201.1 255.255.255.0
!
interface Ethernet0/0
description outside network
switchport access vlan 2
!
interface Ethernet0/1
description inside network
switchport access vlan 3
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST5EDT -5
dns server-group DefaultDNS
domain-name bizcom.com
access-list 100 extended permit ip 10.201.201.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list 100 extended permit ip 10.201.201.0 255.255.255.0 172.21.1.0 255.255.255.0
access-list 100 extended permit ip 10.201.201.0 255.255.255.0 172.30.0.0 255.255.255.0
access-list 100 extended permit ip 10.201.201.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list 100 extended permit ip 10.201.201.0 255.255.255.0 10.0.219.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 18
logging device-id hostname
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 1440
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 A.B.C.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authbiz protocol tacacs+
aaa-server authbiz (inside) host 172.30.0.4
timeout 5
key <removed>
aaa authentication telnet console authbiz LOCAL
aaa authentication enable console authbiz LOCAL
aaa authentication ssh console authbiz LOCAL
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set foo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map biz 10 match address 100
crypto map biz 10 set peer A.B.C.2
crypto map biz 10 set transform-set foo
crypto map biz interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ssh A.B.C.D 255.255.255.0 outside
ssh 10.0.219.0 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd domain bizcom.com
!
dhcpd address 10.201.201.101-10.201.201.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.30.1.121 source inside
username admin password <removed> encrypted privilege 15
tunnel-group A.B.C.2 type ipsec-l2l
tunnel-group A.B.C.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
!
service-policy global_policy global
prompt hostname context
!
end
[/code:1]
More
15 years 1 month ago #32330 by ikon
Where is the other ends config?

Looks ok but you dont have any access lists allowing traffic from inside to the VPN, you have crytomap access lists to tell the vn what the interesting traffic is, it might be that the VPN is connected but traffic is not flowwing because of ACL?

do you have any logs?
enable syslog or look in the ASDM for syslog messages.
Time to create page: 0.120 seconds