Question : ASA 5510 Site-to-Site VPN

I'm having trouble getting a Site-to-Site VPN stood up between a couple of ASA 5510's at remote locations. It doesn't look like the two ASA's are even attempting to bring up the tunnel - "show crypto ipsec sa" says there are no SA's. Here is some info regarding the locations and the configs of the two firewalls:

Location 1:
Internet IP: a.b.c.34
Internal IP: 192.168.40.0/24

Location 2:
Internet IP: x.y.z.116
Internal IP: 192.168.100.0/24

#########################################################################
# Firewall 1
#########################################################################

ASA Version 7.2(2)10
!
hostname *
domain-name *****
enable password * encrypted
names
dns-guard
!
interface Ethernet0/0
speed 10
duplex full
nameif Internet
security-level 0
ip address a.b.c.34 255.255.255.240
!
interface Ethernet0/1
speed 100
duplex full
nameif corporate
security-level 75
ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif DSL
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd * encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ****
object-group icmp-type icmp_allowed_into_corporateNet
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
icmp-object echo
access-list internal_access_in remark allow internal users any icmp thru the firewall for now
access-list internal_access_in extended permit icmp any any
access-list internal_access_in remark allow anything outbound for now
access-list internal_access_in extended permit ip any any
access-list DSL_access_in extended permit icmp any any object-group icmp_allowed_into_corporateNet
access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
pager lines 50
logging enable
logging asdm informational
mtu Internet 1500
mtu corporate 1500
mtu DSL 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any corporate
icmp permit any DSL
asdm image disk0:/asdm522-54.bin
asdm history enable
arp timeout 14400
nat-control
global (Internet) 10 interface
global (DSL) 10 interface
nat (corporate) 0 access-list corporate_nat0_outbound
nat (corporate) 10 192.168.1.0 255.255.255.0
nat (corporate) 10 192.168.40.0 255.255.255.0
access-group internet_access_in in interface Internet
access-group internal_access_in in interface corporate
access-group DSL_access_in in interface DSL
route Internet 0.0.0.0 0.0.0.0 a.b.c.33 1 track 1
route corporate 192.168.1.0 255.255.255.0 192.168.40.8 1
route DSL 0.0.0.0 0.0.0.0 192.168.0.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 corporate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho a.b.c.33 interface Internet
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer x.y.z.116
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
tunnel-group x.y.z.116 type ipsec-l2l
tunnel-group x.y.z.116 ipsec-attributes
pre-shared-key *
telnet 192.168.1.0 255.255.255.0 corporate
telnet 192.168.40.0 255.255.255.0 corporate
telnet timeout 15
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
inspect dns
!
service-policy asa_global_fw_policy global
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:716f3096c3c4381fafa9e15ea0c94fba
: end

#########################################################################
# Firewall 2
#########################################################################

ASA Version 7.2(2)10
!
hostname
domain-name *
enable password encrypted
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif Internet
security-level 0
ip address x.y.z.116 255.255.255.248 standby x.y.z.117
!
interface Ethernet0/1
speed 100
duplex full
nameif SomeNet
security-level 100
ip address 192.168.100.253 255.255.255.0 standby 192.168.100.254
!
interface Ethernet0/2
speed 100
duplex full
nameif DMZ
security-level 0
ip address 192.168.53.1 255.255.255.0 standby 192.168.53.2
!
interface Ethernet0/3
speed 100
duplex full
nameif corporate
security-level 0
ip address 192.168.48.1 255.255.255.0 standby 192.168.48.2
!
interface Management0/0
description LAN/STATE Failover Interface
!
passwd ** encrypted
boot system disk0:/asa722-10-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.precysesolutions.com
object-group icmp-type icmp_allowed_in
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
access-list SomeNet_access_in extended permit ip any any
access-list Internet_access_in extended permit icmp any any object-group icmp_allowed_in
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu SomeNet 1500
mtu DMZ 1500
mtu corporate 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any SomeNet
icmp permit any DMZ
icmp permit any corporate
asdm image disk0:/asdm522-54.bin
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (SomeNet) 0 access-list SomeNet_nat0_outbound
nat (SomeNet) 1 192.168.100.0 255.255.255.0
access-group Internet_access_in in interface Internet
access-group SomeNet_access_in in interface SomeNet
route Internet 0.0.0.0 0.0.0.0 x.y.z.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.100.0 255.255.255.0 SomeNet
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Internet_map 20 match address Internet_20_cryptomap
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer a.b.c.34
crypto map Internet_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map interface Internet
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group a.b.c.34 type ipsec-l2l
tunnel-group a.b.c.34 ipsec-attributes
pre-shared-key *
telnet 192.168.100.0 255.255.255.0 SomeNet
telnet timeout 15
ssh timeout 5
console timeout 0
!
!
ntp authenticate
ntp server 192.5.41.41 source Internet prefer
prompt hostname context
Cryptochecksum:be267d2521225057f7eccf7195a95941
: end

Answer : ASA 5510 Site-to-Site VPN

>access-list Internet_20_cryptomap extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
>access-list corporate_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 host x.y.z.116
Do NOT put the remote host in the access-lists. Remove them and start over:
access-list Internet_20_cryptomap permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list corporate_nat0_outbound permit ip 192.168.40.0 255.255.255.0 192.168.100.0 255.255.255.0

Re-apply these because they disappear when you remove the acls in the first step:
nat (corporate) 0 access-list corporate_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap

Do the same on the remote site, mirror image:
no access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
no access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 host a.b.c.34
access-list SomeNet_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list Internet_20_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (corporate) 0 access-list SomeNet_nat0_outbound
crypto map Internet_map 20 match address Internet_20_cryptomap

Random Solutions

Sonicwall TZ180 STD and Netopia 3347

error starting jboss 4.0.5.GA on fedora 10/red hat enterprise server 5 linux

WAN Bandwidth test...Is my T1 really operating at T1 speeds?

Backup Solution for small Netware / OES network

Native or Mixed Mode Windows 2003

JBOSS clustering question

Unable to get fibre interfaces up on Cisco 3750?

Add second primary DNS zone

How to configure XP as a router?

Static Route Help - See my diagram