Hi All,
I have R1 and ASA1 configured for secure communication through an IPsec
tunnel. The basic problem is that ASA1 can't ping R1's public IP
192.1.12.15 and vice versa, although R4 can ping R1.
Where do I enable ping from ASA1 to R1 so as to bring up the tunnel?
The same setup is working for the R1–ASA2 tunnel (Task b),
which verifies that the configuration on R1 and the ASA is correct.
Attaching R1, R4 and ASA2 configs.
Appreciate any input.
-Anshul
ASA1# Version 7.2 (2)
!
! NOTE(review): transparent mode. The address below (192.1.49.55) is the ASA's
! own management address, and the L2L ACL protects only traffic between that
! address and 10.1.1.0/24, so this tunnel carries management traffic to/from
! the ASA itself. The 7.x documentation limits VPN in transparent mode to
! exactly that (management connections terminating on the ASA) -- confirm the
! release in use behaves that way before debugging further.
firewall transparent
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
! ALLOW governs through-traffic only. ISAKMP (UDP/500) and ESP addressed to
! the ASA's own address are to-the-box traffic and should not be evaluated
! against these access-groups, so the tunnel is not being blocked here.
access-list ALLOW extended permit ospf any any
access-list ALLOW extended permit icmp any any echo
access-list ALLOW extended permit icmp any any echo-reply
! Interesting traffic is ASA-self <-> 10.1.1.0/24 only. A ping from the ASA to
! the peer address 192.1.12.15 does not match this ACL and can never bring the
! tunnel up; only traffic between the ASA and a 10.1.1.x host is protected.
access-list L2L extended permit ip host 192.1.49.55 10.1.1.0 255.255.255.0
ip address 192.1.49.55 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
access-group ALLOW in interface outside
access-group ALLOW out interface inside
route outside 0.0.0.0 0.0.0.0 192.1.49.4 1
username ipexpert password ij0ksrjE7tWxN/Kb encrypted
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! esp-des here, while R1's transform-set ASA (the one it also uses for the
! working ASA2 tunnel) is esp-3des esp-sha-hmac: Phase 2 proposals will not
! agree even after IKE completes. DES is also deprecated -- use
! esp-3des esp-sha-hmac (or stronger, on both ends).
crypto ipsec transform-set MYTRANS esp-des esp-sha-hmac
crypto map MYMAP 10 match address L2L
! answer-only: this ASA never initiates IKE, so nothing originated here
! (including its own pings) can bring the tunnel up; R1 or a 10.1.1.0/24
! host must start it. Remove this line (the default is bidirectional) if the
! ASA should be able to initiate.
crypto map MYMAP 10 set connection-type answer-only
! 192.1.12.15 is not on any R1 interface in the attached config (R1's crypto
! map sits on 10.2.2.1), so presumably a device upstream translates R1's
! address. R1 must then present 192.1.12.15 as its IKE identity for the
! tunnel-group below to match, and if NAT is in the path NAT traversal has to
! be enabled on both peers. Check `show crypto isakmp sa` at both ends.
crypto map MYMAP 10 set peer 192.1.12.15
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
! Policy 10: 3des / md5 / DH group 1 / pre-share. R1's isakmp policy 10 sets
! no group, so it also defaults to group 1 and the two match. Group 1 and MD5
! are weak -- move both peers to group 2 or higher and sha once this works.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.1.12.15 type ipsec-l2l
! The key is masked here, but R1 shows the same PSK in cleartext
! (`crypto isakmp key ccie ...`). Treat it as disclosed now that the configs
! have been posted and rotate it on both peers.
tunnel-group 192.1.12.15 ipsec-attributes
pre-shared-key *
telnet timeout 5
! SSH is accepted only from 10.1.1.0/24 via outside, i.e. through the tunnel;
! consistent with the L2L ACL above.
ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
: end
ASA1#
R1#sh run
Building configuration...
Current configuration : 2394 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off, so the ISAKMP pre-shared keys and the vty
! password below are stored and shown in cleartext. Turn on
! `service password-encryption` (and `password encryption aes` with
! `key config-key password-encrypt` to protect the ISAKMP keys), and rotate
! these values now that the config has been posted.
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
!
!
ip cef
!
!
no ip domain lookup
ip domain name ipexpert.com
ip ssh source-interface FastEthernet1
!
!
!
!
!
!
! Policy 10: 3des / md5 / pre-share with no `group`, so DH group 1 by
! default -- this is what matches ASA1's policy 10. Weak; raise both peers
! together (group 2 or higher, sha).
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
! One PSK for both peers, in cleartext. The ASA1 key is bound to 192.1.49.55,
! whereas ASA1 itself peers with 192.1.12.15 -- an address that appears
! nowhere on this router, so presumably something upstream translates
! 10.2.2.1. Each peer's IKE identity must still match the entries here and
! the ASA's tunnel-group.
crypto isakmp key ccie address 192.1.49.55
crypto isakmp key ccie address 10.5.5.55
!
!
! esp-3des esp-sha-hmac, shared by both crypto map entries. ASA1's MYTRANS is
! esp-des esp-sha-hmac, so its Phase 2 proposal will be rejected; ASA2 (the
! working tunnel) presumably matches this set. Align ASA1 to 3DES or stronger.
crypto ipsec transform-set ASA esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 192.1.49.55
set transform-set ASA
match address ASA1
crypto map MYMAP 20 ipsec-isakmp
set peer 10.5.5.55
set transform-set ASA
match address ASA2
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.0.0.0
!
interface Loopback16
ip address 172.16.1.1 255.255.255.0
!
! Crypto map is applied on the 10.2.2.1 interface. `ip nat outside` is set
! here, but the static NAT entries below translate only the RADIUS ports, not
! this address, so the 192.1.12.15 that ASA1 sees is not produced by R1.
interface FastEthernet0
ip address 10.2.2.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MYMAP
!
interface FastEthernet1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface Vlan1
no ip address
!
router rip
version 2
network 1.0.0.0
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
ip route 10.5.5.0 255.255.255.0 10.2.2.5
ip route 192.168.5.0 255.255.255.0 10.2.2.10
ip route 192.168.104.0 255.255.255.0 10.2.2.10
!
!
! HTTP management enabled with no `ip http access-class` or authentication
! shown; disable unless it is needed.
ip http server
no ip http secure-server
ip nat inside source static udp 10.1.1.100 1645 10.2.2.99 1812 extendable
ip nat inside source static udp 10.1.1.100 1646 10.2.2.99 1813 extendable
!
! Mirror of ASA1's L2L ACL: interesting traffic is 10.1.1.0/24 <-> the ASA's
! own address only. A ping from this router is sourced from 10.2.2.1 and does
! not match, so it will not trigger the tunnel; test with
! `ping 192.1.49.55 source FastEthernet1` (or from a 10.1.1.x host).
ip access-list extended ASA1
permit ip 10.1.1.0 0.0.0.255 host 192.1.49.55
ip access-list extended ASA2
permit ip 10.1.1.0 0.0.0.255 host 10.5.5.55
!
!
!
!
!
!
!
control-plane
!
alias exec cc config t
alias exec ship sh ip int brief
alias exec sir sh ip route
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
! `login local` makes the line password below unused -- remove it. No
! `transport input` is set, so telnet stays enabled alongside SSH; add
! `transport input ssh`.
line vty 0 4
password cisco
login local
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
R4#sh run
Building configuration...
Current configuration : 2250 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.123-14.T7.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$XhG4$4bU7fv3bFbd5l4j07YhqH1
! `enable secret` above already governs enable mode; this cleartext
! `enable password` (password encryption is off) is redundant and only
! exposes a password -- remove it. The hashes here and on the username below
! are now public; rotate them.
enable password lab
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 secret 5 $1$LcCz$x79vweHvNGPQrOvTZyXz8.
!
!
!
! R4's own tunnel: peer 192.1.12.10, interesting traffic 192.168.104.0/24 <->
! 10.2.2.0/24, applied on Serial0/0/0 below. It is unrelated to the ASA1<->R1
! tunnel, for which R4 is only the next hop (ASA1's default route points at
! 192.1.49.4). Note it also uses MD5 and single DES (no `encr` here, so
! the IOS default of DES applies; the transform-set is esp-des).
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ccie address 192.1.12.10
no crypto isakmp ccm
!
!
crypto ipsec transform-set PIXL2L esp-des esp-md5-hmac
!
crypto map MYMAP 10 ipsec-isakmp
set peer 192.1.12.10
set transform-set PIXL2L
match address PIXL2L
!
!
!
!
interface Loopback0
ip address 4.4.4.4 255.0.0.0
!
interface Loopback10
ip address 192.168.104.4 255.255.255.0
!
interface GigabitEthernet0/0
ip address 192.1.49.4 255.255.255.0
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.1.24.4 255.255.255.0
ip virtual-reassembly
encapsulation frame-relay
ip ospf network point-to-point
frame-relay map ip 192.1.24.2 402 broadcast
no frame-relay inverse-arp
frame-relay lmi-type cisco
crypto map MYMAP
!
router ospf 1
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 10
network 192.1.24.0 0.0.0.255 area 10
network 192.1.49.0 0.0.0.255 area 10
!
ip classless
! The only static route is 10.2.2.0/24 via 192.1.24.2; there is nothing for
! 192.1.12.0/24 here, so ASA1's packets to 192.1.12.15 depend on an
! OSPF-learned route (not shown). The post says R4 can reach R1, so verify
! with `show ip route 192.1.12.15` here, then check that the peer end has a
! return route to 192.1.49.0/24 -- a one-way path is consistent with the
! symptom described.
ip route 10.2.2.0 255.255.255.0 192.1.24.2
!
!
! HTTP management enabled with no access-class shown; disable if unused.
ip http server
no ip http secure-server
!
ip access-list extended PIXL2L
permit ip 192.168.104.0 0.0.0.255 10.2.2.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
alias exec ship sh ip int brief
alias exec sir sh ip route
alias exec shr sh run
!
line con 0
exec-timeout 0 0
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
! Both vty ranges: telnet only, a cleartext line password that `login local`
! leaves unused, and every login lands directly at privilege 15. Prefer
! `transport input ssh` and drop the line passwords.
line vty 0 4
privilege level 15
password csco
login local
transport input telnet
line vty 5 15
privilege level 15
password csco
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
R4#