NAT of overlapping network through IPSEC tunnel

I am having a NAT problem constructing a router to PIX tunnel (12.4-15T3 to 7.2). I need to both NAT overload through the outside interface for all internet traffic and NAT to a private network for traffic that will flow through an IPSEC tunnel.
Because there is network overlap between sites I have added a NAT on the router as follows:
1) A NAT pool of 254 172.17.20.x addresses.
2) An access list permiting traffic to the hosts on the other side of the tunnel.
3) A NAT source statement using the above ACL and pool.
The IPSEC configuration then includes the 172.17.20.x addresses in the tunnel specification. The tunnel pegs up correctly under this config, traffic originating behind the router is NATd to 172.17.20.x if and only if the traffic matches the access list.
However, once a host has created a 172.17.20.x NAT translation, the normal overload NAT out to the internet no longer works. Even if the second traffic destination does not match the access-list created for the 172.17.20.x NAT statement, the existing translation slot is used. Since 172.17.20.x is not valid on the internet, this has a negative effect on the staff in this location :-/
Both NATing to the internet (using overload PAT on the outside IP address) and NATing for the tunnel (using the list of 172.17.20.x address) are necessary. What am I missing?

Refer to PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

Similar Messages

  • All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

    Hi, all,
      I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
    how to do it , could anybody give me the specific configuration ? thanks a lot.

    Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
    set transform-set IPsectrans
    match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
    ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
    ip address 113.113.1.1 255.255.255.128
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map IPsecmap
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

  • Cisco 831 no netflow export packets through IPSEC

    I have cisco 831 in remote office. Remote office is connected to Central Office through IPSec tunnel. I has configured netflow export from sorce address Lan interface (inside interface) remote office to Server central office. But I did not see netflow packet in central Office at netflow server. May be somebody fixed the problem ?

    Check 'ip route-cache flow' cmd enabled on tunnel interface.
    also check this bug-id:CSCef28662.
    Try this link:
    http://www.cisco.com/en/US/tech/tk812/technologies_white_paper09186a008022bde8.shtml#wp1002626

  • GRE traffic can not pass through LRT224 IPSec Tunnel

    Hi,
    We have a trouble when using Cisco Router GRE tunnel plus LRT224 IPSec Gateway-Gateway Tunnel.
    We found after reboot, GRE packets can not pass trough LRT224 IPSec tunnel. need to restart serval time then gre will back to normal.
    Besides that, GRE keepalive packets can not pass trough LRT224 IPSec Tunnel.
    please help. I had tried to upgrade to latest firmware version.
    Firmware Version : v1.0.3.09 (Dec 26 2014 14:28:46) 
    A-END:
    interface Tunnel1
    ip address 10.216.80.105 255.255.255.252
    ip mtu 1400
    ip nat outside
    ip virtual-reassembly in
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf hello-interval 3
    ip ospf cost 10000
    tunnel source 10.216.81.2
    tunnel destination 10.216.80.90
    end
    B-END:
    interface Tunnel11
    ip address 10.216.80.110 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    ip ospf network point-to-point
    ip ospf cost 10000
    ip ospf hello-interval 3
    tunnel source 10.216.80.91
    tunnel destination 10.216.81.3
    end
    CISCO2911 <> LRT224 <> INTERNET <> LRT224 <> CISCO 2621
    San

    Can you post the results from the below command for the Cisco Routers?
    IOS Command: "sh version"
    Why not static route without NAT through the LRT224 IPSec VPN?
    Just curious why did you use LRT224's for the Site to Site VPN instead of the Cisco Routers?
    Please remember to Kudo those that help you.
    Linksys
    Communities Technical Support

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel beween two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happeing because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • Static NAT with IPSec tunnel

    Hi,
    I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.  I am fairly new to networking so forgive me if I ask some really silly questions!
    I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch.  These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
    There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel.  What I wanted to do was create another vlan, give this a different subnet.  Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall. 
    From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work.  I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
    The configuration can be seen below for the NAT part;
    ! Denies vpn interesting traffic but permits all other
    ip access-list extended NAT-Traffic
    deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
    deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
    deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
    deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
    deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
    deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
    deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
    permit ip any any
    ! create route map
    route-map POLICY-NAT 10
    match ip address NAT-Traffic
    ! static nat
    ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
    ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
    Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down.  Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
    Am I along the right lines in terms of configuration?  And if not can anyone point me in the direction of anything that may help at all please?
    Many thanks in advance
    Brian

    Hi,
    Sorry to bump this thread up but is anyone able to assist in configuration?  I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
    Thanks
    Brian

  • Considerations for an IPSEC tunnel through another IPSEC tunnel

    Hi,
    I am trying to ipmlement a IPSEC "tunnel through a tunnel" as follows:
    ASA-1 ( inside network 10.10.10.0 /24 - outside network 1.1.1.1/30) to ASA-2 (outside network 1.1.1.2/30 - inside network 20.20.20.0/24)
    This tunnel is fully functional.
    Created a DMZ interface (2.2.2.1/30) on ASA-1
    Created a DMZ interface (2.2.2.2/30) on ASA-2
    Attached ASA-A outside interface to ASA-1 DMZ interface - inside network 30.30.30.0/24
    Attached ASA-B outside interface to ASA-2 DMX interface - inside network 40.40.40.0/24
    Created an ACL on ASA-1 and ASA-2 DMZ interfaces allowing ESP,IKE traffic
    2nd tunnel not working!
    Questions
    Should I add the DMZ /30's to the crypto map of ASA-1 and ASA-2 (I did, and it did still not work)
    Should there be a route statement for the /30's on ASA-1 and ASA-2, or should the default GW be sufficient?
    Any and all help will be appreciated!
    Dave

    post config for review

  • Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

    Hi
    Was anyone successfull in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/ R2 RRAS server? I am using an 881 router and the layout is someting like this:
    Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
    The tunnel goes form the 881 to the Windows server (not from the client...).
    Thanks
    Roland

    Hi Federico
    Thanks for your help! Much appreciated.
    In my case this should be transparent to the client - I would like not to initiate the connection from the client.
    Does that makes sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
    Regards
    Roland

  • NAT traffic over a IPSec tunnel (ISR)

    Hi.
    I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.
    So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:
    IPSec tunnel is created using the 10.10.1.1 IP-address.
    The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.
    Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.
    Anyone who could shed some light? Any insight appreciated.
    Sheers!
    /Johan Christensson

    Thanks jjohnston1127!
    Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.
    How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
    access-list 150 permit ip host 10.10.1.2 host 172.16.1.10
    If i change it to something like this, the tunnel negotiation get triggerd.
    access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10
    How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.
    Is this because that the NAT'ing dosen't get processed before the IPSec configuration?
    Can this behavior be changed?
    Best regards,
    Johan Christensson

  • The inside network is accessable only through IPsec, do I need enable ios FW?

    I'm building a remote site, and the only traffic in or out of their inside network is via IPsec tunnels.  There is no unecrypted access to the internet.  Should I still configure the ISR firewall?  If so , why?

    If I get your set correctly imagined (haha)
    Anyway, it really depends on you:
    However, for full-tunnel setup, w/c i think you have set-up there, you can enable it for better QoS and basic site blocking as well
    for split-tunnel, then configure it in your remote site.
    Stateless firewall configuration in IOS really is handly, though reporting wise, its not that friendly. 
    Best part of stateless firewall is it can be content based.
    EX: 
    class-map match-any FILTER
      match protocol http host *yahoo* 
      match protocol facebook 
      match protocol youtube
    #class-map type urlfilter match-any CONTENT_DROP
      #match url category Adult-Mature-Content
    There are more protocols as well, and (i think) even p2p protocol can be blocked (utorrent, bitorrent etc)
    Content filtering however is a subscription license and needs to be registered/enabled
    SEE: http://www.cisco.com/c/en/us/products/collateral/security/ios-content-filtering/white_paper_c89-492776.html

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
    I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

  • IPSEC tunnel with NAT and NetMeeting

    I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
    Thanks,

    The following doc should help...
    http://www.cisco.com/warp/public/707/ipsecnat.html

  • IPsec tunnel without a private network

    I'm trying to achieve a site-to-site ipsec tunnel to a Cisco ASA 5520.  Most examples feature the ASA with a public interface that terminates the tuennel and a private network on another interface that the tunnel interacts with.  Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route thrugh to the other end of the tunnel.  My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic.  Is this scenario even possible?  If so, what configuration options should I consider?
    Thanks!

    I got to say I have never tried this or had any situation where I would want to use the ASA like this.
    This would be something I would have to test as I can't say for sure if its possible or not.
    For one I would atleast make sure the following things
    Make sure you have the configuration "same-security-traffic permit intra-interfaceThis will permit the traffic to enter and leave the same interface which in this case is "outside"
    That the host default route points to the ASA
    Consider configuring NAT0 for the "outside" /29 network on the "outside" interface when the destination network is the remote site network
    Use the command "packet-tracer" command to simulate a packet coming from the "outside" host towards the remote site and see what the output ispacket-tracer input outside tcp
    How do you confirm the ASA is rejecting the traffic? Do you see some log message?
    Have you seen any traffic get encapsulated/encrypted at this site OR is there only traffic incoming from the remote site?
    - Jouni

  • Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall

    Hi,
    I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
    When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
    After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
    They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
    Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
    3
    Nov 21 2012
    07:11:09
    713902
    Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
    3
    Nov 21 2012
    07:11:09
    713061
    Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
    5
    Nov 21 2012
    07:11:09
    713119
    Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
    Here is from the syntax: show crypto isakmp sa
    Result of the command: "show crypto isakmp sa"
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    1   IKE Peer: 195.149.180.254
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    Result of the command: "show crypto ipsec sa"
    interface: outside
        Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
          access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
          current_peer:195.149.180.254
          #pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
          #pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: E715B315
        inbound esp sas:
          spi: 0xFAC769EB (4207372779)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38738/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xE715B315 (3876958997)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 5, }
             slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
             sa timing: remaining key lifetime (kB/sec): (38673/2061)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    And here are my Accesslists and vpn site to site config:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 84600
    crypto isakmp nat-traversal 40
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map CustomerCryptoMap 10 match address VPN_Tunnel
    crypto map CustomerCryptoMap 10 set pfs group5
    crypto map CustomerCryptoMap 10 set peer 195.149.180.254
    crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
    crypto map CustomerCryptoMap interface outside
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
    access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
    nat (inside) 0 access-list nonat
    All these remote networks are at the Main Site Clavister Firewall.
    Best Regards
    Michael

    Hi,
    I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
    If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
    Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
    I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
    Maybe you could try to change the Encryption Domain configurations a bit and test it then.
    You could also maybe take some debugs on the Phase2 and see if you get anymore  hints as to what could be the problem when only one network is working for the L2L VPN.
    - Jouni

  • The tale of two IPSec Tunnels...

    I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point.  I have two sites I'm working with, a test site on my bench and the other actual site at another location.  Both are ASA 5510's, both are running ASA v8.2(5).  The test site has a 3560 off of it, and the production site has a 3750 stack off it.  I don't think that part should matter, though.
    I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare.  The test site connects and I can ssh to the 3560 behind it just fine.  The production site, however, cannot connect to that 3750 or ping it to save my life.  I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
    At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group.  When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
    Then I thought it may be a routing issue.  The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes.  But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
    I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies.  Oon the production site I only see requests, no replies.  My encap counters don't increment during pings, but the decap counters do, which make sense.
    Other things to note:  The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well.  Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
    I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems.  I'd appreciate it!  Thanks
    Test Site that works
    Production Site that Doesn't
    testasa01-5510# sh run
    : Saved
    ASA Version 8.2(5)
    hostname testasa01-5510
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address <outsideif> 255.255.255.240
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.39.194.2 255.255.255.248
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
    access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
    access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
    access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
    tcp-map WSOptions
      tcp-options range 24 31 allow
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 100 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 100 10.39.0.0 255.255.0.0
    access-group inside_access_in in interface inside
    router eigrp 100
    network 10.0.0.0 255.0.0.0
    passive-interface default
    no passive-interface inside
    route outside 0.0.0.0 0.0.0.0 <outsideif> 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 management
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map1 1 match address outside_cryptomap
    crypto map outside_map1 1 set pfs group1
    crypto map outside_map1 1 set peer 209.242.145.200
    crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map1 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 70
    authentication crack
    encryption aes
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 110
    authentication rsa-sig
    encryption 3des
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 150
    authentication pre-share
    encryption des
    hash sha    
    group 2
    lifetime 86400
    crypto isakmp policy 170
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 management
    ssh timeout 60
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server <server> source inside
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol IPSec
    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
    dns-server value 8.8.8.8
    vpn-filter value remoteaccess
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteAccess_splitTunnelAcl
    split-tunnel-all-dns disable
    vlan none
    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
    address-pool vpn_ip_pool
    default-group-policy RemoteAccess
    tunnel-group RemoteAccess ipsec-attributes
    pre-shared-key *****
    tunnel-group 111.222.333.444 type ipsec-l2l
    tunnel-group 111.222.333.444
    general-attributes
    default-group-policy GroupPolicy1
    tunnel-group 111.222.333.444
    ipsec-attributes
    pre-shared-key *****
    class-map WSOptions-class
    match any
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    class WSOptions-class
      set connection advanced-options WSOptions
    policy-map type inspect ip-options ip-options-map
    parameters
      eool action allow
      nop action allow
      router-alert action allow
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end
    mp01-5510asa# sh run
    : Saved
    ASA Version 8.2(5)
    hostname mp01-5510asa
    names
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 10.29.194.2 255.255.255.252
    interface Ethernet0/1
    nameif dmz
    security-level 50
    ip address 172.16.29.1 255.255.255.0
    interface Ethernet0/2
    description
    nameif backup
    security-level 0
    ip address <backupif> 255.255.255.252
    interface Ethernet0/3
    description
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address <outsideif> 255.255.255.248
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.29.199.11 255.255.255.0
    management-only
    banner login Authorized Use Only
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    object-group network DM_INLINE_NETWORK_1
    network-object 10.29.1.0 255.255.255.0
    network-object 10.29.15.0 255.255.255.0
    network-object 10.29.199.0 255.255.255.0
    network-object 10.29.200.0 255.255.255.0
    network-object 10.29.31.0 255.255.255.0
    access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
    access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
    access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
    access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
    access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
    access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
    access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
    access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
    pager lines 24
    logging enable
    logging list acl-messages message 106023
    logging buffered acl-messages
    logging asdm acl-messages
    mtu inside 1500
    mtu dmz 1500
    mtu backup 1500
    mtu outside 1500
    mtu management 1500
    ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    asdm history enable
    arp timeout 14400
    global (inside) 201 interface
    global (dmz) 101 interface
    global (backup) 101 interface
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 10.29.1.0 255.255.255.0
    nat (inside) 101 10.29.15.0 255.255.255.0
    nat (inside) 101 10.29.31.0 255.255.255.0
    nat (inside) 101 10.29.32.0 255.255.255.0
    nat (inside) 101 10.29.199.0 255.255.255.0
    nat (inside) 101 10.29.200.0 255.255.255.0
    nat (inside) 101 192.168.29.0 255.255.255.0
    static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
    route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
    route management 10.0.0.0 255.0.0.0 10.29.199.1 1
    route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
    route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.0 255.0.0.0 management
    http 10.0.0.0 255.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 100
    type echo protocol ipIcmpEcho 74.125.239.16 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 100 life forever start-time now
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    track 1 rtr 100 reachability
    telnet timeout 5
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 10.0.0.0 255.0.0.0 management
    ssh timeout 60
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.200.1.41 source inside
    webvpn
    group-policy RemoteAccess internal
    group-policy RemoteAccess attributes
    dns-server value 8.8.8.8
    vpn-filter value remoteaccess
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value RemoteAccess_splitTunnelAcl
    split-tunnel-all-dns disable
    vlan none
    tunnel-group RemoteAccess type remote-access
    tunnel-group RemoteAccess general-attributes
    address-pool vpn_ip_pool3
    default-group-policy RemoteAccess
    tunnel-group RemoteAccess ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect icmp
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    testasa01-5510# sh crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
          local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
          current_peer: <peer ip>, username: blah
          dynamic allocated peer ip: 172.16.139.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 0A7F396F
          current inbound spi : E87AF806
        inbound esp sas:
          spi: 0xE87AF806 (3900372998)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3587
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x7FFFFFFF
        outbound esp sas:
          spi: 0x0A7F396F (176109935)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3587
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
    mp01-5510asa# sh crypto ipsec sa
    interface: outside
        Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
          local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
          current_peer: <peer ip>, username: blah
          dynamic allocated peer ip: 10.254.29.1
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0
          local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
          path mtu 1500, ipsec overhead 82, media mtu 1500
          current outbound spi: 096265D4
          current inbound spi : F5E4780C
        inbound esp sas:
          spi: 0xF5E4780C (4125390860)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3576
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x001FFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x096265D4 (157443540)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={RA, Tunnel,  NAT-T-Encaps, }
             slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
             sa timing: remaining key lifetime (sec): 3576
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    Config (non working site) looks fine(unless I missed something:)) . You may want to add :
    access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
    Try by taking out vpnfilter :  vpn-filter value remoteaccess
    To further t-shoot, try using packet tracer from ASA to the client...
    https://supportforums.cisco.com/docs/DOC-5796
    Thx
    MS

Maybe you are looking for

  • After installing Photoshop Elements 10, it shuts down

    After the first time this happened, I deleted and then reinstalled Photoshop Elements 10.  But, the problem persists. After it the program opens and I select Edit, the program opens completely and then, immediately appears an error message from Windo

  • MacBook Pro (Retina, 15-inch, Mid 2014) -- Enable NVIDIA GeForce GT 750M ?

    Hi I got a MacBook Pro (Retina, 15-inch, Mid 2014) running on Yosemite. I wonder how is possible to enable the NVIDIA GeForce GT 750M card? I am looking around but I cannot find documentation explaining about how to enable the other video card. Any t

  • WS application configuration - best practice advice

    Hi there, I'm a newbie on web services. I'm currently developing a Web Service using JAX-WS 2.1 and deploying on Tomcat 6. I'm wondering where to put my application's configuration. If I was developing a standalone java application I would put it in

  • Identify Browser Type - Safari Compatability

    Some web pages have code to identify the "Browser Type" eg is it IE, NS etc. How should Safari be correctly identified ? -- assuming that it's this test that is causing Safari to fail -- what test should be added to make the site Safari compatable ?

  • Changing Pricing conditions

    Hi, Is it possible to change pricing conditions after a PO has been created?