well i think when i type show arp ? and there is NO OUTPUT AT ALL ! this means both sides inside and outside i am not getting anything ??? confused.
isn't it VLAN PROBLEM ???

-----Original Message-----
From: [email protected] on behalf of Leon Lai (gmail)
Sent: Tue 2/15/2011 9:24 AM
To: kamran shakil
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] [Troubleshooting Issie ] router -------->asa (single mode) ----------> router "plz help"

On which interface u are unable to get show arp output?

Thanks
Leon Lai

Sent from my iPad

On Feb 15, 2011, at 11:23 AM, kamran shakil <[email protected]> wrote:

Dears,

I am not running GNS3. This is real-life RACK setup. My ASA version is 8.2(1) and running in single mode with "no nat-control"....

In SHOW ARP , i am getting nothing !!!

This was a technology setup. Can there be a VLAN issue underneath or SVI missing or is there anything in my configs so far ?????

setup is simple
================

router 5 --------- (inside) ASA (outside) ------------- router 1

ASA
======
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 100.100.7.10 255.255.255.0
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 nameif outside
 security-level 0
 allow-ssc-mgmt
 ip address 100.100.6.10 255.255.255.0

access-list outside extended permit icmp any any
access-list outside extended permit tcp host 100.100.6.4 host 100.100.52.5 eq telnet
access-list outside extended permit tcp host 100.100.51.1 host 100.100.52.5 eq telnet
access-list outside extended permit esp host 192.168.1.1 host 192.168.5.5
access-list outside extended permit udp host 192.168.1.1 host 192.168.5.5 eq isakmp
access-list R1-R5 extended permit ip host 100.100.51.1 host 100.100.52.5
access-list R4-R5 extended permit ip host 100.100.6.4 host 100.100.52.5
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (outside,inside) 100.100.3.70 access-list R1-R5
static (outside,inside) 100.100.7.31 access-list R4-R5
access-group outside in interface outside
router ospf 1
 network 100.100.6.0 255.255.255.0 area 0
 network 100.100.7.0 255.255.255.0 area 0
 log-adj-changes

R1 CONFIG
==========
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.100.7.5
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto ipsec profile vpn
 set transform-set tset

int lo0
 ip add 192.168.1.1 255.255.255.0

interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source 100.100.6.1
 tunnel destination 100.100.7.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn

router eigrp 199
 network 123.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary

R5 CONFIG
==========
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.100.6.1
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto ipsec profile vpn
 set transform-set tset

interface Loopback0
 ip address 192.168.5.5 255.255.255.0
!
!
interface Tunnel0
 ip address 123.1.1.5 255.255.255.0
 tunnel source 100.100.7.5
 tunnel destination 100.100.6.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn

router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 100.100.7.5 0.0.0.0 area 0
 network 100.100.8.5 0.0.0.0 area 0
 network 100.100.52.5 0.0.0.0 area 0

Upon debug cry isa, and logging console 7, I am getting the following messages:

Rack05R5#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
100.100.6.1     100.100.7.5     MM_NO_STATE          0    0 ACTIVE

IPv6 Crypto ISAKMP SA

Rack05R5#
*Jan 5 12:11:31.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 5 12:11:31.912: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 5 12:11:31.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 5 12:11:31.912: ISAKMP:(0): sending packet to 100.100.6.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 5 12:11:31.912: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 5 12:11:41.900: ISAKMP: set new node 0 to QM_IDLE
*Jan 5 12:11:41.900: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 100.100.7.5, remote 100.100.6.1)
*Jan 5 12:11:41.900: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 5 12:11:41.904: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 5 12:11:41.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 5 12:11:41.912: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 5 12:11:41.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 5 12:11:41.912: ISAKMP:(0): sending packet to 100.100.6.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 5 12:11:41.912: ISAKMP:(0):Sending an IKE IPv4 Packet.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
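
Added example, not part of the original thread and not any poster's code: a Python check that compares the permit entries of the ASA "outside" access-list with the tunnel source and destination configured on R1, using lines copied from the configs quoted above. It assumes ASA 8.2-style extended ACL syntax with named ports and tunnel endpoints given as IP addresses; it does not model NAT or stateful return traffic, and it says nothing about the empty ARP table.

```python
import ipaddress
import re

# Excerpts copied from the ASA and R1 configs quoted in the thread.
ASA_ACL = """\
access-list outside extended permit icmp any any
access-list outside extended permit tcp host 100.100.6.4 host 100.100.52.5 eq telnet
access-list outside extended permit esp host 192.168.1.1 host 192.168.5.5
access-list outside extended permit udp host 192.168.1.1 host 192.168.5.5 eq isakmp
"""
R1_TUNNEL = "tunnel source 100.100.6.1\ntunnel destination 100.100.7.5\n"

def parse_addr(tok):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text, name):
    """Return (proto, src_net, dst_net, dst_port) for each permit line of ACL `name`."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:4] != ["access-list", name, "extended", "permit"]:
            continue
        src, rest = parse_addr(t[5:])
        dst, rest = parse_addr(rest)
        port = rest[1] if rest[:1] == ["eq"] else None
        rules.append((t[4], src, dst, port))
    return rules

def permitted(rules, proto, src, dst, port=None):
    """True if any permit entry covers this protocol, address pair and port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(rp in (proto, "ip") and src in rs and dst in rd
               and rport in (None, port) for rp, rs, rd, rport in rules)

def check_tunnel(acl_text, tunnel_text, acl_name="outside"):
    """Is IKE (udp/isakmp) and ESP between the tunnel endpoints covered by the ACL?"""
    src = re.search(r"tunnel source (\S+)", tunnel_text).group(1)
    dst = re.search(r"tunnel destination (\S+)", tunnel_text).group(1)
    rules = parse_acl(acl_text, acl_name)
    return {"isakmp": permitted(rules, "udp", src, dst, "isakmp"),
            "esp": permitted(rules, "esp", src, dst)}

if __name__ == "__main__":
    print(check_tunnel(ASA_ACL, R1_TUNNEL))
```

With the quoted configs, the ISAKMP and ESP entries name the loopbacks 192.168.1.1 and 192.168.5.5, while the tunnel endpoints are 100.100.6.1 and 100.100.7.5, so neither entry covers the endpoint pair.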
