Mark,

try to configure outbound acl on outside interface of ASA2 with:
permit gre host 222.222.222.222 host 111.111.111.111 (if crypto profiles on
routers disabled)
permit udp host 222.222.222.222 eq 500 host 111.111.111.111 eq 500 (if
crypto profiles on routers enabled)
permit ip any any

And watch for matches.

-- 
Best regards,
Andrey
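As an added example (not part of this thread, and not Andrey's or Mark's code), here is a small Python parser for the `show access-list` output Mark pasted below, so that the "watch for matching" step can be repeated on each hop without reading hit counters by eye. It assumes the ASA line format shown in the thread (`... (hitcnt=N) 0xHASH`, with the object-group parent line carrying no counter) and uses the two cases Andrey describes: GRE when the crypto profile is off, IKE/UDP 500 when it is on; the inclusion of UDP 4500 and ESP in the IPsec case is this example's own assumption, mirroring the ACEs that appear in Mark's output. The sample text is copied from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample "show access-list" output copied from the thread (line wrapping removed).
SAMPLE_OUTPUT = """\
access-list OUTSIDE line 66 extended permit object-group CRYPTO host 222.222.222.222 host 111.111.111.111 0xe62abcbe
access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222 host 111.111.111.111 echo (hitcnt=5)
"""

# One ACE per line: an object-group parent line has no hitcnt, expanded entries do.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>object-group\s+\S+|\S+)\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?P<qualifier>.*?)"
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?"
    r"(?:\s+0x[0-9a-fA-F]+)?\s*$"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    service: str          # e.g. "esp", "udp eq isakmp", "icmp echo"
    src: str
    dst: str
    hits: Optional[int]   # None for an object-group parent line (no counter)


def parse_show_access_list(text: str) -> list[Ace]:
    """Turn raw 'show access-list' text into Ace records, skipping non-ACE lines."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        qualifier = " ".join(m.group("qualifier").split())
        service = m.group("proto") + (f" {qualifier}" if qualifier else "")
        hits = m.group("hits")
        aces.append(Ace(m.group("acl"), int(m.group("line")), m.group("action"),
                        service, m.group("src"), m.group("dst"),
                        None if hits is None else int(hits)))
    return aces


# Services a DMVPN peer pair should be matching, keyed by whether the tunnel
# interfaces carry "tunnel protection ipsec profile" (assumption of this example).
EXPECTED_SERVICES = {
    True:  ["udp eq isakmp", "udp eq 4500", "esp"],  # IKE first, then NAT-T / ESP
    False: ["gre"],                                    # plain mGRE, no crypto
}


def expected_hit_counts(aces: list[Ace], src: str, dst: str, ipsec_enabled: bool) -> dict:
    """Map each service the flow needs to its counter (None = no ACE for it)."""
    counted = {a.service: a.hits for a in aces
               if a.src == src and a.dst == dst and a.hits is not None}
    return {svc: counted.get(svc) for svc in EXPECTED_SERVICES[ipsec_enabled]}


def silent_services(aces: list[Ace], src: str, dst: str, ipsec_enabled: bool) -> list[str]:
    """Services that should be matching on this hop but show no hits (or no ACE)."""
    return [svc for svc, hits in expected_hit_counts(aces, src, dst, ipsec_enabled).items()
            if not hits]


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_OUTPUT)
    for a in aces:
        print(f"{a.acl} line {a.line}: {a.service:<20} hits={a.hits}")
    for ipsec in (True, False):
        quiet = silent_services(aces, "222.222.222.222", "111.111.111.111", ipsec)
        print(f"ipsec={ipsec}: no matches for {quiet or 'nothing; traffic reaches this hop'}")
```

Run it against the output of each ASA in turn: the first hop where the ICMP test entry counts but the IKE (or GRE) entry stays at zero is where the tunnel traffic is being dropped before the ACL sees it, which is what the thread is trying to locate.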
On Wed, May 18, 2011 at 1:29 AM, Andrey <[email protected]> wrote:

> No, you don't, the more so because you have internet in the path.
> Mark, the problem is still there... somewhere between ASA1 and Gi0/0.603, and
> likely it's on ASA2.
>
> --
> Best regards,
> Andrey
> On Wed, May 18, 2011 at 1:10 AM, Mark Senteza <[email protected]> wrote:
>
>> I've stripped the "tunnel protection ipsec profile" config from my tunnel
>> interfaces. Still no joy.
>>
>> The ASA on the DMVPN Hub side is running version 8.2, and the inbound ACL
>> shows no hit counts for any crypto traffic. The test pings come through
>> fine, so I know that the NATs for the DMVPN endpoints are set up fine. I'll
>> have to confirm with the remote ASA admins that there are no other ACLs along
>> the path that are dropping traffic, because I'd have expected at least ESP or
>> GRE to show hit counts.
>>
>>   access-list OUTSIDE line 66 extended permit object-group CRYPTO host
>> 222.222.222.222 host 111.111.111.111 0xe62abcbe
>>   access-list OUTSIDE line 66 extended permit esp host 222.222.222.222
>> host 111.111.111.111 (hitcnt=0) 0x628ac306
>>   access-list OUTSIDE line 66 extended permit gre host 222.222.222.222
>> host 111.111.111.111 (hitcnt=0) 0x1e349ff8
>>   access-list OUTSIDE line 66 extended permit udp host 222.222.222.222
>> host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
>>   access-list OUTSIDE line 66 extended permit udp host 222.222.222.222
>> host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
>>   access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222
>> host 111.111.111.111 echo (hitcnt=5)
>>
>> Do I need to have the private IPs for the DMVPN endpoints exempted from
>> NAT? For instance
>>
>> access-list NAT-EXEMPT ext permit ip host 10.10.1.1 host 10.20.1.1
>>
>> nat (inside) 0 access-list NAT-EXEMPT
>>
>>
>> On Tue, May 17, 2011 at 11:38 AM, Andrey <[email protected]> wrote:
>>
>>> Apparently you do not want to turn off the encryption :)
>>> so, a couple of thoughts:
>>>
>>> MM1 messages are not reaching the hub, or the reply from the hub is not
>>> reaching the spoke, so the problem is somewhere in the path;
>>> what OS version is on your ASAs? Not 8.3?
>>> I guess your problem is nat or acls on your ASAs
>>>
>>> --
>>> Best regards,
>>> Andrey
>>>
>>>
>>
>
>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com