Full L2L Tunnel

Hello,
I am curious to know if there is a way to make a full tunnel for a L2L option. I need to have all Internet traffic go through a trusted Internet connection. I know I can do this doing GRE over IPSec but was hoping for an alternative solution.
Thanks in advance
-Chris

Hi Christopher,
When you create a LAN-to-LAN tunnel you define protected traffic in the crypto ACL, so if you would like to send all the traffic across the LAN-to-LAN tunnel, then do the following:
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 any
hostname(config)# crypto map abcmap 1 match address l2l_list
Where 192.168.0.0/16 is your LAN.
HTH.
Portu.
Please rate any helpful posts

Similar Messages

  • ASA - ICMP works on a L2L tunnel but TCP fails.

    All,
    I have just started to work with the ASAs and I have a couple of problems with two 5510 8.4(1) ASAs supporting a L2L tunnel.
    Problem-1:
    Below is the topology and currently the only config on these ASAs is what is required to get the LAN2LAN tunnel set up and nothing more. ASA01 and ASA02 are the tunnel termination devices.
    LAN A->Routing device->ASA-01 ----->Internet<------------ASA-02<-Routing device<-LAN2
    Below is what is working
    - Tunnel is established between the ASAs.
    - I can ping from LAN A to LAN B and vice versa.
    Below is what is not working
    - I cannot RDP from a device in LAN A to LAN B and vice versa.
    What we found in troubleshooting when we initiate an RDP session from a server in LAN-A to a server in LAN-B:
    - The packet capture on ASA-A shows that the SYN leaves the ingress (LAN) interface.
    - The packet capture on ASA-B shows that the SYN is leaving the LAN interface.
    - Don't see a SYN-ACK on ASA-B. First we thought there might be a different reason (detailed below as problem-2) but we don't see the SYN-ACK on ASA-A either.
    - Doing an asp-drop capture on ASA-B we saw that the SYN,ACK from the server in LAN-B is being dropped with the following message:
    Drop-reason: (tcp-not-syn) First TCP packet not SYN
    Any ideas on why ASA-B doesn't treat this as an established TCP session?
    Problem-2
    On the packet capture wizard in ASDM if I do a capture on the LAN interface of ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
    For example - Ping from a server on LAN A to LAN B
    - On ASA01
    The packet capture wizard shows both the icmp-echo from LAN-A and the icmp-reply from LAN-B
    - On ASA02
    The packet capture wizard shows the icmp-echo from LAN-A but not the icmp-reply from LAN-B.
    I am not sure what the reason for both of the problems above is, and the reason might just be that my skill level with ASAs is not there yet. Any guidance will be greatly appreciated.
    Thanks,
    Vishnu

    Hello Vishnu,
    Any ideas on why ASA-B doesn't treat this as an established TCP session?
    This is happening because the ASA is not seeing the entire 3-way handshake. Are you sure all the packets are going across the ASA? I would recommend you do captures on both inside interfaces just for RDP traffic and attach them to this post so I can correlate them to determine if indeed the ASA is receiving what it needs.
    On the packet capture wizard in ASDM if I do a capture on the LAN interface of ASA02 I can only see packets leaving the ASA towards the LAN but I do not see anything coming back into the interface from the LAN. This works the same whether I do an ICMP or a TCP session (RDP).
    That's exactly the reason why this problem is happening. Good job correlating the facts.
    Resolution of the issues:
    I would say the problem is on the Routing device between ASA-2 and LAN-2.
    Make sure the Routing device knows that in order to reach LAN-1 it needs to send the traffic back to ASA-2, as somehow this traffic is not making it to the right interface.
    Remember to rate all of the helpful posts. That's as important as a Thanks.
    Julio Carvajal Segura

  • Two separate L2L tunnels between same two ASA

    I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access.  I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
    I am considering using a L2L IPSEC tunnel between the two ASAs but the interesting traffic for the tunnel is different depending on which of the links is down, and therefore I would need two different tunnels. I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
    Is there a way of creating two separate L2L tunnels between the two ASAs? Could I perhaps assign two public IP addresses to each of the ASAs and then create the tunnels between different endpoints on each ASA?
    Does anyone have another possible solution to the problem?
    Gene

    You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
    Hope this helps.

  • Oracle application having problem on PIX to ASA L2L tunnel.

    Hi ALL,
    My customer performed a PIX migration to an ASA5520 last weekend, and the configuration on the new ASA5520 is almost the same as on the original PIX515. There are several L2L VPN tunnel configurations on the ASA5520. After the migration, all VPN tunnels establish without problem. But my customer found that their Oracle application running over one of the VPN tunnels has a connectivity issue. This application did not have a problem in the original environment.
    This VPN tunnel is a L2L tunnel between the remote and main office. In the remote office, the VPN endpoint is a PIX515E with OS 7.0(5). In the main office it is an ASA5520 with 7.2(2). The original firewall in the main office was a PIX 515 with 7.0(5). The IPSec match address list is an IP network to IP network access list without port definition.
    We found that the Oracle client in the remote office can connect to the port opened on the Oracle server in the main office. But after connecting to the port on the server, the application re-establishes a new connection using a random port between this client and server, and this new connection seems unable to establish.
    Can anyone tell me whether it is possible for this IPSec tunnel to impact the Oracle application? The ACL is an IP to IP ACL. What can I do to troubleshoot this issue? Why does the issue arise on the new ASA implementation?
    I'm looking forward to your reply! Please help!
    Jason

    Hi,
    Here are the end-to-end troubleshooting steps for an L2L tunnel.
    Please check the debug commands carefully and you will find the key point where the trouble is.
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
    Regards,
    Dharmesh Purohit

  • Creating L2L Tunnel to IOS Endpoint

    Hey All,
    Quick question. I've been reviewing the guides on Cisco and have yet to find an example of what I'm looking for. The scenario is that there will be a client device that uses DHCP on the WAN side. This device can authenticate using IPSec to a VPN termination device. On our hub end we want to use a Cisco IOS router to terminate the connection. My question is that this will not be exactly a L2L tunnel; the endpoint has a configuration to build in a username to authenticate with. So it appears the tunnel will authenticate using a username and pre-shared key, rather than a PSK and a configured remote IP address (since this is DHCP). I've found an example of this on Cisco here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800ae459.shtml. Unfortunately the example is from an IOS DHCP endpoint to a 3000-series concentrator. Anyone have a config example of what I'm looking for?
    -Mike
    http://cs-mars.blogspot.com

    Mike,
    When you say client device, is it a router or a PC?
    If it is a PC, take a look at this link.
    Link 1:
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
    If it is a device like a router or so, you need to configure the router just like one in the link given above
    Link 2:
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml
    But the server part is like Link 1.
    Hope this helps.
    Here is a good link for configuration of VPN on Cisco devices.
    http://www.cisco.com/en/US/partner/tech/tk583/tk372/tech_configuration_examples_list.html
    Rate this post, if it helps.
    Thanks
    Gilbert

  • Long shot question about L2L tunnel

    I have a Cisco 5540 that terminates one end of a L2L tunnel, the remote end is a Sonicwall TZ100.  The tunnel is in place to carry voice traffic and I have a need to decrypt the traffic that's been captured in .cap file using Wireshark 1.8.5.
    Anyone have any thoughts on how to go about getting the session keys from either device?

    Hi,
    Nice find and interesting read. Might have to take a look at this at some point
    Are you capturing traffic on the ASA "outside" interface?
    I guess there must be a specific reason that you didn't capture the traffic before/after the tunnel on the "inside" interface of the ASA? Maybe to see that the same traffic/data was passed on to the L2L VPN after the ASA had encrypted/encapsulated the traffic?
    - Jouni

  • Is it possible to allocate bandwidth to an application in an L2L tunnel?

    Hi,
    In an L2L tunnel, we wanted to allocate bandwidth for all users in Site A when accessing applications (Web-based and thick) in a server in Site B. The responses for both applications are not acceptable.
    The same VPN link between the two sites is also used by other applications i.e. DC replication, etc. and the Internet link used for VPN is also used for SMTP and Lotus Notes.
    In Site A, the tunnel is terminated outside of the PIX 7.2(2) and Site B is terminated outside of an ASA 5510 7.2(2). The routers in front of these firewalls have PBR such that the PAT'ed address from the firewall is routed to the ADSL instead of the serial interface.
    If we'll upgrade the Internet line, I have to make sure that it will resolve the issue.
    Thanks in advance.
    Regards,
    Archie

    Hi,
    Thanks.
    - The first challenge is where to apply QoS i.e. do traffic policing/allocate bandwidth for IPSec use. My guess is on the router but I'm not 100% sure.
    -If on the router, what's the command?
    - Once the first challenge is done, can I do traffic policing on applications inside VPN which are terminated on PIX and ASA?
    Regards,
    Archie

  • L2L Tunnel keeps dropping

    I have our main site using a Cisco 5510 running 8.4.2 code and a remote site using a Cisco 5505 running 8.4.2 code. The main site has a T1 and the remote site is using a DSL connection. About every other day I have to reset the connection at the remote site. The process that I have found that works is to remove the nat statement, clear the cry ips sa and then add back the nat statement. The connection usually comes back up in a few minutes. I am trying to see what is causing this to drop. Does anybody have any ideas?
    Thanks,
    TJ

    9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
    2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
    2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
    2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4
    I just enabled the crypto ipsec 255 and will post that when it drops again.
    Thanks,
    TJ
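    As an added example (not code from this thread), the following Python parses ASA syslog lines like the excerpt above and counts, per crypto map entry (Map Tag and Map Sequence Number), how many times Tunnel Manager reported that all IKE versions failed, which is the pattern a monitoring rule for a tunnel that keeps dropping would key on. The sample input is the excerpt above plus one constructed, unrelated ASA line.

```python
import re
from collections import defaultdict

# ASA syslog header "%ASA-<severity>-<message id>: <text>"; the message text may carry
# "Map Tag = <crypto map>.  Map Sequence Number = <n>" identifying the crypto map entry.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<msg>.*)")
MAP_RE = re.compile(r"Map Tag\s*=\s*(?P<tag>\S+)\.\s+Map Sequence Number\s*=\s*(?P<seq>\d+)")

# Message IDs from the excerpt above, in the order they appear for one failed attempt.
KEY_ACQUIRE = "752004"      # Tunnel Manager dispatched a KEY_ACQUIRE (a setup attempt started)
IKEV1_FAILED = "752012"     # IKEv1 could not set up the tunnel
ALL_IKE_FAILED = "752015"   # all configured IKE versions failed to establish the L2L SA
ENTRY_REMOVED = "752002"    # Tunnel Manager gave up on the entry


def parse_line(line):
    """Return a dict with severity, msgid, map_tag, map_seq and text, or None for non-ASA lines."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    text = m.group("msg").strip()
    if text.endswith("\\n"):          # the excerpt carries a literal backslash-n at line end
        text = text[:-2].rstrip()
    mm = MAP_RE.search(text)
    return {
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "map_tag": mm.group("tag") if mm else None,
        "map_seq": int(mm.group("seq")) if mm else None,
        "text": text,
    }


def tunnel_failure_stats(lines):
    """Per crypto map entry (tag, seq): count setup attempts, IKEv1 failures and total failures."""
    stats = defaultdict(lambda: {"attempts": 0, "ikev1_failed": 0, "all_ike_failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["map_tag"] is None:
            continue  # not an ASA message, or one without a crypto map reference
        key = (rec["map_tag"], rec["map_seq"])
        if rec["msgid"] == KEY_ACQUIRE:
            stats[key]["attempts"] += 1
        elif rec["msgid"] == IKEV1_FAILED:
            stats[key]["ikev1_failed"] += 1
        elif rec["msgid"] == ALL_IKE_FAILED:
            stats[key]["all_ike_failed"] += 1
    return dict(stats)


def failing_entries(lines, threshold=2):
    """Crypto map entries whose total IKE failures reached the threshold (alert candidates)."""
    return sorted(key for key, s in tunnel_failure_stats(lines).items()
                  if s["all_ike_failed"] >= threshold)


# Sample input: the log excerpt posted above (raw string keeps its literal "\n" endings),
# followed by one constructed line that carries no crypto map reference.
SAMPLE_LOG = r"""
9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4.\n
9 local4.notice 10.10.10.1  May 18 2013 18:42:29: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 4.\n
2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0\n
2013-05-18 18:42:29 local4.warning 10.10.10.1  May 18 2013 18:42:29: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 4.\n
2013-05-18 18:42:29 local4.error 10.10.10.1  May 18 2013 18:42:29: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 4.\n
2013-05-18 18:42:29 local4.debug 10.10.10.1  May 18 2013 18:42:29: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 4
2013-05-18 18:42:30 local4.notice 10.10.10.1  May 18 2013 18:42:30: %ASA-5-111008: User 'enable_15' executed the 'show crypto isakmp sa' command.
"""

if __name__ == "__main__":
    for entry, s in tunnel_failure_stats(SAMPLE_LOG.splitlines()).items():
        print(entry, s)
    print("entries to alert on:", failing_entries(SAMPLE_LOG.splitlines()))
```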

  • Reassign Peers in a VPN L2L tunnel

    Curiosity question... I have 2 new ASA5515s that I am setting up for an equipment upgrade. In the time before I swap them out I am using them as a sort of makeshift lab to get the L2L VPN setup going. I did not want to use current IP addresses for the test environment so I used bogus numbers.
    My question is: Can I go back in and change the peer IP address and the local/remote addresses without having to tear them down to factory specs again?
    - Do I just reissue the tunnel-group X.X.X.X type ipsec-l2l command with the correct IPs?
    I know there are a few other areas where I will have to change the peer IP as well, but the gist of my question is: can I do it or do I have to start over?
    -Jon

    Jon
    You shouldn't have to reconfigure them from scratch if that is what you are asking.
    You just need to modify the peer IPs wherever they appear in your configuration.
    Jon

  • Cluster IP address thru L2L tunnel

    I have 3 Windows 2003 terminal servers set up for load balancing using Windows Network Load Balancing Manager. IP addresses 192.168.1.14, 192.168.1.15, 192.168.1.16; cluster IP 192.168.1.40, multicast.
    I have a remote site connected via a site-to-site VPN tunnel using Cisco ASA5510 devices, subnet 192.168.100.1. On the local LAN (192.168.1.0) I can get connected to the terminal servers using the cluster IP; at the remote site I cannot. At the remote site I can connect to each TS using the actual IP address, and I can ping the cluster IP address or the DNS name and get a response. Can anybody think of any reason why I cannot connect using the cluster IP address?
    Thanks

    I have setup wireshark on my 192.168.1.0 subnet and setup a packet capture on the ASA5510. On the wireshark I see SYN packets coming in from my machine 192.168.100.102 to the cluster IP and I see SYN,ACK packets Src the cluster IP with the mac address of one of the terminal servers and the dst my IP address with the mac address of the ASA 5510. On the ASA5510 packet capture I only see the SYN packets from my machine coming in but no SYN,ACK packets going out. What happened to the SYN,ACK packets?
    I did a packet capture when connecting to the actual IP address of the terminal server (Which Works) and compared the SYN,ACK packets from both and saw no difference.

  • L2L tunnel up, not passing traffic...all of a sudden

    I've had a tunnel in place on a 5505 to a remote network I don't control... so my troubleshooting there is limited. But the tunnel has been in place for over a year without issue. Suddenly it doesn't appear to be passing traffic. But it is in at least one direction.
    Remote network:192.168.191.0/24
    Local ASA side: 10.220.78.0/24
    I had a constant ping started from 192.168.191.10 > 10.220.78.23
    Which is a Windows server pinging a Windows workstation.
    When I debug icmp on the ASA I get:
    ICMP echo request from outside:192.168.191.10 to inside:10.220.78.23 ID=1 seq=2866 len=32
    ICMP echo reply from inside:10.220.78.23 to outside:192.168.191.10 ID=1 seq=2866 len=32
    Which confirms to me that the remote network is in fact traversing the tunnel and hitting the 10.220.78.23 device, which is in fact responding, and the reply is being sent out the ASA.
    The tunnel negotiates and comes up any time I reset it, by all accounts it looks correct.
    The problem is not limited to ICMP as I'm unable to net use or map drives, nor can 192.168.191.10 print to the printer at 10.220.78.20.
    But once I saw the icmp trace output I pretty much figured it has to be on the remote end... so...
    My question, can I absolutely infer from this that the issue resides on the remote end?

    Some additional info. Aside from the ping they have running from the remote network, which is shown in the above icmp trace, if I run packet tracer from the local network to the remote, the tunnel's up and traffic is allowed. Not a big surprise since the tunnel does negotiate and stay up.
    I captured packets from the ASA and I can see the local 10.220.78.23 device sending the reply to 192.168.191.10, matching up with the icmp trace.
    I had them run a packet capture on their firewall and confirmed that the ICMP requests from 192.168.191.10 are being encapsulated and sent on the tunnel. Again confirmed in my mind since I see the requests on the ASA. But they don't ever see the response.
    There's no tcp adjust mss command on the ASA but there's this in the config:
    ASA# sh run all sys
    no sysopt connection timewait
    sysopt connection tcpmss 1380
    sysopt connection tcpmss minimum 0
    sysopt connection permit-vpn
    sysopt connection reclassify-vpn
    no sysopt connection preserve-vpn-flows
    no sysopt nodnsalias inbound
    no sysopt nodnsalias outbound
    no sysopt radius ignore-secret
    no sysopt noproxyarp inside
    no sysopt noproxyarp outside
    Any other ideas?

  • Disable L2L tunnel on concentrator with SNMP

    Hello,
    Is it possible to disable an IPsec LAN-to-LAN tunnel with snmpset on a Concentrator 3005? I found the following link http://www.cisco.com/warp/public/471/vpn3k_logout.html which shows how to terminate a tunnel.
    Thanks for any answers!
    Andre

    As far as I know, this is not supported with SNMP

  • CSCth29311 - Dynamic L2L Tunnels can replace Static RRI Routes

    I need help.
    https://tools.cisco.com/bugsearch/bug/CSCth29311
    crypto map CRYPTO-DEFAULT 160 match address Azure-crypto
    crypto map CRYPTO-DEFAULT 160 set peer 137.117.161.73
    crypto map CRYPTO-DEFAULT 160 set transform-set ESP-AES-256-SHA
    crypto map CRYPTO-DEFAULT 160 set security-association lifetime seconds 3600
    crypto map CRYPTO-DEFAULT 160 set security-association lifetime kilobytes 102400000
    crypto map CRYPTO-DEFAULT 160 set reverse-route
    crypto map CRYPTO-DEFAULT 170 match address Realtech-crypto
    crypto map CRYPTO-DEFAULT 170 set peer 93.90.21.245
    crypto map CRYPTO-DEFAULT 170 set transform-set ESP-AES-256-SHA
    crypto map CRYPTO-DEFAULT 170 set security-association lifetime seconds 3600
    crypto map CRYPTO-DEFAULT 170 set reverse-route
    RSI-ASA1# sh ver
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Compiled on Tue 05-May-09 22:45 by builders
    System image file is "disk0:/asa821-k8.bin"
    Config file at boot was "startup-config"
    RSI-ASA1 up 7 days 3 hours
    failover cluster up 7 days 3 hours
    Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW080 @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
    0: Ext: GigabitEthernet0/0  : address is 0026.0b31.522e, irq 9
    1: Ext: GigabitEthernet0/1  : address is 0026.0b31.522f, irq 9
    2: Ext: GigabitEthernet0/2  : address is 0026.0b31.5230, irq 9
    3: Ext: GigabitEthernet0/3  : address is 0026.0b31.5231, irq 9
    4: Ext: Management0/0       : address is 0026.0b31.5232, irq 11
    5: Int: Not used            : irq 11
    6: Int: Not used            : irq 5
    Licensed features for this platform:
    Maximum Physical Interfaces  : Unlimited
    Maximum VLANs                : 150
    Inside Hosts                 : Unlimited
    Failover                     : Active/Active
    VPN-DES                      : Enabled
    VPN-3DES-AES                 : Enabled
    Security Contexts            : 2
    GTP/GPRS                     : Disabled
    SSL VPN Peers                : 100
    Total VPN Peers              : 750
    Shared License               : Disabled
    AnyConnect for Mobile        : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials        : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions      : 2
    Total UC Proxy Sessions      : 2
    Botnet Traffic Filter        : Disabled
    This platform has an ASA 5520 VPN Plus license.
    Serial Number: JMX1337L26T
    Running Activation Key: 0x9207c551 0x203587d4 0xd41345a0 0x894cc424 0x0d371c93
    Configuration register is 0x1
    Configuration last modified by enable_15 at 01:29:41.324 CET Thu Dec 19 2013

    UPGRADE VERSION
    The bug is associated with this version, 8.2(1), and as Cisco notes in the workaround, the crypto map has to be removed and re-added manually. But that is obviously not the best solution, so the vendor recommends upgrading to version 8.4.7 ED.
    Vitor Morais BT Spain

  • Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP

    Hi Rizwan,
    Thanks for your response. I updated the configuration per your response below... It still doesn't work. Please see my new config files below. Please help. Thanks in advance for your help....
    Hi Pinesh,
    Please make the following changes on host officeasa:
    Remove the line highlighted below.
    crypto dynamic-map L2LMap 1 match address Crypto_L2L
    It is only because group1 is weak, so please change it to group2
    crypto dynamic-map L2LMap 1 set pfs group1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
    Please make the following changes on host homeasa:
    It is only because group1 is weak, so please change it to group2
    crypto map L2Lmap 1 set pfs group1
    route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
    Hope that helps, if not please open a new thread.
    Thanks
    Rizwan Rafeek
    New config files..
    Site-A:   (Office):
    Hostname: asaoffice
    Inside: 10.10.5.0/254
    Outside e0/0: Static IP 96.xxx.xxx.118/30
    Site-B:   (Home):
    Hostname: asahome
    Inside: 10.10.6.0/254
    Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
    Site-A:
    officeasa(config)# sh config
    : Saved
    : Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname officeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address 96.xxx.xxx.118 255.255.255.252
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.5.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
    access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
    access-list ormtST standard permit 10.10.5.0 255.255.255.0
    access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
    route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map OL2LMap 1 set pfs
    crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
    crypto dynamic-map OL2LMap 1 set reverse-route
    crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
    crypto map out_L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.5.101-10.10.5.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy ormtGP internal
    group-policy ormtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ormtST
    address-pools value ormtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type remote-access
    tunnel-group ormtProfile type remote-access
    tunnel-group ormtProfile general-attributes
    default-group-policy ormtGP
    tunnel-group ormtProfile webvpn-attributes
    group-alias OFFICE enable
    tunnel-group defaultL2LGroup type ipsec-l2l
    tunnel-group defaultL2LGroup ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
    officeasa(config)#
    Site-B:
    Home ASA Configuration:
    homeasa# sh config
    : Saved
    : Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
    ASA Version 8.2(5)
    hostname homeasa
    enable password xyz encrypted
    passwd xyz encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 3
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    switchport access vlan 3
    interface Ethernet0/4
    switchport access vlan 3
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    switchport access vlan 3
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    nameif inside
    security-level 100
    ip address 10.10.6.254 255.255.255.0
    ftp mode passive
    same-security-traffic permit inter-interface
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
    access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    access-list hrmtST standard permit 10.10.6.0 255.255.255.0
    access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1   (IP address of the Dynamic IP from ISP)
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map L2Lmap 1 match address Crypto_L2L
    crypto map L2Lmap 1 set peer 96.xxx.xxx.118
    crypto map L2Lmap 1 set transform-set Site2Site
    crypto map L2LMap 1 set pfs
    crypto map L2LMap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.10.6.101-10.10.6.132 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy hrmtGP internal
    group-policy hrmtGP attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol svc webvpn
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value hrmtST
    address-pools value hrmtIPP
    webvpn
    svc keep-installer installed
    svc rekey time 30
    svc rekey method ssl
    svc ask enable default svc timeout 20
    username user1 password abcxyz encrypted
    username user1 attributes
    service-type admin
    tunnel-group hrmtProfile type remote-access
    tunnel-group hrmtProfile general-attributes
    default-group-policy hrmtGP
    tunnel-group hrmtProfile webvpn-attributes
    group-alias hrmtCGA enable
    tunnel-group 96.xxx.xxx.118 type ipsec-l2l
    tunnel-group 96.xxx.xxx.118 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
    homeasa#

    Thanks Rizwan,
    Still no luck.  I can't even ping the other side (office).  I am not sure if I'm running the debug the right way.   Here are my results...
    homeasa(config)# ping inside 10.10.5.254............. (Office Cisco ASA5505 IP on local side.  I also tried pinging the server on the other side (office), which is @10.10.5.10, and got the same result)
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
    Success rate is 0
    homeasa(config)# debug crypto isakmp 7
    homeasa(config)# debug crypto ipsec 7
    homeasa(config)# sho crypto isakmp 7
                                       ^
    ERROR: % Invalid input detected at '^' marker.
    homeasa(config)# sho crypto isakmp
    There are no isakmp sas
    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 0
    In Octets: 0
    In Packets: 0
    In Drop Packets: 0
    In Notifys: 0
    In P2 Exchanges: 0
    In P2 Exchange Invalids: 0
    In P2 Exchange Rejects: 0
    In P2 Sa Delete Requests: 0
    Out Octets: 0
    Out Packets: 0
    Out Drop Packets: 0
    Out Notifys: 0
    Out P2 Exchanges: 0
    Out P2 Exchange Invalids: 0
    Out P2 Exchange Rejects: 0
    Out P2 Sa Delete Requests: 0
    Initiator Tunnels: 0
    Initiator Fails: 0
    Responder Fails: 0
    System Capacity Fails: 0
    Auth Fails: 0
    Decrypt Fails: 0
    Hash Valid Fails: 0
    No Sa Fails: 0
    Global IPSec over TCP Statistics
    Embryonic connections: 0
    Active connections: 0
    Previous connections: 0
    Inbound packets: 0
    Inbound dropped packets: 0
    Outbound packets: 0
    Outbound dropped packets: 0
    RST packets: 0
    Recevied ACK heart-beat packets: 0
    Bad headers: 0
    Bad trailers: 0
    Timer failures: 0
    Checksum errors: 0
    Internal errors: 0
    hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
    There are no ipsec sas
    homeasa(config)#
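An added consistency check for the crypto map portion of a config like the one posted above (example code, not from the thread or from Cisco). It assumes, as on the ASA, that crypto map names are case-sensitive, so `L2Lmap` and `L2LMap` are two unrelated maps; the sample config and peer address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the posted config: sequence-1 entries use
# "L2Lmap" while the pfs and interface lines use "L2LMap" (peer is a placeholder).
SAMPLE_ASA_CONFIG = """\
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 192.0.2.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
"""

ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs)\b")
BIND_RE = re.compile(r"^\s*crypto map (\S+) interface (\S+)")
REQUIRED = ("match address", "set peer", "set transform-set")

def lint_crypto_maps(config_text):
    """Return sorted (finding, crypto-map name) pairs for maps that cannot build an SA.

    Names are compared case-sensitively (assumed ASA behaviour). A usable map needs a
    match ACL, a peer and a transform-set on one sequence number, and must be bound
    to an interface; an empty result means the map section is internally consistent.
    """
    entries = defaultdict(lambda: defaultdict(set))  # name -> seq -> keywords seen
    bound = {}                                        # name -> interface
    for line in config_text.splitlines():
        if m := ENTRY_RE.match(line):
            entries[m.group(1)][m.group(2)].add(m.group(3))
        elif m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
    findings = set()
    for name, seqs in entries.items():
        if name not in bound:
            findings.add(("not applied to any interface", name))
        for seq, keywords in seqs.items():
            for kw in REQUIRED:
                if kw not in keywords:
                    findings.add((f"seq {seq} missing '{kw}'", name))
    for name in bound:
        if name not in entries:
            findings.add(("bound to interface but has no entries", name))
    # Names that differ only in case are almost always one map with a typo.
    by_fold = defaultdict(set)
    for name in set(entries) | set(bound):
        by_fold[name.lower()].add(name)
    for variants in by_fold.values():
        if len(variants) > 1:
            findings.add(("case-only name variants: " + "/".join(sorted(variants)), min(variants)))
    return sorted(findings)
```

Run against the sample it reports that `L2Lmap` (the map holding the peer and ACL) is never applied to an interface, which is one reason `show crypto isakmp` can show no SAs at all.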

  • L2L issue, the tunnel does not come up from one direction

    Hello,
    We have configured a L2L VPN between an ASA and an 1841 router. We are facing this issue.
    The tunnel never comes up from the 1841 site. When we try to generate traffic from the ASA site the tunnel comes up and we can see packets being decrypted and encrypted.
    Router 1841 Config:
    crypto isakmp policy 100
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key * address 213.249.XX.XX
    crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
    crypto map EKO_BG 100 ipsec-isakmp
    set peer 213.249.x.x
    set security-association lifetime seconds 28800
    set transform-set XXXXX
    set pfs group2
    match address 111
    interface FastEthernet0/0.2
    encapsulation dot1Q 3338
    ip address 212.200.30.130 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    crypto map XXXXX
    ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
    ip nat inside source list 101 pool nat_pool overload
    ip nat inside source static 10.70.2.10 93.87.18.161
    ip nat inside source static 10.70.25.10 93.87.18.162
    ip nat inside source static 10.70.36.5 93.87.18.163
    ip nat inside source static 10.70.39.10 93.87.18.164
    ip nat inside source static 10.70.5.10 93.87.18.165
    access-list 101 deny   ip 10.70.200.0 0.0.0.255 any
    access-list 101 permit ip 10.70.0.0 0.0.255.255 any
    access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
    Asa Config:
    access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
    access-list outside_cryptomap_320 remark xxxxxxx
    access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
    access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
    pager lines 24
    nat (inside) 9 access-list inside_pnat_outbound_V5
    crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
    crypto map mymap 150 match address
    crypto map mymap 150 set pfs
    crypto map mymap 150 set peer XXXXXX
    crypto map mymap 150 set transform-set XXX
    crypto map mymap 150 set security-association lifetime seconds 28800
    crypto map mymap 150 set security-association lifetime kilobytes 10000
    crypto map mymap 320 match address outside_cryptomap_320
    crypto map mymap 320 set pfs
    crypto map mymap 320 set peer XXXXX
    crypto map mymap 320 set transform-set XXXXX
    crypto map mymap 320 set security-association lifetime seconds 28800
    crypto map mymap 320 set security-association lifetime kilobytes 4608000
    crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map mymap interface outside
    isakmp policy 150 authentication pre-share
    isakmp policy 150 encryption 3des
    isakmp policy 150 hash md5
    isakmp policy 150 group 2
    tunnel-group 212.200.x.x type ipsec-l2l
    tunnel-group 212.200.x.x ipsec-attributes
    pre-shared-key *
    Please advise.
    Thank you.
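An added check (example code, not from the thread or from Cisco) for the point this post's two configs turn on: the router's crypto ACL 111 and the ASA's outside_cryptomap_320 must be exact mirror images, with the router using IOS wildcard masks and the ASA using netmasks. The sample ACL lines are constructed from the posted ones; `host`/`any` forms are not handled.

```python
import ipaddress
import re

# Constructed samples modelled on the two posted configs.
ROUTER_ACL = """\
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
"""
ASA_ACL = """\
access-list outside_cryptomap_320 remark peer 1841
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
"""

IOS_RE = re.compile(r"^\s*access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)")
ASA_RE = re.compile(r"^\s*access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")

def net_from_wildcard(addr, wildcard):
    """IOS wildcard mask -> network (0.0.0.3 means the low two bits are host bits)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def net_from_netmask(addr, mask):
    """ASA-style address + netmask -> network."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def router_flows(text):
    """Set of (src_net, dst_net) pairs from IOS 'permit ip' lines."""
    return {(net_from_wildcard(a, aw), net_from_wildcard(b, bw))
            for a, aw, b, bw in (m.groups() for m in map(IOS_RE.match, text.splitlines()) if m)}

def asa_flows(text):
    """Set of (src_net, dst_net) pairs from ASA 'extended permit ip' lines."""
    return {(net_from_netmask(a, am), net_from_netmask(b, bm))
            for a, am, b, bm in (m.groups() for m in map(ASA_RE.match, text.splitlines()) if m)}

def unmirrored(router_text, asa_text):
    """Return (router_only, asa_only): flows with no exact mirror on the other peer.

    Both lists empty means the crypto ACLs are mirror images, which is what the
    Phase 2 proxy-identity check on each side expects.
    """
    r = router_flows(router_text)
    a = {(dst, src) for src, dst in asa_flows(asa_text)}  # view the ASA ACL from the router side
    return sorted(r - a, key=str), sorted(a - r, key=str)
```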

    Hello Ashley,
    Thank you for this info. Now from the router site the tunnel is coming up and I can see packets, but although the tunnel is up it cannot telnet to our server (172.40.10.100) on a specific port.
    We from the ASA site can ping the router site and telnet.
    Any ideas???
    Thank you all for your answers!
