This is a from another thread yesterday that was good. I added second remote site to the central ASA but now I lost the VPN coonection and unable to ping from a PC to the internal (was able to before) 10.0.0.x.. If I were to remove the PULLMAN WARNER it would be fine.
warnerasa(config)# sh crypto isa sa
There are no isakmp sas
warnerasa(config)#
But I am able to ping to all 3 peers 207.x.x.98 207.x.x.58 62.x.x.162, the all reply.
The cnetral "scrubbed" config is below..
Let me know if you would like the 3 remote site. 2 remote site was good from another thread.
Any advise would be apreciated.
pullmanasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname pullmanasa
domain-name DOMAIN.COM
enable password xbuOFGS/b6r6SI6t encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.X.X.98 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group CoxDNS
name-server 68.4.16.30
name-server 68.6.16.30
dns server-group DefaultDNS
domain-name DOMAIN.COM
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.99 eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.16 host 207.X.X.99 eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.99 eq 5900
access-list outside_access_in extended permit tcp any host 207.X.X.100 eq 4709
access-list outside_access_in extended permit tcp any host 207.X.X.100 eq 18772
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list PULLMAN-ZODIAC extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list PULLMAN-WARNER extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 207.X.X.99
global (outside) 3 207.X.X.100
nat (inside) 0 access-list NONAT
nat (inside) 2 10.1.1.3 255.255.255.255
nat (inside) 3 10.1.1.60 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.X.X.99 5900 10.1.1.3 5900 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.100 4709 10.1.1.60 4709 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.100 18772 10.1.1.60 18772 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.X.X.98 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface inside
service resetinbound interface outside
crypto ipsec transform-set ASA1TS esp-3des esp-sha-hmac
crypto ipsec transform-set ASA3TS esp-3des esp-sha-hmac
crypto map PULLMANVPN 10 match address PULLMAN-ZODIAC
crypto map PULLMANVPN 10 set peer 63.X.X.162
crypto map PULLMANVPN 10 set transform-set ASA1TS
crypto map PULLMANVPN 10 set security-association lifetime seconds 36000
crypto map PULLMANVPN2 20 match address PULLMAN-WARNER
crypto map PULLMANVPN2 20 set peer 207.X.X.58
crypto map PULLMANVPN2 20 set transform-set ASA3TS
crypto map PULLMANVPN2 20 set security-association lifetime seconds 36000
crypto map PULLMANVPN2 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tunnel-group 63.X.X.162 type ipsec-l2l
tunnel-group 63.X.X.162 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
tunnel-group 207.X.X.58 type ipsec-l2l
tunnel-group 207.X.X.58 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:cba42eede19f5d9b3561ca0e0eb9a5c4
: end
pullmanasa#
Thanks for your help
warnerasa(config)# sh crypto isa sa
There are no isakmp sas
warnerasa(config)#
But I am able to ping to all 3 peers 207.x.x.98 207.x.x.58 62.x.x.162, the all reply.
The cnetral "scrubbed" config is below..
Let me know if you would like the 3 remote site. 2 remote site was good from another thread.
Any advise would be apreciated.
pullmanasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname pullmanasa
domain-name DOMAIN.COM
enable password xbuOFGS/b6r6SI6t encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.X.X.98 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group CoxDNS
name-server 68.4.16.30
name-server 68.6.16.30
dns server-group DefaultDNS
domain-name DOMAIN.COM
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.99 eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.16 host 207.X.X.99 eq 5900
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.99 eq 5900
access-list outside_access_in extended permit tcp any host 207.X.X.100 eq 4709
access-list outside_access_in extended permit tcp any host 207.X.X.100 eq 18772
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list PULLMAN-ZODIAC extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list PULLMAN-WARNER extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 207.X.X.99
global (outside) 3 207.X.X.100
nat (inside) 0 access-list NONAT
nat (inside) 2 10.1.1.3 255.255.255.255
nat (inside) 3 10.1.1.60 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.X.X.99 5900 10.1.1.3 5900 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.100 4709 10.1.1.60 4709 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.100 18772 10.1.1.60 18772 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.X.X.98 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.16 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetinbound interface inside
service resetinbound interface outside
crypto ipsec transform-set ASA1TS esp-3des esp-sha-hmac
crypto ipsec transform-set ASA3TS esp-3des esp-sha-hmac
crypto map PULLMANVPN 10 match address PULLMAN-ZODIAC
crypto map PULLMANVPN 10 set peer 63.X.X.162
crypto map PULLMANVPN 10 set transform-set ASA1TS
crypto map PULLMANVPN 10 set security-association lifetime seconds 36000
crypto map PULLMANVPN2 20 match address PULLMAN-WARNER
crypto map PULLMANVPN2 20 set peer 207.X.X.58
crypto map PULLMANVPN2 20 set transform-set ASA3TS
crypto map PULLMANVPN2 20 set security-association lifetime seconds 36000
crypto map PULLMANVPN2 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.16 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
ntp server 131.107.1.10 source outside prefer
tunnel-group 63.X.X.162 type ipsec-l2l
tunnel-group 63.X.X.162 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 5
tunnel-group 207.X.X.58 type ipsec-l2l
tunnel-group 207.X.X.58 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:cba42eede19f5d9b3561ca0e0eb9a5c4
: end
pullmanasa#
Thanks for your help