Site to site problem ASA

X-No-Archive: yes

please see below config of two ASA trying to set VPN up betrween then they are linked by a cross over cable When I do sh crypto isakmp sa i get the message no SA established. The devices can ping one another

I now its somthing stupid I just cannot see it

Thanks Peter

: Saved : ASA Version 7.2(2) ! hostname chelsmsfordas domain-name enable password 22uQXN7whsdc79IC encrypted no names name 10.0.20.0 Heston name 10.0.50.0 Chelmsford name 10.0.50.2 caffreys ! interface Vlan1 nameif inside security-level 100 ip address 10.0.50.1 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 192.168.0.2 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive clock timezone GMT/BST 0 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00 dns server-group DefaultDNS domain-name object-group service std tcp port-object eq domain port-object eq ftp port-object eq ftp-data port-object eq www port-object eq https object-group service Domain tcp-udp port-object eq domain access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0

10.0.20.0 255.255.255.0 log alerts access-list inside_access_in extended permit tcp any any object-group std access-list inside_access_in extended permit udp host 10.0.50.2 any eq domain access-list inside_access_in extended permit tcp host 10.0.50.2 any eq domain access-list outside_20_cryptomap extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 access-list outside_access_in extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0 log alerts access-list outside_20_cryptomap_1 extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 pager lines 24 logging enable logging asdm alerts mtu inside 1442 mtu outside 1442 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward none port-forward-name value Application Access sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate url-server (inside) vendor websense host 10.0.20.8 timeout 30 protocol UDP version 4 filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow http server enable http 10.0.50.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 match address outside_20_cryptomap_1 crypto map outside_map 20 set peer 192.168.0.1 crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 40 authentication pre-share encryption 3des hash md5 group 1 lifetime 86400 crypto isakmp nat-traversal 20 crypto isakmp ipsec-over-tcp port 10000 tunnel-group 192.168.0.1 type ipsec-l2l tunnel-group 192.168.0.1 ipsec-attributes pre-shared-key * peer-id-validate nocheck telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd auto_config outside ! !

! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global ntp server 10.0.20.12 source outside prompt hostname context Cryptochecksum:50e070c1618d12cb58de85fe1635002f : end asdm image disk0:/asdm-522.bin no asdm history enable

: Saved : ASA Version 7.2(3) ! hostname hestontest domain-name lowery.co.uk enable password 22uQXN7whsdc79IC encrypted no names name 10.0.20.0 Heston name 10.0.50.0 Chelmsford name 10.0.50.2 caffreys ! interface Vlan1 nameif inside security-level 100 ip address 10.0.20.253 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 192.168.0.1 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive clock timezone GMT/BST 0 clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00 dns server-group DefaultDNS domain-name object-group service std tcp port-object eq domain port-object eq ftp port-object eq ftp-data port-object eq www port-object eq https object-group service Domain tcp-udp port-object eq domain access-list inside_access_in extended permit ip 10.0.20.0 255.255.255.0

10.0.50.0 255.255.255.0 log alerts access-list inside_access_in extended permit tcp any any object-group std access-list inside_access_in extended permit udp host 10.0.50.2 any eq domain access-list inside_access_in extended permit tcp host 10.0.50.2 any eq domain access-list outside_20_cryptomap extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0 access-list outside_access_in extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0 log alerts access-list outside_20_cryptomap_1 extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0 pager lines 24 logging enable logging asdm alerts mtu inside 1442 mtu outside 1442 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-523.bin no asdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 access-group inside_access_in in interface inside access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xxx timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute http server enable http 10.0.20.0 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 match address outside_20_cryptomap_1 crypto map outside_map 20 set peer 192.168.0.2 crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 40 authentication pre-share encryption 3des hash md5 group 1 lifetime 86400 crypto isakmp nat-traversal 20 crypto isakmp ipsec-over-tcp port 10000 telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh timeout 5 console timeout 0 management-access inside dhcpd address 10.0.20.254-10.0.20.254 inside dhcpd dns 10.0.20.12 10.0.20.16 interface inside dhcpd lease 360000 interface inside dhcpd domain lowery interface inside dhcpd option 3 ip 10.0.50.1 interface inside !

! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global ntp server 10.0.20.12 source outside group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule none webvpn functions url-entry html-content-filter none homepage none keep-alive-ignore 4 http-comp gzip filter none url-list none customization value DfltCustomization port-forward none port-forward-name value Application Access sso-server none deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information svc none svc keep-installer installed svc keepalive none svc rekey time none svc rekey method none svc dpd-interval client none svc dpd-interval gateway none svc compression deflate tunnel-group 192.168.0.2 type ipsec-l2l tunnel-group 192.168.0.2 ipsec-attributes pre-shared-key * peer-id-validate nocheck prompt hostname context Cryptochecksum:8d8c8aa466a9b29fcf22655cb87552cf : end asdm image disk0:/asdm-523.bin no asdm history enable

Reply to
Peter Simons
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.