
Site-to-Site Up but traffic not passing 1


RMurr34 (Technical User), Sep 10, 2008
Hello,

I've created a site-to-site connection between two ASA5510s. The tunnel is up at both ends (as shown at top below). However, I'm unable to ping across and I can't join a domain controller in Site A to the domain in Site B. I'm sure it's some simple command that I'm missing. An extra set of eyes would be greatly appreciated.

ASA Number 1


ASA1(config)# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 209.xxx.xxx.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA1e(config)#
ASA1e(config)#
ASA1e(config)# show run
: Saved

ASA Number 2

ASA2(config)# show crypto isakmp sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 168.xxx.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 69.xxx.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA Number 1 Config


ASA Version 7.0(7)
!
hostname ASA1e
domain-name mydomain.com
enable password w65RXk0Y4imVbQ8i encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 69.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.50.129 255.255.255.192
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Y5ZLu5QeTZUXjtW9 encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list 101 extended permit tcp any host 69.xxx.xxx.58 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.59 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.51 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.60 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.61 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.62 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.57 eq 3389
access-list 101 extended permit tcp any host 69.xxx.xxx.54 eq 3389
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 120 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.64 255.255.255.192
access-list 110 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.0 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.0 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.64 255.255.255.192
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list 100
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside2,inside) 192.168.102.0 192.168.102.0 netmask 255.255.255.0
static (inside2,outside) 69.xxx.xxx.60 192.168.102.4 netmask 255.255.255.255
static (inside2,outside) 69.xxx.xxx.61 192.168.102.5 netmask 255.255.255.255
static (inside2,outside) 69.xxx.xxx.62 192.168.102.6 netmask 255.255.255.255
static (inside2,outside) 69.xxx.xxx.57 192.168.102.3 netmask 255.255.255.255
static (inside2,outside) 69.xxx.xxx.54 192.168.102.7 netmask 255.255.255.255
static (inside,outside) 69.xxx.xxx.51 192.168.50.130 netmask 255.255.255.255
static (inside,outside) 69.xxx.xxx.58 192.168.50.131 netmask 255.255.255.255
static (inside,outside) 69.xxx.xxx.59 192.168.50.132 netmask 255.255.255.255
static (inside,inside2) 192.168.50.0 192.168.50.0 netmask 255.255.255.192
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.101.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community dontmesswithtexas
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 209.xxx.xxx.xxx
crypto map newmap 10 set transform-set FirstSet
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 168.xxx.xxx.xxx
crypto map newmap 20 set transform-set FirstSet
crypto map newmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
tunnel-group 209.xxx.xxx.xxx type ipsec-l2l
tunnel-group 209.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 168.xxx.xxx.xxx type ipsec-l2l
tunnel-group 168.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:8ca484f1c38b048a602e336f9a9a1a9c
: end
ASA1(config)#


ASA Number 2 Config
remote(config)# show run
: Saved
:
ASA Version 7.0(8)
!
hostname remote
domain-name REMOTE
enable password w65RXk0Y4imVbQ8i encrypted
passwd TY3hwE1RIOYpJzgO encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 209.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.192
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 101 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.64 255.255.255.192
access-list 101 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.128 255.255.255.192
access-list 102 extended permit tcp any host 209.xxx.xxx.35 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.36 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.37 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.38 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.39 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.40 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.41 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.42 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.43 eq 3389
access-list 102 extended permit icmp any any echo-reply
access-list 102 extended permit icmp any any unreachable
access-list 102 extended permit icmp any any time-exceeded
access-list 102 extended permit tcp any host 209.xxx.xxx.44 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.46 eq ftp
access-list 102 extended permit tcp any host 209.xxx.xxx.46 eq 3389
access-list 102 extended permit tcp any host 209.xxx.xxx.45 eq 3389
access-list 120 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.64 255.255.255.192
access-list 130 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.128 255.255.255.192
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.xxx.xxx.36 192.168.50.5 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.37 192.168.50.4 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.38 192.168.50.6 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.39 192.168.50.7 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.35 192.168.50.8 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.40 192.168.50.9 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.41 192.168.50.10 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.42 192.168.50.11 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.45 192.168.50.13 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.43 192.168.50.15 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.44 192.168.50.16 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.46 192.168.50.50 netmask 255.255.255.255
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username mypix password WWL8OwlOK4S.1p.b encrypted
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 168.xxx.xxx.xxx
crypto map newmap 20 set transform-set FirstSet
crypto map newmap 20 set security-association lifetime seconds 28800
crypto map newmap 20 set security-association lifetime kilobytes 4608000
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 69.xxx.xxx.xxx
crypto map newmap 30 set transform-set FirstSet
crypto map newmap 30 set security-association lifetime seconds 28800
crypto map newmap 30 set security-association lifetime kilobytes 4608000
crypto map newmap 65535 set security-association lifetime seconds 28800
crypto map newmap 65535 set security-association lifetime kilobytes 4608000
crypto map newmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
tunnel-group 168.xxx.xxx.xxx type ipsec-l2l
tunnel-group 168.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 69.xxx.xxx.xxx type ipsec-l2l
tunnel-group 69.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:737125b4ea4068d9108fa8dee21526d5
: end
remote(config)#
It may not be a config issue - but what is doing the DNS on the remote workstations?

ACSS - SME
General Geek

 
At first glance ASA #1 is missing a NAT exemption statement: nat (inside) 0 access-list 100

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
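The mismatch unclerico spotted (crypto-map traffic on ASA #1 is selected by ACLs 110 and 120, but the only NAT statement referencing those networks is `nat (inside) 1 access-list 100`, which is policy PAT, not an exemption) can be checked mechanically. The following script is an added example, not part of this thread or of any Cisco tool: it parses the relevant lines of an ASA 7.x running-config and reports every crypto-map flow that no `nat (...) 0 access-list` entry covers. The embedded config excerpts are constructed from the two configs posted above.

```python
import re
from ipaddress import ip_network

# Regexes for the three statement types the check needs (ASA 7.x syntax as pasted above).
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

# Constructed excerpts of the two configs in the thread (only the lines the check reads).
ASA1_CONFIG = """
access-list 120 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.64 255.255.255.192
access-list 110 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.0 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.0 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.64 255.255.255.192
nat (inside) 1 access-list 100
crypto map newmap 10 match address 110
crypto map newmap 20 match address 120
"""
ASA2_CONFIG = """
access-list 101 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.64 255.255.255.192
access-list 101 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.128 255.255.255.192
access-list 120 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.64 255.255.255.192
access-list 130 extended permit ip 192.168.50.0 255.255.255.192 192.168.50.128 255.255.255.192
nat (inside) 0 access-list 101
crypto map newmap 20 match address 120
crypto map newmap 30 match address 130
"""

def find_unexempted_vpn_flows(config_text):
    # Returns (crypto-acl, src, dst) for every crypto-map flow no 'nat ... 0' ACL covers.
    acls, exempt_acls, crypto_acls = {}, set(), []
    for line in config_text.splitlines():
        if m := ACL_RE.match(line.strip()):
            name, src, sm, dst, dm = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{sm}", strict=False), ip_network(f"{dst}/{dm}", strict=False)))
        elif m := NAT0_RE.match(line.strip()):
            exempt_acls.add(m.group(1))       # only id 0 is an exemption; 'nat ... 1' is policy PAT
        elif m := CRYPTO_RE.match(line.strip()):
            crypto_acls.append(m.group(1))
    exempt_flows = [f for a in exempt_acls for f in acls.get(a, [])]
    missing = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            # Covered if some exemption entry is at least as broad on both sides.
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt_flows):
                missing.append((name, str(src), str(dst)))
    return sorted(missing)

if __name__ == "__main__":
    for label, cfg in (("ASA1", ASA1_CONFIG), ("ASA2", ASA2_CONFIG)):
        print(label, find_unexempted_vpn_flows(cfg) or "all VPN flows exempt from NAT")
```

Run against the ASA #1 excerpt it flags both tunnel flows; appending the suggested `nat (inside) 0 access-list 100` line makes the report empty, as it already is for ASA #2.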
 
That was it unclerico! Once again you come through for me. It's greatly appreciated.
 