Hi All,
 
I have R1 and ASA1 configured for secure communication through an IPsec
tunnel. The basic problem is that ASA1 can't ping R1's public IP
192.1.12.15, and vice versa, although R4 can ping R1.
Where do I enable ping from ASA1 to R1 so as to bring up the tunnel?
 
The same setup is working for the R1-to-ASA2 tunnel (Task b), which
verifies that the configuration on R1 and the ASA is correct.
 
Attaching the R1, R4 and ASA2 configs.
 
Appreciate any input.
-Anshul
 
ASA1# Version 7.2 (2)
!
firewall transparent
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
access-list ALLOW extended permit ospf any any 
access-list ALLOW extended permit icmp any any echo 
access-list ALLOW extended permit icmp any any echo-reply 
access-list L2L extended permit ip host 192.1.49.55 10.1.1.0 255.255.255.0 
ip address 192.1.49.55 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
access-group ALLOW in interface outside
access-group ALLOW out interface inside
route outside 0.0.0.0 0.0.0.0 192.1.49.4 1
username ipexpert password ij0ksrjE7tWxN/Kb encrypted
aaa authentication ssh console LOCAL 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYTRANS esp-des esp-sha-hmac 
crypto map MYMAP 10 match address L2L
crypto map MYMAP 10 set connection-type answer-only
crypto map MYMAP 10 set peer 192.1.12.15 
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.1.12.15 type ipsec-l2l
tunnel-group 192.1.12.15 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
!
service-policy global_policy global
: end
ASA1#
R1#sh run
Building configuration...

Current configuration : 2394 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
!
!
ip cef
!
!         
no ip domain lookup
ip domain name ipexpert.com
ip ssh source-interface FastEthernet1
!
!
!
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ccie address 192.1.49.55
crypto isakmp key ccie address 10.5.5.55
!
!
crypto ipsec transform-set ASA esp-3des esp-sha-hmac 
!
crypto map MYMAP 10 ipsec-isakmp 
 set peer 192.1.49.55
 set transform-set ASA 
 match address ASA1
crypto map MYMAP 20 ipsec-isakmp 
 set peer 10.5.5.55
 set transform-set ASA 
 match address ASA2
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0
!
interface Loopback16
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 10.2.2.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface Vlan1
 no ip address
!
router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
ip route 10.5.5.0 255.255.255.0 10.2.2.5
ip route 192.168.5.0 255.255.255.0 10.2.2.10
ip route 192.168.104.0 255.255.255.0 10.2.2.10
!
!
ip http server
no ip http secure-server
ip nat inside source static udp 10.1.1.100 1645 10.2.2.99 1812 extendable
ip nat inside source static udp 10.1.1.100 1646 10.2.2.99 1813 extendable
!
ip access-list extended ASA1
 permit ip 10.1.1.0 0.0.0.255 host 192.1.49.55
ip access-list extended ASA2
 permit ip 10.1.1.0 0.0.0.255 host 10.5.5.55
!
!
!
!
!
!
!
control-plane
!
alias exec cc config t
alias exec ship sh ip int brief
alias exec sir sh ip route
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login local
!
scheduler allocate 20000 1000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
R4#sh run
Building configuration...

Current configuration : 2250 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.123-14.T7.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$XhG4$4bU7fv3bFbd5l4j07YhqH1
enable password lab
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!         
!
ip cef
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 secret 5 $1$LcCz$x79vweHvNGPQrOvTZyXz8.
!
! 
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ccie address 192.1.12.10
no crypto isakmp ccm
!
!
crypto ipsec transform-set PIXL2L esp-des esp-md5-hmac 
!
crypto map MYMAP 10 ipsec-isakmp 
 set peer 192.1.12.10
 set transform-set PIXL2L 
 match address PIXL2L
!
!
!
!
interface Loopback0
 ip address 4.4.4.4 255.0.0.0
!
interface Loopback10
 ip address 192.168.104.4 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 192.1.49.4 255.255.255.0
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.1.24.4 255.255.255.0
 ip virtual-reassembly
 encapsulation frame-relay
 ip ospf network point-to-point
 frame-relay map ip 192.1.24.2 402 broadcast
 no frame-relay inverse-arp
 frame-relay lmi-type cisco
 crypto map MYMAP
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 10
 network 192.1.24.0 0.0.0.255 area 10
 network 192.1.49.0 0.0.0.255 area 10
!
ip classless
ip route 10.2.2.0 255.255.255.0 192.1.24.2
!
!
ip http server
no ip http secure-server
!
ip access-list extended PIXL2L
 permit ip 192.168.104.0 0.0.0.255 10.2.2.0 0.0.0.255
!
!
!
!
!         
control-plane
!
!
!
!
!
!
!
!
!
alias exec ship sh ip int brief
alias exec sir sh ip route
alias exec shr sh run
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 password csco
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 password csco
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

R4#
