I thought I saw earlier a mention of the traffic hair-pinning, yet your crypto map is bound to the outside interface.

Is the IPSEC tunnel being established on the outside or the inside interface? Can you show the output of a "sh route" also.

On 01/04/2008, at 9:00 PM, William wrote:

> Can't paste the whole thing, but here are the bits:
>
> access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>
> access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
> access-list inside_access_in extended permit icmp any any
>
> access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
>
> nat (inside) 0 access-list inside_nat0_outbound
> access-group inside_access_in in interface inside
>
> group-policy 800vpn internal
> group-policy 800vpn attributes
>  password-storage enable
>  pfs enable
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value Split-Tunnel
>  nem enable
>
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map outside_dyn_map 20 set pfs
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 40 set pfs
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 60 set pfs
> crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 80 set pfs
> crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 100 set pfs
> crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-MD5
> crypto dynamic-map outside_dyn_map 120 set pfs
> crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
>
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
>
> crypto isakmp policy 1
>  authentication pre-share
>  encryption 3des
>  hash md5
>  group 2
>  lifetime 86400
>
> tunnel-group Uname type ipsec-ra
> tunnel-group Uname general-attributes
>  default-group-policy 800vpn
> tunnel-group Uname ipsec-attributes
>  pre-shared-key *
>  isakmp ikev1-user-authentication none
>
> On 01/04/2008, Ben Steele <[EMAIL PROTECTED]> wrote:
>> Maybe it would be easier if you just pasted your config in rather than
>> us keep guessing, but I can add to the guess list.. :)
>>
>> Do you have nat-control turned on? If so, have you got your nat 0
>> statement set up for the IPSEC traffic?
>>
>> Ben
>>
>> On 01/04/2008, at 8:08 PM, William wrote:
>>
>>> Hi Peter,
>>>
>>> I went ahead and enabled it in the end. It stopped the error messages
>>> (denies) coming up in the logs, but my data still isn't passing through.
>>> I'm still a bit lost as to what's causing my issue; do you think it
>>> could be to do with my ISAKMP/IPSEC settings? I'm not so sure, because the
>>> logs show Phase 1 & 2 completed without any problems. :(
>>>
>>> Regards,
>>>
>>> On 01/04/2008, Peter Rathlev <[EMAIL PROTECTED]> wrote:
>>>> On Tue, 2008-04-01 at 09:05 +0100, William wrote:
>>>>> The command same-security-traffic permit intra-interface is not in the
>>>>> config, but am I likely to break anything if I use it?
>>>>
>>>> Well, you're likely to break the security that is there from the
>>>> beginning, without this command. You could compare it to "local proxy
>>>> arp". It will not stop any traffic flows that already work, just allow
>>>> some more ones.
>>>>
>>>> Reference for the command:
>>>>
>>>> http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
>>>> http://tinyurl.com/2ateua
>>>>
>>>> Regards,
>>>>
>>>> Peter
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
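The three questions the thread circles around (is the nat 0 exemption in place for the split-tunnel networks, which interface does the crypto map terminate on, and is same-security-traffic permit intra-interface configured for hairpinned flows) can be checked mechanically against a config excerpt. The script below is an added example written for this thread, not code from any poster or from Cisco; it parses only the handful of ASA 7.x line shapes quoted above (ip access-list entries, nat 0, crypto map interface binding, the same-security-traffic line), uses a constructed sample built from William's posted lines, and assumes the Split-Tunnel ACL is written inside-network to client-pool, as posted. The ACL name, the interface name "inside" and the function names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample: the access-list, nat 0 and crypto map lines quoted in the
# thread, addresses exactly as William posted them. Not a complete ASA config.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list Split-Tunnel extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# Only the line shapes this check needs; all other ASA syntax is ignored.
ACL_IP_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
SAME_SEC = "same-security-traffic permit intra-interface"


def parse(config):
    """Collect ip ACL entries, nat 0 bindings, crypto map interface bindings and
    the same-security-traffic flag from an ASA config excerpt."""
    acls, nat0, cmap_if, same_sec = {}, {}, {}, False
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_IP_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{smask}", strict=False),
                ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
            ))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)     # interface -> exemption ACL
            continue
        m = CMAP_IF_RE.match(line)
        if m:
            cmap_if[m.group(1)] = m.group(2)  # crypto map -> interface
            continue
        if line == SAME_SEC:
            same_sec = True
    return {"acls": acls, "nat0": nat0, "cmap_if": cmap_if, "same_sec": same_sec}


def uncovered_split_flows(parsed, split_acl="Split-Tunnel", inside_if="inside"):
    """Split-tunnel (src, dst) pairs that the nat 0 ACL bound to inside_if does
    not exempt: inside traffic for those pairs is not NAT-exempted, which is
    the first thing Ben asked about."""
    exempt = parsed["acls"].get(parsed["nat0"].get(inside_if), [])
    missing = []
    for src, dst in parsed["acls"].get(split_acl, []):
        if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
            missing.append((str(src), str(dst)))
    return missing


def tunnel_interfaces(parsed):
    """Interfaces with a crypto map applied, i.e. where IPsec terminates."""
    return sorted(set(parsed["cmap_if"].values()))


def findings(config):
    """Human-readable checks; an empty list means nothing was flagged."""
    p = parse(config)
    out = []
    for src, dst in uncovered_split_flows(p):
        out.append(f"split-tunnel flow {src} -> {dst} has no nat 0 exemption")
    ifaces = tunnel_interfaces(p)
    if not ifaces:
        out.append("no crypto map is bound to any interface")
    if not p["same_sec"]:
        # Per Peter's note: without this line, flows that enter and leave the
        # same interface (e.g. hairpinned through outside) are not allowed.
        out.append(f"{SAME_SEC} is absent; traffic entering and leaving the same "
                   f"interface ({', '.join(ifaces) or 'n/a'}) will not be hairpinned")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the posted excerpt it reports only the missing same-security-traffic line, which matches the thread: the nat 0 ACL does cover the split-tunnel pair and the crypto map is bound to outside. Adding a Split-Tunnel entry for a network the nat 0 ACL does not list makes the first check fire, which is the mismatch worth ruling out before looking at Phase 1/2 settings that the logs already show completing.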