Chicago ASA relevant config:
interface GigabitEthernet0
 description INTERNET
 nameif outside
 security-level 0
 ip address 200.0.0.2 255.255.255.252
!
interface GigabitEthernet1
 description CHICAGO-LAN
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
!
object-group network minnesota-lan
 network-object 192.168.0.0 255.255.255.0
object-group network chicago-lan
 network-object 192.168.3.0 255.255.255.0
!
access-list chicago2minnesota extended permit ip 192.168.3.0 255.255.255.0 192.168.0.0 255.255.255.0
!
nat (inside,outside) source static chicago-lan chicago-lan destination static minnesota-lan minnesota-lan
nat (inside,outside) source dynamic chicago-lan interface
route outside 0.0.0.0 0.0.0.0 200.0.0.1 1
!
crypto ipsec ikev1 transform-set localtset esp-aes esp-sha-hmac
crypto map local-cmap 10 match address chicago2minnesota
crypto map local-cmap 10 set peer 100.0.0.2
crypto map local-cmap 10 set ikev1 transform-set localtset
crypto map local-cmap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 100.0.0.2 type ipsec-l2l
tunnel-group 100.0.0.2 ipsec-attributes
 ikev1 pre-shared-key ****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
!
end

Two things to check before reusing this: the identity NAT line (chicago-lan to minnesota-lan, no translation) has to stay ahead of the dynamic PAT line, because manual NAT rules are evaluated in order and LAN-to-LAN traffic that gets PATed to the outside address will never match the crypto ACL; and the crypto ACL on the far side must be the exact mirror of chicago2minnesota, or phase 2 fails with a proxy identity mismatch. IKEv1 with DH group 2 and SHA-1 is the minimum that works for this lab, not a recommendation: where both peers support it, use IKEv2 with group 14 or higher and SHA-256.
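The matching Minnesota-side configuration, added here as a worked example and not part of the original post. Every value is taken from the Chicago config and the Minnesota show output on this page (peer 200.0.0.2, Minnesota outside address 100.0.0.2, crypto ACL minnesota2chicago, crypto map local-cmap seq 10, transform set esp-aes esp-sha-hmac, identical IKEv1 policy); the interface names and descriptions, the /30 outside mask, the inside address 192.168.0.1, the default gateway 100.0.0.1 and the placeholder pre-shared key are assumptions.

```cisco
interface GigabitEthernet0
 description INTERNET
 nameif outside
 security-level 0
 ip address 100.0.0.2 255.255.255.252
!
interface GigabitEthernet1
 description MINNESOTA-LAN
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
object-group network minnesota-lan
 network-object 192.168.0.0 255.255.255.0
object-group network chicago-lan
 network-object 192.168.3.0 255.255.255.0
!
! Crypto ACL: exact mirror of chicago2minnesota (local subnet as source,
! remote subnet as destination). Any difference breaks phase 2.
access-list minnesota2chicago extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
!
! Identity NAT for the VPN traffic must come before the dynamic PAT rule;
! manual NAT is evaluated top-down.
nat (inside,outside) source static minnesota-lan minnesota-lan destination static chicago-lan chicago-lan
nat (inside,outside) source dynamic minnesota-lan interface
! Assumed upstream gateway for the Minnesota /30
route outside 0.0.0.0 0.0.0.0 100.0.0.1 1
!
crypto ipsec ikev1 transform-set localtset esp-aes esp-sha-hmac
crypto map local-cmap 10 match address minnesota2chicago
crypto map local-cmap 10 set peer 200.0.0.2
crypto map local-cmap 10 set ikev1 transform-set localtset
crypto map local-cmap interface outside
crypto isakmp identity address
crypto ikev1 enable outside
! Phase 1 policy must match the Chicago side attribute for attribute
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Tunnel-group name is the peer's IKE identity (its outside address);
! the PSK must be identical on both ASAs.
tunnel-group 200.0.0.2 type ipsec-l2l
tunnel-group 200.0.0.2 ipsec-attributes
 ikev1 pre-shared-key ****
!
```

To confirm the NAT ordering and crypto map match without sending real traffic, run `packet-tracer input inside icmp 192.168.0.10 8 0 192.168.3.10` on the Minnesota ASA (192.168.0.10 is an assumed host): the NAT phase should hit the identity rule, not the PAT rule, and a VPN phase should appear before the final ALLOW. Then compare `show crypto ipsec sa` on both ASAs; the encaps counter on one side should track the decaps counter on the other.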
Troubleshooting:

minnesota-host> traceroute 192.168.3.10

Tracing the route to 192.168.3.10
VRF info: (vrf in name/id, vrf out name/id)
  1 192.168.3.10 7 msec 4 msec *

minnesota-host> ping 192.168.3.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/20 ms
minnesota# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.0.0.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85597

There are no IKEv2 SAs

minnesota# show crypto ipsec sa

interface: outside
    Crypto map tag: local-cmap, seq num: 10, local addr: 100.0.0.2

      access-list minnesota2chicago extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 200.0.0.2

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 19, #pkts decrypt: 19, #pkts verify: 19
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 100.0.0.2/0, remote crypto endpt.: 200.0.0.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 1D5D9D16
      current inbound spi : 0EAAE763

    inbound esp sas:
      spi: 0x0EAAE763 (246081379)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: local-cmap
         sa timing: remaining key lifetime (kB/sec): (3914998/28048)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000FFFFF
    outbound esp sas:
      spi: 0x1D5D9D16 (492674326)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: local-cmap
         sa timing: remaining key lifetime (kB/sec): (3914998/28048)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

What to read from this: MM_ACTIVE with Role responder means Chicago initiated and phase 1 completed with the pre-shared key; the local and remote idents show the two crypto ACLs are mirrors; and encaps and decaps both sitting at 19 with zero send/recv errors confirms traffic is flowing in both directions. If encaps keeps climbing while decaps stays at 0, the tunnel is up but return traffic is not being encrypted on the far side, which almost always points at the peer's NAT exemption or crypto ACL.
biOos