Cisco – No luck with Cisco site-to-site VPN

Tags: cisco, cisco-asa, vpn

I have two ASA 5505 running 8.4. Both can access the Internet. ASA#1 has a VoIP gateway behind it that is being NATted, hence the extra rules.

This is on ASA #1:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.224
!

object network server
 host 192.168.1.100
object service voip-range
 service udp source range 9000 9049
object service sip-tcp
 service tcp source eq sip
object service sip-udp
 service udp source eq sip
object service sip-secure
 service tcp source eq 5061
object service sip-tcp-remote
 service tcp source eq 5090
object service sip-udp-remote
 service udp source eq 5090
object network Remote_Network
 subnet 192.168.2.0 255.255.255.0
 description Travis network
object network My_Network
 subnet 192.168.1.0 255.255.255.0

access-list l2l_list extended permit ip object My_Network object Remote_Network
access-list outside_access_in extended permit tcp any object server eq sip log errors
access-list outside_access_in extended permit udp any object server eq sip log errors
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
access-list outside_access_in extended permit object sip-secure any object server log errors
access-list outside_access_in extended permit object sip-tcp-remote any object server log errors
access-list outside_access_in extended permit object sip-udp-remote any object server log errors
access-list outside_access_in extended deny ip any any log alerts
access-list inside_access_in extended permit ip any any log debugging

nat (inside,outside) source static server interface service voip-range voip-range
nat (inside,outside) source static server interface service sip-tcp sip-tcp
nat (inside,outside) source static server interface service sip-udp sip-udp
nat (inside,outside) source static server interface service sip-secure sip-secure
nat (inside,outside) source static server interface service sip-tcp-remote sip-tcp-remote
nat (inside,outside) source static server interface service sip-udp-remote sip-udp-remote
nat (inside,outside) source dynamic any interface

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal sec
 protocol esp encryption aes 3des des
 protocol esp integrity sha-1
crypto map kernelvpn 1 match address l2l_list
crypto map kernelvpn 1 set peer 10.10.10.8
crypto map kernelvpn 1 set ikev1 transform-set FirstSet
crypto map kernelvpn 1 set ikev2 ipsec-proposal sec
crypto map kernelvpn interface outside
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 10.10.10.8 type ipsec-l2l
tunnel-group 10.10.10.8 ipsec-attributes
 ikev1 pre-shared-key abcd1234

And this is what's on ASA #2

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.8 255.255.255.224
!

object network Remote_Network
 subnet 192.168.1.0 255.255.255.0
 description Travis network
object network My_Network
 subnet 192.168.2.0 255.255.255.0

access-list l2l_list extended permit ip object My_Network object Remote_Network
access-list outside_access_in extended deny ip any any log alerts
access-list inside_access_in extended permit ip any any log debugging

nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.9 1

crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal sec
 protocol esp encryption aes 3des des
 protocol esp integrity sha-1
crypto map kernelvpn 1 match address l2l_list
crypto map kernelvpn 1 set peer 10.10.10.1
crypto map kernelvpn 1 set ikev1 transform-set FirstSet
crypto map kernelvpn 1 set ikev2 ipsec-proposal sec
crypto map kernelvpn interface outside
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key *****

Some helpful output:

ciscoasa(config)# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

show crypto ipsec sa doesn't show a thing!

Not sure what other options I have here… I've tried to do the following ping with no luck:

ping inside 192.168.2.1 

Packet trace yields the following:

ciscoasa(config)# packet-tracer input inside tcp 192.168.1.11 22 192.168.2.1 22

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any log debugging
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.1.11/22 to 10.10.10.2/22

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 475091, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Best Answer

I don't see your NAT statements on either ASA for the tunnel. On the newer ASA 8.4 code you should have those VPN tunnels entered using "twice NAT":

nat (inside,any) source static My_Network My_Network destination static Remote_Network Remote_Network
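As an added example (not part of the original question or answer), here is what the NAT exemption from the answer looks like on both ASAs, together with the checks that confirm it took effect. It uses the object names and addressing from the question and assumes the `(inside,outside)` interface pair rather than the answer's `(inside,any)`, a placeholder pre-shared key, and two hypothetical LAN hosts (192.168.1.11 and 192.168.2.10) for testing. The important detail is the explicit line number: manual (section 1) NAT rules are evaluated in order and the first match wins, and the existing `nat (inside,outside) source dynamic any interface` rule is itself a section 1 rule, so an identity rule simply appended after it would never be reached. That is exactly what the packet-tracer output in the question shows: Phase 4 applies the dynamic PAT to 192.168.1.11 and no VPN/encrypt phase follows, because the crypto ACL `l2l_list` is matched against the already-translated source address.

```cisco
! Added example, not code from the original post or answer.
! NAT exemption (identity twice NAT) for the site-to-site tunnel on ASA 8.4,
! placed at line 1 so it is evaluated before the dynamic PAT rule.
!
! --- ASA #1 (inside 192.168.1.0/24, outside 10.10.10.1, peer 10.10.10.8) ---
! no-proxy-arp and route-lookup are optional keywords (8.4(2) and later);
! omit them on an earlier 8.4 release.
nat (inside,outside) 1 source static My_Network My_Network destination static Remote_Network Remote_Network no-proxy-arp route-lookup
!
! The question's crypto map references both an ikev1 transform-set and an ikev2
! proposal, and IKEv2 is enabled on outside, but the tunnel-group only carries an
! IKEv1 key. Either give IKEv2 its own keys (placeholder values below) or remove the
! "set ikev2 ipsec-proposal" line so negotiation is purely IKEv1.
tunnel-group 10.10.10.8 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PSK
!
! --- ASA #2 (inside 192.168.2.0/24, outside 10.10.10.8, peer 10.10.10.1) ---
nat (inside,outside) 1 source static My_Network My_Network destination static Remote_Network Remote_Network no-proxy-arp route-lookup
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_PSK
 ikev2 local-authentication pre-shared-key REPLACE_WITH_PSK
!
! --- Verification on ASA #1 ---
! 1. Rule order: the identity rule must be listed first under
!    "Manual NAT Policies (Section 1)", ahead of the dynamic PAT rule.
show nat
!
! 2. Trace a packet from a LAN host to the remote LAN. With the fix, the NAT phase
!    should reference the static identity rule instead of "Dynamic translate ...",
!    and a "Type: VPN / Subtype: encrypt" phase should appear before FLOW-CREATION.
packet-tracer input inside icmp 192.168.1.11 8 0 192.168.2.10 detailed
!
! 3. Send real traffic from a LAN host (e.g. ping 192.168.2.10 from 192.168.1.11),
!    then confirm that the IKE and IPsec SAs came up.
show crypto ikev1 sa
show crypto ipsec sa peer 10.10.10.8
!
! 4. If IKE still does not negotiate, watch phase 1 and phase 2 on both peers.
debug crypto ikev1 127
debug crypto ipsec 127
```

Two practical notes. Generate the interesting traffic from a host on the LAN rather than with `ping inside` from the ASA itself, since the packet-tracer and the ASA's own sourced traffic do not exercise the data path the same way a transit packet does. Separately, the pre-shared key on ASA #1 was pasted in clear text in the question, so it should be rotated once the tunnel is working, and when both ends support it the 3DES/MD5 transform set and Diffie-Hellman group 2 in the question are worth replacing with AES and SHA and a larger DH group.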