Amicuk Programming Answers

Site to Site VPN between ASA 5505 and Juniper SSG140 no traffic

2015-10-11

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
interface Ethernet0/2
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/3
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/4
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/5
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/6
 switchport trunk allowed vlan 20-21,24,28,212-214,227,232-236,254-256
 switchport mode trunk
interface Ethernet0/7
 switchport access vlan 250
interface Vlan2
 nameif outside
 security-level 0
 ip address 81.XXX.XXX.XXX 255.255.255.252
interface Vlan3
 nameif OUTSIDE_BACK
 security-level 0
 ip address 41.XXX.XXX.XXX 255.255.255.248
interface Vlan20
 nameif XXX
 security-level 80
 ip address 10.143.0.1 255.255.255.0 standby 10.143.0.2
interface Vlan21
 nameif XXX
 security-level 90
 ip address 10.143.1.1 255.255.255.0 standby 10.143.1.2
interface Vlan24
 nameif XXX
 security-level 80
 ip address 10.143.4.1 255.255.255.0 standby 10.143.4.2
interface Vlan28
 nameif XXX
 security-level 80
 ip address 10.143.8.1 255.255.255.0 standby 10.143.8.2
interface Vlan212
 nameif SELF
 security-level 80
 ip address 10.143.12.1 255.255.255.0 standby 10.143.12.2
interface Vlan213
 nameif XXX
 security-level 80
 ip address 10.143.13.1 255.255.255.0 standby 10.143.13.2
interface Vlan214
 nameif BIOFR
 security-level 80
 ip address 10.143.14.1 255.255.255.0 standby 10.143.14.2
interface Vlan232
 nameif MNGT
 security-level 80
 ip address 10.143.32.1 255.255.255.0 standby 10.143.32.2
interface Vlan233
 nameif XXX
 security-level 80
 ip address 10.143.33.1 255.255.255.0 standby 10.143.33.2
interface Vlan234
 nameif XXX
 security-level 80
 ip address 10.143.34.1 255.255.255.0 standby 10.143.34.2
interface Vlan235
 nameif XX
 security-level 80
 ip address 10.143.35.1 255.255.255.0 standby 10.143.35.2
interface Vlan236
 nameif XXX
 security-level 80
 ip address 10.143.36.1 255.255.255.0 standby 10.143.36.2
interface Vlan250
description LAN Failover Interface
interface Vlan254
 nameif TEST
 security-level 80
 ip address 10.143.254.1 255.255.255.0 standby 10.143.254.2
interface Vlan255
 nameif XXX
 security-level 100
 ip address 10.143.255.1 255.255.255.0 standby 10.143.255.2
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network XXX
 subnet 10.143.14.0 255.255.255.0
object network XXX
 subnet 10.143.35.0 255.255.255.0
object network XXX
 subnet 10.143.1.0 255.255.255.0
object network MGMT
 subnet 10.143.32.0 255.255.255.0
object network XXX
 subnet 10.143.36.0 255.255.255.0
object network XXX
 subnet 10.143.4.0 255.255.252.0
object network XXX
 subnet 10.143.33.0 255.255.255.0
object network ACCT
 subnet 10.143.34.0 255.255.255.0
object network XXX
 subnet 10.143.0.0 255.255.255.0
object network XXX
 subnet 10.143.8.0 255.255.255.0
object network XXX
 subnet 10.143.12.0 255.255.255.0
object network XXX
 subnet 10.143.37.0 255.255.255.0
object network TEST
 subnet 10.143.254.0 255.255.255.0
object network XXX
 subnet 10.143.255.0 255.255.255.0
object network NETWORK_OBJ_10.143.0.0_16
 subnet 10.143.0.0 255.255.0.0
object network NETWORK_OBJ_10.91.0.0_16
 subnet 10.91.0.0 255.255.0.0
object-group network vpn-local-network
 network-object 10.143.14.0 255.255.255.0
 network-object 10.143.35.0 255.255.255.0
 network-object 10.143.1.0 255.255.255.0
 network-object 10.143.32.0 255.255.255.0
 network-object 10.143.36.0 255.255.255.0
 network-object 10.143.4.0 255.255.255.0
 network-object 10.143.33.0 255.255.255.0
 network-object 10.143.34.0 255.255.255.0
object-group network vpn-remote-network
 network-object 10.112.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list ACL_INSIDE_NONAT extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
access-list PING extended permit icmp any any
access-list PING extended permit icmp any any object-group ALLOW_PING
pager lines 24
logging asdm informational
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover interface ip FAILOVER 10.143.250.1 255.255.255.0 standby 10.143.250.2
no monitor-interface outside
no monitor-interface OUTSIDE_BACK
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XXX interface
nat (XXX,outside) source dynamic XX interface
nat (IT,outside) source dynamic IT interface
nat (TEST,outside) source dynamic TEST interface
nat (IT,outside) source dynamic IT interface
nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup
access-group PING in interface outside
access-group PING in interface OUTSIDE_BACK
route outside 0.0.0.0 0.0.0.0 81.XXX.XXX.XXX.XXX 1 track 1
route OUTSIDE_BACK 0.0.0.0 0.0.0.0 41.XXXX
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
sysopt connection preserve-vpn-flows
sla monitor 123
 type echo protocol ipIcmpEcho 41.xxx.xxx.xxx interface outside
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-3DES-ESP-MD5-HMAC esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TEST 1 match address ACL_VPN
crypto map TEST 1 set peer 194.XXX.XXX.XXX
crypto map TEST 1 set ikev1 transform-set ESP-3DES-ESP-MD5-HMAC
crypto map TEST 1 set security-association lifetime seconds 86400
crypto map TEST 1 set security-association lifetime kilobytes 2147483647
crypto map TEST interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
track 1 rtr 123 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.143.255.0 255.255.255.0 IT
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access IT
dhcpd lease 60000
dhcpd ping_timeout 20
dhcpd domain tls.ad
dhcpd auto_config outside
dhcpd address 10.143.4.10-10.143.4.200 XXX
dhcpd dns 10.91.0.34 8.8.8.8 interface XXX
dhcpd option 3 ip 10.143.4.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.12.10-10.143.12.200 XXX
dhcpd option 3 ip 10.143.12.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.14.10-10.143.14.200 XXX
dhcpd option 3 ip 10.143.14.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.32.10-10.143.32.100 MNGT
dhcpd option 3 ip 10.143.32.1 interface MNGT
dhcpd enable MNGT
dhcpd address 10.143.33.10-10.143.33.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.34.10-10.143.34.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.36.10-10.143.36.100 XXX
dhcpd option 3 ip 10.143.32.1 interface XXX
dhcpd enable XXX
dhcpd address 10.143.255.10-10.143.255.200 XXX
dhcpd option 3 ip 10.143.255.1 interface XXX
dhcpd enable IT
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.90.0.34
ntp server 10.91.0.34
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username tlsnimda password OW03yrp6/wvkyg6E encrypted
tunnel-group 194.XXX.XXX.XXX type ipsec-l2l
tunnel-group 194.XXX.XXX.XXX ipsec-attributes
 ikev1 pre-shared-key *****
class-map icmp
 match default-inspection-traffic
policy-map icmppolicy
 class icmp
  inspect icmp
service-policy icmppolicy interface outside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e820e629c3cbaf67478c065440ac8138
VPN is up but not passing any traffic
  Crypto map tag: TEST, seq num: 1, local addr: 81.xxx.xxx.xxx
      access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.143.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.112.0.0/255.255.0.0/0/0)
      current_peer: 194.xxx.xxx.xxx
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 10, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 10
      local crypto endpt.: 81.xxx.xxx.xxx/0, remote crypto endpt.: 194.xxx.xxx.xx/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CC4FACB7
      current inbound spi : D8C0AC76
    inbound esp sas:
      spi: 0xD8C0AC76 (3636505718)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 9367552, crypto-map: TEST
         sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xCC4FACB7 (3427773623)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 9367552, crypto-map: TEST
         sa timing: remaining key lifetime (kB/sec): (1824522239/3507)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
VPN is unstable
Connection terminated for peer 194.XXX.XXX.XX.  Reason: Peer Terminate  Remote Proxy 10.112.0.0, Local Proxy 10.143.0.0
I cannot pass any traffic through the vpn when it's UP, or ping the other side.
ASA VERSION 9.2
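One thing worth checking against the configuration above, before looking at the Juniper side: on ASA 8.3 and later, NAT is applied before the crypto-map ACL is evaluated, and the manual NAT rules at the top of the NAT section are matched in configuration order, first match wins. The only identity (NAT-exempt) rule in the post is `nat (TEST,outside) source static vpn-local-network vpn-local-network destination static vpn-remote-network vpn-remote-network ...`, it applies only to the TEST interface, and it sits after the per-interface `source dynamic ... interface` PAT rules. Traffic from MNGT, SELF, BIOFR and the other inside interfaces would therefore be PATed to the outside address before it can match ACL_VPN, which would leave `#pkts encaps: 0` exactly as shown. ACL_INSIDE_NONAT is also defined but never referenced anywhere, so it does no NAT exemption on this release. The script below is an added example, not code from the post or from Cisco: it parses the NAT, object and crypto-map lines of a running-config and reports, per inside interface, which rule traffic toward the tunnel's remote network hits first. It assumes an interface's real subnet is the object named in its own dynamic PAT rule (the `interface`/`nameif` lines are not parsed), and the sample configs are constructed from three of the posted networks with the redacted names made distinct.

```python
"""Added example (not from the post): for an ASA 8.3+/9.x config, report whether
traffic from each inside interface reaches the crypto map untranslated.  NAT runs
before the crypto-map ACL and manual NAT rules match in config order, first match
wins, so a dynamic PAT rule ahead of the identity (exemption) rule hides the traffic."""
import ipaddress
import re

# Tolerates the spacing variants in the post: "nat (X,outside)", "nat(X,outside)", "nat ( X,outside)".
NAT_RE = re.compile(
    r"^nat\s*\(\s*(?P<src_if>[^,\s]+)\s*,\s*(?P<dst_if>[^)\s]+)\s*\)\s+source\s+"
    r"(?P<kind>dynamic|static)\s+(?P<real>\S+)\s+(?P<mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dreal>\S+)\s+(?P<dmapped>\S+))?")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (objects, acls, nat_rules, crypto_acl_name) from running-config text."""
    objects, acls, nat_rules, crypto_acl, current = {}, {}, [], None, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0] in " \t":                       # indented: body of an object/object-group
            if current is not None and words[0] in ("subnet", "network-object"):
                current.append(_net(words[1], words[2]))
            continue
        current = None
        if words[0] in ("object", "object-group") and words[1:2] == ["network"]:
            current = objects.setdefault(words[2], [])
        elif words[0] == "access-list" and words[2:5] == ["extended", "permit", "ip"] \
                and len(words) >= 9 and words[5][0].isdigit():   # plain src/mask dst/mask form only
            acls.setdefault(words[1], []).append((_net(words[5], words[6]), _net(words[7], words[8])))
        elif words[:2] == ["crypto", "map"] and "address" in words:
            crypto_acl = words[words.index("address") + 1]
        else:
            m = NAT_RE.match(raw)
            if m:
                nat_rules.append({**m.groupdict(), "line": raw.strip()})
    return objects, acls, nat_rules, crypto_acl


def _resolve(name, objects):
    return [ipaddress.ip_network("0.0.0.0/0")] if name == "any" else objects.get(name, [])


def vpn_nat_verdicts(config, outside="outside"):
    """Map each inside interface to (verdict, NAT line) for traffic to the crypto ACL's remote nets.
    EXEMPT: identity twice NAT matched, source kept, can match the crypto ACL.
    PAT: a dynamic rule matched first, source rewritten, will not match the crypto ACL.
    STATIC: translated to another address.  UNTRANSLATED: no rule matched, forwarded as-is."""
    objects, acls, nat_rules, crypto_acl = parse(config)
    remote_nets = [dst for _, dst in acls.get(crypto_acl, [])]
    inside = {}                                   # iface -> real subnets (assumption: from its PAT object)
    for r in nat_rules:
        if r["kind"] == "dynamic" and r["dst_if"] == outside and r["src_if"] != "any":
            inside.setdefault(r["src_if"], _resolve(r["real"], objects))
    verdicts = {}
    for iface, subnets in inside.items():
        verdicts[iface] = ("UNTRANSLATED", "")
        for r in nat_rules:                       # configuration order, first match wins
            if r["src_if"] not in (iface, "any") or r["dst_if"] != outside:
                continue
            src_hit = any(s.subnet_of(n) for s in subnets for n in _resolve(r["real"], objects))
            dst_hit = not r["dreal"] or any(
                rem.overlaps(n) for rem in remote_nets for n in _resolve(r["dreal"], objects))
            if not (src_hit and dst_hit):
                continue
            if r["kind"] == "dynamic":
                code = "PAT"
            elif r["real"] == r["mapped"] and r["dreal"] == r["dmapped"]:
                code = "EXEMPT"
            else:
                code = "STATIC"
            verdicts[iface] = (code, r["line"])
            break
    return verdicts


# Constructed excerpt modelled on the posted config (three inside networks, names made distinct).
OBJECTS = """\
object network MGMT
 subnet 10.143.32.0 255.255.255.0
object network ACCT
 subnet 10.143.34.0 255.255.255.0
object network TEST
 subnet 10.143.254.0 255.255.255.0
object-group network vpn-local-network
 network-object 10.143.32.0 255.255.255.0
 network-object 10.143.34.0 255.255.255.0
object-group network vpn-remote-network
 network-object 10.112.0.0 255.255.0.0
access-list ACL_VPN extended permit ip 10.143.0.0 255.255.0.0 10.112.0.0 255.255.0.0
"""
PAT_RULES = """\
nat (MNGT,outside) source dynamic MGMT interface
nat (ACCT,outside) source dynamic ACCT interface
nat (TEST,outside) source dynamic TEST interface
"""
EXEMPT = ("nat ({iface},outside) source static vpn-local-network vpn-local-network "
          "destination static vpn-remote-network vpn-remote-network no-proxy-arp route-lookup\n")
CRYPTO = "crypto map TEST 1 match address ACL_VPN\n"
AS_POSTED = OBJECTS + PAT_RULES + EXEMPT.format(iface="TEST") + CRYPTO   # exemption last, TEST only
CORRECTED = OBJECTS + EXEMPT.format(iface="any") + PAT_RULES + CRYPTO    # exemption first, any inside iface

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for iface, (code, line) in vpn_nat_verdicts(cfg).items():
            print(f"  {iface:5} {code:12} {line}")
```

Run as-is, the "as posted" layout reports PAT for every interface, including TEST, because its dynamic rule precedes the exemption. The "corrected" layout (identity rule first, `any` as the inside interface, which is valid ASA NAT syntax) reports EXEMPT for MNGT and ACCT but still PAT for TEST, because 10.143.254.0/24 is not a member of vpn-local-network. That is the second thing to line up: ACL_VPN and the Juniper proxy-IDs in the log are 10.143.0.0/16 to 10.112.0.0/16, while vpn-local-network is a list of individual /24s, so the exemption and the crypto ACL cover different address sets. Separately from the traffic problem, the posted proposal (3DES, MD5, DH group 2, plus `ssh key-exchange group dh-group1-sha1` and RC4 in the `ssl encryption` list) is weak by current standards and worth renegotiating with the Juniper side once the tunnel carries traffic.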

Answer

I do not think that'll be any problem. Here at work we also use Cisco ADSL 800 Series with VPN between customers' sites without any issues. The ASA should VPN for sure.
