%ASA-7-710005: TCP request discarded error in Client to Site VPN in CISCO ASA 5510

Similar Messages

• ASA-7-710005: UDP request discarded

  Hi All,
  Hope you are doing good,
  Continously I am getting below error log.
  Dec 07 2013 11:30:02: %ASA-7-710005: UDP request discarded from 10.109.6.1/67 to WTBB:255.255.255.255/68
  Dec 07 2013 11:24:00: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to WTBB:255.255.255.255/67
  Kindly let me know the rean for such errors and how rectify the same,
  Attaching the configuration file for your reference.
  Regards / Ramesh M

  The easiest way to do this is to set the logging level for these messages to a higher level than what you are logging.  For example.  You are currently logging debug (which is why your are seeing this message).  If you log informational messages, you will not see this message.
  Another option is to create a custom logging list,  But depending on what and how much you want to log, this might not be a very good option.
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_syslog.html
  Please remember to rate and select a correct answer

• Azure Site to Site VPN with Cisco ASA 5505

  I have got Cisco ASA 5505 device (version 9.0(2)). And i cannot connect S2S with azure (azure network alway in "connecting" state). In my cisco log:
  IP = 104.40.182.93, Keep-alives configured on but peer does not support keep-alives (type = None)
  Group = 104.40.182.93, IP = 104.40.182.93, QM FSM error (P2 struct &0xcaaa2a38, mess id 0x1)!
  Group = 104.40.182.93, IP = 104.40.182.93, Removing peer from correlator table failed, no match!
  Group = 104.40.182.93, IP = 104.40.182.93,Overriding Initiator's IPSec rekeying duration from 102400000 to 4608000 Kbs
  Group = 104.40.182.93, IP = 104.40.182.93, PHASE 1 COMPLETED
  I have done all cisco s2s congiguration over standard wizard cos seems your script for 8.x version of asa only?
  (Does azure support 9.x version of asa?)
  How can i fix it?

  Hi,
  As of now, we do not have any scripts for Cisco ASA 9x series.
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as
  demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  Did you download the VPN configuration file from the dashboard and copy the content of the configuration
  file to the Command Line Interface of the Cisco ASDM application? It seems that there is no specified IP address in the access list part and maybe that is why the states message appeared.
  According to the
  Cisco ASA template, it should be similar to this:
  access-list <RP_AccessList>
  extended permit ip object-group
  <RP_OnPremiseNetwork> object-group <RP_AzureNetwork>
  nat (inside,outside) source static <RP_OnPremiseNetwork>
  <RP_OnPremiseNetwork> destination static <RP_AzureNetwork>
  <RP_AzureNetwork>
  Based on my experience, to establish
  IPSEC tunnel, you need to allow the ESP protocol and UDP Port 500. Please make sure that the
  VPN device cannot be located behind a NAT. Besides, since Cisco ASA templates are not
  compatible for dynamic routing, please make sure that you chose the static routing.
  Since you configure the VPN device yourself, it's important that you would be familiar with the device and its configuration settings.
  Hope this helps you.
  Girish Prajwal

• Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

  Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
  I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
  Please help me to find where is the issue.
  I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
  192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
  Here is my current configuration.
  Thanks for your help.
  IOS Configuration
  version 15.2
  crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key cisco address 198.0.183.225
  crypto isakmp invalid-spi-recovery
  crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
  mode transport
  crypto map static-map 1 ipsec-isakmp
  set peer S2.S2.S2.S2
  set transform-set AES-SET
  set pfs group2
  match address 100
  interface GigabitEthernet0/0
  ip address S1.S1.S1.S1 255.255.255.240
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map static-map
  interface GigabitEthernet0/1
  ip address 192.168.17.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
  ASA Configuration
  ASA Version 8.4(3)
  interface Ethernet0/0
  switchport access vlan 2
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.83.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address S2.S2.S2.S2 255.255.255.248
  ftp mode passive
  same-security-traffic permit intra-interface
  object network inside-network
  subnet 192.168.83.0 255.255.255.0
  object network datacenter
  host S1.S1.S1.S1
  object network datacenter-network
  subnet 192.168.17.0 255.255.255.0
  object network NETWORK_OBJ_192.168.83.0_24
  subnet 192.168.83.0 255.255.255.0
  access-list outside_access_in extended permit icmp any any echo-reply
  access-list outside_access_in extended deny ip any any log
  access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source dynamic inside-network interface
  nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
  nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
  nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
  crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set vpn-transform-set mode transport
  crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set L2L_SET mode transport
  crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
  crypto map vpn 1 match address outside_cryptomap
  crypto map vpn 1 set pfs
  crypto map vpn 1 set peer S1.S1.S1.S1
  crypto map vpn 1 set ikev1 transform-set L2L_SET
  crypto map vpn 20 ipsec-isakmp dynamic dyno
  crypto map vpn interface outside
  crypto isakmp nat-traversal 3600
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  group-policy GroupPolicy_S1.S1.S1.S1 internal
  group-policy GroupPolicy_S1.S1.S1.S1 attributes
  vpn-tunnel-protocol ikev1
  group-policy remote_vpn_policy internal
  group-policy remote_vpn_policy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec
  username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
  username admin password rqiFSVJFung3fvFZ encrypted privilege 15
  tunnel-group DefaultRAGroup general-attributes
  address-pool vpn_pool
  default-group-policy remote_vpn_policy
  tunnel-group DefaultRAGroup ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group DefaultRAGroup ppp-attributes
  authentication ms-chap-v2
  tunnel-group S1.S1.S1.S1 type ipsec-l2l
  tunnel-group S1.S1.S1.S1 general-attributes
  default-group-policy GroupPolicy_S1.S1.S1.S1
  tunnel-group S1.S1.S1.S1 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f55f10c19a0848edd2466d08744556eb
  : end

  Thanks for helping me again. I really appreciate.
  I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
  Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
  Because on Cisco ASA I guess I have everything.
  Here is show crypto session detail
  router(config)#do show crypto session detail
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: GigabitEthernet0/0
  Session status: DOWN
  Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
        Desc: (none)
        Phase1_id: (none)
    IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
          Active SAs: 0, origin: crypto map
          Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
          Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  Should I see something in crypto isakmp sa?
  pp-border#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  IPv6 Crypto ISAKMP SA
  Thanks again for your help.

• Setting up site to site vpn with cisco asa 5505

  I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
  IP of remote office router is 71.37.178.142
  IP of the main office firewall is 209.117.141.82
  Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
  ciscoasa# show run
  : Saved
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password TMACBloMlcBsq1kp encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
  access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group5
  crypto map outside_map 1 set peer 209.117.141.82
  crypto map outside_map 1 set transform-set ESP-AES-256-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  vpdn username [email protected] password ********* store-local
  dhcpd auto_config outside
  dhcpd address 192.168.1.2-192.168.1.129 inside
  dhcpd enable inside
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
  : end
  ciscoasa#
  Thanks!

  Hi Mandy,
  By using following access list define Peer IP as source and destination
  access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
  you are not defining the interesting traffic / subnets from both ends.
  Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
  !.1..source subnet(called local encryption domain) at your end  192.168.200.0
  !..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
  !..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
  !...at your end  192.168.200.0
  !..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
  !...at other end 192.168.100.0
  Please use Baisc Steps as follows:
  A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)
  Step 1.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
  Step 2.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 3.
  Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 71.37.178.142
  or , but not both
  crypto isakmp key 6 CISCO123 address71.37.178.142
  step 4.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 5.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 6.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Configure the same but just change ACL on other end in step one  by reversing source and destination
  and also set the peer IP of this router in other end.
  So other side config should look as follows:
  B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
  Step 7.
  Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
  access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
  Step 8.
  Config ISAKMP Policy with minimum 4 parameters are to be config for
  crypto isakmp policy 10
  authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
  encryption aes-256   --->2nd parameter of ISAKMP Policy is OK
  hash sha   --->  3rd parameter of ISAKMP Policy is OK
  group 5  --->  4th parameter of ISAKMP Policy is OK
  lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
  Step 9.
  Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
  Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
  Use following command:
  crypto isakmp key 0 CISCO123 address 209.117.141.82
  or , but not both
  crypto isakmp key 6 CISCO123 address 209.117.141.82
  step 10.
  Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
  Here is yours one:
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
  crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
  or
  crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
  Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
  ah-sha-hmac or  ah-md5-hmac
  crypto ipsec transform-set TSET1 ah-sha-hmac
  or
  crypto ipsec transform-set TSET1 ah-md5-hmac
  Step 11.
  Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
  crypto map    ipsec-isakmp
  1. Define peer -- called WHO to set tunnel with
  2. Define or call WHICH - Transform Set, only one is permissible
  3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
  Like in your case it is but ipsec-isakmp keyword missing in the ;ast
  crypto map outside_map 10 ipsec-isakmp
  1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step
  2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called
  !..In you case it is correct
  !...set transform-set ESP-AES-256-SHA (also correct)
  3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel
  4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
  Step 12.
  Now apply this one crypto MAP to your OUTSIDE interface always
  interface outside
  crypto map outside_map
  Now initite a ping
  Here is for your summary:
  IPSec: Site to Site - Routers
  Configuration Steps
  Phase 1
  Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
  Step 2: Configure ISAKMP Policy
  Step 3: Configure ISAKMP Key
  Phase 2
  Step 4: Configure Transform Set
  Step 5: Configure Crypto Map
  Step 6: Apply Crypto Map to an Interface
  To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
  Router#debug crpyto isakmp
  Router#debug crpyto ipsec
  Router(config)# logging buffer 7
  Router(config)# logging buffer 99999
  Router(config)# logging console 6
  Router# clear logging
  Configuration
  In R1:
  (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  (config)# crypto isakmp policy 10
  (config-policy)# encryption 3des
  (config-policy)# authentication pre-share
  (config-policy)# group 2
  (config-policy)# hash sha1
  (config)# crypto isakmp key 0 cisco address 2.2.2.1
  (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  (config)# crypto map CMAP 10 ipsec-isakmp
  (config-crypto-map)# set peer 2.2.2.1
  (config-crypto-map)# match address 101
  (config-crypto-map)# set transform-set TSET
  (config)# int f0/0
  (config-if)# crypto map CMAP
  Similarly in R2
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Change to Transport Mode, add the following command in Step 4:
  (config-tranform-set)# mode transport
  Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.
  Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
  (config)# crypto isakmp peer address 2.2.2.1
  (config-peer)# set aggressive-mode password cisco
  (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1
  Similarly on R2.
  The below process is for the negotiation using RSA-SIG (PKI) as authentication type
  Debug Process:
  After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED
  R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
  Packet sent with a source address of 2.2.2.2
  Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
  Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
  Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
  Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
  Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
  Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
  Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
  Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
  Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
  Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
  Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
  Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
  Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
  Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
  Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
  Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947:.!!!!
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
  R2(config)# ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
  Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
  Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
  Mar  2 16:18:42.947: ISAKMP:      hash SHA
  Mar  2 16:18:42.947: ISAKMP:      default group 2
  Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
  Mar  2 16:18:42.947: ISAKMP:      life type in seconds
  Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
  Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
  Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
  Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
  Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
  Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
  Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
  Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
  Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
  Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
  Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
  Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
  Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
  Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
  Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
  Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
  Mar  2 16:18:43.007: ISAKMP:received payload type 20
  Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
  Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4
  Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
  Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
  Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
  Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
  Mar  2 16:18:43.011: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : R2
            protocol     : 17
            port         : 500
            length       : 10
  Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
  Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
  Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
  Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
  Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5
  Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
  // "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP (1008): ID payload
            next-payload : 6
            type         : 2
            FQDN name    : ASA1
            protocol     : 0
            port         : 0
            length       : 12
  Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
  Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
  Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
  Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
  Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
  Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
  Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
  Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
  Mar  2 16:18:43.067: ISAKMP:received payload type 17
  Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
  Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
  Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
            authenticated
  Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
  Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6
  Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
  Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6
  Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
  Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
  Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
  Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
  Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
  Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
  Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
  Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
  Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
  Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
  Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
  Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
  Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
  Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
  Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
  Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
  Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
            (proxy 1.1.1.1 to 2.2.2.2)
  Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
            (proxy 2.2.2.2 to 1.1.1.1)
  Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
  Mar  2 16:18:43.083:         lifetime of 3600 seconds
  Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
  Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
  Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
  Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
  Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
  Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
  Verification Commands
  #show crypto isakmp SA
  #show crypto ipsec SA
  Kindly rate if you find the explanation useful !!
  Best Regards
  Sachin Garg

• Site to Site VPN on Cisco ASA

  Hello,
  I'm trying to set up a site to site VPN. I've never done this before and can't get it to work. I've watched training vids online and thought it looked straight forward enough. My problem appears to be that th ASA is not trying to create a tunnel. It doesn't seem to know that this traffic should be sent over the tunnel. Both the outside interfaces can ping one another and are on the same subnet.
  I've pasted the two configs below. They're just base configs with all the VPN commands having been created by the wizard. I've not put any routes in as the two devices are on the same subnet. If you can see my mistake I'd be very grateful to you if you could point it out or even point me in the right direction.
  Cheers,
  Tormod
  ciscoasa1
  : Saved
  : Written by enable_15 at 05:11:30.489 UTC Wed Jun 19 2013
  ASA Version 8.2(5)13
  hostname ciscoasa1
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.1 255.255.255.0
  interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
  interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_nat0_outbound
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 1.1.1.2
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group 1.1.1.2 type ipsec-l2l
  tunnel-group 1.1.1.2 ipsec-attributes
  pre-shared-key ciscocisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:29e3cdb2d704736b7fbbc477e8418d65
  : end
  ciscoasa2
  : Saved
  : Written by enable_15 at 15:40:31.509 UTC Wed Jun 19 2013
  ASA Version 8.2(5)13
  hostname ciscoasa2
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 1.1.1.2 255.255.255.0
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 10.1.2.1 255.255.255.0
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside) 0 access-list inside_nat0_outbound
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set pfs group1
  crypto map outside_map 1 set peer 1.1.1.1
  crypto map outside_map 1 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
  pre-shared-key ciscocisco
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:92dca65f5c2cf16486aa7d564732b0e1
  : end

  Thanks very much for your help Jouni. I came in this morning and ran the crypto map outside_map 1 set reverse-route command and everything started to work. I'm surprised the wizard didn't include that command but maybe it's because I didn't have a default route set.
  However, I now have a new problem. We're working towards migrating from ASA8.2 to 9.1. In order to prepare for this I've created a mock of our environment and am testing that everything works prior to making the changes. I can't get this site to site VPN to work. (The one I posted yesterday was just to get a basic site to site VPN working so that I could go from there)
  I've posted the debug from the ASA to which I'm trying to connect. To my undtrained eye it looks like it completes phase one but fails to match a vpn tunnel map. I'm coming from 10.99.99.99 going to 10.1.1.57
  Hope you can help as I'm going nuts here. Although I will of course understand if you've something better to do with your time than bail me out.
  access-list 1111_cryptomap extended permit ip 10.1.1.0 255.255.255.0 Private1 255.255.255.0
  access-list 1111_cryptomap extended permit ip 10.99.99.0 255.255.255.0 10.1.1.0 255.255.255.0
  crypto map vpntunnelmap 1 match address 1111_cryptomap
  crypto map vpntunnelmap 1 set pfs
  crypto map vpntunnelmap 1 set peer 1.1.1.1
  crypto map vpntunnelmap 1 set transform-set ESP-3DES-MD5
  ciscoasa# debug crypto isakmp 255
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 00 00 00 00 00 00 00 00    |  ...?:...........
  01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 84    |  ................
  00 00 00 01 00 00 00 01 00 00 00 78 01 01 00 03    |  ...........x....
  03 00 00 24 01 01 00 00 80 04 00 02 80 01 00 05    |  ...$............
  80 02 00 02 80 03 00 01 80 0b 00 01 00 0c 00 04    |  ................
  00 00 70 80 03 00 00 28 02 01 00 00 80 04 00 02    |  ..p....(........
  80 01 00 07 80 0e 00 c0 80 02 00 02 80 03 00 01    |  ................
  80 0b 00 01 00 0c 00 04 00 00 70 80 00 00 00 24    |  ..........p....$
  03 01 00 00 80 04 00 02 80 01 00 05 80 02 00 01    |  ................
  80 03 00 01 80 0b 00 01 00 0c 00 04 00 01 51 80    |  ..............Q.
  0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5    |  ........>.in.c..
  ec 42 7b 1f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f    |  .B{.....}...S..o
  2c 17 9d 92 15 52 9d 56 0d 00 00 14 4a 13 1c 81    |  ,....R.V....J...
  07 03 58 45 5c 57 28 f2 0e 95 45 2f 00 00 00 18    |  ..XE\W(...E/....
  40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3    |  @H..n...%.....
  c0 00 00 00                                        |  ....
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 00 00 00 00 00 00 00 00
    Next Payload: Security Association
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 244
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 132
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 120
        Proposal #: 1
        Protocol-Id: PROTO_ISAKMP
        SPI Size: 0
        # of transforms: 3
        Payload Transform
          Next Payload: Transform
          Reserved: 00
          Payload Length: 36
          Transform #: 1
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: SHA1
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 00 70 80
        Payload Transform
          Next Payload: Transform
          Reserved: 00
          Payload Length: 40
          Transform #: 2
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: AES-CBC
          Key Length: 192
          Hash Algorithm: SHA1
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 00 70 80
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 36
          Transform #: 3
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Group Description: Group 2
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: MD5
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 00 01 51 80
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Oakley proposal is acceptable
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 02 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal ver 03 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received NAT-Traversal RFC VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Fragmentation VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing IKE SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ISAKMP SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Fragmentation VID + extended capabilities payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Security Association
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 104
    Payload Security Association
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 52
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Proposal #: 1
        Protocol-Id: PROTO_ISAKMP
        SPI Size: 0
        # of transforms: 1
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 32
          Transform #: 1
          Transform-Id: KEY_IKE
          Reserved2: 0000
          Encryption Algorithm: 3DES-CBC
          Hash Algorithm: SHA1
          Group Description: Group 2
          Authentication Method: Preshared key
          Life Type: seconds
          Life Duration (Hex): 70 80
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 24
      Data (In Hex):
        40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
        c0 00 00 00
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  04 10 02 00 00 00 00 00 00 00 01 00 0a 00 00 84    |  ................
  00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3    |  ..*M.c.\......a.
  f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53    |  ...uc#?Y..WKY.`S
  0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa    |  ...+.1.uFW.[L...
  a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0    |  ..J.bh.ULT.ys...
  09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4    |  ...Z?.....M..{|.
  cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb    |  .....0[/O.V.....
  b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05    |  .... .A:........
  fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa    |  ......J.........
  0d 00 00 18 bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04    |  ........7..w....
  de c9 d3 1a b0 6f ee a8 0d 00 00 14 12 f5 f2 8c    |  .....o..........
  45 71 68 a9 70 2d 9f e2 74 cc 01 00 0d 00 00 0c    |  Eqh.p-..t.......
  09 00 26 89 df d6 b7 12 0d 00 00 14 2e 41 69 22    |  ..&..........Ai"
  3a a8 e7 0a cd 38 ba 43 ed f2 db 2c 00 00 00 14    |  :....8.C...,....
  1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00    |  .....e.....T*P..
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Key Exchange
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 256
    Payload Key Exchange
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 132
      Data:
        00 c8 2a 4d bf 63 9f 5c d3 b6 e9 fb 1e c9 61 b3
        f9 09 19 75 63 23 3f 59 ef c2 57 4b 59 9f 60 53
        0d d2 b5 2b b5 31 e8 75 46 57 ed 5b 4c f3 96 aa
        a5 c9 4a e7 62 68 e3 55 4c 54 ac 79 73 be ba f0
        09 fe d0 5a 3f 9c 9c 2e 90 88 4d db b0 7b 7c f4
        cc b4 07 1a 11 30 5b 2f 4f bd 56 b5 07 a3 9a cb
        b3 e3 c8 10 20 a5 41 3a f9 fe 1b ed f0 d7 fa 05
        fa df ef 8a 03 e9 4a 1c 09 ad 05 e6 02 f1 0a fa
    Payload Nonce
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 24
      Data:
        bc d2 18 cc 37 f5 cb 77 b6 e2 0a 04 de c9 d3 1a
        b0 6f ee a8
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Data (In Hex): 09 00 26 89 df d6 b7 12
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        2e 41 69 22 3a a8 e7 0a cd 38 ba 43 ed f2 db 2c
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing ISA_KE payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Cisco Unity client VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received xauth V6 VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing Cisco Unity VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing xauth V6 VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send IOS VID
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, constructing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Generating keys for Responder...
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Key Exchange
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 256
    Payload Key Exchange
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 132
      Data:
        27 62 7f 00 84 06 59 07 28 a1 05 9f 2a 13 ad ff
        47 10 99 27 68 01 2a c8 06 52 b8 55 0c 7d 82 3d
        31 94 0d 68 aa 98 5e 60 ee 2b 37 a5 0f ca 06 5c
        2a f7 83 bb 2e 8b 53 13 49 8b 4e 4c bf d1 34 67
        df ff 50 5b ab e9 f2 12 cb bd c2 0c ab 95 3a 39
        ca 60 31 7a d4 80 80 b6 0c 85 3e f5 16 fb f5 f8
        27 5d 28 b9 b1 2e b3 35 79 1a 9e f7 fd 13 8f f4
        5f 5d 53 93 74 6d d1 60 97 ca d2 bc b3 b4 e6 03
    Payload Nonce
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 24
      Data:
        a7 f8 48 c1 98 b4 cb 02 79 de ae 6e 59 3d 23 cb
        4c a1 7b 44
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Data (In Hex): 09 00 26 89 df d6 b7 12
    Payload Vendor ID
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        99 8a 8b d3 68 02 55 58 44 16 79 1c 51 be 23 8f
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        1f 07 f7 0e aa 65 14 d3 b0 fa 96 54 2a 50 01 00
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  05 10 02 01 00 00 00 00 00 00 00 64 8f a8 6e 03    |  ...........d..n.
  81 b9 24 e5 f0 ba ca 1a 0f fa 5a a1 3c 2d 61 1a    |  ..$.......Z.<-a.
  7d 48 b0 0c 7f 09 bc 82 9b b1 25 b4 f6 04 45 a0    |  }H......%...E.
  13 12 27 ff 7a 41 9f e9 8e 96 c2 80 b9 59 b0 ec    |  ..'.zA.......Y..
  40 e3 95 4d 96 ef eb ce e2 fb d9 45 83 50 0d e7    |  @..M.......E.P..
  9c c7 70 7f                                        |  ..
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
  AFTER DECRYPTION
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
    Payload Identification
      Next Payload: Hash
      Reserved: 00
      Payload Length: 12
      ID Type: IPv4 Address (1)
      Protocol ID (UDP/TCP, etc...): 17
      Port: 500
      ID Data: 1.1.1.2
    Payload Hash
      Next Payload: IOS Proprietary Keepalive or CHRE
      Reserved: 00
      Payload Length: 24
      Data:
        f4 40 eb 6b 55 f0 19 cd 10 81 e6 53 cf 23 75 c5
        45 ab 7f 3d
    Payload IOS Proprietary Keepalive or CHRE
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Default Interval: 32767
      Retry Interval: 32767
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
  1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing VID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Received DPD VID
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Connection landed on tunnel_group 1.1.1.2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing ID payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Computing hash for ISAKMP
  Jun 20 16:29:42 [IKEv1 DEBUG]: IP = 1.1.1.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing dpd vid payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
  BEFORE ENCRYPTION
  RAW PACKET DUMP on SEND
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  05 10 02 00 00 00 00 00 1c 00 00 00 08 00 00 0c    |  ................
  01 11 01 f4 c2 9f 09 02 80 00 00 18 58 00 80 06    |  ............X...
  e9 66 ba 20 1e ba 79 c8 16 85 2d 2f a0 96 b4 e5    |  .f. ..y...-/....
  0d 00 00 0c 80 00 7f ff 80 00 7f ff 00 00 00 14    |  ............
  af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00    |  ....h...k...wW..
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (none)
    MessageID: 00000000
    Length: 469762048
    Payload Identification
      Next Payload: Hash
      Reserved: 00
      Payload Length: 12
      ID Type: IPv4 Address (1)
      Protocol ID (UDP/TCP, etc...): 17
      Port: 500
      ID Data: 1.1.1.1
    Payload Hash
      Next Payload: IOS Proprietary Keepalive or CHRE
      Reserved: 00
      Payload Length: 24
      Data:
        58 00 80 06 e9 66 ba 20 1e ba 79 c8 16 85 2d 2f
        a0 96 b4 e5
    Payload IOS Proprietary Keepalive or CHRE
      Next Payload: Vendor ID
      Reserved: 00
      Payload Length: 12
      Default Interval: 32767
      Retry Interval: 32767
    Payload Vendor ID
      Next Payload: None
      Reserved: 00
      Payload Length: 20
      Data (In Hex):
        af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
  SENDING PACKET to 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Identification
    Version: 1.0
    Exchange Type: Identity Protection (Main Mode)
    Flags: (Encryption)
    MessageID: 00000000
    Length: 100
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 27360 seconds.
  IKE Recv RAW packet dump
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58    |  ...?:...lM,.h.UX
  08 10 20 01 56 e5 a4 1e 00 00 01 4c d2 44 3e 24    |  .. .V......L.D>$
  87 96 a1 fe d1 a3 d3 a3 ed 59 45 2d 53 be 17 9f    |  .........YE-S...
  42 72 2b a3 5f f8 5e 41 5a 62 25 0c 5d bf 6c 2a    |  Br+._.^AZb%.].l*
  e6 e0 1f 77 d5 ed c8 1c 06 cb ef f2 58 07 1d 35    |  ...w........X..5
  a9 d5 7b 86 24 05 88 32 e7 33 6f f2 f7 9d 70 07    |  ..{.$..2.3o...p.
  18 40 51 77 7d 7e 6c 77 55 d9 18 7a 57 5d b9 88    |  .@Qw}~lwU..zW]..
  6c a6 d5 f3 60 5e 14 4f da cb 42 65 88 d6 75 0e    |  l...`^.O..Be..u.
  22 1c bb 89 1f 57 bd c2 f2 46 30 31 30 9c 63 e6    |  "....W...F010.c.
  e2 e9 5b 68 71 f2 ed 69 f1 eb a7 65 2d b2 31 85    |  ..[hq..i...e-.1.
  31 93 0a c1 21 44 57 de ad 8b 79 5e 3d 36 5c 44    |  1...!DW...y^=6\D
  88 23 a8 44 76 2c d6 c2 ed 31 2d 69 b1 50 26 9f    |  .#.Dv,...1-i.P&.
  ee 48 3e c4 dd 0d 40 8f 65 d2 fb 82 19 42 b7 0f    |  .H>[email protected]..
  a0 74 b3 e6 df dd 16 c4 fa ca bf d2 b6 33 b0 5f    |  .t...........3._
  d6 59 4f 6a 84 9e 0d 76 a4 d6 d3 94 67 bc 9c df    |  .YOj...v....g...
  33 20 48 61 d7 80 b6 97 0d a9 32 48 7d 5b 79 8b    |  3 Ha......2H}[y.
  7b bc e0 9b b4 5d ed 49 04 6b 5d 72 d7 5b 82 90    |  {....].I.k]r.[..
  47 e5 65 64 a9 25 ce 2f 3f a2 ca 98 b1 0b ff 01    |  G.ed.%./?.......
  9c 32 64 5c dd 9c 26 71 c4 59 cd 52 da 1f b9 23    |  .2d\..&q.Y.R...#
  32 dd d8 a5 d1 1c 2a d0 0f ef 2b 26 66 c0 14 48    |  2.....*...+&f..H
  52 35 3a ee 36 a6 00 df a5 d6 6b 42                |  R5:.6.....kB
  RECV PACKET from 1.1.1.2
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 56E5A41E
    Length: 332
  Jun 20 16:29:42 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 56e5a41e
  AFTER DECRYPTION
  ISAKMP Header
    Initiator COOKIE: db 86 ce 3f 3a a9 e7 0a
    Responder COOKIE: 6c 4d 2c ce 68 03 55 58
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 56E5A41E
    Length: 332
    Payload Hash
      Next Payload: Security Association
      Reserved: 00
      Payload Length: 24
      Data:
        78 09 81 d2 54 22 37 a1 b0 a8 53 cf df d4 1e fb
        4a 7b 99 f7
    Payload Security Association
      Next Payload: Nonce
      Reserved: 00
      Payload Length: 64
      DOI: IPsec
      Situation:(SIT_IDENTITY_ONLY)
      Payload Proposal
        Next Payload: None
        Reserved: 00
        Payload Length: 52
        Proposal #: 1
        Protocol-Id: PROTO_IPSEC_ESP
        SPI Size: 4
        # of transforms: 1
        SPI: b2 c1 66 6e
        Payload Transform
          Next Payload: None
          Reserved: 00
          Payload Length: 40
          Transform #: 1
          Transform-Id: ESP_3DES
          Reserved2: 0000
          Life Type: Seconds
          Life Duration (Hex): 70 80
          Life Type: Kilobytes
          Life Duration (Hex): 00 46 50 00
          Encapsulation Mode: Tunnel
          Authentication Algorithm: MD5
          Group Description: Group 2
    Payload Nonce
      Next Payload: Key Exchange
      Reserved: 00
      Payload Length: 24
      Data:
        1e 43 34 fa cc 9f 77 65 45 7c b6 18 2f 18 fd a9
        86 e6 58 42
    Payload Key Exchange
      Next Payload: Identification
      Reserved: 00
      Payload Length: 132
      Data:
        3c 26 4c 94 68 33 4b 2d ce 37 4a d2 8c 62 ab 6b
        e6 d4 d2 8a df 70 bc 67 62 ca 96 8c 3b 30 cd 58
        54 55 71 0f 9e bc da 63 a9 68 86 fd ba 7a 13 f3
        e9 51 e9 a4 13 b0 b0 20 45 cf 1f 36 1e 95 95 c9
        dd 92 c9 cd 2b 33 2d 4b 7e bd ed d4 ec bf 54 b9
        6e 13 7f 17 dc 28 61 5d 46 fe 1d ba 88 e5 ca 70
        40 59 12 c1 0c 3a 51 7f ae 5f e2 95 73 bc c9 16
        67 ce 38 82 e7 b3 1b 6a 39 05 46 71 b8 da c3 57
    Payload Identification
      Next Payload: Identification
      Reserved: 00
      Payload Length: 16
      ID Type: IPv4 Subnet (4)
      Protocol ID (UDP/TCP, etc...): 0
      Port: 0
      ID Data: 10.99.99.0/255.255.255.0
    Payload Identification
      Next Payload: Notification
      Reserved: 00
      Payload Length: 16
      ID Type: IPv4 Subnet (4)
      Protocol ID (UDP/TCP, etc...): 0
      Port: 0
      ID Data: 10.1.1.0/255.255.255.0
    Payload Notification
      Next Payload: None
      Reserved: 00
      Payload Length: 28
      DOI: IPsec
      Protocol-ID: PROTO_ISAKMP
      Spi Size: 16
      Notify Type: STATUS_INITIAL_CONTACT
      SPI:
        db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55 58
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=56e5a41e) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 332
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.99.99.0--255.255.255.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote IP Proxy Subnet data in ID Payload:   Address 10.99.99.0, Mask 255.255.255.0, Protocol 0, Port 0
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
  Jun 20 16:29:42 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local IP Proxy Subnet data in ID Payload:   Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 1...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 1, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 2...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 2, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 3...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 3, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 35...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 35, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 40...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 40, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = vpntunnelmap, seq = 41...
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = vpntunnelmap, seq = 41, ACL does not match proxy IDs src:10.99.99.0 dst:10.1.1.0
  Jun 20 16:29:42 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.99.99.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface thus
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, sending notify message
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing blank hash payload
  Jun 20 16:29:42 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
  Jun 20 16:29:42 [IKEv1]: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7ecccf15) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 384
  BEFORE ENCRYPTION
  RAW PACKET DUMP on SEND
  db 86 ce 3f 3a a9 e7 0a 6c 4d 2c ce 68 03 55
  IKE Recv RAW packet dump

• Site to site VPN between cisco asa 5550 and checkpoint r75

  Hi all ,
  below is cisco asa config for our customer end:
  crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
  crypto ipsec security-association lifetime seconds 3600
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
  What should i configure on checkpoint for first phase and second phase ?
  Regards,
  Suhail

  In checkpoint VPN community, default setting for phase 1 is 86400 seconds so you're good there.  Phase II default is 28,800 so  you need to edit the parameter and change it to 3600.  the rest is the same as cisco with the exception of the lifetime in kilobytes which CP does not have
  Easy right?

• Site to Site VPN between Cisco ASA 5520 and Avaya VPN Phone

  Hi,
  I am wondering if anyone can assist me on configuring Cisco ASA 5520 site to site vpn with Avaya VPN Phone? According to Avaya, the Avaya 9630 phone acts as a VPN client so a VPN router or firewall is not needed.
  The scanario:
  Avaya System ------ ASA 5520 ------ INTERNET ----- Avaya 9630 VPN Phone
  Any help or advice is much appreciated.
  Thanks.

  Hello Bernard,
  What you are looking for is a Remote Ipsec VPN mode not a L2L.
  Here is the link you should use to make this happen:)
  https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf
  Regards,
  Julio

• Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic

  hello,
  i am setting up a site to site vpn between two asa 5505's.  the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point.  i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated.  i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
  FYI the asa's are different versions, one is 9.2 the other is 8.2
  Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
  Site A running config:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(2)
  hostname csol-asa
  enable password WI19w3dXj6ANP8c6 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 192.168.1.0 san_antonio_inside
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.2.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 1.1.1.1 255.255.255.248
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns server-group DefaultDNS
   name-server 24.93.41.125
   name-server 24.93.41.126
  object-group network NETWORK_OBJ_192.168.2.0_24
  access-list inside_access_out extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in_1 extended permit icmp any interface outside
  access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 8100
  access-list outside_access_in_1 extended permit udp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
  access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
  access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
  access-list outside_access_in_1 extended permit tcp any interface outside eq www
  access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
  access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
  access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (inside) 2 interface
  global (outside) 101 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 101 0.0.0.0 0.0.0.0
  static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
  static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
  static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
  static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
  static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
  static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
  access-group inside_access_out out interface inside
  access-group outside_access_in_1 in interface outside
  route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  http 2.2.2.2 255.255.255.255 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map1 1 match address outside_1_cryptomap_1
  crypto map outside_map1 1 set peer 2.2.2.2
  crypto map outside_map1 1 set transform-set ESP-3DES-SHA
  crypto map outside_map1 interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd address 192.168.2.30-192.168.2.155 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain corporatesolutionsfw.local interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key *****
  prompt hostname context
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:021cf43a4211a99232849372c380dda2
  : end
  Site A sh crypto isakmp sa:
  Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 2.2.2.2
      Type    : L2L             Role    : responder
      Rekey   : no              State   : MM_ACTIVE
  Site A sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
        access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
        current_peer: 2.2.2.2
        #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
        #pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
        path mtu 1500, ipsec overhead 58, media mtu 1500
        current outbound spi: C1074C40
        current inbound spi : B21273A9
      inbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914989/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0xFFFFFFFF 0xFFFFFFFF
      outbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, }
           slot: 0, conn_id: 1691648, crypto-map: outside_map1
           sa timing: remaining key lifetime (kB/sec): (3914999/27694)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001
  Site B running config:
  Result of the command: "sh run"
  : Saved
  : Serial Number: JMX184640WY
  : Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  ASA Version 9.2(2)4
  hostname CSOLSAASA
  enable password WI19w3dXj6ANP8c6 encrypted
  xlate per-session deny tcp any4 any4
  xlate per-session deny tcp any4 any6
  xlate per-session deny tcp any6 any4
  xlate per-session deny tcp any6 any6
  xlate per-session deny udp any4 any4 eq domain
  xlate per-session deny udp any4 any6 eq domain
  xlate per-session deny udp any6 any4 eq domain
  xlate per-session deny udp any6 any6 eq domain
  names
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
   nameif inside
   security-level 100
   ip address 192.168.1.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 2.2.2.2 255.255.255.248
  ftp mode passive
  object network NETWORK_OBJ_192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network mcallen_network
   subnet 192.168.2.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
  access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-731-101.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
  crypto ipsec ikev2 ipsec-proposal DES
   protocol esp encryption des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
   protocol esp encryption 3des
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
   protocol esp encryption aes
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
   protocol esp encryption aes-192
   protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
   protocol esp encryption aes-256
   protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto map outside_map3 1 match address outside_cryptomap
  crypto map outside_map3 1 set peer 1.1.1.1
  crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map3 interface outside
  crypto ca trustpool policy
  crypto ikev2 policy 1
   encryption aes-256
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 10
   encryption aes-192
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 20
   encryption aes
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 30
   encryption 3des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 policy 40
   encryption des
   integrity sha
   group 5 2
   prf sha
   lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 120
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh stricthostkeycheck
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 192.168.1.200-192.168.1.250 inside
  dhcpd dns 24.93.41.125 24.93.41.126 interface inside
  dhcpd domain CSOLSA.LOCAL interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
   anyconnect-essentials
  group-policy DfltGrpPolicy attributes
   vpn-tunnel-protocol ikev1
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   ikev1 pre-shared-key *****
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  no call-home reporting anonymous
  call-home
   profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
  : end
  Site B sh crypto isakmp sa:
  Result of the command: "sh crypto isakmp sa"
  IKEv1 SAs:
     Active SA: 1
      Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
  Total IKE SA: 1
  1   IKE Peer: 1.1.1.1
      Type    : L2L             Role    : initiator
      Rekey   : no              State   : MM_ACTIVE
  There are no IKEv2 SAs
  Site B sh ipsec sa:
  Result of the command: "sh ipsec sa"
  interface: outside
      Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
        access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
        local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
        remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
        current_peer: 1.1.1.1
        #pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
        #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
        #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
        #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
        #TFC rcvd: 0, #TFC sent: 0
        #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
        #send errors: 0, #recv errors: 0
        local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
        path mtu 1500, ipsec overhead 58(36), media mtu 1500
        PMTU time remaining (sec): 0, DF policy: copy-df
        ICMP error validation: disabled, TFC packets: disabled
        current outbound spi: B21273A9
        current inbound spi : C1074C40
      inbound esp sas:
        spi: 0xC1074C40 (3238480960)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373999/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000003
      outbound esp sas:
        spi: 0xB21273A9 (2987553705)
           transform: esp-3des esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv1, }
           slot: 0, conn_id: 28672, crypto-map: outside_map3
           sa timing: remaining key lifetime (kB/sec): (4373987/27456)
           IV size: 8 bytes
           replay detection support: Y
           Anti replay bitmap:
            0x00000000 0x00000001

  Hi Keegan,
  Your tunnel is up and encrypting traffic one way, the other end is not able to encrypt the traffic.
  I would suggest to do a 'clear xlate'?  Sometimes if you setup the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
  HTH
  "Please rate useful posts"

• VPN PROBLEM CISCO ASA 5505

      Hello,  I have been trying to configure a VPN with Cisco Asa 5505 and Cisco VPN client 5.X for 3 weeks and I am not being able to accomplish it, so I decided to reset to factory defaults and start over again.
       I used ASDM 6.4 VPN wizard to configure it (I selected exempt local network from NAT and enabled split tunneling, but I have tried other combinations as well).
       Tunnel seems to be established properly since I do see an endpoint while using 'sh crypto isakmp sa' but 'sh crypto ipsec sa' shows no packets encrypted or decrypted, so VPN is not working as expected. I can't ping or rdp to internal LAN:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
       The running-config it created is:
  ciscoasa# sh run
  : Saved
  ASA Version 8.4(2)
  hostname ciscoasa
  enable password XXXX encrypted
  passwd XXXX encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.16.1.254 255.255.0.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ADSL_Telefonica
  ip address pppoe setroute
  ftp mode passive
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network NETWORK_OBJ_10.0.0.0_24
  subnet 10.0.0.0 255.255.255.0
  object network NETWORK_OBJ_172.16.0.0_16
  subnet 172.16.0.0 255.255.0.0
  access-list test_splitTunnelAcl standard permit 172.16.0.0 255.255.0.0
  pager lines 24
  logging asdm informational
  mtu outside 1500
  mtu inside 1500
  ip local pool test 10.0.0.1-10.0.0.254 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static NETWORK_OBJ_172.16.0.0_16 NETWORK_OBJ_172.16.0.0_16 destination static NETWORK_OBJ_10.0.0.0_24 NETWORK_OBJ_10.0.0.0_24 no-proxy-arp route-lookup
  object network obj_any
  nat (inside,outside) dynamic interface
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  http server enable
  http 172.16.0.0 255.255.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet 172.16.0.0 255.255.0.0 inside
  telnet timeout 55
  ssh 172.16.0.0 255.255.0.0 inside
  ssh timeout 55
  console timeout 0
  vpdn group ADSL_Telefonica request dialout pppoe
  vpdn group ADSL_Telefonica localname adslppp@telefonicanetpa
  vpdn group ADSL_Telefonica ppp authentication pap
  vpdn username adslppp@telefonicanetpa password *****
  dhcpd auto_config outside
  dhcpd address 172.16.2.2-172.16.2.129 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy test internal
  group-policy test attributes
  dns-server value 172.16.1.1
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value test_splitTunnelAcl
  username test password XXXXXX encrypted privilege 0
  username test attributes
  vpn-group-policy test
  username ignacio password XXXXXXX encrypted
  tunnel-group test type remote-access
  tunnel-group test general-attributes
  address-pool test
  default-group-policy test
  tunnel-group test ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c8935bd572dfd37e81c6aa9f9dc8207c
  : end
  Thank you very much for your help

  Yes, it was a VPN client problem. I was doing test with a WWAN card and it seems it is not compatible with windows 7.
  • The VPN Client on Windows 7 does not support WWAN devices (also called wireless data cards).
  I should have read Release Notes before. Thank you very much for your help and effort.

• Site-to-site vpn with 2 asa and home router

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

  I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
  Internal Network              Local ASA                   ISP1      ISP2          Remote Router                       Remote ASA                 Remote Network
  192.168.1.0/24         local-gateway/public ip                                 public ip/192.168.0.1/24     192.168.0.10/10.10.10.254         10.10.10.0/24
  10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
  192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
  Below are the configs of the local and remote asa. any help would be greatly appreaciated.
  local-asa
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.6 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address dhcp setroute
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Switch
  host 192.168.1.5
  description 2960-24 Switch
  object network NETWORK_OBJ_192.168.1.0_24
  subnet 192.168.1.0 255.255.255.0
  object network Mark_Public
  host 76.98.2.63
  description Mark Public
  object network Mark
  subnet 10.10.10.0 255.255.255.0
  description Marks Network
  object network Mark_routed_subnet
  subnet 192.168.0.0 255.255.255.0
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
  access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
  access-list Home standard permit 192.168.1.0 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp deny any outside
  asdm image disk0:/asdm-711.bin
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
  route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
  aaa-server Radius protocol radius
  aaa-server Radius (inside) host 192.168.1.101
  key *****
  user-identity default-domain LOCAL
  aaa authentication ssh console Radius LOCAL
  aaa authentication telnet console Radius LOCAL
  aaa authentication enable console Radius LOCAL
  aaa authentication http console Radius LOCAL
  aaa authentication serial console Radius LOCAL
  aaa accounting enable console Radius
  aaa accounting serial console Radius
  aaa accounting ssh console Radius
  aaa accounting telnet console Radius
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 66.162.9.0 255.255.255.0 outside
  http 76.98.2.63 255.255.255.255 outside
  http 10.10.10.0 255.255.255.0 inside
  snmp-server host inside 192.168.1.101 community *****
  snmp-server location 149 Cinder Cross
  snmp-server contact Ted Stout
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  snmp-server enable traps syslog
  snmp-server enable traps ipsec start stop
  snmp-server enable traps entity config-change
  snmp-server enable traps memory-threshold
  snmp-server enable traps interface-threshold
  snmp-server enable traps cpu threshold rising
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association pmtu-aging infinite
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map0 1 match address outside_cryptomap
  crypto map outside_map0 1 set peer 76.98.2.63
  crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map0 interface outside
  crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map inside_map interface inside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment self
  subject-name CN=stout-fw
  keypair vpn.stoutte.homeip.net
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  crl configure
  crypto ca trustpoint Home--Server-CA
  enrollment terminal
  subject-name CN=stout-fw,O=home
  keypair HOME-SERVER-CA
  crl configure
  crypto ca trustpoint HOME-SSL
  enrollment terminal
  fqdn stoutfw.homeip.net
  subject-name CN=stoutfw,O=Home
  keypair HOME-SSL
  no validation-usage
  crl configure
  crypto ca trustpoint SelfSigned
  enrollment self
  fqdn stoutfw.homeip.net
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpoint ASDM_TrustPoint2
  enrollment self
  fqdn 192.168.1.6
  subject-name CN=stout-fw
  keypair SelfSigned
  crl configure
  crypto ca trustpool policy
  crypto ikev2 enable outside client-services port 443
  crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
  crypto ikev1 enable inside
  crypto ikev1 enable outside
  telnet 192.168.1.0 255.255.255.0 inside
  telnet timeout 20
  ssh 192.168.1.0 255.255.255.0 inside
  ssh timeout 5
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 192.168.1.5 source inside prefer
  ssl trust-point SelfSigned outside
  ssl trust-point ASDM_TrustPoint2 inside
  group-policy DfltGrpPolicy attributes
  vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
  username stoutte attributes
  webvpn
    anyconnect keep-installer installed
    anyconnect profiles value VPN_client_profile type user
  tunnel-group 76.98.2.63 type ipsec-l2l
  tunnel-group 76.98.2.63 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 76.98.2.63 ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  authentication-server-group Radius LOCAL
  default-group-policy GroupPolicy_VPN
  dhcp-server link-selection 192.168.1.101
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  remote-asa
  : Saved
  ASA Version 9.1(1)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.10.10.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.0.10 255.255.255.0
  ftp mode passive
  clock timezone EDT -5
  clock summer-time EDT recurring
  dns server-group DefaultDNS
  domain-name netlab.com
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Ted
  subnet 192.168.1.0 255.255.255.0
  description Teds Network
  object network Ted_Public
  host 24.163.116.187
  object network outside_private
  subnet 192.168.0.0 255.255.255.0
  object network NETWORK_OBJ_10.10.10.0_24
  subnet 10.10.10.0 255.255.255.0
  access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
  access-list outside_access_in extended permit icmp any4 any4 echo-reply
  access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
  access-list outside_access_in extended permit ip object Ted_Public any
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  logging debug-trace
  nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
  route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 24.163.116.187 255.255.255.255 outside
  http 192.168.0.0 255.255.255.0 outside
  http 10.10.10.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  crypto map outside_map2 1 match address outside_cryptomap
  crypto map outside_map2 1 set peer 24.163.116.187
  crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
  crypto map outside_map2 interface outside
  crypto ikev2 enable outside
  crypto ikev2 enable inside
  crypto ikev1 enable outside
  crypto ikev1 enable inside
  ssh 10.10.10.0 255.255.255.0 inside
  ssh timeout 30
  console timeout 0
  dhcpd address 10.10.10.1-10.10.10.20 inside
  dhcpd enable inside
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
  tunnel-group 24.163.116.187 type ipsec-l2l
  tunnel-group 24.163.116.187 general-attributes
  default-group-policy GroupPolicy1
  tunnel-group 24.163.116.187 ipsec-attributes
  ikev1 pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
  : end
  no asdm history enable

• Remote Access VPN on Cisco ASA Problem

  Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
  Problem is that my internet has stopped working, and default route is just showing stars.
  i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
  what additional required to force my internet to go to regular internet instead of getting encrypted?
  Also attaching output of route print at the point when VPN is connected.
  ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
  crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
  crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
  crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
  crypto map VPN_MAP interface outside
  isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  tunnel-group ITT_RA type remote-access
  tunnel-group ITT_RA general-attributes
  address-pool RA_VPN_POOL
  default-group-policy RA_VPN_GP
  tunnel-group ITT_RA ipsec-attributes
  pre-shared-key <group key>
  group-policy RA_VPN_GP internal
  group-policy RA_VPN_GP attributes
  dns-server value 10.0.0.1 10.0.0.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain value mydomain.com
  address-pools value RA_VPN_POOL
  access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  nat (inside) 0 access-list nonattest
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
            0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
         10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
       10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
       10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
      10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
        10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

  Hi, i configured Remote access VPN on Cisco ASA 8.x as per below configuration.
  Problem is that my internet has stopped working, and default route is just showing stars.
  i can ping internal server 10.110.10.150 fine , which i allowed on VPN ACL, but my other traffic not going to regular internet on my laptop,
  what additional required to force my internet to go to regular internet instead of getting encrypted?
  Also attaching output of route print at the point when VPN is connected.
  ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
  crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
  crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000
  crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
  crypto map VPN_MAP interface outside
  isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  tunnel-group ITT_RA type remote-access
  tunnel-group ITT_RA general-attributes
  address-pool RA_VPN_POOL
  default-group-policy RA_VPN_GP
  tunnel-group ITT_RA ipsec-attributes
  pre-shared-key <group key>
  group-policy RA_VPN_GP internal
  group-policy RA_VPN_GP attributes
  dns-server value 10.0.0.1 10.0.0.2
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_Tunnel_List
  default-domain value mydomain.com
  address-pools value RA_VPN_POOL
  access-list Split_Tunnel_List extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  access-list nonattest extended permit ip host 10.110.10.150 10.1.200.0 255.255.255.0
  nat (inside) 0 access-list nonattest
  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0      10.111.36.1      10.111.36.9          276
            0.0.0.0          0.0.0.0         On-link      10.1.200.100            20
         10.1.200.0    255.255.255.0         On-link      10.1.200.100    276
       10.1.200.100  255.255.255.255         On-link      10.1.200.100    276
       10.1.200.255  255.255.255.255         On-link      10.1.200.100    276
      10.110.10.150  255.255.255.255       10.1.200.1     10.1.200.100    100
        10.111.36.0    255.255.255.0         On-link       10.111.36.9    276

• Need help setting up site-to-site VPN between two ASA 5505's

  We have been pulling our hair outtrying to solve this. Below is the running configs for both Sites. We have always used Junipers prior to this. It does not appear that the tunnel is getting created. Any help would be greatly appreciated
  Basic
  Network A: (Dallas)
  10.180.1.0 / 24
  Network B: (Georgia)
  10.180.2.0 /24
  Running Config on Dallas ASA
  : Saved
  ASA Version 8.4(4)1
  hostname ACH-DALLAS
  enable password baW0bWk3Oyn6cZhc encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.180.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 71.123.179.111 255.255.255.0
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns domain-lookup inside
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Route
  subnet 0.0.0.0 0.0.0.0
  object network Outside
  host 71.123.179.111
  object network Server
  host 10.180.1.3
  object service FTP
  service tcp source range ftp-data ftp destination range ftp-data ftp
  description FTP
  object network FTP_Server
  host 10.180.1.3
  description FTP Server
  object network Site-A-Dallas-Subnet
  subnet 10.180.1.0 255.255.255.0
  description Dallas
  object network Site-B-Georgia-Firewall
  host 173.227.90.194
  description Georgia Firewall
  object network Site-B-Georgia-Subnet
  subnet 10.180.2.0 255.255.255.0
  description Georgia
  object network Georgia
  subnet 10.180.2.0 255.255.255.0
  object network Dallas
  subnet 10.180.1.0 255.255.255.0
  object-group service DM_INLINE_TCP_1 tcp
  port-object eq ftp
  port-object eq ftp-data
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit ip any any
  access-list outside_access_in extended permit tcp any object FTP_Server object-group DM_INLINE_TCP_1
  access-list outside_1_cryptomap extended permit ip object Georgia object Dallas
  access-list outside_cryptomap extended permit ip object Dallas object Georgia
  pager lines 24
  logging enable
  logging asdm debugging
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static Dallas Dallas destination static Georgia Georgia no-proxy-arp route-lookup
  object network FTP_Server
  nat (inside,outside) static interface service tcp ftp ftp
  nat (inside,outside) after-auto source static any interface destination static obj_any obj_any
  nat (inside,outside) after-auto source static any interface service FTP FTP
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 71.123.179.1 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.180.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec security-association replay window-size 1024
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 173.227.90.194
  crypto map outside_map 1 set ikev1 phase1-mode aggressive
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
  crypto map outside_map 1 set ikev2 pre-shared-key *****
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.180.1.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.180.1.51-10.180.1.254 inside
  dhcpd dns 68.237.112.12 68.238.96.12 interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics port
  threat-detection statistics protocol
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server 64.147.116.229 source outside prefer
  webvpn
  group-policy GroupPolicy_173.227.90.194 internal
  group-policy GroupPolicy_173.227.90.194 attributes
  vpn-tunnel-protocol ikev1 ikev2
  tunnel-group 173.227.90.194 type ipsec-l2l
  tunnel-group 173.227.90.194 general-attributes
  default-group-policy GroupPolicy_173.227.90.194
  tunnel-group 173.227.90.194 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:8f338f323a8f642808bd20965b793291
  : end
  no asdm history enable
  Running Config on Georgia ASA
  : Saved
  ASA Version 8.4(4)1
  hostname ACHGeorgia
  enable password 8Ry2YjIyt7RRXU24 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.180.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 173.227.90.194 255.255.255.224
  ftp mode passive
  clock timezone CST -6
  clock summer-time CDT recurring
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 216.136.95.2
  name-server 64.132.94.250
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Site-A-Dallas-Firewall
  host 71.123.179.111
  description Dallas Firewall
  object network Site-A-Dallas-Subnet
  subnet 10.180.1.0 255.255.255.0
  description Dallas
  object network Site-B-Georgia-Subnet
  subnet 10.180.2.0 255.255.255.0
  description Georgia
  object network Georgia
  subnet 10.180.2.0 255.255.255.0
  object network Dallas
  subnet 10.180.1.0 255.255.255.0
  access-list inside_access_in extended permit ip any any
  access-list outside_access_in extended permit ip any any
  access-list outside_1_cryptomap extended permit ip object Dallas object Georgia
  access-list outside_cryptomap extended permit ip object Georgia object Dallas
  pager lines 24
  logging enable
  logging asdm debugging
  mtu inside 1500
  mtu outside 1500
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static any interface destination static obj_any any
  nat (any,outside) source dynamic any interface
  nat (inside,outside) source static Georgia Georgia destination static Dallas Dallas no-proxy-arp route-lookup
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 173.227.90.193 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.180.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set pfs
  crypto map outside_map 1 set peer 71.123.179.111
  crypto map outside_map 1 set ikev1 phase1-mode aggressive
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 1 set ikev2 pre-shared-key *****
  crypto map outside_map interface outside
  crypto ca trustpoint _SmartCallHome_ServerCA
  crl configure
  crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
      308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
      0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
      30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
      13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
      0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
      20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
      65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
      65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
      30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
      30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
      496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
      74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
      68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
      3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
      63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
      0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
      a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
      9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
      7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
      15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
      63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
      18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
      4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
      81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
      db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
      7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
      ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
      45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
      2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
      1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
      03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
      69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
      02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
      6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
      c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
      69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
      1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
      551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
      1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
      2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
      4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
      b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
      6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
      481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
      b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
      5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
      6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
      6c2527b9 deb78458 c61f381e a4c4cb66
    quit
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 10.180.2.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd address 10.180.2.51-10.180.2.254 inside
  dhcpd dns 216.136.95.2 64.132.94.250 interface inside
  dhcpd enable inside
  dhcpd dns 216.136.95.2 64.132.94.250 interface outside
  no threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  group-policy GroupPolicy_71.123.179.111 internal
  group-policy GroupPolicy_71.123.179.111 attributes
  vpn-tunnel-protocol ikev1 ikev2
  tunnel-group 71.123.179.111 type ipsec-l2l
  tunnel-group 71.123.179.111 general-attributes
  default-group-policy GroupPolicy_71.123.179.111
  tunnel-group 71.123.179.111 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
  service-policy global_policy global
  prompt hostname context
  call-home reporting anonymous
  Cryptochecksum:8bf23063c95795ec4cd59cc0e051097f
  : end
  no asdm history enable

  I am fairly new to cisco. I dont have a direct terminal connection. I ran the debug command above and through the GUI I saved these two log files. When I started logging I sent a ping packet to the other side. I can see that the Dallas location attempted to create a tunnel. When I did the same thing from Georgia it did not appear to even attempt to create a tunnel. The other thing I am seeing is that on the Georgia ASA under monitoring->VPN->Sessions there is no status to the right. On the Dallas side I see that there is 1 inactive tunnel. Any suggestions
  Log file from Dallas:
  6|Jan 23 2013|13:43:28|106015|209.221.63.27|143|71.123.179.111|2347|Deny TCP (no connection) from 209.221.63.27/143 to 71.123.179.111/2347 flags FIN ACK  on interface outside
  6|Jan 23 2013|13:43:28|302014|209.221.63.27|143|10.180.1.55|2347|Teardown TCP connection 37396 for outside:209.221.63.27/143 to inside:10.180.1.55/2347 duration 0:00:04 bytes 1603 TCP FINs
  6|Jan 23 2013|13:43:28|302013|10.180.1.55|2348|209.221.63.27|143|Built outbound TCP connection 37398 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2348 (71.123.179.111/2348)
  7|Jan 23 2013|13:43:26|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:24|302013|10.180.1.55|2347|209.221.63.27|143|Built outbound TCP connection 37396 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2347 (71.123.179.111/2347)
  6|Jan 23 2013|13:43:22|302013|10.180.1.55|2346|209.221.63.27|143|Built outbound TCP connection 37395 for outside:209.221.63.27/143 (209.221.63.27/143) to inside:10.180.1.55/2346 (71.123.179.111/2346)
  7|Jan 23 2013|13:43:21|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:21|302014|209.221.62.17|80|10.180.1.58|2982|Teardown TCP connection 37393 for outside:209.221.62.17/80 to inside:10.180.1.58/2982 duration 0:00:00 bytes 1387 TCP FINs
  6|Jan 23 2013|13:43:21|302013|10.180.1.58|2982|209.221.62.17|80|Built outbound TCP connection 37393 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2982 (71.123.179.111/2982)
  6|Jan 23 2013|13:43:18|302014|209.221.62.17|80|10.180.1.58|2981|Teardown TCP connection 37392 for outside:209.221.62.17/80 to inside:10.180.1.58/2981 duration 0:00:00 bytes 668 TCP FINs
  6|Jan 23 2013|13:43:17|302013|10.180.1.58|2981|209.221.62.17|80|Built outbound TCP connection 37392 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2981 (71.123.179.111/2981)
  7|Jan 23 2013|13:43:16|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:14|302014|209.221.62.17|80|10.180.1.58|2978|Teardown TCP connection 37390 for outside:209.221.62.17/80 to inside:10.180.1.58/2978 duration 0:00:02 bytes 59217 TCP FINs
  6|Jan 23 2013|13:43:12|302013|10.180.1.58|2978|209.221.62.17|80|Built outbound TCP connection 37390 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2978 (71.123.179.111/2978)
  7|Jan 23 2013|13:43:12|752008|||||Duplicate entry already in Tunnel Manager
  6|Jan 23 2013|13:43:07|302014|209.221.63.27|143|10.180.1.55|2328|Teardown TCP connection 37129 for outside:209.221.63.27/143 to inside:10.180.1.55/2328 duration 0:10:40 bytes 17496 TCP FINs
  6|Jan 23 2013|13:43:04|302014|209.221.62.17|80|10.180.1.58|2977|Teardown TCP connection 37388 for outside:209.221.62.17/80 to inside:10.180.1.58/2977 duration 0:00:01 bytes 28170 TCP FINs
  6|Jan 23 2013|13:43:02|302013|10.180.1.58|2977|209.221.62.17|80|Built outbound TCP connection 37388 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2977 (71.123.179.111/2977)
  6|Jan 23 2013|13:43:01|302014|209.221.62.17|80|10.180.1.58|2976|Teardown TCP connection 37387 for outside:209.221.62.17/80 to inside:10.180.1.58/2976 duration 0:00:00 bytes 668 TCP FINs
  6|Jan 23 2013|13:43:01|302013|10.180.1.58|2976|209.221.62.17|80|Built outbound TCP connection 37387 for outside:209.221.62.17/80 (209.221.62.17/80) to inside:10.180.1.58/2976 (71.123.179.111/2976)
  7|Jan 23 2013|13:43:00|609002|64.74.126.6||||Teardown local-host outside:64.74.126.6 duration 1:12:35
  7|Jan 23 2013|13:42:58|710005|10.180.1.58|3266|71.123.179.111|52698|UDP request discarded from 10.180.1.58/3266 to inside:71.123.179.111/52698
  7|Jan 23 2013|13:42:52|609002|118.2.120.3||||Teardown local-host outside:118.2.120.3 duration 0:10:26
  7|Jan 23 2013|13:42:50|609002|74.125.227.101||||Teardown local-host outside:74.125.227.101 duration 1:20:36
  7|Jan 23 2013|13:42:49|752008|||||Duplicate entry already in Tunnel Manager
  7|Jan 23 2013|13:42:46|609002|64.74.103.184||||Teardown local-host outside:64.74.103.184 duration 0:12:34
  6|Jan 23 2013|13:42:46|302014|23.66.230.74|80|10.180.1.55|2320|Teardown TCP connection 37080 for outside:23.66.230.74/80 to inside:10.180.1.55/2320 duration 0:13:01 bytes 2591 FIN Timeout
  7|Jan 23 2013|13:42:44|752008|||||Duplicate entry already in Tunnel Manager
  7|Jan 23 2013|13:42:39|752008|||||Duplicate entry already in Tunnel Manager
  7|Jan 23 2013|13:42:38|609002|74.125.227.130||||Teardown local-host outside:74.125.227.130 duration 1:12:35
  7|Jan 23 2013|13:42:38|609002|74.125.227.73||||Teardown local-host outside:74.125.227.73 duration 1:12:35
  6|Jan 23 2013|13:42:35|302015|71.123.179.111|500|173.227.90.194|500|Built outbound UDP connection 37383 for outside:173.227.90.194/500 (173.227.90.194/500) to identity:71.123.179.111/500 (71.123.179.111/500)
  5|Jan 23 2013|13:42:34|750001|||||Local:71.123.179.111:500 Remote:173.227.90.194:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.180.1.3-10.180.1.3 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.180.2.1-10.180.2.1 Protocol: 0 Port Range: 0-65535
  5|Jan 23 2013|13:42:34|752003|||||Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = outside_map.  Map Sequence Number = 1.
  7|Jan 23 2013|13:42:34|609001|10.180.2.1||||Built local-host outside:10.180.2.1
  7|Jan 23 2013|13:42:32|609002|192.150.19.49||||Teardown local-host outside:192.150.19.49 duration 1:52:40
  7|Jan 23 2013|13:42:32|609002|10.180.2.1||||Teardown local-host outside:10.180.2.1 duration 0:10:42
  7|Jan 23 2013|13:42:32|609002|98.138.47.63||||Teardown local-host outside:98.138.47.63 duration 1:52:41
  7|Jan 23 2013|13:42:29|609002|184.84.130.70||||Teardown local-host outside:184.84.130.70 duration 1:12:35
  Log file from Georgia:
  7|Jan 23 2013|13:47:49|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:49|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:47|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:47|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:44|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:44|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:42|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:42|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:40|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:40|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:38|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:38|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:30|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:30|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:28|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:28|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:25|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:25|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:23|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:23|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:20|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:20|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:18|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:18|609001|10.180.1.1||||Built local-host outside:10.180.1.1
  7|Jan 23 2013|13:47:16|609002|10.180.1.1||||Teardown local-host outside:10.180.1.1 duration 0:00:02
  6|Jan 23 2013|13:47:16|302021|10.180.1.1|0|10.180.2.2|1|Teardown ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  6|Jan 23 2013|13:47:14|302020|10.180.2.2|1|10.180.1.1|0|Built outbound ICMP connection for faddr 10.180.1.1/0 gaddr 173.227.90.194/1 laddr 10.180.2.2/1
  7|Jan 23 2013|13:47:14|609001|10.180.1.1||||Built local-host outside:10.180.1.1

• Cannot establish site-site vpn tunnel through ASA 9.1(2)

  Hi,
  We use ASA 9.1(2) to filter traffic in/out of our organisation. A dept within the organisation also have a firewall. They want to establish a site-site VPN tunnel with a remote firewall. We have allowed full access between the public address of the dept firewall and the remote firewall and full access between the remote firewall address and the dept firewall address . We do not use NAT.
  The site-site VPN tunnel fails to establish.
  The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
  Has anyone encountered issues with ASA 9.1(2) interfering with site-site tunnels?
  Regards

  >The dept sysadmin has requested that we enable IPSec Passthrough. From my reading this will not make any difference as we allow full access between the firewalls in both directions. Is that correct?
  Yes, in that case, no IPsec-pass-through is needed. All you need is (in both directions):
  UDP/500
  UDP/4500 (also if you don't use NAT, the remote gateway could be located behind a NAT gateway)
  IP/50
  for testing ICMP/Echo
  If you allowed full IP-access between these two endpoints, it is more than enough.
  When they start testing, do you see a connection on your ASA. There should be at least UDP/500 traffic.
  Can the two gateways ping each other? 

• Access Site to Site Networks behind Cisco ASA thru VPN Client

  I have configured remote access thru asa for vpn clients to our main network. I can ping the required networks from vpn client. Internally I can ping remote network thru our sonicwall site to site vpn. I however cannot ping the remote network from the vpn client. I've added the network in the configuration on the ASA that I am trying to connect to. Any ideas what I can do so I can connect to Site B thru my vpn client connecting to Site A?
  Thanks,
  Matt

  Hello, matt0000111111.
  Did you add a VPN clients network to the sit-to-site VPN settings and to the NAT list (if nat exist at the interfaces at site-to-site vpn)?