
No VPN L2L traffic


marc3lo

Technical User
Jul 11, 2005
Hello, I'm setting up my first VPN L2L connection between an ASA5510 and an ASA5505. The tunnel comes up fine but I can't send traffic through the VPN. Does anyone have an idea of what could be wrong?
Here are the configs.



5510
ASA Version 8.0(4)
!
hostname MEXICALI

!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group telnor
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.11.254 255.255.255.0
!
interface Ethernet0/2
nameif tlan
security-level 100
ip address 172.20.2.230 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.41.0 255.255.255.0
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 192.9.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.16.21.0 255.255.255.0
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.16.41.0 255.255.255.0
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.30.0 255.255.255.0
access-list nonat extended permit ip 172.20.0.0 255.255.0.0 172.16.50.0 255.255.255.0
access-list civtij extended permit ip 172.16.11.0 255.255.255.0 172.16.21.0 255.255.255.0
access-list civtij extended permit ip 172.20.0.0 255.255.0.0 172.16.21.0 255.255.255.0
access-list civtij extended permit ip 192.168.0.0 255.255.0.0 172.16.21.0 255.255.255.0

pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu tlan 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route tlan 172.20.0.0 255.255.0.0 172.20.2.1 1
route tlan 192.9.0.0 255.255.0.0 192.9.7.160 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
aaa-server vpn protocol radius
http server enable
http 172.16.11.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 172.16.10.0 255.255.255.0 inside
http 172.20.0.0 255.255.0.0 tlan
no snmp-server location
no snmp-server contact
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto
crypto map mymap 10 match address civtij
crypto map mymap 10 set connection-type answer-only
crypto map mymap 10 set peer 201.xx.xx.142
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.10.0 255.255.255.0 inside
telnet 172.16.11.0 255.255.255.0 inside
telnet 172.20.0.0 255.255.0.0 tlan
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group telnor request dialout pppoe
vpdn group telnor localname pjbccentrocivico01@prodigy.net.mx
vpdn group telnor ppp authentication pap
vpdn username pjbccentrocivico01@prodigy.net.mx password *********
dhcpd address 172.16.11.240-172.16.11.250 inside
dhcpd dns 200.38.10.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

tunnel-group 201.xx.xx.142 type ipsec-l2l
tunnel-group 201.xx.xx.142 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:183d53d73022ac7223c974cd5880e92b
: end
MEXICALI#



5505

ASA Version 8.2(1)
!
hostname PENALESTJ

!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.21.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group telnor
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list vpn extended permit ip 172.16.21.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list vpn extended permit ip 172.16.21.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list vpn extended permit ip 172.16.21.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.21.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.21.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.21.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.21.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 1 match address vpn
crypto map mymap 1 set connection-type originate-only
crypto map mymap 1 set peer 201.xx.xx.101
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.16.21.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group telnor request dialout pppoe
vpdn group telnor localname ikusimexicali@prodigy.net.mx
vpdn group telnor ppp authentication pap
vpdn username ikusimexicali@prodigy.net.mx password *********
dhcpd auto_config outside
!
dhcpd address 172.16.21.5-172.16.21.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 201.xx.xx.101 type ipsec-l2l
tunnel-group 201.xx.xx.101 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:413ca1357fbbc7a4ee123a3d1468c086
: end
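Two things worth checking when an L2L tunnel is up but passes no traffic are that each peer's crypto-map ACL is the exact mirror of the other's, and that every interesting-traffic pair is exempted from NAT on its own firewall. The script below is an added example, not part of the original post or Cisco's tooling: it runs both checks over the ACL lines quoted above (ACL names as on the page; the 5510 `nonat` input is reduced to the one ACE that references 172.16.21.0/24, since none of the others can cover that subnet).

```python
import ipaddress
import re

# Constructed input: the crypto-map ACLs from both configs above, plus the NAT-exemption
# ACEs that reference 172.16.21.0/24 (the other 5510 nonat lines cannot cover that subnet).
ASA5510 = """
access-list nonat extended permit ip 172.16.11.0 255.255.255.0 172.16.21.0 255.255.255.0
access-list civtij extended permit ip 172.16.11.0 255.255.255.0 172.16.21.0 255.255.255.0
access-list civtij extended permit ip 172.20.0.0 255.255.0.0 172.16.21.0 255.255.255.0
access-list civtij extended permit ip 192.168.0.0 255.255.0.0 172.16.21.0 255.255.255.0
"""
ASA5505 = """
access-list vpn extended permit ip 172.16.21.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list vpn extended permit ip 172.16.21.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list vpn extended permit ip 172.16.21.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.21.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list nonat extended permit ip 172.16.21.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list nonat extended permit ip 172.16.21.0 255.255.255.0 192.168.0.0 255.255.0.0
"""
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acl(config, name):
    """(src, dst) network pairs of every 'permit ip' ACE belonging to ACL `name`."""
    pairs = []
    for line in config.strip().splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            pairs.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                          ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")))
    return pairs

def unmirrored(local, peer):
    """Local crypto ACEs whose exact mirror (dst, src) is absent from the peer's crypto ACL."""
    mirrors = {(d, s) for s, d in peer}
    return [p for p in local if p not in mirrors]

def not_exempted(crypto, nonat):
    """Crypto ACEs not fully covered by any NAT-exemption ACE, so they would be PATed."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]

def audit():
    a, b = parse_acl(ASA5510, "civtij"), parse_acl(ASA5505, "vpn")
    return {
        "5510_unmirrored": unmirrored(a, b),
        "5505_unmirrored": unmirrored(b, a),
        "5510_not_exempted": not_exempted(a, parse_acl(ASA5510, "nonat")),
        "5505_not_exempted": not_exempted(b, parse_acl(ASA5505, "nonat")),
    }
```

Call `audit()` to get the flagged pairs per firewall; a flagged entry is a candidate to confirm with `show crypto ipsec sa` (encaps/decaps counters) and `packet-tracer` on that box, not proof of the fault by itself.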