TOPIC: ipsec l2l tunnel between 5505 and 5540

ipsec l2l tunnel between 5505 and 5540 7 years 3 weeks ago #32302

ixfnx (New Member, Posts: 1)
I'm having trouble getting the tunnel up between the two devices. Please take a look and tell me I've left out something silly. Here is the config from the 5505; the 5540 is good, as I have several other 1841s connected to the device over IPsec VPN.

ASA Version 8.2(1)
hostname cr201
enable password <removed> encrypted
passwd <removed> encrypted
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
description outside ISP connection
nameif outside
security-level 0
ip address A.B.C.13
interface Vlan3
nameif inside
security-level 100
ip address
interface Ethernet0/0
description outside network
switchport access vlan 2
interface Ethernet0/1
description inside network
switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone EST5EDT -5
dns server-group DefaultDNS
access-list 100 extended permit ip
access-list 100 extended permit ip
access-list 100 extended permit ip
access-list 100 extended permit ip
access-list 100 extended permit ip
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 18
logging device-id hostname
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 1440
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1
route outside A.B.C.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server authbiz protocol tacacs+
aaa-server authbiz (inside) host
timeout 5
key <removed>
aaa authentication telnet console authbiz LOCAL
aaa authentication enable console authbiz LOCAL
aaa authentication ssh console authbiz LOCAL
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set foo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map biz 10 match address 100
crypto map biz 10 set peer A.B.C.2
crypto map biz 10 set transform-set foo
crypto map biz interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ssh A.B.C.D outside
ssh inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd domain
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source inside
username admin password <removed> encrypted privilege 15
tunnel-group A.B.C.2 type ipsec-l2l
tunnel-group A.B.C.2 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
service-policy global_policy global
prompt hostname context

Re: ipsec l2l tunnel between 5505 and 5540 7 years 3 weeks ago #32330

ikon (Frequent Member, Posts: 48)
Where is the other end's config?

Looks OK, but you don't have any access lists allowing traffic from inside to the VPN; you have crypto map access lists to tell the VPN what the interesting traffic is. It might be that the VPN is connected but traffic is not flowing because of an ACL?

Do you have any logs?
Enable syslog or look in the ASDM for syslog messages.
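The reply above ends on the right question: an L2L tunnel between two ASAs stays down when the two ends disagree on a phase 1 (isakmp) proposal, a transform set, the peer address, or the tunnel-group, and traffic does not flow when the crypto ACL on one side is not the exact mirror image of the other's or the interesting traffic is not exempted from NAT with `nat (inside) 0`. The script below is an added example, not code from the thread or from Cisco: it parses the VPN-relevant lines of two ASA 8.2-style configs and reports those mismatches. `CR201` is a constructed cut-down of the 5505 config posted above, with the redacted A.B.C.x public addresses replaced by RFC 5737 placeholders (192.0.2.13 for the 5505, 192.0.2.2 for the 5540) and invented private networks; `HQ5540` is an entirely constructed far end seeded with one deliberate mismatch (`hash sha` against the 5505's `hash md5`). The function names and the wording of the findings are mine.

```python
"""Cross-check the phase 1 / phase 2 settings of two ASA 8.2-style configs for a
site-to-site (L2L) tunnel.  Added example, not code from the thread.  CR201 is a
constructed cut-down of the 5505 config in the post, HQ5540 a constructed far end
with one deliberate mismatch (hash sha vs md5); 192.0.2.x are RFC 5737 placeholders."""
from collections import defaultdict
CR201 = """
nameif outside
ip address 192.0.2.13 255.255.255.0
access-list 100 extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list 100
crypto ipsec transform-set foo esp-3des esp-md5-hmac
crypto map biz 10 match address 100
crypto map biz 10 set peer 192.0.2.2
crypto map biz 10 set transform-set foo
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
tunnel-group 192.0.2.2 type ipsec-l2l
"""
HQ5540 = """
nameif outside
ip address 192.0.2.2 255.255.255.0
access-list to_cr201 extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list to_cr201
crypto ipsec transform-set foo esp-3des esp-md5-hmac
crypto map outside_map 20 match address to_cr201
crypto map outside_map 20 set peer 192.0.2.13
crypto map outside_map 20 set transform-set foo
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
tunnel-group 192.0.2.13 type ipsec-l2l
"""
POLICY_KEYS = ("encryption", "hash", "group")   # compared; auth method and lifetime are not

def _ace(tokens):
    """src/dst of a 'permit ip NET MASK NET MASK' ACE as 'net/mask' pairs; () if redacted."""
    return tuple(f"{tokens[i]}/{tokens[i + 1]}" for i in (0, 2)) if len(tokens) >= 4 else ()

def parse_asa(text):
    """Collect the L2L-relevant objects of an ASA config into plain dicts."""
    cfg = {"outside_ip": "", "policies": [], "ts": {}, "nat0": "", "tg": {},
           "maps": defaultdict(dict), "acls": defaultdict(list)}
    nameif, policy = "", None
    for t in filter(None, map(str.split, text.splitlines())):
        if policy is not None and t[0] in POLICY_KEYS:       # inside an isakmp policy
            policy[t[0]] = t[1]
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "outside" and len(t) > 2:
            cfg["outside_ip"] = t[2]
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            cfg["policies"].append(policy := {})
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][t[3]] = tuple(sorted(t[4:]))           # order-independent proposal
        elif t[:2] == ["crypto", "map"] and t[4:6] in (["match", "address"], ["set", "peer"], ["set", "transform-set"]):
            key = "acl" if t[4] == "match" else t[5]
            cfg["maps"][(t[2], t[3])][key] = t[6:] if key == "transform-set" else t[6]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            if ace := _ace(t[5:]):                           # redacted ACEs are skipped
                cfg["acls"][t[1]].append(ace)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"] = t[4]
        elif t[0] == "tunnel-group" and t[2:3] == ["type"]:
            cfg["tg"][t[1]] = t[3]
    return cfg

def check_side(local, remote):
    """Findings for local's view of the tunnel to remote; [] means consistent."""
    me, you, f = local["outside_ip"], remote["outside_ip"], []
    def offered(c, e): return {c["ts"][n] for n in e.get("transform-set", []) if n in c["ts"]}
    theirs = set().union(*(offered(remote, r) for r in remote["maps"].values()))
    for (name, seq), e in local["maps"].items():
        peer, aces = e.get("peer"), set(local["acls"].get(e.get("acl"), []))
        checks = [
            (peer == you, f"peers with {peer}, but the remote outside address is {you}"),
            (local["tg"].get(peer) == "ipsec-l2l", f"lacks 'tunnel-group {peer} type ipsec-l2l'"),
            (bool(aces), f"ACL {e.get('acl')} is missing or has no complete 'permit ip' entries"),
            (aces <= set(local["acls"].get(local["nat0"], [])), f"traffic is not fully exempt from NAT by nat 0 ACL {local['nat0']}"),
            (bool(offered(local, e) & theirs), f"shares no transform set with {you}"),
            (any(set(remote["acls"].get(r.get("acl"), [])) == {(d, s) for s, d in aces}
                 for r in remote["maps"].values() if r.get("peer") == me),
             f"crypto ACL is not the mirror image of the one on {you}"),
        ]
        f += [f"{me}: crypto map {name} {seq} {msg}" for ok, msg in checks if not ok]
    return f

def check_pair(a, b):
    """Both directions plus the phase 1 proposal match; [] means no mismatch found."""
    f = check_side(a, b) + check_side(b, a)
    if not any(all(p.get(k) == q.get(k) for k in POLICY_KEYS)
               for p in a["policies"] for q in b["policies"]):
        f.append(f"no isakmp policy on {a['outside_ip']} matches any on {b['outside_ip']}")
    return f
```

`check_pair(parse_asa(CR201), parse_asa(HQ5540))` returns one finding, `no isakmp policy on 192.0.2.13 matches any on 192.0.2.2`; with the 5540 side changed to `hash md5` it returns an empty list, and breaking the far end's crypto ACL or its tunnel-group type produces the corresponding finding instead. The parser skips ACEs whose addresses are missing, which is what happens to the redacted `access-list 100 extended permit ip` lines in the post, so it needs the complete ACEs to say anything about mirroring or NAT exemption. It checks consistency, not strength: the 3DES / MD5 / group 2 proposal in the post is what devices of that era negotiated and is weak by current standards.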