My pleasure mate :)
Regards,
--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough - Albert Einstein

2011/4/19 Manouchehr Omari <manouchehr1979_at_gmail.com>

> Dear All,
>
> This issue has been resolved by Piotr Matusiak. I really really appreciate
> his always kind help.
>
> Thank you very much Piotr.
>
> Best Regards,
> Manny
>
> On Mon, Apr 18, 2011 at 10:58 PM, Manouchehr Omari <
> manouchehr1979_at_gmail.com> wrote:
>
> > Dear All,
> >
> > The IPsec VPN establishes between two Cisco ASAs but I can't ping from
> > either site; it doesn't work. Please see the config below,
> >
> > *HQ ASA - 5510*
> >
> > ASA Version 8.2(2)
> > !
> > interface Ethernet0/0
> >  nameif outside
> >  security-level 0
> >  ip address 111.125.x.x 255.255.255.248
> > !
> > interface Ethernet0/1
> >  nameif CSC
> >  security-level 100
> >  ip address 10.71.23.1 255.255.255.0
> > !
> > interface Ethernet0/3
> >  no nameif
> >  no security-level
> >  no ip address
> > !
> > interface Ethernet0/3.1
> >  vlan 20
> >  nameif Inside
> >  security-level 100
> >  ip address 10.1.2.3 255.0.0.0
> > !
> > ftp mode passive
> > access-list outside_acl extended permit icmp any host 111.125.x.x echo-reply
> > access-list outside_acl extended permit icmp any host 111.125.x.x unreachable
> > access-list outside_acl extended permit icmp any host 111.125.x.x time-exceeded
> > access-list outside_1_cryptomap extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
> > access-list CSC_nat0_outbound extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
> > pager lines 24
> > mtu outside 1500
> > mtu CSC 1500
> > mtu Inside 1500
> > mtu Neda 1500
> > mtu management 1500
> > no failover
> > icmp unreachable rate-limit 1 burst-size 1
> > no asdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (CSC) 0 access-list CSC_nat0_outbound
> > nat (CSC) 1 10.1.2.0 255.255.255.0
> > nat (CSC) 1 10.71.23.0 255.255.255.0
> > access-group outside_acl in interface outside
> > route outside 0.0.0.0 0.0.0.0 111.125.x.x 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> > timeout tcp-proxy-reassembly 0:01:00
> > dynamic-access-policy-record DfltAccessPolicy
> > http server enable
> > http 10.1.2.0 255.255.255.0 Inside
> > no snmp-server location
> > no snmp-server contact
> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > crypto ipsec security-association lifetime seconds 28800
> > crypto ipsec security-association lifetime kilobytes 4608000
> > crypto map outside_map 1 match address outside_1_cryptomap
> > crypto map outside_map 1 set pfs
> > crypto map outside_map 1 set peer 202.86.x.x
> > crypto map outside_map 1 set transform-set ESP-3DES-MD5
> > crypto map outside_map interface outside
> > crypto isakmp enable outside
> > crypto isakmp policy 10
> >  authentication pre-share
> >  encryption 3des
> >  hash md5
> >  group 2
> >  lifetime 86400
> > telnet timeout 5
> > ssh 10.1.2.0 255.255.255.0 Inside
> > ssh timeout 60
> > console timeout 0
> > threat-detection basic-threat
> > threat-detection statistics access-list
> > no threat-detection statistics tcp-intercept
> > webvpn
> > tunnel-group 202.86.x.x type ipsec-l2l
> > tunnel-group 202.86.x.x ipsec-attributes
> >  pre-shared-key *****
> > !
> > class-map inspection_default
> >  match default-inspection-traffic
> > !
> > !
> > policy-map type inspect dns preset_dns_map
> >  parameters
> >   message-length maximum client auto
> >   message-length maximum 512
> > policy-map global_policy
> >  class inspection_default
> >   inspect dns preset_dns_map
> >   inspect ftp
> >   inspect h323 h225
> >   inspect h323 ras
> >   inspect rsh
> >   inspect rtsp
> >   inspect esmtp
> >   inspect sqlnet
> >   inspect skinny
> >   inspect sunrpc
> >   inspect xdmcp
> >   inspect sip
> >   inspect netbios
> >   inspect tftp
> >   inspect ip-options
> > !
> > service-policy global_policy global
> > prompt hostname context
> > Cryptochecksum:3deb292e78a44d158ffc36ebf4ae9c9d
> > : end
> >
> > -----------------------------------------------------------------------------
> >
> > *Branch ASA - 5505*
> >
> > ASA Version 7.2(3)
> >
> > interface Vlan1
> >  nameif inside
> >  security-level 100
> >  ip address 10.210.10.38 255.255.255.252
> > !
> > interface Vlan2
> >  nameif outside
> >  security-level 0
> >  ip address 202.86.x.x 255.255.255.252
> > !
> > interface Ethernet0/0
> >  switchport access vlan 2
> > !
> > interface Ethernet0/1
> > !
> > interface Ethernet0/2
> >  shutdown
> > !
> > interface Ethernet0/3
> >  shutdown
> > !
> > interface Ethernet0/4
> >  shutdown
> > !
> > interface Ethernet0/5
> >  shutdown
> > !
> > interface Ethernet0/6
> >  shutdown
> > !
> > interface Ethernet0/7
> >  shutdown
> > !
> > access-list outside_acl extended permit icmp any host 202.86.x.x echo-reply
> > access-list outside_acl extended permit icmp any host 202.86.x.x unreachable
> > access-list outside_acl extended permit icmp any host 202.86.x.x time-exceeded
> > access-list inside_nat0_outbound extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
> > access-list outside_2_cryptomap extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
> > pager lines 24
> > logging enable
> > logging timestamp
> > logging console debugging
> > logging buffered notifications
> > logging trap notifications
> > mtu inside 1500
> > mtu outside 1500
> > ip audit name TRANSIT_TRAFFIC attack action alarm drop reset
> > ip audit interface inside TRANSIT_TRAFFIC
> > ip audit interface outside TRANSIT_TRAFFIC
> > ip audit info action
> > ip audit attack action alarm drop reset
> > icmp unreachable rate-limit 1 burst-size 1
> > asdm image disk0:/asdm-523.bin
> > no asdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list inside_nat0_outbound
> > access-group outside_acl in interface outside
> > route outside 0.0.0.0 0.0.0.0 202.86.x.x
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> > timeout uauth 0:05:00 absolute
> > http server enable
> > no snmp-server location
> > no snmp-server contact
> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> > crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> > crypto map outside_map 10 match address outside_2_cryptomap
> > crypto map outside_map 10 set pfs
> > crypto map outside_map 10 set peer 111.125.x.x
> > crypto map outside_map 10 set transform-set ESP-3DES-MD5
> > crypto map outside_map interface outside
> > crypto isakmp enable outside
> > crypto isakmp policy 1
> >  authentication pre-share
> >  encryption des
> >  hash md5
> >  group 2
> >  lifetime 86400
> > crypto isakmp policy 10
> >  authentication pre-share
> >  encryption 3des
> >  hash md5
> >  group 2
> >  lifetime 86400
> > crypto isakmp policy 50
> >  authentication pre-share
> >  encryption aes
> >  hash sha
> >  group 5
> >  lifetime 86400
> > ssh timeout 60
> > console timeout 0
> >
> > !
> > class-map inspection_default
> >  match default-inspection-traffic
> > !
> > !
> > policy-map type inspect dns preset_dns_map
> >  parameters
> >   message-length maximum 512
> > policy-map global_policy
> >  class inspection_default
> >   inspect dns preset_dns_map
> >   inspect ftp
> >   inspect h323 h225
> >   inspect h323 ras
> >   inspect rsh
> >   inspect rtsp
> >   inspect esmtp
> >   inspect sqlnet
> >   inspect skinny
> >   inspect sunrpc
> >   inspect xdmcp
> >   inspect sip
> >   inspect netbios
> >   inspect tftp
> > !
> > service-policy global_policy global
> > tunnel-group 111.125.x.x type ipsec-l2l
> > tunnel-group 111.125.x.x ipsec-attributes
> >  pre-shared-key *
> > prompt hostname context
> > Cryptochecksum:8af0be17d29c8f5b78ba80cc39f28cf3
> > : end
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue Apr 19 2011 - 10:51:57 ART
This archive was generated by hypermail 2.2.0 : Sun May 01 2011 - 09:00:29 ART
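Added example, not from the thread or from either poster: a small Python checker that reads the IPsec-relevant lines of two ASA running-configs and reports the mismatches that most often leave a site-to-site tunnel up but unable to carry traffic: crypto ACLs that are not mirror images of each other, a NAT exemption (nat 0) that does not cover the crypto ACL, transform sets or PFS that differ, and ISAKMP policies with no common proposal. The config excerpts embedded below are constructed from the two configs posted in the thread, trimmed to the lines the parser reads, with the posted `x.x` peer addresses kept as they appear; the function names `parse_asa` and `check_pair` are this example's own. On the posted configs the checker finds no mismatch, which agrees with the tunnel having established; the thread does not say what the eventual fix was, and the checker does not claim to.

```python
"""Consistency checks between the two ends of an ASA site-to-site IPsec tunnel."""
import re

# Constructed excerpts of the HQ and Branch configs posted in the thread.
HQ_CONFIG = """
access-list outside_1_cryptomap extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
access-list CSC_nat0_outbound extended permit ip 10.71.23.0 255.255.255.0 10.210.10.36 255.255.255.252
nat (CSC) 0 access-list CSC_nat0_outbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 202.86.x.x
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

BRANCH_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.210.10.36 255.255.255.252 10.71.23.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_2_cryptomap
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 111.125.x.x
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 5
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_asa(text):
    """Extract crypto ACLs, nat 0 exemptions, transform sets, crypto map and ISAKMP policies."""
    cfg = {"acls": {}, "ts": {}, "crypto_acl": None, "crypto_ts": None,
           "pfs": False, "nat0": set(), "isakmp": []}
    policy = None  # ISAKMP policy block currently being filled in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            policy = None  # any top-level line ends an indented policy block
        m = ACL_RE.match(line)
        if m:  # (src, src_mask, dst, dst_mask) per ACE, grouped by ACL name
            cfg["acls"].setdefault(m[1], []).append(m.groups()[1:])
            continue
        p = line.split()
        if p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][p[3]] = tuple(p[4:])
        elif p[:2] == ["crypto", "map"] and "address" in p:
            cfg["crypto_acl"] = p[-1]
        elif p[:2] == ["crypto", "map"] and "transform-set" in p:
            cfg["crypto_ts"] = p[-1]
        elif p[:2] == ["crypto", "map"] and p[-1] == "pfs":
            cfg["pfs"] = True
        elif p[:3] == ["crypto", "isakmp", "policy"]:
            policy = {}
            cfg["isakmp"].append(policy)
        elif p[0] == "nat" and len(p) >= 5 and p[2] == "0" and p[3] == "access-list":
            cfg["nat0"].add(p[4])
        elif policy is not None and p[0] in ("authentication", "encryption", "hash", "group"):
            policy[p[0]] = p[1]
    return cfg


def _entries(cfg, acl_names):
    """Union of the ACEs of the named ACLs as a set of 4-tuples."""
    out = set()
    for name in acl_names:
        out.update(cfg["acls"].get(name, []))
    return out


def _mirror(entries):
    """Swap source and destination of every ACE (what the far end must match)."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in entries}


def check_pair(a, b, names=("A", "B")):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    crypto = [_entries(c, [c["crypto_acl"]]) for c in (a, b)]
    if crypto[1] != _mirror(crypto[0]):
        findings.append("crypto ACLs are not mirror images of each other")
    for name, c, ent in zip(names, (a, b), crypto):
        if not ent <= _entries(c, c["nat0"]):  # interesting traffic must not be translated
            findings.append(f"{name}: NAT exemption (nat 0) does not cover the crypto ACL")
    if a["ts"].get(a["crypto_ts"]) != b["ts"].get(b["crypto_ts"]):
        findings.append("IPsec transform sets differ")
    if a["pfs"] != b["pfs"]:
        findings.append("PFS is enabled on one side only")
    keys = ("authentication", "encryption", "hash", "group")
    pol = [{tuple(pl.get(k) for k in keys) for pl in c["isakmp"]} for c in (a, b)]
    if not pol[0] & pol[1]:
        findings.append("no ISAKMP policy is common to both peers")
    return findings


if __name__ == "__main__":
    result = check_pair(parse_asa(HQ_CONFIG), parse_asa(BRANCH_CONFIG), ("HQ", "Branch"))
    for line in result or ["no mismatches found"]:
        print(line)
```

The parser deliberately keys on the commands as they appear in the 7.x/8.2 syntax posted above (`nat (if) 0 access-list`, `crypto map ... match address`); 8.3 and later use object NAT and would need a different exemption check.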