Re: IPSec VPN - Tunnel Establishes but no ping works

From: Manouchehr Omari <manouchehr1979_at_gmail.com>
Date: Tue, 19 Apr 2011 01:49:55 -0700

Dear All,

This issue has been resolved by Piotr Matusiak. I really, really appreciate
his always-kind help.

Thank you very much Piotr.

Best Regards,
Manny

On Mon, Apr 18, 2011 at 10:58 PM, Manouchehr Omari <manouchehr1979_at_gmail.com> wrote:

>
>
> Dear All,
>
> The IPsec VPN establishes between two Cisco ASAs, but pings from both
> sites don't work. Please see the config below:
>
>
> *HQ ASA - 5510*
>
>
> ASA Version 8.2(2)
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 111.125.x.x 255.255.255.248
> !
> interface Ethernet0/1
> nameif CSC
> security-level 100
> ip address 10.71.23.1 255.255.255.0
> !
> interface Ethernet0/3
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet0/3.1
> vlan 20
> nameif Inside
> security-level 100
> ip address 10.1.2.3 255.0.0.0
> !
> ftp mode passive
> access-list outside_acl extended permit icmp any host 111.125.x.x echo-reply
> access-list outside_acl extended permit icmp any host 111.125.x.x unreachable
> access-list outside_acl extended permit icmp any host 111.125.x.x time-exceeded
> access-list outside_1_cryptomap extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
> access-list CSC_nat0_outbound extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
> pager lines 24
> mtu outside 1500
> mtu CSC 1500
> mtu Inside 1500
> mtu Neda 1500
> mtu management 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (CSC) 0 access-list CSC_nat0_outbound
> nat (CSC) 1 10.1.2.0 255.255.255.0
> nat (CSC) 1 10.71.23.0 255.255.255.0
> access-group outside_acl in interface outside
> route outside 0.0.0.0 0.0.0.0 111.125.x.x 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> timeout tcp-proxy-reassembly 0:01:00
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
> http 10.1.2.0 255.255.255.0 Inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> crypto map outside_map 1 match address outside_1_cryptomap
> crypto map outside_map 1 set pfs
> crypto map outside_map 1 set peer 202.86.x.x
> crypto map outside_map 1 set transform-set ESP-3DES-MD5
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> telnet timeout 5
> ssh 10.1.2.0 255.255.255.0 Inside
> ssh timeout 60
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics access-list
> no threat-detection statistics tcp-intercept
> webvpn
> tunnel-group 202.86.x.x type ipsec-l2l
> tunnel-group 202.86.x.x ipsec-attributes
> pre-shared-key *****
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum client auto
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> inspect ip-options
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:3deb292e78a44d158ffc36ebf4ae9c9d
> : end
>
>
>
>
> -----------------------------------------------------------------------------------------------------------------------------------
>
> *Branch ASA - 5505*
>
>
> ASA Version 7.2(3)
>
> interface Vlan1
> nameif inside
> security-level 100
> ip address 10.210.10.38 255.255.255.252
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address 202.86.x.x 255.255.255.252
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
> interface Ethernet0/2
> shutdown
> !
> interface Ethernet0/3
> shutdown
> !
> interface Ethernet0/4
> shutdown
> !
> interface Ethernet0/5
> shutdown
> !
> interface Ethernet0/6
> shutdown
> !
> interface Ethernet0/7
> shutdown
> !
> access-list outside_acl extended permit icmp any host 202.86.x.x echo-reply
> access-list outside_acl extended permit icmp any host 202.86.x.x unreachable
> access-list outside_acl extended permit icmp any host 202.86.x.x time-exceeded
> access-list inside_nat0_outbound extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
> access-list outside_2_cryptomap extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
> pager lines 24
> logging enable
> logging timestamp
> logging console debugging
> logging buffered notifications
> logging trap notifications
> mtu inside 1500
> mtu outside 1500
> ip audit name TRANSIT_TRAFFIC attack action alarm drop reset
> ip audit interface inside TRANSIT_TRAFFIC
> ip audit interface outside TRANSIT_TRAFFIC
> ip audit info action
> ip audit attack action alarm drop reset
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-523.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> access-group outside_acl in interface outside
> route outside 0.0.0.0 0.0.0.0 202.86.x.x
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> http server enable
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto map outside_map 10 match address outside_2_cryptomap
> crypto map outside_map 10 set pfs
> crypto map outside_map 10 set peer 111.125.x.x
> crypto map outside_map 10 set transform-set ESP-3DES-MD5
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 1
> authentication pre-share
> encryption des
> hash md5
> group 2
> lifetime 86400
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> crypto isakmp policy 50
> authentication pre-share
> encryption aes
> hash sha
> group 5
> lifetime 86400
> ssh timeout 60
> console timeout 0
>
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> tunnel-group 111.125.x.x type ipsec-l2l
> tunnel-group 111.125.x.x ipsec-attributes
> pre-shared-key *
> prompt hostname context
> Cryptochecksum:8af0be17d29c8f5b78ba80cc39f28cf3
> : end

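The thread says the problem was resolved but not what the fix was, so the following is an added example (editor's code, not from the original post or from either ASA) that applies the three static checks a practitioner runs first on a "Phase 1 and Phase 2 up, no traffic" pair: that the crypto ACLs are exact mirror images, that every crypto ACL entry is NAT-exempted, and that no remote network falls inside a directly connected subnet on an interface other than the one the crypto map is bound to, because longest-match routing would then send the packet out that interface before it ever reaches the crypto map. The script embeds the relevant lines of the two configs quoted above; the masked public addresses (111.125.x.x / 202.86.x.x) are replaced with documentation ranges so the lines parse, which is an assumption of this example, not something the post states. Against the posted HQ config the routing check flags the Inside interface, whose 255.0.0.0 mask makes 10.0.0.0/8 a connected subnet that swallows the branch's 10.210.10.36/30; whether that was the actual fault is not stated on the page.

```python
"""Static checks for a "tunnel up, no traffic" ASA 8.x site-to-site pair.

Added example; not from the original post.  It parses the relevant lines
of the two configs quoted above and applies three checks:

  1. the crypto ACLs of the two peers are exact mirror images;
  2. every crypto ACL entry is covered by a NAT-exemption (nat 0) ACL;
  3. no remote network (crypto ACL destination) overlaps a directly
     connected subnet on an interface other than the crypto-map interface,
     because longest-match routing would then send the packet out that
     interface and it would never reach the crypto map.
"""
import ipaddress
import re

# Trimmed copies of the configs in the post.  The masked public addresses
# (111.125.x.x / 202.86.x.x) are replaced with documentation ranges so the
# lines parse; that substitution is an assumption of this example.
HQ_CFG = """
interface Ethernet0/0
 nameif outside
 ip address 192.0.2.2 255.255.255.248
interface Ethernet0/1
 nameif CSC
 ip address 10.71.23.1 255.255.255.0
interface Ethernet0/3.1
 vlan 20
 nameif Inside
 ip address 10.1.2.3 255.0.0.0
access-list outside_1_cryptomap extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
access-list CSC_nat0_outbound extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
nat (CSC) 0 access-list CSC_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
"""

BRANCH_CFG = """
interface Vlan1
 nameif inside
 ip address 10.210.10.38 255.255.255.252
interface Vlan2
 nameif outside
 ip address 198.51.100.2 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address outside_2_cryptomap
crypto map outside_map interface outside
"""

IP_LINE = re.compile(r"^ip address (\S+) (\S+)$")
ACL_IP = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CRYPTO_MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
CRYPTO_IF = re.compile(r"^crypto map \S+ interface (\S+)$")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Extract interface subnets, ip ACL entries, nat 0 and crypto-map bindings."""
    cfg = {"ifaces": {}, "acls": {}, "crypto_acls": [], "crypto_if": None, "nat0": {}}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, name not yet known
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := IP_LINE.match(line)) and nameif:
            cfg["ifaces"][nameif] = net(m[1], m[2])
        elif m := ACL_IP.match(line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := CRYPTO_MATCH.match(line):
            cfg["crypto_acls"].append(m[1])
        elif m := CRYPTO_IF.match(line):
            cfg["crypto_if"] = m[1]
        elif m := NAT0.match(line):
            cfg["nat0"][m[1]] = m[2]
    return cfg


def crypto_entries(cfg):
    return [e for acl in cfg["crypto_acls"] for e in cfg["acls"].get(acl, [])]


def check_mirror(a, b):
    """True when every (src, dst) on peer A appears as (dst, src) on peer B."""
    return {(s, d) for s, d in crypto_entries(a)} == {(d, s) for s, d in crypto_entries(b)}


def check_nat_exempt(cfg):
    """Crypto entries with no covering nat 0 entry (on any interface)."""
    exempt = [e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])]
    return [(s, d) for s, d in crypto_entries(cfg)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


def check_routing(cfg):
    """Remote networks that fall inside a connected subnet off the crypto-map interface."""
    return [(d, name, iface_net)
            for _, d in crypto_entries(cfg)
            for name, iface_net in cfg["ifaces"].items()
            if name != cfg["crypto_if"] and iface_net.overlaps(d)]


HQ, BRANCH = parse_asa(HQ_CFG), parse_asa(BRANCH_CFG)

if __name__ == "__main__":
    print("crypto ACLs mirrored:", check_mirror(HQ, BRANCH))
    for label, cfg in (("HQ", HQ), ("Branch", BRANCH)):
        print(label, "crypto entries lacking nat 0:", check_nat_exempt(cfg))
        for d, name, iface_net in check_routing(cfg):
            print(f"{label}: remote {d} lies inside connected {iface_net} on {name}; "
                  f"traffic will be routed out {name}, not the crypto map")
```

The script only reads configs; confirm what it flags on the box itself. On the HQ ASA, `show crypto ipsec sa` with #pkts encaps staying at zero while the branch's decaps also stay at zero points at traffic never being selected for encryption, and `packet-tracer input CSC icmp 10.71.23.10 8 0 10.210.10.37` (10.71.23.10 is a made-up CSC host) shows which interface the ASA actually routes the echo request to. Neither side runs `inspect icmp`; decrypted traffic bypasses the interface ACLs by the default `sysopt connection permit-vpn`, so that is not the blocker here, but enabling ICMP inspection makes ping tests through the ASA stateful and removes one variable while troubleshooting.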
Received on Tue Apr 19 2011 - 01:49:55 ART
